Who accredits the accreditors?
Breach at UK.gov's Cyber Essentials scheme exposes users to phishing attacks
The operation behind the UK government's Cyber Essentials scheme has suffered a breach exposing the email addresses of registered consultancies, it told them today. The scheme's badges are required by suppliers bidding for "certain sensitive and personal information-handling [government] contracts". Companies were notified of …
COMMENTS
Friday 23rd June 2017 09:50 GMT Anonymous Coward
Who accredits the accreditors?
... and who holds them to reasonable compliance with security and privacy standards?
These .org.uk people run a mailserver in the US.
Wednesday 21st June 2017 16:17 GMT Anonymous Coward
Re: the Morissette Scale?
That's the whole idea: the song was Ironic in that it didn't have any irony, just bad luck etc.
You could also argue that You're So Vain by Carly Simon was ironic because the song was in fact about them.
Ring-a-Ring-of-Roses could also be ironic in that it's a nursery rhyme for young children about the black death.
There's also a fine line between irony and sarcasm.
Thursday 22nd June 2017 12:34 GMT CrazyOldCatMan
Re: the Morissette Scale?
I read that initially as the Morrissey scale.
Which ranges from "I'm mildly upset" to "I'm writing songs for people to top themselves to". With very little between the two extremes apart from a bit of "No-one else appreciates my narcissism".
(Not a fan. I liked the music, just not the depressing lyrics or the haphazard way they were delivered)
Wednesday 21st June 2017 16:42 GMT RJL
The comment (below) that is included in the main article is irrelevant and just plain daft because every company passing the Cyber Essentials scheme (IASME or otherwise) has its details published on the web anyway. Go to any of the main accrediting bodies and you'll see this. It's freely available information.
"We paid to be audited and registered with the UK Govt Cyber Essentials scheme, in order to be able to do business with govt organisations," one affected worker told El Reg. "Turns out that the info has been leaked, which I guess means that someone now has a list of companies that work with the govt."
Wednesday 21st June 2017 18:46 GMT Mike Moyle
"We would like to make it clear that the security of the assessment platform has not been compromised. Your account, the answers you provided in the assessment and the report you received are secure. No information other than your email address and your company name was accessible to the third party."
Translated: "Pay no attention to that shoe hanging in mid-air."
Thursday 22nd June 2017 19:16 GMT Keven E
Nobody really knows
First it was your email address and the company name. Then it was revealed it was email, company and originating IP address. Next (of course) it's email, company name, IP address and exactly what service you provide... then (just to keep each blow from getting too overwhelming) it's, well, email, company name, IP addy, specific service and the project manager's significant other's maiden name... and then...
Wednesday 21st June 2017 19:39 GMT EveryTime
A 'bug bounty' is more likely to be a trap than a reward
A company representative said "the researcher involved may have earned himself a bug bounty if he had approached the company directly".
The researcher "may" have earned a bounty, not "would" have earned a bounty. Any bounty would likely be more of a trap than a reward: "here is $1 so that we can sue you into oblivion for violating a contract to never reveal this happened".
Thursday 22nd June 2017 08:18 GMT Wiltshire
Re: An unknown person accessed a list of email addresses in a log file
"Aren't these supposed to be clever spooks?"
Indeed they are. But all the spooks I've met (a few) are just as human as the rest of us. Forget to lock the house, argue with spouse, shout at children, forget to change the password, promise to fix the config sometime soon, have a list of bugs to fix sometime soon, get distracted...
Thursday 22nd June 2017 13:15 GMT Anonymous Coward
Researcher = Black Hat Hacker
1. Professional disclosure: inform so they can make good. No disclosure, thus not professional.
2. Seems to be off the back of Pervade's OpIndex tool publicity, so likely to be a TOR user = dubious. I wonder if TOR was used in the attack/research.
3. All the information is in the public domain anyway
4. Any further research/attacks on those listed will just add to the balance that script kiddie researchers like this are just malicious. (Some are white hat, and are doing good, for the better of us all.)
IASME/Pervade/Certification Bodies have informed the clients that were listed = Professional ethical behavior.
Businesses doing Cyber Essentials, i.e. getting the basics right, now have good reason, as this case proves: on the internet no one knows you're a dog, and the more that get muzzled the better.
AnonCow