Tuesday, 2nd December 2008

News from the Guernsey Press

‘Bungle’ as second web flaw emerges

Personal information of residents at Maison Maritaine was accessible online

INCOMPETENCE is to blame for care home residents’ personal information being accessible online, according to a leading security consultant.

The comments came as it also emerged that the States computer system has been breached before. Campbell Murray said yesterday that the States internet vulnerability was major and that personal information should not have been left on a server that was so exposed.

‘Getting access to it sounds like pretty basic stuff – a huge amount of knowledge wasn’t required to find the vulnerability and wouldn’t be needed to exploit it,’ said Mr Murray, technical director at Worcester-based IT security company Encription Ltd, which specialises in testing websites for weaknesses.

‘From the government’s point of view, they based their security on threat analysis and for the election.gov.gg site they might have thought the impact level of that information getting out was quite low. Clearly they had forgotten about the highly sensitive information stored on the server, which they should not have done.’

The earlier breach was spotted 15 years ago via the Greffe.

A former post worker recalled: ‘I was pretty staggered when I found a user called Bailiff and his files were wide open to me.’

Encription Ltd managing director Tony McDowell said it was foolish not to have had site security tested by a third party.

‘The web developer and whoever tested it are very much at fault and, frankly, shouldn’t have got paid.’

‘Script Kiddies’ - youngsters around the world sitting at a PC in their bedroom - were using the same type of detection plug-in that had led Marcus Cicero to discover the vulnerability. Any one of them, he said, could have found it.

But ministers have denied it was a low-grade hack.

States director of ICT Jane Wonnacott said: ‘We cannot say why the vulnerability was not spotted, but in our view this was a determined effort to access the States system and could only have been achieved with expert knowledge and specialist software.’

She did not know why a file containing Maison Maritaine residents’ bank details was on the system, but added that there would be an internal investigation.

Article posted on 20th March, 2008 - 2.30pm
