NHS website hit by MASSIVE malware security COCKUP

Hundreds of URLs on the NHS website have been flooded with malware by hackers and - at time of writing - it remains exposed. The security blunder was first spotted early this morning and an alert was posted on Reddit along with a list of 587 pages said to have been compromised on the www.nhs.uk site. The Register put calls in …

COMMENTS


  1. Joe 35

    Anyone else find the word "collapse" at the bottom of that twitter post amusing?

    1. R 11

      What an unlucky coincidence that their typo pointed to a malicious domain that was registered yesterday.

      I think one of two things could have happened. They did make a typo, but left it hanging around long enough for someone to notice. That person then registered the domain and took advantage.

      The alternative is that they were simply hacked and the pages were maliciously altered.

      To me, the first scenario seems the more likely screw-up. And therein lies a lesson to everyone in the dangers presented by typos, particularly when you're trusting code from other domains.

  2. NormansLament
    FAIL

    How they want to hold my health records.

    No fucking way José

    1. Anonymous Coward

      Re: How they want to hold my health records.

      Your records are going to be held digitally, the days of paper records are over. So, you have a choice - do you get each individual surgery to handle records, with software they choose, supported by whoever they choose. Or do you get a larger organisation who can notice a problem on a Sunday and have a fix in place on Monday?

      Also, a web site is supposed to be internet facing, your records aren't, it's unlikely that malware on a web site would expose your records.

      That said, it's true that capita don't exactly have a brilliant reputation...

      1. I. Aproveofitspendingonspecificprojects

        I'm OK

        My doctor uses Windows so I can rely on being able to access it all without too much difficulty.

        1. Anonymous Coward

          Re: I'm OK

          @ I. Aproveofitspendingonspecificprojects - Go on then, hack your own records and when you've done it let your local NHS trust know, cc The Register. Until that point and while I do accept you're probably joking, please put a sock in it, the whole "Windows is so insecure anyone can hack it" meme is very tired and clearly incorrect.

          1. asdf
            Trollface

            Re: I'm OK

            >please put a sock in it, the whole "Windows is so insecure anyone can hack it" meme is very tired

            The butt hurt is strong with this one. The joke was so lame I went right by until you caused me to reread the original post.

        2. Anonymous Coward

          Re: I'm OK

          My GP wants to know why all the NHS desktops can't be locked down Linux, to cut admin costs and reduce the chance of viruses and trojans.

          He's a supporter of preventive medicine.

          1. Anonymous Coward

            Re: I'm OK

            I think I know who your GP is. He's the guy running his surgery on a custom rolled version of *nix because it's "more secure". He is specifically unsupported by the vendors of the software he relies on who have made it abundantly clear that his custom edited version of their software is not supported, recommended or sensible and privately say a great deal more despairingly in fear of one day them being required to support this setup when the disaster occurs. He has no disaster recovery plan, or backups.

            His servers are not in racks, they are liberally spread across the floor of a room with power and network cables providing a set of tripwire security, in that when anybody walks into the room chances are good that the entire surgery will suddenly lose everything, and the county level support people will get a call. It's happened before, and the support techs actually beg not to be sent there.

            He's also the GP who doesn't realise that the majority of the software that people need to do their jobs only works on Windows. He doesn't know this, because patients (quite bloody rightly!) avoid him in favour of his overworked, but competent colleague so he doesn't have to do much in the way of medical work. Unfortunately this leaves him more time to tinker with IT stuff, yet he still hasn't heard of AD or GPOs and doesn't realise that you can lock Windows boxes down quite thoroughly.

            He is a real person, IIRC his surname begins with "M", the county he is in begins with "S" and the name of the town that has the misfortune of him being its GP starts with "F". Correct?

            Anon, for obvious reasons!

            1. Anonymous Coward

              Here's the official NHS IT Net router installation

              As you can see, it uses an equipment cabinet.

              As a shelf.

              www.flickr.com/photos/79701911@N00/3270608094/


              That was a few years back ...

              Here's the official replacement using a more modern Cisco router and put in by the official contractor under the management and supervision of the NHS

              http://www.flickr.com/photos/midgley/9068055498/


              As you can see, it uses a plastic bucket, upside down.

              Still, it is reassuring to know that these systems are installed and supported by professionals in salaried IT jobs, rather than by either self-employed doctors who know they depend on them for their business to succeed and their patients to be safe, or anyone they may employ directly and supervise themselves.

              Meditel System 5 by the way, the first widespread and well-designed GP automation system (mainly EMR and prescription printing but some decision support etc) was before Windows, and ran on Xenix.

              People who think it is all on Windows or needs to be on Windows are likely to be young.

              1. Roland6 Silver badge

                Re: Here's the official NHS IT Net router installation

                "People who think it is all on Windows or needs to be on Windows are likely to be young."

                So we can expect the replacement for that 'modern' Cisco router to be some form of PC, because "software defined networking" is now in...

      2. Anonymous Coward

        Re: How they want to hold my health records.

        " it's unlikely that malware on a web site would expose your records."

        However it is highly likely that malware could end up on the main records servers due to a combination of incompetence and poor training at all levels and then it's game over. At least if a surgery gets hacked it's just the patients at that one surgery that have to worry - not the entire bloody country.

        1. Anonymous Coward

          Re: How they want to hold my health records.

          It's doubly unlikely seeing as the NHSChoices website has no access whatsoever to health records.

      3. Fatman

        Re: How they want to hold my health records.

        That said, it's true that capita don't exactly have a brilliant reputation...

        You made a mistake, I have corrected it below:

        That said, it's true that cRapita don't exactly have a brilliant reputation...

        There, much better!!!

      4. Bod

        Re: How they want to hold my health records.

        "Or do you get a larger organisation who can notice a problem on a Sunday and have a fix in place on Monday?"

        I had quite a chuckle at that one. We're talking public sector IT here.

        1) They won't notice the problem

        2) No one knows what to do about the problem and the original supplier has probably gone under or is deemed too expensive to use for ongoing support

        3) It will go round and round for months until someone quotes £5m to fix it and then it takes a year to fix it and the end cost has risen to £10m. For something that's probably a 10 minute job to fix.

        1. Anonymous Coward

          Re: How they want to hold my health records.

          @Bod

          "3) It will go round and round for months until someone quotes £5m to fix it and then it takes a year to fix it and the end cost has risen to £10m. For something that's probably a 10 minute job to fix."

          Or the original supplier comes along with V2.0 and says for umpty million quid all your current problems will be solved! Though of course they won't mention they'd have a whole lot of new ones to contend with and they won't explain why they didn't backport the fixes to version 1.0 either.

      5. Anonymous Coward

        Re: How they want to hold my health records.

        There is a limited range of software for General Medical Practice automation, basically EMIS, SystmOne and Vision, and a very few smaller suppliers. We don't each make it up for ourselves, although as it happens, I could.

        Support comes as a package with the software, and is backed up by local area teams, whose offices are close enough that were we to really need to get hold of them and discuss something, are not far away.

        If the main store is on a server far far away, connected by one piece of wet string to one corner of the building, via one trunk line, then you may feel that secures the records (perhaps you've not been bothered about GCHQ/NSA) however some form of client software is still required on whatever runs on our desktops.

        GPs invented this stuff, and got it going quite well, with various IT heroes from the dawn of time. The direction of development nowadays is toward management control, national objectives etc, and as you would expect is entirely benign and in tune with all ethical and practical considerations, as well as being backed up by management, development, and system administration whose excellence is really legendary.

        I'm a GP. My coat? The one with the gaffer tape over the namebadge, thanks.

  3. Irongut

    There's a reason they're called Crapita.

    1. Anonymous Coward

      Crapita should read this page

      www.nhs.uk/Conditions/vaccinations/Pages/How-vaccines-work.aspx

      1. geekguy

        Re: Crapita should read this page

        And again Capita do not run the NHSChoices website and haven't done for 1 year, it is run by HSCIC.

  4. Gordon Pryra

    Outsource outsource outsource

    The results are always great

  5. JohnMurray

    Now, about all that extremely sensitive data on your/my/their children that crapita also manage?

  6. Arachnoid
    IT Angle

    You`ll be glad to know...

    It's not a virus you've got, it's just the flu

    1. Richard Taylor 2
      Happy

      Re: You`ll be glad to know...

      which is, yes, you guessed it, a virus

  7. Richard Jones 1
    WTF?

    No Health Support For People Or Their Data

    I assume that as a minimum they have blocked ALL access to this dangerous mess?

    I am not going to try accessing them. I will look into a router block in a few moments.

    Then they did put up a warning that the site may affect the health of your data equipment?

    Or it action on an NHS waiting list?

    Is that the sound of a new Concorde whooshing across the skies or the sound of confidence in NHS records leaving the country?

    Or should confidence already be lost since they are probably already in India anyway?

    1. Anonymous Coward

      Re: No Health Support For People Or Their Data

      When I worked for BT on NPFIT contracts, all NHS patient data had to be held only in England (England, not Scotland, Wales or N Ireland). Mastek had to move their developers for SPINE to England for them to work on any code that had access to patient data.

      But who knows who will have access to England's patient data once it's partially anonymised and sold off?

      1. Richard Jones 1
        FAIL

        Re: No Health Support For People Or Their Data

        At one (recent) time I was told that my x-rays were being sent out to India to be read... Hence my evidence based complaint.

        Has anyone done anything to stop the present problem?

        Responded, it is after midday?

        I guess blinding silence.

      2. Anonymous Coward

        Re: No Health Support For People Or Their Data

        > When I worked for BT on NPFIT contracts, all NHS patient data had to be held only in England (England, not Scotland, Wales or N Ireland).

        This is still the case today. We have had to put plans into place so we only use a datacentre located and staffed in England, so as not to fall foul of these regulations.

        Ironically, we also have a facility located in Wales, who use this same datacentre. NHS Wales seems not to care about where we store data on its patients (or much else on an InfoSec standpoint, for that matter).

        Anon for obvious reasons.

      3. BongoJoe

        Re: No Health Support For People Or Their Data

        This cross border stuff is a nightmare when we have our GP and some hospitals on one side of the England/Wales border and the other hospital that treats us sometimes is on the other...

        We have to take our own records backwards and forwards ourselves. Unofficially, of course. But it's the only way that we manage to get consultants to read the same notes.

  8. Elmer Phud

    " 587 pages said to have been compromised on the www.nhs.uk site, which is run by Capita."

    Local 'Easy Council' gits farmed everything out to Crapita (and then gave themselves a pat on the back).

    I've been wondering where my DBS application has gone, I suspect the usual well-staffed front office with the usual shoe-string back-office.

    We tried to tell them but councillors were too busy congratulating themselves at closing the last of council services and giving themselves putty medals.

  9. Winkypop Silver badge
    Devil

    Nurse!

    Matron!!

    Anyone.....

    1. DriveBy

      Re: Nurse!

      Arrrgh....

      Too late.

  10. Baldie
    FAIL

    care.data anyone? Don't think so

  11. 0laf
    FAIL

    CRAPITA strikes again.

    Still it makes a change from Northgate.

  12. Captain Hogwash
    Coat

    Nurse! The screens!

    OK, I'm going.

  13. mastodon't

    Google Aspies

    Hiding the script under a malicious url googleaspis.com instead of a valid googleapis.com.

    Great name for a gang

    1. admiraljkb
      Joke

      Re: Google Aspies

      Great name for yet another inane awards show - the Google Aspies

    2. Rich 11

      Re: Google Aspies

      The variation was probably chosen by someone who knew this:

      http://en.wikipedia.org/wiki/Aspis

  14. WibbleMe

    I wonder if the FTP password was "password"?

  15. JurassicPark
    Unhappy

    Trust me, I'm a doctor, your data (life?) is safe in my hands.

  16. Toby Rose

    A DoH spokesman. More like a Doh! spokesman!

  17. Anonymous Coward Silver badge

    Small problem really

    So it looks like what really happened was that some coder inadvertently added an 's' in googleapis.com; possibly years ago.

    Some bugger has now registered that domain and hosted crap on it (whois shows: Creation Date: 2014-02-02T00:00:00Z)

    So the NHS site wasn't hacked or externally compromised.

    It does however show one of the problems of referencing external scripts in a website.

    1. thosrtanner

      Re: Small problem really

      So they had a load of pages with links to non-existent sites. Not non-existent because they'd recently gone off line but - never existed.

      If you're looking for a security hole to exploit, that's a pretty good one. No work on your part beyond looking for pages which send requests to sites which don't exist, register site, populate site with malware, $$$$$

      Some level of review and automated checking *before* these pages were pushed out to unsuspecting users would have been a good (and professional) thing.
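As an added example (not code from the thread, the NHS site or any contractor named here), a pre-publish check of the kind thosrtanner suggests, also covering the typo'd-domain case described in the parent comment: it lists the external hosts a page loads scripts from, flags hosts that are an edit or two away from a known CDN domain (googleaspis.com against googleapis.com), and flags hosts that do not resolve, since a dangling reference is one anybody could register later. The allowlist KNOWN_DOMAINS and the sample page are constructed for the example; the resolver is injectable so the check can run offline.

```python
import re
import socket
from urllib.parse import urlparse

# Registrable domains this (hypothetical) site is expected to load scripts from.
KNOWN_DOMAINS = {"googleapis.com", "jquery.com"}

SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"']", re.I)

# Constructed sample page: a correct CDN reference, a typo'd host, a relative
# path, and a host that no longer (or never) resolved.
SAMPLE_HTML = """<html><head>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script src="http://ajax.googleaspis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script src="/static/site.js"></script>
<script type="text/javascript" src='https://cdn.example-never-registered.invalid/a.js'></script>
</head><body></body></html>"""


def edit_distance(a, b):
    """Levenshtein distance; one dropped or inserted letter scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def script_hosts(html):
    """Distinct hostnames referenced by <script src> tags; relative paths are skipped."""
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        if "//" not in src:
            continue  # served from this site, nothing external to squat
        host = urlparse(src).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def resolves(host):
    """Default resolver: True if DNS returns an address for host."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def check_external_scripts(html, known=KNOWN_DOMAINS, resolver=resolves):
    """Map each external script host that needs review to the reason why."""
    findings = {}
    for host in script_hosts(html):
        base = ".".join(host.split(".")[-2:])  # crude registrable domain, fine for .com CDNs
        if base in known:
            continue
        near = sorted(k for k in known if edit_distance(base, k) <= 2)
        if near:
            findings[host] = "possible typo of " + ", ".join(near)
        elif not resolver(host):
            findings[host] = "does not resolve: unregistered, anyone could claim it"
        else:
            findings[host] = "not in the allowlist"
    return findings
```

Run it over every page in a build before it is pushed; a non-empty result is a reason to stop the release, not a warning to scroll past.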

      1. keithpeter Silver badge
        Windows

        End user alert: I'm mildly confused...

        "So they had a load of pages with links to non-existent sites. Not non-existent because they'd recently gone off line but - never existed."

        An API is supposed to return something when you access it.

        So why were these pages that were programmed to link to a URL accessing an API (which URL I imagine was some kind of query string with the data going to the API in) which in fact was not returning anything? Was there not some form of test on the returned data (in this case nothing)?

        Have I misunderstood anything?

    2. Anonymous Coward

      Re: Small problem really

      So the NHS site wasn't hacked or externally compromised

      In the sense that the NHS site wasn't modified in any way, I guess you're right.

      However, their coding error left a gaping hole which the miscreants took advantage of resulting in the same effect as if they had compromised the site.

      So I'm not inclined to let NHS off lightly, or at all.

    3. Jonathan Richards 1
      Stop

      Stop this nonsense forthwith, saith the icon

      I suppose that nobody here is unaware of the Firefox extension NoScript, but here's a link, just in case:

      http://noscript.net/

      The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice

      1. frank ly

        Re: Stop this nonsense forthwith, saith the icon

        I'd also recommend the Firefox plugin 'Request Policy'. This prevents the browser from accessing content from outside of the domain you're looking at, unless you give it temporary/permanent permission to do so, on a target by target basis. Try it; it's instructive to see how many external sources many websites use. Then those external sources download their own Javascript, etc. and have their own pointers to further external sources.

        1. Michael Dunn

          Re: Stop this nonsense forthwith, saith the icon @frank ly

          "Then those external sources download their own Javascript, etc. and have their own pointers to further external sources."

          As Pope wrote:

          So naturalists observe the flea

          Hath smaller fleas that on him prey.

          Or in the vernacular:

          Little fleas have smaller fleas upon their backs to bite 'em.

          Smaller fleas have smaller fleas and so ad infinitum.

  18. Anonymous Coward

    Capita.. nope not anymore

    Capita no longer runs the NHSChoices website, it was handed back to HSCIC Last year.

    1. Anonymous Coward

      Re: Capita.. wrote it though ...

      Crapita may have handed it on, but are they claiming not to have developed, written or set up the administrata for the site, handed on ("back"?) to HSCIC?

      I'm assuming the poster works for them.
