Local Authorities – Is Uncertainty In Their DNA?


Most readers will have noticed the extent of successful cyber attacks on public services such as government, and especially on dispersed local agencies. The US Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and the UK National Cyber Security Centre (NCSC) have published a joint technical alert about malicious cyber activity. According to the alert, the targets of such activity are primarily government and private organizations, critical infrastructure providers, and the Internet service providers (ISPs) who support these sectors – right? In fact, as early as 2018, Big Brother Watch published a paper entitled Cyber Attacks in Local Authorities, which can be found at the following URL:


However, despite the notifications, warnings and notices that continue to be circulated, they seem to be falling on deaf ears, as the Lincolnshire local authority falls victim, through a third-party outsource provider, to a ransomware attack. Add to that a report by insurance broker Gallagher, which found that local councils across the UK faced up to 263 million cyberattacks in the first half of 2019, averaging around 800 cyberattacks per hour (as detected through Freedom of Information (FOI) requests).

The real concern here, of course, is that it is not just the UK that suffers from such adverse attention. Considering the drive for digital transformation and smart cities, such as the NEOM project in Saudi Arabia, one can only assume that such security-dependent deployments have somehow overcome the uncertainty problem and are being built within an overarching security framework supported by a robust security structure – but I have my doubts!

With these known-knowns, and the data and information above in the back of my mind, I started a small research project to assess, using open source methods, the general security posture of a sample of 10 + 1 local authority domains, as well as a local council that has just undergone a major upgrade of its website.

My overarching concern here is that local authorities, government agencies, and the evolving transformed smart cities hold, and will hold, significant amounts of data about their local populations, and as such the risk is increased by how publicly exposed their local digital presence is!

The 10 + 1 domains, sampled at random, were rated against a number of criteria listed below. The results are, or should be, of great importance to any resident who falls within the scope of their data collection, and one can only infer how high the uncertainty will be for those that have not been assessed.



5,621 – Accounts at risk

128 – violations

38 – Pastes – 5 Sensitive

14,498 – data leaks

5,360 – Compromised passwords


No tracking detected.



0 – Accounts at risk

0 – violations

0 pastes

0 – data leaks

0 – compromised passwords


1 x ad tracker linked to the domain.



1,427 – Accounts at risk

59 – Violations – 1 sensitive

8 – pastes – 5 Sensitive

3,654 – data leaks

1,358 – Compromised passwords


No tracking detected.



2,873 – Accounts at risk

93 – violations

18 – pastes – 5 Sensitive

8,339 – data leaks

2,622 – Compromised passwords


3 x third-party cookies recognized.



1,550 – Accounts at risk

63 – violations

14 – pastes – 2 Sensitive

3,931 – data leaks

1,453 – Compromised passwords


The following were found associated with the domain:

2 x ad trackers discovered

2 x third-party cookies detected

Google Analytics was found to follow visitors across the internet



2,635 – Accounts at risk

17 – violations

13 – pastes – 5 Sensitive

6,874 – data leaks

2,537 – Compromised passwords


The following were found associated with the domain:

1 x ad tracker

There is an indication that this website may monitor keystrokes and mouse clicks.



1,747 – Accounts at risk

18 – violations

14 – pastes – 4 Sensitive

4,796 – data leaks

1,585 – Compromised passwords


The following were found associated with the domain:

4 x ad trackers discovered

There is an indication that this website may collect keystrokes from users.

This website informs Facebook about user visits to the website.

Google Analytics was found to follow visitors across the internet



1,710 – Accounts at risk

50 – violations

7 – pastes – 4 Sensitive

2,798 – data leaks

1,064 – Compromised passwords


1 x third-party cookie detected



287 – Accounts at risk

33 – violations

4 – pastes – 2 Sensitive

725 – data leaks

273 – Compromised passwords


No discoveries.



2,910 – Accounts at risk

61 – violations

12 – pastes – 3 Sensitive

7,166 – data leaks

2,865 – Compromised passwords


No discoveries.


Of the above domains, two (Lincolnshire and Nottingham) were selected for additional open source inspection and discovery. The results were similar, and equally worrying:

Lincolnshire: The Lincolnshire domain hosted the following identified vulnerabilities in its deployment:

13 HIGH areas of risk of security exposure

28 MEDIUM

73 LOW

3 INFO

This included discoveries related to unencrypted password pages, entities identified as malicious, and certificate issues. In addition, there were several blacklisted leak site entries and 223 co-hosted sites, as well as multiple hacked email addresses, for example the redacted one below:

[email protected]

Nottingham: The Nottingham domain hosted the following identified vulnerabilities in its deployment:

9 HIGH areas of risk of security exposure

15 MEDIUM

79 LOW

Local councils

While doing this research, I also looked at the scattered ward councils serving their local communities and, being aware that my own had just completed a web upgrade, I took it as the example for the sample. Here we are inspecting a domain that provides around 7,000 residents with information about their community and as such is by no means to be classified as critical – but the points to consider are:

  • Should such a domain be asserted as secure?
  • Should it be deployed in such a posture that it cannot be used as a jump point for any other purpose?
  • Should the domain take into account the possibility of takeovers and misinformation?
  • Should we expect those who develop such deployments to build security in?

After a very brief OSINT technical inspection, it was found that the updated site is hosting 508 security gaps and vulnerabilities:

493 HIGH


11 LOW


No discoveries.

The discoveries covered a range of insecure areas: unencrypted web pages that capture passwords and credentials (see image below), poorly configured web technologies, multiple open unencrypted TCP / UDP ports, outdated and vulnerable SSH protocols, and security issues with digital certificates.

Unencrypted web passwords and input pages for login information

The question that arises here is this: at a time when many people suffer from compromises, data leaks and other forms of digital abuse, is it ethical to develop such community-oriented websites in a totally insecure state, or should the trusting customers who rely on such websites expect better?

Note on HTTP scans

A site can be built on an inadequate security posture and yet, if it is examined only at the SSL level, give a false sense of security. The Lincoln domain failed the HTTP check, while the Qualys SSL Labs report gave it an A rating and hstspreload.org reports it as unsafe (see below):

HTTP scan rating: The reported grade is based on a 100-point rating system in which each security gap the tool identifies carries a certain number of penalty points, and some gaps are weighted more heavily than others! For example, no Content Security Policy: -25 points. Subresource Integrity not implemented: -50 points, and so on!
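The deduction model described in the note, and the reason a good SSL-only grade says nothing about it, can be shown with a small header audit. This is an added example, not code from the original article or from the scanning tool it used; only the 25- and 50-point penalties come from the text, while the other weights, the function names and the two sample responses are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Penalty points. Only the first two weights come from the note above;
# the remaining weights are assumptions made for this illustration.
PENALTIES = {"csp-missing": 25, "sri-missing": 50, "hsts-missing": 20,
             "nosniff-missing": 5, "cookie-not-secure": 20}
REQUIRED = {"content-security-policy": "csp-missing",
            "strict-transport-security": "hsts-missing",
            "x-content-type-options": "nosniff-missing"}

class ScriptAudit(HTMLParser):
    """Collect external <script> sources that carry no integrity attribute."""
    def __init__(self):
        super().__init__()
        self.unpinned = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if (tag == "script" and src.startswith(("http://", "https://", "//"))
                and not a.get("integrity")):
            self.unpinned.append(src)

def audit(headers, body):
    """Score one HTTP response: start at 100, deduct per finding, floor at 0."""
    names = {name.lower() for name, _ in headers}
    findings = [f for header, f in REQUIRED.items() if header not in names]
    for name, value in headers:
        flags = [part.strip().lower() for part in value.split(";")]
        if name.lower() == "set-cookie" and "secure" not in flags:
            findings.append("cookie-not-secure")
            break
    parser = ScriptAudit()
    parser.feed(body)
    if parser.unpinned:
        findings.append("sri-missing")
    return max(0, 100 - sum(PENALTIES[f] for f in findings)), findings

# Constructed sample responses (not taken from any scanned council site).
WEAK = ([("Content-Type", "text/html"),
         ("Set-Cookie", "session=abc123; Path=/; HttpOnly")],
        '<script src="http://cdn.example.test/lib.js"></script>')
HARDENED = ([("Content-Security-Policy", "default-src 'self'"),
             ("Strict-Transport-Security", "max-age=63072000"),
             ("X-Content-Type-Options", "nosniff"),
             ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure")],
            '<script src="https://cdn.example.test/lib.js" '
            'integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>')
if __name__ == "__main__":
    print(audit(*WEAK), audit(*HARDENED))
```

Nothing in this score depends on the certificate or cipher configuration, which is why a site can hold a top SSL grade and still score zero here.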


In conclusion, we need to focus on the fact that this is just a snapshot of a sample of live sites hosted in the UK to serve their local public, which is very worrying given that, globally, we are living in the age of cyber toxicity. Such concerns are compounded by the fact that the overall threat profile has been identified and reported by global authorities, including our own NCSC, and yet we still encounter a lackluster security profile in the face of that threat.

What I find really annoying is the fact that there is a wide variety of open source tools that can be used by anyone, from researchers to cybercriminals, and from government-sponsored actors to bedroom-based script kiddies trying to spread their wings in the world of potentially lucrative cybercrime. The open question that remains for me is: if such tools are available, which they are, then why are local authorities and developers not using them to test their own security profile and posture, so that they can react to their own discoveries and secure their own deployments? Just a question.


Visiting professor at the School of Science and Technology at Nottingham Trent University (NTU), visiting professor / lecturer at the University of Slavonia [to 2015], Independent Consultant, Practicing Expert, ENISA CEI Listed Expert, Editor …
