
CEOP accused of misleading public over site security fail

The person who discovered that the child abuse reporting mechanism on the website of the Child Exploitation and Online Protection Centre was insecure has reacted with anger to suggestions from the agency that the flaw had only affected surfers visiting the site from either Facebook or Google. He says that contrary to CEOP's …

COMMENTS

This topic is closed for new posts.

Re only affected surfers visiting the site from either Facebook

Considering the fuss CEOP made about panic buttons on Facebook why do they say "only" and describe those reporting possible perverts as "surfers"?

11
0

so everyone

who posted via BT or Virgin had their entire submission stored in the HTTP accelerator caches for the PFYs to scan, download and sell to the papers. This will have the ACPO in an uproar as selling "breaking" info to the press is one of their revenue streams.

5
0
FAIL

Slightly Off-topic...

Considering how much of a song and dance CEOP made about getting the fb panic button added, I'm amazed not to have heard them release any figures about how many children have been "saved" by its very presence...

Call me cynical, but could that be because the number is so close to zero that it would be embarrassing for them to admit that it WAS the waste of time everyone told them it would be? Hmmm...

9
0

Number of incident reports through the CEOP reporting website

6,291 intelligence reports have been received by the CEOP Centre – a culmination of reports through the public ‘ClickCEOP’ reporting mechanism, from the online and mobile industries and law enforcement partners in the UK and overseas.

Page 11 of http://www.ceop.police.uk/Documents/CEOP_AnnualReview_09-10.pdf

0
0
g e
Silver badge

CEOP

Cynical

Entrepreneur

Ogles

Paycheck

9
1
FAIL

Not very good with hyperlinks in general

I noticed this on one of their advertised jobs: the two hyperlinks in the listing are to CEOP's own Outlook Web Access site, rather than to www.ceop.police.uk or the mailto: link intended. Copy/paste job gone wrong? (http://www.ceop.police.uk/Recruitment/Vacancies/Head-of-Behavioural-Analysis-SG2-/)

Clicking on the OWA link shows that there is no current SSL cert installed on that site either. Now, if it were for their GSI email then you could argue that it's on a secure network, but this is for their non-GSI mail, accessible outside of the secure Government network and therefore theoretically at risk of interception.

Technical Details

owa.ceop.gov.uk uses an invalid security certificate.

The certificate expired on 25/09/2010 00:59. The current time is 03/05/2011 12:47.

(Error code: sec_error_expired_certificate)

7
0
FAIL

not so much

Just because it's expired doesn't mean it's not secure.

All it means is they've not paid for a new one. They don't magically switch off when a date passes.

0
2
Anonymous Coward

but not exactly best practice?

Part of the security offered by SSL is that not only the link is encrypted, but you know that the site you're sending your confidential information to is who it says it is.

CEOP's internal users become used to ignoring security warnings - and lo, they're trying to pick up email in a hotel lobby at a conference for Paedofinders General and someone's hijacked the wifi and is spoofing CEOP's webmail. Perhaps not very likely, but possible.

Anyway, we have an organisation that can't be bothered to check the links in a job posting on their public website and can't be bothered to renew their SSL certs. An organisation that doesn't secure their report-a-paedo web pages. No wonder industry players were so loath to take instruction from them on how to build web services.

1
0
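As an added illustration of the two points argued in the posts above (an expired certificate and a certificate that does not name the site you meant to reach), here is a small Python check of the kind a browser performs before it decides whether to warn. It is not code from any poster, from The Register or from CEOP. The certificate dicts are constructed by hand in the shape `ssl.SSLSocket.getpeercert()` returns; the expiry date and hostname mirror the error quoted in the thread, the `notBefore` date and the second "wrong name" certificate are assumptions for the sake of the example, and all times are treated as UTC.

```python
"""Browser-style certificate assessment: validity period plus hostname identity.

Added example for this comment thread, not code from the posters, The Register
or CEOP.  Uses only the standard library; ssl.cert_time_to_seconds() is the
parser for the 'Sep 25 00:59:00 2010 GMT' strings getpeercert() produces.
"""
import ssl
from datetime import datetime, timezone


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leading wildcard label covering exactly one label."""
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        host_labels = hostname.split(".")
        # '*.example.net' covers 'wifi.example.net' but not 'a.b.example.net'
        return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]
    return False


def cert_validity_findings(cert: dict, hostname: str, now: datetime) -> list:
    """Return human-readable problems with the certificate; an empty list means OK.

    cert carries the getpeercert() keys 'notBefore', 'notAfter' and
    'subjectAltName' (a tuple of ('DNS', name) pairs).
    """
    findings = []
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)

    # Validity period: an expired certificate still encrypts, but the CA's
    # statement about who holds the key is no longer being vouched for.
    if now < not_before:
        findings.append(f"certificate not valid until {not_before:%Y-%m-%d %H:%M} UTC")
    if now > not_after:
        days = (now - not_after).days
        findings.append(
            f"certificate expired on {not_after:%Y-%m-%d %H:%M} UTC ({days} days ago)")

    # Identity: the name we connected to must appear in subjectAltName, otherwise
    # the session may be encrypted to whoever is answering on this network.
    san_names = [name.lower() for kind, name in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if not any(_dns_name_matches(p, hostname.lower()) for p in san_names):
        findings.append(f"hostname {hostname!r} not present in subjectAltName {san_names}")
    return findings


# Constructed sample mirroring the expired OWA certificate quoted above
# (expired 25/09/2010 00:59, checked 03/05/2011 12:47).  notBefore is assumed.
OWA_CERT = {
    "subject": ((("commonName", "owa.ceop.gov.uk"),),),
    "subjectAltName": (("DNS", "owa.ceop.gov.uk"),),
    "notBefore": "Sep 25 00:59:00 2009 GMT",
    "notAfter": "Sep 25 00:59:00 2010 GMT",
}
CHECK_TIME = datetime(2011, 5, 3, 12, 47, tzinfo=timezone.utc)

# Constructed sample of an in-date certificate for some other name, the kind a
# hijacked hotel network might present instead of the real webmail site.
WRONG_NAME_CERT = {
    "subjectAltName": (("DNS", "wifi.example.net"), ("DNS", "*.example.net")),
    "notBefore": "Jan 01 00:00:00 2011 GMT",
    "notAfter": "Jan 01 00:00:00 2012 GMT",
}


def main() -> None:
    for label, cert in (("OWA (expired)", OWA_CERT), ("wrong name", WRONG_NAME_CERT)):
        problems = cert_validity_findings(cert, "owa.ceop.gov.uk", CHECK_TIME)
        print(label, "->", problems or "no problems")


if __name__ == "__main__":
    main()
```

Run as a script it reports the 220-day-old expiry on the first certificate and the name mismatch on the second; the point is that a user trained to click through the first warning has no way of distinguishing the second, which is exactly the risk the post describes.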
Grenade

CEOP haven't a clue

Hit the useless totcdanglers* hard Terry!

*Think Of The Children Danglers

1
0
Silver badge
FAIL

a "technically advanced" hacker

CEO-speak for "anybody who can actually do more than just PowerPoint"

0
0
Gold badge

Frankly...

the lack of https use is not great, but it is to their credit that they at least fixed it quickly once they were told about it. They should have run SSL from the start, but realistically I do assume the "man in the middle" is much more likely to be looking for credit card numbers and bank account info than looking for use of CEOP web site.

On the other hand, saying it was only unencrypted when coming from Facebook or Google is a flat-out lie, and that is pretty inexcusable.

1
0