By Chris Stokel-Walker
Hundreds of UK government websites have serious security vulnerabilities, putting them at risk of being hijacked by hackers, according to an investigation by a team of security researchers.
Of the 3220 domain names registered under the .gov.uk domain ending – encompassing everything from central government departments to local and district councils – 524 have unpatched vulnerabilities. In total, the 524 insecure websites, including the National Archives, the Scottish prosecution service and the Health and Safety Executive, have about 7200 vulnerabilities between them.
A team of security researchers working for IT companies in the private sector has scanned all public-facing government domain names and looked at the servers hosting each of the websites. They found a hotchpotch of security issues that they have described as “severely unsafe”.
As many government services are increasingly delivered digitally, there is often little choice but to use these systems. HMRC, the UK’s tax collector, was not flagged as having any issues.
The vulnerable domains each had at least one unresolved problem from the Common Vulnerabilities and Exposures (CVE) system, a list of publicly known software issues. It is good IT hygiene to regularly check for and fix any of the issues listed.
The CVE system rates vulnerabilities on a scale of 1 to 10, with 10 being the most dangerous, based on how easy they are to exploit and the consequences of such an attack.
The most commonly found vulnerability across the government websites, CVE-2018-17199, is rated a 7.5 on the CVE scale. Web servers with this vulnerability sometimes store cookies, which are used to verify who is accessing a website, longer than they should. This means that if an attacker steals someone’s cookie, which is a relatively easy task, they can access their account without needing to know their login details.
This vulnerability was posted on the CVE system in late January, but is still found 128 times across different .gov.uk domains. Some of the .gov.uk vulnerabilities have been known for more than a decade.
Hundreds of holes
EU data protection rules don’t require organisations to instantly patch vulnerabilities, but they are required to do so in a timely manner.
The analysis shows there are significant weaknesses in the UK government’s IT infrastructure, says Daniel Abbott, a security engineer at IT firm Node4, and part of the team. Many machines are using very old versions of software. “This demonstrates a lack of reasonable care and attention,” he says.
The domain with the most CVE issues – 266 vulnerabilities – is run by a parish council.
However, some central government services also have large numbers of unpatched holes. The former website of the Criminal Records Bureau, crb.gov.uk, which now forwards to the government’s Disclosure & Barring Service (DBS), an organisation that handles millions of criminal record checks for employers, has 133 vulnerabilities.
Many issues seem related to the fact that the website appears to use versions of server software that are nine years out of date. If the crb.gov.uk host is compromised, an attacker could divert users, such as those seeking a criminal record check to give to employers, to a third-party website and masquerade as the DBS, accessing personal details, potentially including past criminal convictions offered up by users.
The Scottish prosecution website, copfs.gov.uk, has no SSL encryption to protect data sent to and from the website. This is not a CVE, but doesn’t follow good security practice because it allows anyone able to intercept the web traffic to the server to read and modify it.
“Poorly managed services can allow hackers to gain backdoors into secure government networks,” says James Sawyer, part of the team. That allows hackers to then launch attacks.
Unpatched vulnerabilities made the WannaCry attack in 2017 possible, in which ransomware hit more than 300,000 computers worldwide, including thousands used by the NHS. Microsoft had already released a fix for the vulnerability exploited by WannaCry, but many computers had yet to install it.
“It seems that there is a problem,” says Robert Baptiste at French security company fsecurity, who wasn’t involved in the investigation. But until there is evidence of these vulnerabilities being exploited, it is difficult to say how much of an issue they are, he says.
Not every website with a vulnerability can be hacked. So hackers test them to see if they can perform attacks, such as stealing personal information.
The UK government told New Scientist it takes cybersecurity seriously and will investigate thoroughly. It added that departments routinely test their own sites for vulnerabilities and fix any that are found. “The public should remain confident that all details held on gov.uk are safe and secure,” said the Cabinet Office.
More on these topics: