Cross-site scripting (XSS) vulnerabilities on the National Health Service's website created a means to send spoofed emails with dodgy medical advice. The vulnerabilities, now fixed, also created a potential means to run information-harvesting attacks. Various security shortcomings on the main nhs.uk website established a means …
WTF - two weeks
Two weeks to contact the web site administrators. Epic fail.
"he contacted staff at NICE, the SANS Institute, UK CERT and the offices of politicians, among others"
Ah! Now I understand. He tried to contact a foreign organisation (SANS Institute) or someone in a bedroom in Sutton (UK CERT).
I know the NHS isn't true government, but a better starting point would have been http://www.govcertuk.gov.uk/. Alternatively one of the other members of FIRST located in the UK http://www.first.org/.
govcertuk.gov.uk were the people that arranged for the websites to be fixed in the end, SANS took it seriously and made sure that the emails got through. The NHS was contracted to an American firm called CSC, the NICE website is not under the govcertuk.gov.uk's brief and so they did nothing about it even though it was demonstraed graphically that the guidelines to doctors could be altered.
SANS were the first people to take it seriously btw, politicians and civil servants an the media, were contacted, the webmaster ignored the emails. Since the Home Office issued a statement stating that xss exploits were "trivial" a week before the discovery of this, it wasn't until it wasn't pointed out that the public could be poisoned that govcertuk took it any notice at all and then they still had to go find the third party responsible for maintaining the website.
FAIL: the government not being able to spot this kind of risk to the British public
FAIL: the webmasters, politicians, civil servants, media who ignored it
FAIL: govcertuk not being able to pull the switch on the NICE guidelines for doctors (though good job on the NHS)
Did you actually try the contact us form at the top of the site?
Yes. My current theory is that the contact us form goes to an administrator who doesn't have any technical knowledge or that the messagelabs software widely used by the government does not like mentioning XSS or having Proof of Concepts in them. In particular the Civil Service bounced messages repeatedly. One thing I didn't think of though, I could have used the flaw in their own email system to send them details of their own vulnerabilities that might have got through the system.
If you read the sla.ckers.org forum it does mentioned that when trying to get the Doctors NICE guidelines secure, that the communications coordinator seem entirely incapable of understanding anything to do with the problem.
My emails state that govcertuk was told on the 18th August, 8 days after having tried to contact webmaster and only after SANS appeared to do something. They responded on the 19th that they would look into it, the first repair was done on the 20th but the second vulnerability with the email system wasn't fixed it was "hidden" rather than repaired. At the same time govcertuk would not do anything with the doctors guidelines and after failing to convince the communications coordinator about the serious nature of the problem, I went to their contractors (who never created the software) and the ISP hosting the website. I believe that they only took the vulnerabilities seriously when I questioned whether their liability insurance covered the possibility of poisoning the British public. (by that time I was rather tired).
I have yet to have a reply from any MP or civil servant including the gentleman responsible for the government's twitter policy in the Department of Communications, Mr Neil Williams, who may not read his email.
...that you ever reached anyone at all. I have totally given up on ever being able to contact anyone with anything remotely like this. One random example: Virgin Media (ex NTL) send out automatic emails for things like e-bills that lack a Date: header, which causes them to fall foul of some spam filters. They obviously know that a lot of their messages end up in spam filters because they have a FAQ that says "look in your spam folder", but it is simply impossible to get past the layers of "front line support" to reach the person who would benefit from the information. Many other examples....
I found another one today, the website has a form to fill out to "contact us", if you put in Proof of Concept code, it crashes the backend. FAIL
In the end I am left with leaving message on phones, emailing PR people in the hope they'll pass on the message and once again going to govcertuk to see if this one is under their jurisdiction.
Two things disturb me about this. The US Airforce has a cyber warfare unit (there's an article on here by Lewis Page) and CSC who repaired the NHS are an American company that also supply err, the new US Airforce cyber warfare unit. (It's in their newsroom)
Secondly I tried everything including posting on the Team Elite forums and contacting them, with no success, because they had found a vulnerability in MI5's website you would think that they were being monitored or at least knew "someone". No luck there, so how could our security services have missed such a massive chance for "the enemy" to poison the UK with just an email and a few hours programming? And the Home Office refers to xss vulnerabilities as "trivial".
My coat's the one filled with shock and frustration.
WTF el Reg
Not decrying Philip's work here at all. Nasty bug, and shockingly bad - if perhaps a little unsurprising - communications process to try and get it resolved. Ahhh, bureaucracy...
I am kind of amused by el Reg's sanctimonious tone in the article though. It's not like they were quick off the mark with this one themselves.
Badgers, just because.
- One HUNDRED FAMOUS LADIES exposed NUDE online
- Twitter: La la la, we have not heard of any NUDE JLaw, Upton SELFIES
- China: You, Microsoft. Office-Windows 'compatibility'. You have 20 days to explain
- Apple to devs: NO slurping users' HEALTH for sale to Dark Powers
- Rubbish WPS config sees WiFi router keys popped in seconds