Cumbrian firms leave themselves open to online attack - investigation
Last updated at 14:45, Tuesday, 02 October 2012
Confidential files are open to view online and major Cumbrian companies have left themselves vulnerable to attack by hackers, an investigation into cybersecurity reveals today.
During a two-hour trawl through websites of some of the county’s most prestigious firms, loopholes were found that would allow hackers to access databases, post abusive messages or view confidential documents.
It also found:
- A health agency which had left a “private and confidential” transcript online which outlined details of indecent exposure by a Cumbrian health professional, who quit his job in return for keeping the matter out of court;
- A tourist website that had left a file containing login and password details;
- A business park and a business quango listed on an Asian hacker’s website alongside guidance on how to breach security on their sites;
- A large employer which had uploaded hundreds of files including invoices on to its servers – and left them where they could be seen online without any need for a password;
- A string of smaller Cumbrian companies such as car dealers, hairdressers and gyms who have had websites built in a way that they could be hacked into within seconds;
- A logistics company whose website allowed access to directories and files that could easily be used by hackers.
The loopholes were found thanks to the expertise of information security consultant Tony Wilson, who advises firms about how to stay one step ahead of the hackers and cybercriminals.
He agreed to show our sister website, in-cumbria.com, how easy it was to gain access to the workings of Cumbrian websites on condition that it did not identify the companies concerned or leave them vulnerable to attack.
Mr Wilson, who runs the Indelible Data consultancy, showed how easy it was to find websites built for local firms and government agencies that leave open loopholes that can be exploited by hackers.
In some cases websites are using old software that is known to be insecure and in others they have accidentally left files and directories where they can be found by anyone with a reasonable knowledge of websites.
A hacker with a point to prove or other malicious intent could use access to a website’s directory to upload files, replace pictures or deface the site.
Another common area was failing to prevent hackers using login screens to enter code to break into the site.
Mr Wilson said: “If you were building a shop you wouldn’t allow it to be done in a way in which a burglar could break in and steal your goods, so why build a website – which is a shop window for the world – in a way that people can hack into it?
“Businesses often believe that website security comes as standard but in many cases it does not.”
in-cumbria.com has informed all the companies about the security breaches uncovered.
Click here for ways businesses can reduce the risk of cybercrime
First published at 11:28, Tuesday, 02 October 2012
Published by http://www.newsandstar.co.uk
Have your say
I work in this field, and have done for some considerable time.The problem is, companies want things on the cheap, they look for the lowest price that gives the best presentation. I have personally been involved with local business that think a well considered security policy is not value for money - many of these companies are exposing themselves not only to the loss of brand (such as loosing customer data or embarasment) but to prosecution under the Data Protection Act. Many consider it an acceptable risk - why not ask your suppliers what their security policy is? They have your data too.... think about it.Web production has become an industry that is full of many under qualified people, yes they can produce wonderful looking websites, but they don't have the industry knowledge to secure them - a view that is supported by the evidential findings in this report.It's not just Web production, the number of unsecured Wireless LAN's around the industrial estates or town/city centres is staggering. There is software freely available that can breach many of the 'security' features employed. It is more dangerous to think you are secure when you are not, than having a totally open WLAN. Securing your data is a specialist task, you either need to take it seriously, or air gap your information (Air gap is a term used to describe a network that has a physical detachment from anything public).I'm glad this report has come out, it's about time companies/traders took the public's data seriously.
Personally, if I was to find my information was leaked, stolen or became public I would pursue the company who let it go, as far as a criminal prosecution of the Data Controller.
Make your comment
Have your say
- Pub's plans to stay open until 4.30am blasted by council (21 comments)
- Ex-Cumbrian health chief says working across Border 'a breath of fresh air' (5 comments)
- Bus cuts across Cumbria loom in bid to save £1.3m (38 comments)
- Hospitals smoking ban goes too far, says Carlisle councillor (70 comments)
- Allerdale set to back Government proposal to sideline county council in nuclear store search (54 comments)
- Can Carlisle's Castle Way cut it in the future? (27 comments)
- Cumbrian beauty queen overcomes cruel internet bullies (10 comments)
- Carlisle dad fined for cycling with daughter on shoulders (45 comments)
- Major police operation in Carlisle area blighted by criminals (12 comments)
- North Cumbrian hospitals struggling to recruit staff (14 comments)