More than 13,000 emails swiped in Edinburgh council cyber assault

Edinburgh council has been targeted by a cyber attack, leading to the details of more than 13,000 email addresses being stolen. In an email to people who have an online account with the council, the local authority said the attacker had penetrated the security of one of its website service providers, based in a UK data centre …

  1. Cthonus

    Useless bunch of cretins.

    They refused to empty our bin two months ago as it contained glass which "should have been placed in the blue bin provided."

    I pointed out they hadn't provided any of us in the area with blue bins so they promised to send some out within ten days.

    Failed to do so, and also failed to reply to any of our follow up messages.

    So - back on topic - not surprised that their data security is on a par with the rest of the council services.

    1. lansalot

      Re: Useless bunch of cretins.

      Nice little rant, spoiled only by the fact the website wasn't done by the LA themselves.

      Looks like JADU to me, or it's possibly the scotgov portal for registration.

      1. Cthonus

        Re: Useless bunch of cretins.

        To coin a phrase, "nice little retort, spoiled only by the fact I never said the website was either designed or run by EC themselves."

        They do however have a duty of care in ensuring any such services are robust enough, and if they were the incumbents during its commission to ensure the correct questions were asked regarding security.

        My point was around general incompetence. You only need to look at the recent Statutory Repairs scandal in the city to know that either someone was deliberately adopting the ostrich position, or the right questions were failing to be asked time and again.

        - now THAT is closer to my idea of a rant ;)

        1. thatguy009

          Re: Useless bunch of cretins.

          The council I work for is also a Jadu customer,

          So I asked them if there was any danger of this happening to any other sites.

          Their response was "After some investigation, it transpired that the attacker had gained access via a series of customised scripts - not part of the core Jadu CMS software", and then they also said the attack came from a Chinese IP address.

          1. Anonymous Coward

            Re: Useless bunch of cretins.

            I'll confirm the entry point was a customisation to the vanilla Jadu CMS. They have a thing called "widgets" which basically allows chunks of user-supplied code to be run in the CMS context. (By "user" I do mean "administrative user"). It doesn't take a lot of imagination to see how this is a disaster waiting to happen though.

            It was through one of these customisations that the attacker was able to perform SQLi against the website and extract data. (Email addresses are stored alongside other details, so they probably would have got more than that.) However, it is hosted away from the council's other core systems, so only website registrants need worry.

            I'll also confirm passwords are hashed (with salt).

            Other Jadu customers may have had the same customisation. If they tell you you're safe today, I wouldn't trust that means you were also safe yesterday.
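The comment above describes the failure mode in general terms: a custom script splices user input into SQL text, so characters that belong to SQL syntax are interpreted as syntax. The following is an added example, not code from Jadu or from the council's site, using an in-memory SQLite table of constructed registrant rows (the emails and names are made up). It shows the string-concatenation style of lookup beside a parameterised one; the concatenated version cannot even handle a legitimate address containing an apostrophe, which is the same defect an attacker exploits with crafted input.

```python
import sqlite3

# Constructed sample data for the demonstration; not real registrants.
SAMPLE_ROWS = [
    ("alice@example.org", "Alice"),
    ("o'brien@example.org", "O'Brien"),  # legitimate address with a quote
]


def build_db():
    """Create an in-memory registrant table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registrant (email TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO registrant VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, email):
    """Unsafe lookup: the caller's input becomes part of the SQL text.
    Any quote in the input changes the query's grammar, which is the
    mechanism behind the SQLi described in the thread."""
    sql = "SELECT name FROM registrant WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, email):
    """Safe lookup: the input is bound as a value, never parsed as SQL."""
    sql = "SELECT name FROM registrant WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def compare(email):
    """Run both lookups on the same input and report what each returns.
    A database error from the concatenated version is reported as a string
    so the difference between the two styles is visible in one result."""
    conn = build_db()
    result = {}
    try:
        result["concat"] = lookup_concat(conn, email)
    except sqlite3.Error as exc:
        result["concat"] = "error: " + exc.__class__.__name__
    result["param"] = lookup_param(conn, email)
    conn.close()
    return result


if __name__ == "__main__":
    for addr in ("alice@example.org", "o'brien@example.org"):
        print(addr, compare(addr))
```

On the plain address both lookups agree; on the address containing an apostrophe the concatenated query fails to parse while the parameterised one returns the row. Reviewing a CMS customisation for this pattern (SQL assembled from request data) is the check a defender would want to run against any "widget" that is allowed to execute in the CMS context.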

  2. Joe 48

    Just Email?

    Odd that just email was extracted. I'd normally expect that to link in with other information a council would hold, like PI or information relating to the services they use via that email address. Seems a lot of effort.

    1. Captain Underpants

      Re: Just Email?

      @Joe - that depends; if the website in question uses a different auth system to other council services for whatever reason, it may have required users to create an account local to that website with email as the username. If it needed to check information from other services, a lookup against other services using the email as a primary key would be an easy way of doing it without duplicating the information.

      My experience of at least some public sector bodies in the UK is that there's an almost fetishistic desire to keep senior mgmt happy by getting random outside companies to look after highly-visible partial refreshes (eg just updating the front page, usually in a way that's utterly out of step with the rest of the site in terms of both aesthetic and functionality - think borked search functions, totally different design elements down to basics such as logo and font, etc). So if that's happened here, it might explain why it was possible to compromise the system in the first place but not get much data from it...

    2. Anonymous Coward
      Paris Hilton

      Re: Just Email?

      Coincidentally an email recently left the premises with 13M address in the To: field.

  3. Velv
    Pirate

    It's lucky I use unique email addresses for different companies and websites, so when I get spam I can track it back to Edinburgh Council's breach. (unique@mydomain)

    I can then seek compensation from Edinburgh Council for each instance.

    1. Just Enough
      Devil

      "I can then seek compensation from Edinburgh Council for each instance"

      Ha! Good luck with that.

  4. Anonymous Coward

    Hold them accountable

    The website ISP should be held accountable for all damages caused by their failed security system.

    1. Anonymous Coward

      Re: Hold them accountable

      Problem there is a spread of liability. You have your council chap who commissioned the site*; the firm/person who put the site together; the site software; all balanced on a LAMP stack... all of which changes almost daily. And the entry point could be anywhere in there.

      *I've had people insisting on things being done a certain way for convenience despite it being a potential security nightmare. All you can do (if you want to get paid) is make them aware of possible problems and make sure you have it in writing.

  5. KingStephen

    Slightly OT, but this is the council that last year would not publish online the results of the Edinburgh Marathon, which they organised, on the grounds that it was personal data and would be in breach of the data protection act :)

    (They changed their mind eventually.)

  6. MGJ

    Coincidence

    My mobile has had 15 spam call centre rings today, where I normally get one a week. My data was probably compromised in this. A coincidence?

  7. Anonymous Coward

    You, the voter, voted in two successive governments pledging wholesale cuts in public services. Unsurprisingly, getting rid of their own IT departments in favour of bought-in services has been a very good way of saving large sums of money for local authorities.

    When you consider that, if you follow the government guidelines on procurement, cost makes up 60% of the weighting for a tender bid, it is unsurprising that most contracts now go to the lowest (and usually crappest) bidder.

    This won't be the last of these by a very long chalk. Data security costs money; something local authorities are already running out of.

    1. Vic

      Unsurprisingly, getting rid of their own IT departments in favour of bought-in services has been a very good way of saving large sums of money for local authorities.

      I see this claim regularly. I've never seen it actually substantiated.

      In order to "save money", you need to do the same job for less. "Not actually doing the job" doesn't really cover that, in my book...

      Vic.
