* Posts by RamblingRant

6 posts • joined 28 Nov 2012

ICO plugs XSS vuln in its website. Only took watchdog FIVE YEARS

RamblingRant

Re: (Re)Curses!

Harsh but hey, if it makes you feel better.

RamblingRant

Re: Missing the point

With respect Richard, I haven't missed the point at all. The ICO don't collect/retain sensitive information by design... a design which can be altered by anyone using XSS.

The point is, the genuine ICO site may have been collecting personal information for the last 5 years... they just wouldn't know about it. In the screenshot above (twitter link), I've replaced the entire page with a fake article, but it could very easily be a malicious form which forwards the data to a remote location. As the data never hits the ICO's server, they'd be none the wiser.

Highly unlikely, sure... but possible. This is the lowest of the low hanging fruit and the ICO missed it, several times. The altruistic notion of the ICO "protecting us", from a technology standpoint at least, is laughable. The site had both stored & reflected XSS and an SQLi exploit in the data protection register, ironically... not to mention the SSL failures late last year. It's shambolic to say the least.

Model of best practice? Give me a break.

RamblingRant

Re: (Re)Curses!

Funny you should mention that Frankee...

https://twitter.com/Rambling_Rant/status/449514356389064704


Got a Netgear router from Virgin Media? Change your admin password NOW

RamblingRant

Re: Not quite sure why all the downvotes.

I hope it's not an N66U, or you've jumped out the frying pan, skipped the fire and landed in a volcano.


Use strong passwords and install antivirus, mmkay? UK.gov pushes awareness campaign

RamblingRant

Quick review of this site for you good folks... with advice on KeePass & IdentitySafe.

http://ramblingrant.co.uk/2014/01/17/cyberstreetwise-com-really-bad-infosec-advice/


Companies House website security 'a bit of a mess'

RamblingRant

Re: False assumptions?

I look forward to the book ;)

It's a good point though; which makes it all the more important to ensure that nobody can change details without authorisation.

Thank you John for publishing this story.

Paul.
