Thursday, December 21, 2006

Government website wide open to hacking?

Yesterday, to very little fanfare, the Department for Constitutional Affairs launched a new website called The UK Statute Law Database. The site is basically a free online resource containing over 30,000 items of revised UK primary legislation, all searchable.

When I first discovered the site I wondered why it went live with so little Government boasting. After all, it's a successful Government IT project, and they are few and far between. Then I discovered the awful truth.

It is wise that they've not promoted it too much. The site is running on a Windows server using IIS 5.0. This is bad. This is very bad. IIS is now officially at 6.0 and whilst it remains utter rubbish as a web server it doesn't at least have quite the wealth of "how to hack IIS" guides as 5.0 does.

I'd be surprised if it isn't attacked by scriptkiddies at some point, although in fairness it's likely to fall over before that if it gets a sustained amount of traffic from lawyers etc. I should add too that this has really lightened up the day in my office. We're all rather amused that such a system could go live. The question on our lips is if the front-end is running IIS 5.0 what the hell is the database running? *shudders*

Update: I'm sure the ID cards database system will be very secure though.

Update 2: It has just occurred to me that should this site be compromised I will be the first port of call for the Old Bill. For the record, I am not encouraging any criminality, I am highlighting the fact that the Government has launched a system that is inherently weak in terms of security, and it clearly needs to look at its processes in relation to security review.

15 comments:

Serf said...

If this becomes a well used database by Lawyers, could we not subtly change the law here and there. After all with the concept of legal precedent, once a verdict or two had been influenced....

Perhaps we should run a poll, for which law we should change.

dizzy said...

You make a very good point, as does Croydonian on this at his. The scope of mischief that could be targeted toward such a database is quite worrying.

James Higham said...

Who would have made the decision about IIS5.0 in the first place?

Benedict White said...

Dizzy, I have been lobbying for this for years. Well, that is public access to what is the law.

This is not for lawyers they already have it all.

If you want to know how passionate I am about access to justice just google my name on the group uk.legal or uk.legal.moderated.

I am pleased they have done it, but why oh why on Windows and out of date shit as well when I offered a host of lawyers and lay people like myself to index, cross reference and do it all!

I am happy and angry at the same time, and it is not like they do not know who I am or where I live. (I got a call from the cabinet office once)

Andreas Paterson said...

Inherently weak? IIS 5.0 may be old but Microsoft patched up the initial vulnerabilities long ago.

Plenty of the web still runs on IIS and Microsoft has not exactly been losing in its share of the server market.

In my experience Microsoft have always been a bit of a target for this due to their size and wealth.

dizzy said...

IIS 5.0 is a piece of piss to hack. It will take you about two seconds to find complete guides on how to do it.

Plenty of the web still runs on IIS and Microsoft has not exactly been losing in its share of the server market.

It may not have been losing its share but it hasn't been gaining it either. In comparison to Apache running on a real operating system, Microsoft has got not much more than 30% of the market. The platform of choice for anyone sane is going to be Apache on *nix.

In my experience Microsoft have always been a bit of a target for this due to their size and wealth.

You're not very experienced then are you? The only reason Microsoft finds itself a target is because they produce crap software with bad security models. Apache has 70% of the server market because it's better, end of.

The only reason Microsoft even maintains a presence on a handful of Internet facing web servers is because there is a wealth of point and drool idiots out there who have no idea how to use a keyboard and work with an operating system that doesn't bolt on ten tons of shit to the kernel.

Andreas Paterson said...

It pays to step out of your UNIX bubble from time to time Dizzy. Yes, IIS 5.0 can be hacked, but most of the hacking occurs due to duff default settings that can be disabled. As I said there are patches for the security vulnerabilities, hacking guides will state the same.

On a domain basis (according to Netcraft), Microsoft have about a 33% share, Apache have about 60% of market share. 33% would seem to be a pretty respectable market share by my reckoning. Also as Microsoft is keen to point out, it has a larger market share among Fortune 1000 companies. There is no shortage of companies who willingly chose to implement architectures based around IIS.

You are welcome to your opinion that Microsoft IIS is an insecure unreliable piece of crap, but it is precisely that, an opinion, and not one that is shared by a large proportion of the world's IT professionals.

dizzy said...

1: Default settings should not be duff. Microsoft = bad security model.

2: The Fortune 1000 statistics are meaningless. Just because lots of big companies use it doesn't make it better. They choose to implement IIS because idiot IT directors who read Computer Weekly are conned into buying it.

3: No, my view is not an opinion, it's a verifiable fact.

4: "IT professionals", what, you mean MCSEs who have learnt to point and click in a system that negates security as its starting position? You mean people who think Exchange is a real mail server? You mean people who think SQL Server is a serious Enterprise application? You mean people who think rebooting a system is a fix?

5: You may say I am in a Unix bubble. Actually, what I am in is the Internet bubble, where systems need to stay up for years. I'm in the bubble that wants real memory management. I'm in the bubble that wants proper IO scheduling filesystems. I'm in the bubble that wants decent cpu click scheduling. I'm in the bubble that wants to control my system wholly.

Anonymous said...

I'm keen to know what enterprises you've worked in, Dizzy.

There are plenty of places running huge, high transaction SQL Server databases. I've deployed one of over 300GB and it was just fine.

Exchange not a real mail server? Funny. There's plenty of multinationals who seem to think it is.

Seems to me that you have a pretty narrow mind about what goes on in the world outside of your little bubble. Linux/Unix stuff is great, but a lot of the Microsoft technology is too.

dizzy said...

I've been working in multinational ISPs for the past eight years. Most of my work today involves high availability clustering with networked storage (GFS/Veritas). High availability WebLogic clustering and J2EE deployment of large scale provisioning and financial systems using Sybase ASE, Sybase IQ - usually in the region of 2.5TB EMC SAN.

When I say Exchange isn't a real mail server, I do so in the sense that it can't handle serious volumes of mail. Not only that, but it isn't RFC compliant.

When it comes to large-scale SMTP you're not going to see Exchange get a look in when put in comparison to Sendmail, Exim, Qmail or even Postfix. That's why ISPs don't and can't use it.

Some of the other stuff I've been involved in has been network related, configuring Cisco MGX 8000s and Cisco 10000 in broadband provisioning contexts.

There's plenty of multinationals who seem to think it is.

argumentum ad populum.

If you really want a stable, secure, and reliable system then you don't use Microsoft. The reason that so many people use Microsoft isn't because they have good products, it's because they have good salesmen most often selling to idiots that think reading Computer Weekly makes you an IT person.

I'm not at all narrow minded on this point really, I've worked with Windows servers, it was the most painful experience of my life.

When you're running systems that need to be up 24/7/365 then you cannot find yourself anywhere other than the world of Unix. It's the backbone of the Internet for a start, but more importantly it is vastly superior in performance, stability, and configurability.

Anonymous said...

I've been working in multinational ISPs for the past eight years.

So, when you said "Just because lots of big companies use it doesn't make it better. They choose to implement IIS because idiot IT directors who read Computer Weekly are conned into buying it.", which big companies (outside ISPs) have you worked in?

dizzy said...

Erm.. what does who I've worked for have to do with the fundamental point about IIS being rubbish?

Anonymous said...

It doesn't. You're making an assertion that I've seen no evidence of. I know why companies I've worked in chose IIS, and it's nothing to do with being "conned" or the Microsoft sales force. But let's hear your experience.

Incidentally, you could also, while you're at it, back up your "IIS is rubbish" claim (granted, IIS 5.0 was).

dizzy said...

"But let's hear your experience."

My experience is wider than IIS alone to be honest. Fundamentally, running an Internet facing website on a Windows server is, in my experience, hell. And, from a security point of view it scares the living bejesus out of me - especially given the way Windows can so easily execute malicious code without a care in the world.

Also, in my experience Windows and IIS/SQL Server can be horrible when it comes to swapping. Windows still, as far as I am aware, uses pagefiles rather than raw swap devices. This means a massive overhead when swapping because the kernel and OS have to go all the way through the filesystem sublayer to page out.

Incidentally, you could also, while you're at it, back up your "IIS is rubbish" claim (granted, IIS 5.0 was).

In fairness, when I have been talking about IIS in this thread, and the original post, it has been about 5.0. I even commented at the beginning that 6.0 was the latest release. The way I see it, a brand new Government website being deployed on IIS 5.0 is exceptionally worrying (and given you agree 5.0 is rubbish I presume we are in agreement there).

Anonymous said...

Dizzy,

I agree with the general point - IIS 5.0 is not good.

At least they're using ASP.NET. The "choose and book" system is using classic ASP.