This is starting to get a little tedious. The Bedfordshire Police website has just been taken down after it was discovered that every page had been replaced by an animated man carrying a Tunisian flag. Underneath, according to the BBC, was a green symbol and a Muslim prayer written in Arabic. Don’t bother clicking on the link: …
Not the only site..
It's not the only site compromised at the moment.. I've identified nearly 30 local and national government sites recently hit by SQL injection attacks.
Extreme thought crimes?
Perhaps some malcontent hacker has decided to seed Home office and Police computers with potentially illegal anime and other extreme porn. Probably a library of some of the less tasteful anime pics featuring suspiciously youthful looking career girls with a taste for frilly clothing and a compulsion to investigate incidents involving be-tentcaled beasts from another plane of existence.
Possibly they're proactively uploading publicly available documents in a pre-emptive strike. Just in case the Home office decides that other documents such as the Bible, the Tora or the Koran are suddenly in contravention of one or more public order or obscenity laws.
Hey, stranger things have happened. Perhaps they're filling the computers with pictures of Optimus Prime in case of an anti-Transformer jihad?
Shock, Gasp.. nope.. sorry.. not surprised
West Yorkshire Police had until October last year open wifi access to their building on Westgate / Grace Street Leeds (might still be open, haven't looked recently). A simple look through the window meant you could see all their Domain Controllers. Beyond that I did not look.
Are you re-assured?
Nope, I'm not surprised either.
Of course I won't be surprised when someone in the Government starts demanding that "Something must be done!" and starts another ill-judged crusade against "hacking tools" or some other nonsense.
Since everyone is using CMSes, these days, and poorly-written ones, at that, this has become a powerful vector. I'm flabbergasted by how few people know how to use mysql_real_escape_string().
The dark side of MySQL/PostgreSQL...
Where Your Data Lives
I know many people that prefer to use the phone or mail to make transactions/applications.
They do this because "The Internets have Leaky Tubes."
The problem is that the organization that receives your info then puts it on their server, which has a tube plugged straight into the Internets via an old LynkSys router.
... the Rozzers (or their contractors) don't or can't practice what they preach. They're not technology experts (although they are expected to investigate and prosecute technology crimes) so it should be unsurprising when things go wrong.
Paris, because I prefer her hot fuzz.
Borat da H4x0r Muppet more like! That UBend site is a screaming spoof. Hope it stays up, I bookmarked it.
"The dark side of MySQL/PostgreSQL..."
Injection attacks aren't limited to those products or the interpreter either.
Isn't this good news?
"The website is hosted externally, away from all other police systems so no personal or confidential data could have been obtained."
That is the type of statement that gives me confidence, that is good sound administration.
Am I re-assured? Oh yes!
"This was a hack that effectively “skimmed the surface” of the website, without connecting with any deeper database functionality."
So they're implying that if it had connected to the databases, it might have revealed personal information on the public?
Implying that sensitive databases are accessible by their web server?
That wouldn't surprise me, we the public should have a right to sue the government under the DPA for each and every screw up they make with our personal information.
It's time the British public stop bending over and taking it up the a**e from this pathetic excuse of a government.
The vulture, because that's what this country will become if something isn't done.
"without connecting with any deeper database functionality"
But when you use your webapp to view your database entries, how do you know that the webapp is reporting what is in the database?
If the webapp isn't needed for reading the database, why is it there? Contractor pork?
I'm so glad the Home Office takes IT security so seriously...
Quote: 'The Home Office bods “take information very seriously”. This incident will now be included in a review of the security of its websites, undertaken by the Independent Reviewer of Information Assurance, and due to report back in Spring 2009.'
Must be a very thorough review, already in progress and continuing until Spring 2009. And after it reports it will take no more than (lets be optimistic) three months to fully implement all of the excellent security recommendations. I'm so relieved that leaves such a tiny window of opportunity of about ***ONE WHOLE F*CKING YEAR*** for assorted miscreants to hack the Home Office and pinch our personal data, etc.!
Yep, I'd give up all my personal biometric data to these people. And I'd trust them to not abuse detention without trial. And I'm sure they wouldn't dream of using evidence obtained by torture from people kidnapped by the CIA and taken to Aghanistan, Morocco, <insert name of country lacking in human rights here>.
I actually live in Bedfordshire and can testify beyond a shadow of a doubt that the police force don't have a clue how to catch a real criminal, let alone work out how or who committed this jocular offence. Muldar and Scully would be the best people to call in.
Sorry guys and girls of Bedfordshire's finest, but i my eyes you're just community support officers (sorry, ex traffic wardens) not REAL police.
quote "Sorry guys and girls of Bedfordshire's finest, but i my eyes you're just community support officers (sorry, ex traffic wardens) not REAL police." /quote
And they're different from any other UK police force how exactly !!
To Gareth Pye
I think you are write that the sites seporation from other information has proven a wise move.
Peronaly I cant wait for all my personal and bimetric data to be online so anyone can see it and we can stop relying on it to prove my identaty.
The Hacker's Site.. (translated)
I have been researching on Arfaoui FirAs .. the hacker of the bedfordshire police site.. and how found his website.. The website was originally in Arabic, therefore i have used google's Free Translator, here is the link; http://www.google.com/translate?u=http%3A%2F%2Fwww.xtobi.ektob.com%2F&hl=en&ie=UTF8&sl=ar&tl=en
I think the details given may be misleading though. As reports say he is living in the U.S
I have Posted Anonymously just because of that. the hacker may not want people looking at his personal information
"..when the technological explanation appears and we are assured that whilst the website was hacked, no-one could possibly have wormed their way through to anything more sensitive, there is a credibility gap. One of the biggest obstacles to data centralisation is public confidence. This destroys it."
Yes it destroys public confidence but would that actually be an obstacle to implementing ID cards. Surely the more sites that get hacked the more we need ID cards and scanning. The more DVD's with biometric data they lose the more we need ID cards. The public will be completly convinced we don't want ID cards and the government will be even more convinced we actually want them.