Most readers will have noticed the extent of successful cyber attacks on public services such as government and, especially, the dispersed local agencies. The US Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and the UK National Cyber Security Centre (NCSC) published a joint technical alert about malicious cyber activity. According to the alert, the targets of such activity are primarily government and private organizations, critical infrastructure providers, and the Internet service providers (ISPs) that support these sectors, right? In fact, as early as 2018, Big Brother Watch published a paper entitled Cyber Attacks in Local Authorities, which can be found at the following URL:
https://bigbrotherwatch.org.uk/wp-content/uploads/2018/02/Cyber-attacks-in-local-Authorities.pdf
However, despite the ongoing notifications, warnings and notices that have been circulated, they seem to be falling on deaf ears, as the Lincolnshire local authority was hit by a ransomware attack involving a third-party outsource provider. Add to that a report by insurance broker Gallagher, which found that local councils across the UK faced up to 263 million cyberattacks in the first half of 2019, averaging around 800 cyberattacks per hour (figures from Freedom of Information (FOI) requests).
The real concern here, of course, is that it is not just the UK that attracts such adverse interest. Considering the drive for digital transformation and smart cities, such as the NEOM project in Saudi Arabia, one can only assume that security-critical deployments like these have somehow overcome the insecurity problem and are being built within an overarching, robust security structure – but I have my doubts!
With these known knowns in the back of my mind, I started a small research project to assess the general security posture of a sample of 10 + 1 local authority domains, as well as a local council that has just undergone a major upgrade of its website, using open source techniques.
My overarching concern here is that local authorities, government agencies, and the evolving transformed smart cities hold, and will continue to hold, significant amounts of data about their local populations, and as such the risk is increased by a factor of the public exposure of their local digital presence!
The 10 + 1 domains were sampled at random and rated against the criteria listed below. The results are, or should be, of great importance to any resident who falls within their scope of data collection, and one can only infer how high the level of insecurity will be for those that have not been assessed.
HAMPSHIRE

5,621 – Accounts at risk
128 – violations
38 – Pastes – 5 Sensitive
14,498 – data leaks
5,360 – Compromised passwords
Privacy
No tracking detected.
COUNTRY COUNCIL SOUTH DUBY


0 – Accounts at risk
0 – violations
0 pastes
0 – data leaks
0 – compromised passwords
Privacy
1 x ad tracker linked to the domain.
GLASGOW


1,427 – Accounts at risk
59 – Violations – 1 sensitive
8 – pastes – 5 Sensitive
3,654 – data leaks
1,358 – Compromised passwords
Privacy
No tracking detected.
BIRMINGHAM


https://www.birmingham.gov.uk/
2,873 – Accounts at risk
93 – violations
18 – pastes – 5 Sensitive
8,339 – data leaks
2,622 – Compromised passwords
Privacy
3 x third-party cookies recognized.
LINCOLNSHIRE


https://www.lincolnshire.gov.uk/
1,550 – Accounts at risk
63 – violations
14 – pastes – 2 Sensitive
3,931 – data leaks
1,453 – Compromised passwords
Privacy
The following were found associated with the domain:
2 x ad trackers discovered
2 x third-party cookies detected
Google Analytics was found to follow visitors across the internet
LEICESTER


2,635 – Accounts at risk
17 – violations
13 – pastes – 5 Sensitive
6,874 – data leaks
2,537 – Compromised passwords
Privacy
The following were found associated with the domain:
1 x ad tracker
There is an indication that this website may monitor keystrokes and mouse clicks.
NOTTINGHAM


http://www.nottinghamcity.gov.uk/
1,747 – Accounts at risk
18 – violations
14 – pastes – 4 Sensitive
4,796 – data leaks
1,585 – Compromised passwords
Privacy
The following were found associated with the domain:
4 x ad trackers discovered
There is an indication that this website may collect keystrokes from users.
This website informs Facebook about user visits to the website.
Google Analytics was found to follow visitors across the internet
BELFAST


https://www.belfastcity.gov.uk/
1,710 – Accounts at risk
50 – violations
7 – pastes – 4 Sensitive
2,798 – data leaks
1,064 – Compromised passwords
1 x third-party cookie detected
NORWICH


https://www.norwich.gov.uk/site/
287 – Accounts at risk
33 – violations
4 – pastes – 2 Sensitive
725 – data leaks
273 – Compromised passwords
No discoveries.
LIVERPOOL


2,910 – Accounts at risk
61 – violations
12 – pastes – 3 Sensitive
7,166 – data leaks
2,865 – Compromised passwords
No discoveries.
DEEP DIVE OSINT INSPECTIONS AND DISCOVERIES
Of the above domains, two (Lincolnshire and Nottingham) were selected for additional open source inspection. The results were similar, and equally worrying:
Lincolnshire: The Lincolnshire domain hosted the following identified vulnerabilities in its deployment:
13 HIGH areas of risk of security exposure
28 MEDIUM
73 LOW
3 INFO
This included discoveries related to unencrypted password pages, entities identified as malicious, and certificate issues. In addition, there were several blacklisted leak site entries and 223 co-hosted sites, as well as multiple hacked email addresses.
Nottingham: The Nottingham domain hosted the following identified vulnerabilities in its deployment:
9 HIGH areas of risk of security exposure
15 MEDIUM
79 LOW
Local councils
While doing this research, I also looked at the dispersed ward councils serving their local communities and, being aware that my own had just completed a web upgrade, I took it as the example for the sample. Here we are inspecting a domain that provides around 7,000 residents with information about their community and as such is by no means to be classified as critical. The points to be considered, however, are:
- Should such a domain be assured as secure?
- Should it be deployed in such a posture that it cannot be used as a jump point for other purposes?
- Should the domain take into account the possibility of takeover and misinformation?
- Should we expect those who develop such deployments to build security in?
After a very brief OSINT technical inspection, it was found that the updated site is hosting 508 security gaps and vulnerabilities:
493 HIGH
4 MEDIUM
11 LOW
No discoveries.
The discoveries covered a range of insecure areas: unencrypted web pages that capture passwords and credentials (see image below), poorly configured web technologies, multiple open unencrypted TCP/UDP ports, outdated and vulnerable SSH protocols, and security issues with digital certificates.
[Image: unencrypted web password and login input pages]

The question that arises here is this: at a time when many people suffer from compromises, data leaks and other forms of digital abuse, is it ethical to deploy such community-oriented websites in a totally insecure state, or should better be expected of those who deploy such websites on behalf of their trusting customers?
Note on HTTP scans
Even when a site has an inadequate security posture, examining it only at the SSL level can give a false sense of security. The Lincoln domain, for example, failed the HTTP check yet received an A rating in the Qualys SSL Labs report, while hstspreload.org reports an insecure status (see below):


HTTP scan rating: The reported grade is based on a 100-point scoring system in which each security gap the tool identifies costs a certain number of points, and some gaps are weighted more heavily than others. For example: no Content Security Policy, -25 points; Subresource Integrity not implemented, -50 points; and so on.
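The deduction-based scoring and the gap between a good TLS grade and a failing HSTS preload check can be reproduced against your own site's responses. The following is an added example, not the scanner's or the author's code: the -25 (no Content Security Policy) and -50 deductions are the two quoted above, with the -50 applied here to external scripts lacking an integrity attribute as an assumption; the HSTS weight, the function names and the sample response are constructed for illustration.

```python
import re

# Deductions on the 100-point scale. The 25 and 50 are the two quoted in the
# article; the HSTS weight is an assumption made for this example.
DEDUCTIONS = {"csp-missing": 25, "sri-missing": 50, "hsts-missing": 20}
MIN_PRELOAD_MAX_AGE = 31536000  # one year, the hstspreload.org minimum

# Constructed sample response: valid TLS says nothing about these values.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=86400"}
SAMPLE_HTML = '<script src="https://cdn.example/lib.js"></script>'


def hsts_preload_issues(value):
    """Return the reasons an HSTS header value is not preload-eligible."""
    if not value:
        return ["header absent"]
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    issues = []
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        issues.append("max-age missing or invalid")
    elif int(max_age) < MIN_PRELOAD_MAX_AGE:
        issues.append("max-age below one year")
    for required in ("includesubdomains", "preload"):
        if required not in directives:
            issues.append(required + " missing")
    return issues


def scan(headers, html):
    """Return (score, findings, hsts_issues) for one HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "content-security-policy" not in h:
        findings.append("csp-missing")
    if "strict-transport-security" not in h:
        findings.append("hsts-missing")
    # Any external <script> without an integrity attribute counts once.
    scripts = re.findall(r"<script\b[^>]*\bsrc=[\"']?(?:https?:)?//[^>]*>", html, re.I)
    if any("integrity=" not in tag.lower() for tag in scripts):
        findings.append("sri-missing")
    score = max(0, 100 - sum(DEDUCTIONS[f] for f in findings))
    return score, findings, hsts_preload_issues(h.get("strict-transport-security"))


if __name__ == "__main__":
    print(scan(SAMPLE_HEADERS, SAMPLE_HTML))
```

The sample response sends an HSTS header, so it loses no points for that, yet the header still fails all three preload requirements, which is the kind of mismatch between scanners described above.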
CONCLUSION
In conclusion, we need to focus on the fact that this is just a snapshot of a sample of live sites hosted in the UK to serve their local public, which is very worrying given that we are, globally, living in the age of cyber toxicity. Such concerns are compounded by the fact that the overall threat profile has been identified and reported by global authorities, including our own NCSC, yet we nonetheless encounter a lackluster security profile in the face of that threat.
What I find really annoying is that there is a wide variety of open source tools that can be used by anyone, from researchers to cybercriminals, and from government-sponsored actors to bedroom-based script kiddies trying to spread their wings in the world of potentially lucrative cybercrime. The open question that remains for me is this: if such tools are available, which they are, then why are local authorities and developers not using them to test their own security profile and posture, so that they can react to their own discoveries and secure their own deployments? Just a question.
Visiting professor
NTU
Visiting professor at the School of Science and Technology at Nottingham Trent University (NTU), visiting professor / lecturer at the University of Slavonia [to 2015], Independent Consultant, Practicing Expert, ENISA CEI Listed Expert, Editor …