White hat banned for revealing vulns in news sites used by London councillors

Security consultant Andrew Tierney has claimed that web platform NeighbourNET contains nasty vulnerabilities that could compromise users. The company's sites are used for local news services, often by councils and councillors to communicate with residents. London districts favoured with sites powered by the service include …

  1. Anonymous Coward
    Anonymous Coward

    Surprise surprise

    Well, I am surprised they did not report him to the police. Or maybe they did.

    End of the day, he tried to get in between a council and a service procured the way UK public institutions procure services aka "No, we are not corrupt, we just help old school friends a lot".

    1. Anonymous Coward
      Anonymous Coward

      Re: Surprise surprise

      I'm not surprised the cops weren't called in. He reported his findings responsibly as far as I can see.

      If they had/have called the cops then they're fools.

      I've disclosed website vulnerabilities before in a sensible and respectful way and had threats of calling the police, but nobody has actually done it.

      1. 2460 Something
        Facepalm

        Re: Surprise surprise

        The response to be expected from ostriches; they are all provided with emergency buckets of sand.

        Of course, maybe the muppets think that by suspending them they have fixed all their problems, as nobody can report them now!

        1. Danny 14

          Re: Surprise surprise

          Good job they didn't call the police. Good luck trying to convince a clueless-about-tech UK magistrate that you were trying to help secure websites over a law abiding policeman saying you are a hacking scumbag trying to bring down the establishment by masquerading as someone else.

    2. 404

      Re: Surprise surprise

      Sigh... happens in the US too.

      Waiting on Homeland Security personally... I'm a 'bad-tempered hacker' according to the state DA...

      I'm really a nice guy. Ask anyone (except that DA, anyway).

  2. Jeffrey Nonken

    Shooting the messenger is always the best response.

    ...said no sentient being ever.

    1. Anonymous Coward
      Anonymous Coward

      ... except the one banging the messenger's wife.

      There's a metaphor in there.

      1. VinceH
        Facepalm

        Yes, in that that's what he metaphor.

        Oh, hang on, no, that's a double entendre, isn't it?

      2. Bloakey1

        "There's a metaphor in there."

        Perhaps even a metaphoarrr.

  3. monty75

    My eyes!!

    "It would be fair to say the visual presentation of the sites hints at there being security problems," Tierney says.

    No kidding! I thought my Chrome browser had been stolen from me and replaced with Netscape.

  4. Winkypop Silver badge
    Flame

    Nero called

    Wants his fiddle back...

  5. This post has been deleted by its author

  6. WibbleMe

    I would invoice them

  7. herman

    Goodness me, someone paid for that? The sites look like flashbacks from the Wayback Machine, circa 1980. I would not be surprised if those web sites are programmed with punch cards and paper tape.

  8. Lotaresco
    Flame

    Another organisation, another pathetic response to security issues

    I have engaged Pen Test Partners to carry out security testing of systems on behalf of my clients several times in the past. They are impressively good at their job compared to the majority of CHECK/CREST teams out there and they are extremely easy to work with. When they submit a report it is clear and doesn't just reference a CVE and leave it at that. They explain the vulnerabilities, give examples of how to fix it and get involved with the developers to patch the problem and test it to ensure that it is now locked down. They don't overcharge for their work.

    This sort of response to a group who have the best interests of their clients and the community at heart is pathetic. It just shows that NeighbourNET don't give a toss about their users and that their interest is just letting the lovely money roll in, in return for doing the minimum possible.

    Chances that NeighbourNET signed up for the Cyber Essentials Scheme? Low to Zero.

    If you go to their webshite you will find that it is created almost entirely in Flash and if I'm reading this right, a very old and vulnerable version of Flash:

    http://active.macromedia.com/flash2/cabs/swflash.cab#version=4,0,0,0

    They give you the wonderful experience of viewing their blurb in a WIDTH="600" HEIGHT="400" frame. Woohoo! Back to the 80s! The page doesn't appear to have been updated since 2009.

    Their business model is franchising and they say "We would like to enter into a partnership with you if you are interested in operating a site for your area. You don't need programming skills."

  9. AustinTX
    Big Brother

    Meet the tool of the Police State: Nextdoor.com

    A much bigger, meaner neighbournet.com:

    Spreading across USA (and NL) like a cancer, Nextdoor disposed of our moderators and handed our online community to our hostile neighborhood association! Nextdoor's director is a very frightening person with a deliciously punchable-looking face.

    https://www.dawsonneighborhood.org/dawsonaustin-on-nextdoor-seized-by-neighborhood-assn/

    http://www.sitejabber.com/reviews/www.nextdoor.com

    1. RW

      Re: Meet the tool of the Police State: Nextdoor.com

      "neighborhood association"

      In the City of Victoria, BC (sensu stricto) the mayor and municipal council are great fans of nbh assocs and follow their lead in much. Minor problem: afaict, most of the local nbh assocs have perhaps half a dozen active members; they do NOT speak for everyone in the neighborhood, merely the busybodies active in them.

      1. AustinTX

        Re: Meet the tool of the Police State: Nextdoor.com

        Yes, that's certainly an issue in our city, too. The neighborhood associations are dominated by really small, tight groups of 'old friends' who make no attempt to represent the actual neighborhood, and will attack anyone making an earnest attempt to join the decision making. The City Council pays way too much attention to what NA say, and take them at their word that they're speaking the neighborhood's opinion. There is some reform under development though.

        Austin also has a "neighborhood council" (not a City bureau) which is sort of an umbrella org for all NA, but they've been assimilated by the same mindset. So we have an alternate neighborhood council called "Friends of Austin Neighborhoods" and they likewise advocate folks launching alternate neighborhood associations.

        I hesitated on that for a while, but then we went ahead and registered with the City. The truth is, things are so bad that we can't work within the system. Our neighborhood finally has a website, and news is posted daily instead of in the old NA's 6x-a-year self-praising tract sheet newsletter. We're aiming to be a nonprofit org so we can handle money to fund social events and give out grants.

        Naturally, our old NA is shrieking mad at us. They had a good thing going where they literally did nothing as neighborhood leaders, but got to meet and have their important meetings and use their important titles when emailing and phoning the City. Our members ran for office in the old NA and the election was conducted as a flat-out sham to make our candidates lose. The funniest thing is how the old NA points at the mountain of work we've done and things we've accomplished, and tries to draw it all up as unfair attacks on their own hard volunteer work. And what is it that they do? *shuffle feet* Uhm, next topic!

  10. Afernie

    90s design

    Design-wise looks like NeighbourNET is following in the illustrious steps of another site based around 'neighbourhoods'. All that's missing is a page counter, blinking multicoloured text and an "Under Construction" GIF and it's practically Geocities.

  11. DwarfPants

    RE: My eyes!!

    It just appears to be missing flashing text and a few more fonts.

    I thought it was also missing sound effects, but unplugging the headphones reveals I was mistaken.

    1. Anonymous Coward
      WTF?

      Re: RE: My eyes!!

      No shit... if you read this far in the comments but haven't checked out the sites in question, they are worth a look. It's a trip down memory lane.

      http://www.shepherdsbushw12.com/

      http://www.hammersmithtoday.co.uk/

      http://www.wimbledonsw19.com/

      "Local intelligence for intelligent locals" indeed....

      (Edit) For example, the site has this useful information:

      "The Microsoft IE 5 browser can be found on most free disks included with Computer Magazines or can be downloaded from Microsoft. The disc that Dixons give out for Freeserve also includes the most uptodate version of this browser. "

      I say these sites should be preserved in a museum. I kinda miss sites like these...

      1. Danny 14

        Re: RE: My eyes!!

        tell me more about this freeserve. Are they better than AOL?

        1. Baskitcaise
          Devil

          Re: RE: My eyes!!

          "tell me more about this freeserve. Are they better than AOL?"

          Well, the AOL disks make better coasters but the Freeserve ones are much better bird scarers.

      2. Anonymous Coward
        Anonymous Coward

        Re: RE: My eyes!!

        Sorry, I forgot to log off............

      3. John Brown (no body) Silver badge

        Re: RE: My eyes!!

        "The Microsoft IE 5 browser can be found on most free disks included with Computer Magazines or can be downloaded from Microsoft. The disc that Dixons give out for Freeserve also includes the most uptodate version of this browser. "

        Having spent a not small amount of time on site in many council IT departments over the years, the "members", ie councillors, are, on the whole, almost completely tech illiterate. Smartphones, iPads and laptops are delivered to the help-desks to be de-wormed on a frighteningly regular basis and most if not all attempts to lock them down for "business use only" are vetoed at the highest levels. Most are full of free games and apps most likely installed by their "clever with computers" kids.

        IT help-desks usually have dedicated people *just* to deal with the "members'" problems, eg showing them how to open a PDF document 2 years after being issued with the kit despite having all documents delivered that way. They are very patient and diplomatic teams who are almost certainly the most stressed people employed there.

  12. Fonant

    Login form is interesting, on, for example, http://www.ealingtoday.co.uk

    Type in an email address to find out if that address has an account. If it doesn't you'll get the message:

    "Please enter correct regular expression"

    Presumably this means that the testing regular expression doesn't match the email address supplied, and that the site administrator needs to change the test?

    Seems that if you go to the Contact Us page there are a selection of email addresses that might work - if the site wasn't struggling to handle the interest...

    1. Anonymous Coward
      Anonymous Coward

      I just get "Logon Failed, your logon name fuckbucket@arse.net was incorrect"

      1. Anonymous Coward
        Anonymous Coward

        Actually, I think I see where I may have gone wrong.

        So, how do you become an ISP anyway?

        1. Anonymous Coward
          Anonymous Coward

          As I'm originally from Chiswick, I registered fuckbucket@arse.net there. If anyone wants to post as me.

  13. Paul

    their spokes-person wrote:

    "Our sites have been operating for over a decade without an major issue with security"

    chances are they have no way of knowing whether their systems have been compromised and root-kitted to hell and back.

    1. VinceH

      That spokes-person's comment can be rephrased as: "The horse hasn't bolted, so there is no need to close the stable door."

    2. SImon Hobson Bronze badge

      To extend the analogy ...

      Yesh ocifer, it's completely OK to drive while pished - I've driven home pished many times and never had an accident yet.

      Leading to ... Insurance ocifer, don't need that, I've never had an accident.

      What a complete and utter numpty to suggest that a security problem doesn't exist if it's never been triggered yet.

  14. Fonant
    Mushroom

    No passwords at all!

    Steps to reproduce:

    1) Go to http://www.hammersmithtoday.co.uk/

    2) Go to Contact Us page, note email address editor@hammersmithtoday.co.uk exists

    3) Go to Log On page, try editor@hammersmithtoday.co.uk

    4) Note whether the links in the bottom left have "Editor" and "Log Off"

    This site isn't hackable, it has a completely lock-free front door!

    I can then go to the Forum, and post messages as "Editor". Doh! zero security, maximum potential for fraud.

    1. Bloakey1

      Re: No passwords at all!

      Unbelievable and all of the sites are the same.

      On the positive side it has brought me back to the halcyon days of the web when AOL disks came through the door every second day, when AOL and Compuserve dumped emails and attachments going from the 8 bit private network to the 7 bit Inertnet <sic>.

      I might reach for my mighty Walkman and brick sized mobile to really experience the horror.

    2. Lotaresco
      Holmes

      Re: No passwords at all!

      "Steps to reproduce:"

      Oh FFS! As it says there "Doh!". Fortunately the Computer Misuse Act prevents me from doing anything other than staring in horror at what they have done.

      1. Missing Semicolon Silver badge
        Facepalm

        Re: No passwords at all!

        Oh. My. God.

        hammersmithtoday.co.uk times out.

        But http://www.wandsworthsw18.com works. There Is No Password At All. None.

        It seems to me that the DPA is being contravened, as personal information (postcode, date of birth) is insufficiently protected.

        Although, to ensure that the editor's email address is protected, the "contact us" page is now blank.

    3. Anonymous Coward
      Anonymous Coward

      Re: No passwords at all!

      Doh! indeed.

      There was movement at the station, for the word had passed around

      That the colt from old Regret had got away,

      And had joined the wild bush horses - he was worth a thousand pound,

      So all the cracks had gathered to the fray.

      All the tried and noted riders from the stations near and far

      Had mustered at the homestead overnight,

      For the bushmen love hard riding where the wild bush horses are,

      And the stockhorse snuffs the battle with delight.

    4. Anonymous Coward
      Anonymous Coward

      Re: No passwords at all!

      Well, one thing is for sure: the people behind this website are complete idiots. I don't mean any offense, I seriously dislike name calling, but this is just beyond broken. Apparently something broke and my IP got blocked on their website. Normally a 403 should be just that, right? 403: Forbidden, get lost!

      Their 403 page does things a "little" differently. It shows that they're using IIS 7.5 and it shows me the exact physical location of their website. D:\web-sites\sites\hammersmithtoday. I didn't do anything other than check and apparently get blocked. But getting blocked also means that they give you some very peculiar debug information.

      Proof of concept: http://imgur.com/XFl3H3Q

      And this is why I call them idiots. I'm an IIS administrator myself (even though I personally prefer Mono) and I can tell you one thing: IIS does not share this kind of information by default. It's actually one of the things I like a lot about it: its sane defaults. By default IIS will only show debug information (and stack traces and such) to local sources, not remote visitors.

      So obviously someone changed this behavior themselves (edited Web.config).

      Even so, now I can see why no one bothered to attack the website so far. I mean, I don't think there's any challenge at all here.
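The comment above pins the leaked "Physical Path" on a hand-edited Web.config, and that matches how IIS 7.x behaves: its detailed error pages (server version, physical path, module) are shown only to local requests unless errorMode is changed. The fragment below is an added example, not NeighbourNET's configuration: the commented-out "before" half is the one setting that would make a 403 disclose the path to remote visitors, the "after" half is the local-only default tightened to a static page. It assumes an ASP.NET site under IIS 7.5 (only IIS 7.5 is stated on the page); the /errors/ pages are hypothetical names.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not NeighbourNET's Web.config. Assumes an ASP.NET site on IIS 7.5;
     the /errors/ file names are placeholders for this example. -->
<configuration>

  <!-- BEFORE (weak): IIS renders its detailed error page, with the site's physical
       path and server version, to every client, local or remote. -->
  <!--
  <system.webServer>
    <httpErrors errorMode="Detailed" />
  </system.webServer>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
  -->

  <!-- AFTER (hardened) -->
  <system.webServer>
    <!-- DetailedLocalOnly is the IIS default; Custom goes one step further and never
         shows the IIS page to anyone. existingResponse="Replace" also discards any
         detailed body the application itself attached to the 403. -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <remove statusCode="403" subStatusCode="-1" />
      <!-- ExecuteURL keeps the 403 status code; a redirect would turn it into a 302. -->
      <error statusCode="403" path="/errors/403.html" responseMode="ExecuteURL" />
    </httpErrors>
    <httpProtocol>
      <customHeaders>
        <!-- Drop the framework banner. Removing the Server header itself on 7.5
             needs URLScan or a rewrite rule, not a customHeaders entry. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

  <system.web>
    <!-- ASP.NET's own unhandled-exception pages: stack traces and paths stay on localhost. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/errors/error.html" />
  </system.web>

</configuration>
```

A quick check after deploying: request a URL you know returns 403 from a remote host and confirm the body is the static page with no "Physical Path" line; then repeat from the server itself, where the detailed page is still expected with RemoteOnly/DetailedLocalOnly and never expected with Custom.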

    5. Captain Badmouth
      Happy

      Re: No passwords at all!

      Tried that with the Shepherds Bush site and got this :

      Logon Failed: The account has been suspended to stop posting to the forum.

    6. John Brown (no body) Silver badge
      Facepalm

      Re: No passwords at all!

      "I can then go to the Forum, and post messages as "Editor". Doh! zero security, maximum potential for fraud."

      Yeah, but that's illegal. Who needs security when there's the big scary Computer Misuse Act? PMSL
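The two defects this subthread and comment 12 describe, an address alone being enough to log on as "Editor" and a failure message that confirms whether an address is registered, are easy to state but worth seeing side by side with the fix. The block below is an added example, not NeighbourNET's code: two login handlers over a constructed in-memory user table, plus the enumeration check a tester runs from outside. The Hammersmith editor address and the "Logon Failed, your logon name ... was incorrect" wording come from the thread; the reader account, the passwords, the salts and the generic "Logon failed" message are this example's own.

```python
"""
Added example, not NeighbourNET's code. Models the "lock-free front door" and
the account-revealing failure message reported in the thread, beside a
hardened handler. USERS, the passwords and the reader account are constructed
for this example; the editor address and the failure text are from the thread.
"""
import hashlib
import hmac
import os
import secrets

KDF_ITERATIONS = 100_000


def derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the same work is done for real and dummy accounts."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def make_record(role: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "hash": derive_key(password, salt)}


# Constructed sample accounts; the passwords are placeholders for this example only.
USERS = {
    "editor@hammersmithtoday.co.uk": make_record("editor", "example-editor-passphrase"),
    "reader@example.invalid": make_record("member", "example-reader-passphrase"),
}

# A dummy record so an unknown address costs the same KDF work as a known one.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = derive_key(secrets.token_hex(16), DUMMY_SALT)
GENERIC_FAILURE = "Logon failed"


def vulnerable_logon(email: str, password: str = "") -> dict:
    """What the thread describes: the address alone logs you in, and the
    failure text confirms whether an address is registered. The password
    argument is accepted and ignored."""
    record = USERS.get(email)
    if record is not None:
        return {"ok": True, "role": record["role"], "message": "Logon OK"}
    return {"ok": False, "role": None,
            "message": f"Logon Failed, your logon name {email} was incorrect"}


def hardened_logon(email: str, password: str) -> dict:
    """Requires a password, verifies it in constant time against a salted
    PBKDF2 hash, and returns one message for both an unknown address and a
    wrong password."""
    record = USERS.get(email)
    salt = record["salt"] if record is not None else DUMMY_SALT
    expected = record["hash"] if record is not None else DUMMY_HASH
    candidate = derive_key(password, salt)  # always computed, known address or not
    if record is not None and hmac.compare_digest(candidate, expected):
        return {"ok": True, "role": record["role"], "message": "Logon OK"}
    return {"ok": False, "role": None, "message": GENERIC_FAILURE}


def enumerate_registered(logon, candidates) -> set:
    """The outside-in check: submit each candidate address with a throwaway
    password and keep those whose response differs from the response for an
    address that certainly does not exist. The submitted address is masked so
    that merely echoing it back does not count as a difference."""
    def fingerprint(email: str):
        result = logon(email, "throwaway-password")
        return (result["ok"], result["message"].replace(email, "<email>"))

    baseline = fingerprint("nobody-" + secrets.token_hex(4) + "@example.invalid")
    return {email for email in candidates if fingerprint(email) != baseline}


if __name__ == "__main__":
    probes = ["editor@hammersmithtoday.co.uk", "admin@example.invalid", "reader@example.invalid"]
    print("vulnerable reveals:", sorted(enumerate_registered(vulnerable_logon, probes)))
    print("hardened reveals:  ", sorted(enumerate_registered(hardened_logon, probes)))
```

Against the vulnerable handler the probe returns every registered address (and, as Fonant found, logs the tester in as each of them); against the hardened one it returns nothing, because unknown address and wrong password are indistinguishable in both the text and the amount of work done.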

  15. rmason

    "We have been driving automobiles for many years officer, and have yet to have an accident, therefore your suggestion we wear seat belts is, frankly, laughable." - NeighbourNET 2016

  16. Black Rat
    FAIL

    So tempted to spin up a copy of Tails and start trying to log into accounts with the many email addresses Google coughed up as being associated with users of the site. Of course that's me just being thorough, my fingers are itching to try admin@ and webmaster@ first...

    1. Lotaresco

      From some time ago...

      Me: You have altered the administrator log in from the default, haven't you?

      Hapless Web Developer: Oh yes, yes we have

      Me: So I won't be able to log in as "admin" password "admin" will I?

      HWD: No, definitely not.

      Me: <clicketty-click> No indeed. I see I can now log in as "administrator", password "admin".

  17. lukewarmdog

    "Our sites have been operating for over a decade without an major issue with security"

    Ah yes.. the old "well it's never happened in the past so it can't possibly happen in the future" excuse.

    Right up there with the old "well I've never left a USB stick full of sensitive data in a taxi before" excuse.

    I very much suspect from the comments that Mr Tierney could just log in and unban himself..

  18. Steve Davies 3 Silver badge

    Quick - copy them

    before they get (cough-cough) updated.

    Then the court can be shown the total stupidity of the Admins and that really it should be them in the dock for having the nerve to take real money to run this shite.

    1. Lotaresco

      Re: Quick - copy them

      "Then the court can be shown the total stupidity of the Admins and that really it should be them in the dock for having the nerve to take real money to run this shite."

      From the looks of things they haven't made a profit since 2010. They only went into positive net worth last year so I suspect some of their knee-jerking is an attempt to stop that heading the other way, again.

  19. adam payne

    WOW! and there was me expecting something like this

    <meta name="GENERATOR" content="Microsoft FrontPage 6.0">

    That email says, in part, that NeighbourNet's development team "acknowledged that you have identified some potential security holes but they have existed for a long time without ever been exploited and there seems little incentive for anyone to try to do so."

    Are you sure you wanted to say that?

    The fact that you have just admitted the security holes have been there for a long time makes you look like a bunch of fools who don't care about security. Just because they haven't been exploited doesn't mean you should ignore them.

  20. Anonymous Coward
    Anonymous Coward

    ""acknowledged that you have identified some potential security holes but they have existed for a long time without ever been exploited and there seems little incentive for anyone to try to do so.""

    Awww bless. That's so cute

    "we are now talking in terms of months rather than years before implementation. This would close these security holes and others"

    Hahaha! Oh dear. They're toast.

  21. Lotaresco

    <snork>

    It looks as if they are now blocking, one by one, IPs of anyone who logged into their site. This is amusing since they apparently haven't heard of dynamic addressing. This isn't locking the door after the horse has bolted, more like taking a bucket out to scrape up some of the droppings and wondering where the horse is.

  22. Anonymous Coward
    Anonymous Coward

    Smug, complacent and wrong.

    "We note that Mr Tierney fails to give a single example of any actual occasion on which security is compromised," the company says."

    Well they've had more than a few examples today, but apparently have learned nothing from the experience.

    1. Darryl
      Stop

      Re: Smug, complacent and wrong.

      Sure they've learned. As per the comment above, they're now blocking your IP if you try to get in. That'll make sure you never never ever have any way to get back there.

      1. Anonymous Coward
        Facepalm

        @Darryl

        Even better: they also give you the exact physical location of their website as a bonus. Probably to rub the blockade in, I don't know.

        But I think someone is going to have a heart or panic attack once they learn about dynamically assigned IP addresses :P And that's not even talking about intended circumventing such as using Tor.

        And some people wonder why DoS and DDoS are still a problem on the Net. Well, it's site administrators like these who help to make DoS possible.

        1. Darryl

          @ShelLuser

          You'd think they'd know all about dynamic IP addresses already, though, because the sites were obviously designed back in the days of dial-up

  23. Anonymous Coward
    Anonymous Coward

    Still no pw required!!

    www.ealingtoday.co.uk/

  24. druck Silver badge
    FAIL

    Banned?

    What was he banned from? The only mention of banned is in the headline.

  25. John Brown (no body) Silver badge

    Privacy Policy

    Neighbour Net Ltd is totally committed to protecting your privacy online.

    Oh dear, really?

    "When you first register with us we ask you to provide your name, post-code, date of birth and e-mail address. We do not collect your full postal address or phone number. "

    Oh, they don't ask for a full address or phone number. Except a post code and DoB narrows it down pretty much to an individual anyway.

    "contact you for marketing purposes, and deliver targeted advertisements that may be of interest to you. "

    ...aaaaaand there we have it.

  26. Anonymous Coward
    Anonymous Coward

    Hahaha

    Their attempt to ban me lasted right up until I logged out of my virtual desktop and then back in.

    I have the feeling that any technology more recent than two tin cans and a length of string is beyond their "crack technical team".

  27. Lotaresco
    FAIL

    Oh the irony

    "The basic requirements are good written English and a good understanding of your local community."

    "In principle yes, even outside the UK would not be a major problem. It would be more difficult to do because there would be less customers and information to share with other members of the group but that doesn't rule it out."

    And most amusingly, who will have the stamina to sit through the new Clarkson, May and Hammond "The Grand Tour" series. Look how long the episodes are!

    "Amazon Prime has commissioned three series of the yet-to-be-titled motoring show, which is set to launch in 2016 with 12 hour-long episodes per series."

    Good written English is a basic requirement but they aren't exactly leading by example.

  28. NB213

    Sadly the 'were in the news!' article which linked to this article has been taken down - I wonder why?

    Time to post it again on all of their sites?

    If you fancy a trip down memory lane do visit NNet. Flat forums and the Chiswick one www.chiswickw4.com is populated by conspiracy theorists and lost 'doggies'. It's like being back on a Prestel CUG but without the nice colours.

  29. Lotaresco
    Flame

    I can't reply to the post in question, because it has gone...

    Either killed or withdrawn by someone who came to their senses.

    Allegations that Pen Test Partners are acting in bad faith or are trying to extract money from sites where vulnerabilities are exposed are (very) wide of the mark. In my dealings with PTP over the last few years they have *never* been involved in fixing the problems they expose. That's not their remit. I have, on behalf of clients, engaged PTP to check systems and have paid for their reports. It is then expected that I and my team will fix the problems, not PTP. This ensures independence.

    PTP are held to high ethical standards to maintain their CHECK and CREST certification. Customers are encouraged to submit feedback and CESG are diligent in suspending companies that do not meet the ethical standards of the scheme.

  30. Lotaresco
    Trollface

    Call me suspicious but...

    Leo_Reid creates an account on 12/06/2016, makes just one post to attack Andrew Tierney, makes some ludicrous assertions that the state of NeighbourNet isn't much of an issue and then offgefucks. I wonder who Leo_Reid is a sock puppet of?

  31. NB213

    Those who use it as a local community website get used to the accusations and random bans which only seem to apply to those who criticise NNet and certainly never to their 'friends' who get away with racist, misogynistic bigotry unchecked.

  32. Anonymous Coward
    Anonymous Coward

    From Neighbour Net's "privacy" statement:

    With whom do we share your information and for what purpose?

    We do not sell, rent, or trade your personal information with third parties.

    From Neighbour Net's DPR details:

    Where necessary or required we share information with:

    ...

    •traders in personal data

    These statements appear to be inconsistent.
