A full quarter of UK law enforcement websites lack any form of automatic secure connection. And many are left open to POODLE attacks, despite increased spending.
The Centre for Public Safety revealed that potentially sensitive data is communicated in plain, unencrypted text on the 25% of police sites it found to be insecure (in a review of 71 websites).
Of these, more than 70% (12 agencies) invited users to submit personal data—and in some cases information specifically relating to criminal activity—via these unsecured connections. That in turn exposes the public to yet more unnecessary risk. Given that police and crime commissioners are steadily transitioning citizen services to online forums, this could become a much larger problem over time.
“Unfortunately, many governmental websites in Europe allow non-encrypted HTTP connections even to web forms and protected areas, where very sensitive financial, legal or health records may be transmitted,” Ilia Kolochenko, CEO of web security company High-Tech Bridge, told us via email. “Usually, this is caused by lack of time or other resources among the IT teams, as many European countries are now cutting governmental costs, impacting the public sector and thus its security.”
He added, “Unlike other much more dangerous web application vulnerabilities, such as SQL injections, a lack of traffic encryption does not enable the compromise of a remote web application, but enables the attackers to easily intercept any information sent or received from the web server. However, today, when many users access public or insecure Wi-Fi networks, reliable traffic encryption becomes a very important question.”
Only 27% of the sites in the Centre for Public Safety report demonstrated the highest world-class standard of secure connection. Dorset, Durham and Warwickshire, which ironically have limited IT budgets, were awarded the top A grade.
The Metropolitan Police on the other hand, which spent in excess of £110 million on just one IT supplier in 2014/15, earned a middling cybersecurity grade of C in the review. In fact, the results showed that its server may be vulnerable to the POODLE attack, and that it likely uses older protocols.
“It’s 2016. The internet is not new, the cybersecurity threat is not new, and yet some police forces and their IT providers seem to think it is acceptable to pay large sums of taxpayer money for insecure technology,” Rory Geoghegan, founder of the Centre for Public Safety, told the Register.
Consider the case of the Cheshire Constabulary, which scored a C grade in July 2016. After upgrading its website, a September review gave its systems an F grade, meaning that it was vulnerable to the POODLE attack and had increased vulnerability to man-in-the-middle (MITM) attacks.
Rectifying the situation shouldn’t be difficult. “This action can be easily achieved for the majority of services, involving simple configuration changes to the server. The changes required are achievable by anyone with basic server administration skills,” said the report.
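The "simple configuration changes" the report refers to can be checked mechanically. What follows is an added example, not code from the report or any force: a small Python audit over two constructed nginx fragments (a weak site and a hardened one, hostnames omitted) that flags SSLv3 (the precondition for POODLE), other legacy protocol versions, and a plain-HTTP listener that never redirects visitors to HTTPS.

```python
import re

# Constructed nginx fragments (no real force's configuration): a weak site and a hardened one.
WEAK_CONFIG = """server { listen 80; root /var/www/html; }          # forms served over plain HTTP, no redirect
server { listen 443 ssl; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; }   # SSLv3 still enabled: POODLE
"""
HARDENED_CONFIG = """server { listen 80; return 301 https://$host$request_uri; }   # automatic upgrade to HTTPS
server { listen 443 ssl; ssl_protocols TLSv1.2 TLSv1.3; }
"""
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_server_blocks(config):
    """Minimal nginx parser: one {directive: [arg lists]} dict per server block, nested blocks folded in."""
    blocks, current, depth, server_depth = [], None, 0, None
    for token in re.findall(r"[^;{}]+[;{}]", re.sub(r"#.*", "", config)):
        body, end = token[:-1].strip(), token[-1]
        if end == "{":
            depth += 1
            if body == "server" and current is None:
                current, server_depth = {}, depth
        elif end == "}":
            if current is not None and depth == server_depth:
                blocks.append(current)
                current = None
            depth -= 1
        elif body and current is not None:
            name, *args = body.split()
            current.setdefault(name, []).append(args)
    return blocks


def audit(config):
    """Findings for the report's issues: SSLv3 (POODLE), legacy TLS versions, no HTTP->HTTPS redirect."""
    findings, plain_listener, redirects = [], False, False
    for block in parse_server_blocks(config):
        listens = block.get("listen", [])
        on_80 = any(a and a[0].rsplit(":", 1)[-1] == "80" for a in listens)
        if on_80 and not any("ssl" in a for a in listens):
            plain_listener = True
            redirects |= any(len(a) > 1 and a[1].startswith("https://")
                             for a in block.get("return", []))
        for args in block.get("ssl_protocols", []):
            if "SSLv3" in args:
                findings.append("SSLv3 enabled: vulnerable to POODLE")
            old = sorted((LEGACY & set(args)) - {"SSLv3"})
            if old:
                findings.append("legacy protocols enabled: " + " ".join(old))
    if plain_listener and not redirects:
        findings.append("plain HTTP listener does not redirect to HTTPS")
    return findings
```

Running `audit(WEAK_CONFIG)` reports all three issues, while `audit(HARDENED_CONFIG)` returns an empty list; the same audit can be pointed at a real nginx file to confirm a change before it goes live.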
Photo © Tom Plesnik