Web security: Why Local Councils are easy pickings for hackers

I guess it’s not surprising to hear that a Local Borough Council’s computer systems won’t be the hardest thing in the world to hack compared to, say, the MOD, but after this week’s dealings with the utter IT incompetence that comes from most of the UK’s councillor workforce, I had to come and post about it.

My work task recently has involved sending letters to over 100 different borough councils around the UK. Quite frankly, the range of responses I’ve had has been astonishing: some people answer brilliantly and professionally, quoting the reference numbers I have assigned… others… haha… OTHERS!… Well, it’s the others that we shall talk about, for they need to go home and let some of this vast pool of unemployed take up the jobs that they most definitely fail at.

Anyway… So on Monday of this week I was greeted with a few annoying responses. Weeding out the ‘We won’t reply to your letter unless you pay us £50’ letters, which come only from certain of the (more poorly run) boroughs, I continued to read down the list until I found a few stinkers. The first one was a .doc attachment, so right away I frowned upon seeing it. I condemned it to my VM honeypot and opened it up as I would a used doggy bag. Yep, a big brown dog shit in the guise of a font-based exploit. Not only is the council in question infected by said virus, they have had the stupidity to use the particular font in their outgoing mail! Unacceptable. I must say as well that this particular borough didn’t even have the decency to keep my subject reference number the same OR let me know the address of the site in question in the body of the email; it was just a badly titled email with an attachment. *hangs head*

Tuesday… more boroughs, more .doc email attachments, this time not infected with Trojans. Seriously though, who the fuck sends .doc in this millennium? Ooh, some .rtf too. I guess those guys were too cheap to install, say, LibreOffice… oh wait…

Wednesday… This one was a good one because it reminded me of the shittest attempt at a L.M.G.T.F.Y. ever! Someone responded to my well-crafted and formal letter with a link and a SCREENSHOT of their computer browsing their OWN website. Not only is it clear they are using Win XP with IE6 with all its standard bookmark stinkiness, I can also see their outdated virus scanner in their taskbar as well as what version of Microsoft Word and Outlook they are using. Not only that, but I can see their intranet IP! Looks like banner grabbing is wholly unnecessary for this council; just send them an email and they will gladly show you their proverbial underwear, not to mention the exploits are likely to work on removing them.

Merton Council, I name and shame you! May you now die in DDOS hell until you learn some IT and that “Let me Google that for you” is a disgusting response to someone who has taken the time to write to you :).

I have only had responses to about 20% of my emails so far; I’m sure there will be much more fail to come :)

By the way, I would just like to say that I most certainly don’t condone hacking, but I do agree that a DDOS is the internet version of a peaceful protest and should be treated the same as you would 1000s of people waiting outside your house while you try to get to work, and most definitely NOT as a terrorism attempt.