White hat banned for revealing vulns in news sites used by London councillors

Security consultant Andrew Tierney has claimed that web platform NeighbourNET contains nasty vulnerabilities that could compromise users. The company's sites are used for local news services, often by councils and councillors to communicate with residents. London districts favoured with sites powered by the service include …

Anonymous Coward

Surprise surprise

Well, I am surprised they did not report him to the police. Or maybe they did.

End of the day, he tried to get in between a council and a service procured the way UK public institutions procure services aka "No, we are not corrupt, we just help old school friends a lot".

Anonymous Coward

Re: Surprise surprise

I'm not surprised the cops weren't called in. He reported his findings responsibly as far as I can see.

If they had/have called the cops then they're fools.

I've disclosed website vulnerabilities before in a sensible and respectful way and had threats of calling the police, but nobody has actually done it.

Facepalm

Re: Surprise surprise

The response to be expected from ostriches; they are all provided with emergency buckets of sand.

Of course, maybe the muppets think that by suspending them they have fixed all their problems, as nobody can report them now!


Re: Surprise surprise

Good job they didn't call the police. Good luck trying to convince a clueless-about-tech UK magistrate that you were trying to help secure websites over a law abiding policeman saying you are a hacking scumbag trying to bring down the establishment by masquerading as someone else.

404

Re: Surprise surprise

Sigh... happens in the US too.

Waiting on Homeland Security personally... I'm a 'bad-tempered hacker' according to the state DA...

I'm really a nice guy. Ask anyone (except that DA, anyway).


Shooting the messenger is always the best response.

...said no sentient being ever.

Anonymous Coward

... except the one banging the messenger's wife.

There's a metaphor in there.


Yes, in that that's what he metaphor.

Oh, hang on, no, that's a double entendre, isn't it?


"There's a metaphor in there."

Perhaps even a metaphoarrr.


My eyes!!

"It would be fair to say the visual presentation of the sites hints at there being security problems," Tierney says.

No kidding! I thought my Chrome browser had been stolen from me and replaced with Netscape.


Nero called

Wants his fiddle back...



I would invoice them


Goodness me, someone paid for that? The sites look like flashbacks from the Wayback Machine, circa 1980. I would not be surprised if those web sites are programmed with punch cards and paper tape.


Another organisation, another pathetic response to security issues

I have engaged Pen Test Partners to carry out security testing of systems on behalf of my clients several times in the past. They are impressively good at their job compared to the majority of CHECK/CREST teams out there and they are extremely easy to work with. When they submit a report it is clear and doesn't just reference a CVE and leave it at that. They explain the vulnerabilities, give examples of how to fix it and get involved with the developers to patch the problem and test it to ensure that it is now locked down. They don't over charge for their work.

This sort of response to a group who have the best interests of their clients and the community at heart is pathetic. It just shows that NeighbourNET don't give a toss about their users and that their interest is just letting the lovely money roll in, in return for doing the minimum possible.

Chances that NeighbourNET signed up for the Cyber Essentials Scheme? Low to Zero.

If you go to their webshite you will find that it is created almost entirely in Flash and if I'm reading this right, a very old and vulnerable version of Flash:

http://active.macromedia.com/flash2/cabs/swflash.cab#version=4,0,0,0

They give you the wonderful experience of viewing their blurb in a WIDTH="600" HEIGHT="400" frame. Woohoo! Back to the 80s! The page doesn't appear to have been updated since 2009.

Their business model is franchising and they say "We would like to enter into a partnership with you if you are interested in operating a site for your area. You don't need programming skills."


Meet the tool of the Police State: Nextdoor.com

A much bigger, meaner neighbournet.com:

Spreading across USA (and NL) like a cancer, Nextdoor disposed of our moderators and handed our online community to our hostile neighborhood association! Nextdoor's director is a very frightening person with a deliciously punchable-looking face.

https://www.dawsonneighborhood.org/dawsonaustin-on-nextdoor-seized-by-neighborhood-assn/

http://www.sitejabber.com/reviews/www.nextdoor.com

RW

Re: Meet the tool of the Police State: Nextdoor.com

"neighborhood association"

In the City of Victoria, BC (sensu stricto) the mayor and municipal council are great fans of nbh assocs and follow their lead in much. Minor problem: afaict, most of the local nbh assocs have perhaps half a dozen active members; they do NOT speak for everyone in the neighborhood, merely the busybodies active in them.


Re: Meet the tool of the Police State: Nextdoor.com

Yes, that's certainly an issue in our city, too. The neighborhood associations are dominated by really small, tight groups of 'old friends' who make no attempt to represent the actual neighborhood, and will attack anyone making an earnest attempt to join the decision making. The City Council pays way too much attention to what NA say, and take them at their word that they're speaking the neighborhood's opinion. There is some reform under development though.

Austin also has a "neighborhood council" (not a City bureau) which is sort of an umbrella org for all NA, but they've been assimilated by the same mindset. So we have an alternate neighborhood council called "Friends of Austin Neighborhoods" and they likewise advocate folks launching alternate neighborhood associations.

I hesitated on that for a while, but then we went ahead and registered with the City. The truth is, things are so bad that we can't work within the system. Our neighborhood finally has a website, and news is posted daily instead of in the old NA's 6x-a-year self-praising tract sheet newsletter. We're aiming to be a nonprofit org so we can handle money to fund social events and give out grants.

Naturally, our old NA is shrieking mad at us. They had a good thing going where they literally did nothing as neighborhood leaders, but got to meet and have their important meetings and use their important titles when emailing and phoning the City. Our members ran for office in the old NA and the election was conducted as a flat-out sham to make our candidates lose. The funniest thing is how the old NA points at the mountain of work we've done and things we've accomplished, and try and draw it all up as unfair attacks on their own hard volunteer work. And what is it that they do? *shuffle feet* Uhm, next topic!


90s design

Design-wise looks like NeighbourNET is following in the illustrious steps of another site based around 'neighbourhoods'. All that's missing is a page counter, blinking multicoloured text and an "Under Construction" GIF and it's practically Geocities.


RE: My eyes!!

It just appears to be missing flashing text and a few more fonts.

I thought it was also missing sound effects, but unplugging the headphones reveals I was mistaken.


Re: RE: My eyes!!

No shit... if you read this far in the comments but haven't checked out the sites in question, they are worth a look. It's a trip down memory lane.

http://www.shepherdsbushw12.com/

http://www.hammersmithtoday.co.uk/

http://www.wimbledonsw19.com/

"Local intelligence for intelligent locals" indeed....

(Edit) For example, the site has this useful information:

"The Microsoft IE 5 browser can be found on most free disks included with Computer Magazines or can be downloaded from Microsoft. The disc that Dixons give out for Freeserve also includes the most uptodate version of this browser. "

I say these sites should be preserved in a museum. I kinda miss sites like these...


Re: RE: My eyes!!

Tell me more about this Freeserve. Are they better than AOL?

Anonymous Coward

Re: RE: My eyes!!

Sorry, I forgot to log off............


Re: RE: My eyes!!

"tell me more about this freeserve. Are they better than AOL?"

Well, the AOL disks make better coasters but the Freeserve ones are much better bird scarers.


Re: RE: My eyes!!

"The Microsoft IE 5 browser can be found on most free disks included with Computer Magazines or can be downloaded from Microsoft. The disc that Dixons give out for Freeserve also includes the most uptodate version of this browser. "

Having spent a not small amount of time on site in many council IT departments over the years, the "members", ie councillors, are, on the whole, almost completely tech illiterate. Smart phones, iPads and laptops are delivered to the help-desks to be de-wormed on a frighteningly regular basis and most if not all attempts to lock them down for "business use only" are vetoed at the highest levels. Most are full of free games and apps most likely installed by their "clever with computers" kids.

IT help-desks usually have dedicated people *just* to deal with the "members'" problems, eg showing them how to open a PDF document 2 years after being issued with the kit despite having all documents delivered that way. They are very patient and diplomatic teams who are almost certainly the most stressed people employed there.


Login form is interesting, on, for example, http://www.ealingtoday.co.uk

Type in an email address to find out if that address has an account. If it doesn't you'll get the message:

"Please enter correct regular expression"

Presumably this means that the testing regular expression doesn't match the email address supplied, and that the site administrator needs to change the test?

Seems that if you go to the Contact Us page there are a selection of email addresses that might work - if the site wasn't struggling to handle the interest...

Anonymous Coward

I just get "Logon Failed, your logon name fuckbucket@arse.net was incorrect"

Anonymous Coward

Actually, I think I see where I may have gone wrong.

So, how do you become an ISP anyway?

Anonymous Coward

As I'm originally from Chiswick, I registered fuckbucket@arse.net there. If anyone wants to post as me.


Their spokesperson wrote:

"Our sites have been operating for over a decade without an major issue with security"

Chances are they have no way of knowing whether their systems have been compromised and root-kitted to hell and back.


That spokesperson's comment can be rephrased as: "The horse hasn't bolted, so there is no need to close the stable door."


To extend the analogy ...

Yesh ocifer, it's completely OK to drive while pished - I've driven home pished many times and never had an accident yet.

Leading to ... Insurance ocifer, don't need that, I've never had an accident.

What a complete and utter numpty to suggest that a security problem doesn't exist if it's never been triggered yet.


No passwords at all!

Steps to reproduce:

1) Go to http://www.hammersmithtoday.co.uk/

2) Go to Contact Us page, note email address editor@hammersmithtoday.co.uk exists

3) Go to Log On page, try editor@hammersmithtoday.co.uk

4) Note whether the links in the bottom left have "Editor" and "Log Off"

This site isn't hackable, it has a completely lock-free front door!

I can then go to the Forum, and post messages as "Editor". Doh! zero security, maximum potential for fraud.

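The two login behaviours complained about in this thread, a form that tells you whether an address has an account (the "Please enter correct regular expression" / "your logon name ... was incorrect" messages) and a log-on that accepts a known address with no password at all, are the failure mode. As an added example, not code from the forum thread or from NeighbourNET, here is a minimal Python login routine in the shape a defender would want: every attempt is checked against a salted PBKDF2 hash, and malformed, unknown and wrong-password attempts all get one identical message so the form cannot be used to enumerate accounts. The user store, the address and the password are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Tuple

PBKDF2_ITERATIONS = 200_000

# Constructed in-memory user store for the example: email -> (salt, PBKDF2 hash).
# A real site would keep this in its database; nothing here comes from any live site.
_USERS: Dict[str, Tuple[bytes, bytes]] = {}

# One message for every failure (bad format, unknown address, wrong password),
# so the response never reveals whether an address has an account.
GENERIC_FAILURE = "Logon failed: the email address or password was incorrect."

# Loose syntactic check only; the point is that a non-match gets the same generic
# message rather than an internal error like "Please enter correct regular expression".
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(email: str, password: str) -> None:
    """Store a salted hash; the plaintext password is never kept."""
    salt = os.urandom(16)
    _USERS[email.lower()] = (salt, _hash_password(password, salt))


# Dummy credential used when the address is unknown, so the unknown-user path
# does the same hashing work as a real comparison (no timing shortcut).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def authenticate(email: str, password: str) -> Tuple[bool, str]:
    """Return (success, message); success needs a known address AND a matching password."""
    if not isinstance(email, str) or not _EMAIL_RE.match(email):
        return False, GENERIC_FAILURE
    key = email.lower()
    salt, stored = _USERS.get(key, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password or "", salt)
    # Constant-time comparison; the membership check means a stray match against
    # the dummy hash can never log anyone in.
    if key in _USERS and hmac.compare_digest(candidate, stored):
        return True, "Logon successful."
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    register("editor@example.invalid", "correct horse battery staple")  # constructed sample account
    for attempt in [("editor@example.invalid", "correct horse battery staple"),
                    ("editor@example.invalid", ""),
                    ("nobody@example.invalid", "anything"),
                    ("not-an-address", "x")]:
        print(attempt[0], "->", authenticate(*attempt))
```

The empty-password attempt is the case the thread is about: it is hashed and compared like any other password and fails with the same message as an unknown address, so neither the existence of the editor account nor the absence of a password is exposed by the response.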

Re: No passwords at all!

Unbelievable and all of the sites are the same.

On the positive side it has brought me back to the halcyon days of the web when AOL disks came through the door every second day, when AOL and Compuserve dumped emails and attachments going from the 8 bit private network to the 7 bit Inertnet <sic>.

I might reach for my mighty Walkman and brick sized mobile to really experience the horror.


Re: No passwords at all!

"Steps to reproduce:"

Oh FFS! As it says there "Doh!". Fortunately the Computer Misuse Act prevents me from doing anything other than staring in horror at what they have done.

Anonymous Coward

Re: No passwords at all!

Doh! indeed.

There was movement at the station, for the word had passed around

That the colt from old Regret had got away,

And had joined the wild bush horses - he was worth a thousand pound,

So all the cracks had gathered to the fray.

All the tried and noted riders from the stations near and far

Had mustered at the homestead overnight,

For the bushmen love hard riding where the wild bush horses are,

And the stockhorse snuffs the battle with delight.


Re: No passwords at all!

Oh. My. God.

hammersmithtoday.co.uk times out.

But http://www.wandsworthsw18.com works. There Is No Password At All. None.

It seems to me that the DPA is being contravened, as personal information (postcode, date of birth) is insufficiently protected.

Although, to ensure that the editor's email address is protected, the "contact us" page is now blank.


Re: No passwords at all!

Well, one thing is for sure: the people behind this website are complete idiots. I don't mean any offense, I seriously dislike name calling, but this is just beyond broken. Apparently something broke and my IP got blocked on their website. Normally a 403 should be just that, right? 403: Forbidden, get lost!

Their 403 page does things a "little" differently. It shows that they're using IIS 7.5 and it shows me the exact physical location of their website. D:\web-sites\sites\hammersmithtoday. I didn't do anything other than check and apparently get blocked. But getting blocked also means that they give you some very peculiar debug information.

Proof of concept: http://imgur.com/XFl3H3Q

And this is why I call them idiots. I'm an IIS administrator myself (even though I personally prefer Mono) and I can tell you one thing: IIS does not share this kind of information by default. It's actually one of the things I like a lot about it: its sane defaults. By default IIS will only show debug information (and stack traces and such) to local sources, not remote visitors.

So obviously someone changed this behavior themselves (edited Web.config).

Even so, now I can see why no one bothered to attack the website so far. I mean, I don't think there's any challenge at all here.

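The 403 page described in the comment above (server version, physical path on disk, diagnostics shown to a remote visitor) is a textbook information-disclosure finding. As an added example, not code from the thread or from NeighbourNET, here is a small Python check a site owner can run over their own error responses: it flags a Server header that carries a version number, a Windows physical path in the body, and .NET stack-trace output. The status, headers and body it is fed are constructed to resemble an IIS detailed error page; the host name and path are placeholders and nothing is fetched from a live site.

```python
import re
from typing import Dict, List

# A Windows drive path such as D:\inetpub\wwwroot\site (stops at whitespace or HTML delimiters).
_WINDOWS_PATH = re.compile(r"""\b[A-Za-z]:\\(?:[^\\\s<>"']+\\)*[^\\\s<>"']*""")
# Typical .NET detailed-error output: a "Stack Trace" heading or "at Namespace.Type.Method(" frames.
_STACK_TRACE = re.compile(r"""(?:Stack Trace|\bat [A-Za-z_][\w.]*\.[A-Za-z_]\w*\()""")
# A product/version banner such as Microsoft-IIS/7.5 (a bare product name is not flagged).
_SERVER_VERSION = re.compile(r"^[A-Za-z-]+/\d[\w.]*")


def find_leaks(status: int, headers: Dict[str, str], body: str) -> List[str]:
    """Return the information-disclosure findings for one HTTP response."""
    findings: List[str] = []
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    if _SERVER_VERSION.match(server):
        findings.append(f"server version banner: {server}")
    if status >= 400:  # detailed diagnostics are an issue on error pages
        for match in _WINDOWS_PATH.finditer(body):
            findings.append(f"physical path: {match.group(0)}")
        if _STACK_TRACE.search(body):
            findings.append("stack trace / detailed error output")
    return findings


# Constructed sample response shaped like an IIS detailed error page; the host
# and path are placeholders, not values taken from any real site.
SAMPLE_STATUS = 403
SAMPLE_HEADERS = {"Server": "Microsoft-IIS/7.5", "Content-Type": "text/html"}
SAMPLE_BODY = r"""<html><body>
<h1>403 - Forbidden: Access is denied.</h1>
<h2>Detailed Error Information</h2>
<b>Module:</b> IpRestrictionModule<br>
<b>Requested URL:</b> http://example.invalid:80/<br>
<b>Physical Path:</b> D:\web-sites\sites\example-site<br>
</body></html>"""

# What the hardened response looks like: same status, no diagnostics, no version.
HARDENED_HEADERS = {"Server": "Microsoft-IIS", "Content-Type": "text/html"}
HARDENED_BODY = "<html><body><h1>403 - Forbidden</h1></body></html>"


if __name__ == "__main__":
    print("leaky:", find_leaks(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY))
    print("hardened:", find_leaks(403, HARDENED_HEADERS, HARDENED_BODY))
```

On the configuration side, the commenter's point about defaults holds: IIS ships with `<httpErrors errorMode="DetailedLocalOnly">` and ASP.NET with `<customErrors mode="RemoteOnly">`, both of which show the detailed page (module, requested URL, physical path) to localhost only, so a remote visitor seeing it means those settings were changed in Web.config. The `Server: Microsoft-IIS/x.y` banner, by contrast, is sent by default and removing it is a separate hardening step.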

Re: No passwords at all!

Tried that with the Shepherds Bush site and got this :

Logon Failed: The account has been suspended to stop posting to the forum.


Re: No passwords at all!

"I can then go to the Forum, and post messages as "Editor". Doh! zero security, maximum potential for fraud."

Yeah, but that's illegal. Who needs security when there's the big scary Computer Misuse Act? PMSL


"We have been driving automobiles for many years officer,and have yet to have an accident, therefore your suggestion we wear seat belts is, frankly, laughable." - NeighbourNET 2016


So tempted to spin up a copy of Tails and start trying to log into accounts with the many email addresses Google coughed up as being associated with users of the site. Of course that's me just being thorough, my fingers are itching to try admin@ and webmaster@ first...


From some time ago...

Me: You have altered the administrator log in from the default, haven't you?

Hapless Web Developer: Oh yes, yes we have

Me: So I won't be able to log in as "admin" password "admin" will I?

HWD: No, definitely not.

Me: <clicketty-click> No indeed. I see I can now log in as "administrator", password "admin".


"Our sites have been operating for over a decade without an major issue with security"

Ah yes.. the old "well it's never happened in the past so it can't possibly happen in the future" excuse.

Right up there with the old "well I've never left a USB stick full of sensitive data in a taxi before" excuse.

I very much suspect from the comments that Mr Tierney could just log in and unban himself..


Quick - copy them

before they get (cough-cough) updated.

Then the court can be shown the total stupidity of the Admins and that really it should be them in the dock for having the nerve to take real money to run this shite.


Re: Quick - copy them

"Then the court can be shown the total stupidity of the Admins and that really it should be them in the dock for having the nerve to take real money to run this shite."

From the looks of things they haven't made a profit since 2010. They only went into positive net worth last year so I suspect some of their knee-jerking is an attempt to stop that heading the other way, again.


WOW! And there was me expecting something like this:

<meta name="GENERATOR" content="Microsoft FrontPage 6.0">

That email says, in part, that NeighbourNet's development team "acknowledged that you have identified some potential security holes but they have existed for a long time without ever been exploited and there seems little incentive for anyone to try to do so."

Are you sure you wanted to say that?

The fact that you have just admitted the security holes have been there for a long time makes you look like a bunch of fools who don't care about security. Just because they haven't been exploited doesn't mean you should ignore them.


"acknowledged that you have identified some potential security holes but they have existed for a long time without ever been exploited and there seems little incentive for anyone to try to do so."

Awww bless. That's so cute

"we are now talking in terms of months rather than years before implementation. This would close these security holes and others"

Hahaha! Oh dear. They're toast.


<snork>

It looks as if they are now blocking, one by one, IPs of anyone who logged into their site. This is amusing since they apparently haven't heard of dynamic addressing. This isn't locking the door after the horse has bolted, more like taking a bucket out to scrape up some of the droppings and wondering where the horse is.

Anonymous Coward

Smug, complacent and wrong.

"We note that Mr Tierney fails to give a single example of any actual occasion on which security is compromised," the company says.

Well they've had more than a few examples today, but apparently have learned nothing from the experience.

Biting the hand that feeds IT © 1998–2018