Anyone else find the word "collapse" at the bottom of that Twitter post amusing?
NHS website hit by MASSIVE malware security COCKUP
Hundreds of URLs on the NHS website have been flooded with malware by hackers and - at time of writing - it remains exposed. The security blunder was first spotted early this morning and an alert was posted on Reddit along with a list of 587 pages said to have been compromised on the www.nhs.uk site. The Register put calls in …
-
-
Monday 3rd February 2014 16:40 GMT R 11
What an unlucky coincidence that their typo pointed to a malicious domain that was registered yesterday.
I think one of two things could have happened. They did make a typo, but left it hanging around long enough for someone to notice. That person then registered the domain and took advantage.
The alternative is that they were simply hacked and the pages were maliciously altered.
To me, the first scenario seems the more likely screw-up. And therein lies a lesson to everyone in the dangers presented by typos, particularly when you're trusting code from other domains.
-
Monday 3rd February 2014 13:11 GMT Anonymous Coward
Re: How they want to hold my health records.
Your records are going to be held digitally, the days of paper records are over. So, you have a choice - do you get each individual surgery to handle records, with software they choose, supported by whoever they choose. Or do you get a larger organisation who can notice a problem on a Sunday and have a fix in place on Monday?
Also, a web site is supposed to be internet facing, your records aren't, it's unlikely that malware on a web site would expose your records.
That said, it's true that Capita don't exactly have a brilliant reputation...
-
-
Monday 3rd February 2014 14:46 GMT Anonymous Coward
Re: I'm OK
@ I. Aproveofitspendingonspecificprojects - Go on then, hack your own records and when you've done it let your local NHS trust know, cc The Register. Until that point and while I do accept you're probably joking, please put a sock in it, the whole "Windows is so insecure anyone can hack it" meme is very tired and clearly incorrect.
-
-
Monday 3rd February 2014 20:26 GMT Anonymous Coward
Re: I'm OK
I think I know who your GP is. He's the guy running his surgery on a custom rolled version of *nix because it's "more secure". He is specifically unsupported by the vendors of the software he relies on who have made it abundantly clear that his custom edited version of their software is not supported, recommended or sensible and privately say a great deal more despairingly in fear of one day them being required to support this setup when the disaster occurs. He has no disaster recovery plan, or backups.
His servers are not in racks, they are liberally spread across the floor of a room with power and network cables providing a set of tripwire security, in that when anybody walks into the room chances are good that the entire surgery will suddenly lose everything, and the county level support people will get a call. It's happened before, and the support techs actually beg not to be sent there.
He's also the GP who doesn't realise that the majority of the software that people need to do their jobs only works on Windows. He doesn't know this, because patients (quite bloody rightly!) avoid him in favour of his overworked, but competent colleague so he doesn't have to do much in the way of medical work. Unfortunately this leaves him more time to tinker with IT stuff, yet he still hasn't heard of AD or GPOs and doesn't realise that you can lock Windows boxes down quite thoroughly.
He is a real person, IIRC his surname begins with "M", the county he is in begins with "S" and the name of the town that has the misfortune of him being its GP starts with "F". Correct?
Anon, for obvious reasons!
-
Monday 3rd February 2014 20:55 GMT Anonymous Coward
Here's the official NHS IT Net router installation
As you can see, it uses an equipment cabinet.
As a shelf.
www.flickr.com/photos/79701911@N00/3270608094/
That was a few years back ...
Here's the official replacement using a more modern Cisco router and put in by the official contractor under the management and supervision of the NHS
http://www.flickr.com/photos/midgley/9068055498/
As you can see, it uses a plastic bucket, upside down.
Still, it is reassuring to know that these systems are installed and supported by professionals in salaried IT jobs, rather than by either self-employed doctors who know they depend on them for their business to succeed and their patients to be safe, or anyone they may employ directly and supervise themselves.
Meditel System 5 by the way, the first widespread and well-designed GP automation system (mainly EMR and prescription printing but some decision support etc) was before Windows, and ran on Xenix.
People who think it is all on Windows or needs to be on Windows are likely to be young.
-
Monday 3rd February 2014 13:42 GMT Anonymous Coward
Re: How they want to hold my health records.
" it's unlikely that malware on a web site would expose your records."
However it is highly likely that malware could end up on the main records servers due to a combination of incompetence and poor training at all levels and then it's game over. At least if a surgery gets hacked it's just the patients at that one surgery that have to worry - not the entire bloody country.
-
Monday 3rd February 2014 14:16 GMT Bod
Re: How they want to hold my health records.
"Or do you get a larger organisation who can notice a problem on a Sunday and have a fix in place on Monday?"
I had quite a chuckle at that one. We're talking public sector IT here.
1) They won't notice the problem
2) No one knows what to do about the problem and the original supplier has probably gone under or is deemed too expensive to use for ongoing support
3) It will go round and round for months until someone quotes £5m to fix it and then it takes a year to fix it and the end cost has risen to £10m. For something that's probably a 10 minute job to fix.
-
Monday 3rd February 2014 15:28 GMT Anonymous Coward
Re: How they want to hold my health records.
@Bod
"3) It will go round and round for months until someone quotes £5m to fix it and then it takes a year to fix it and the end cost has risen to £10m. For something that's probably a 10 minute job to fix."
Or the original supplier comes along with V2.0 and says for umpty million quid all your current problems will be solved! Though of course they won't mention they'd have a whole lot of new ones to contend with and they won't explain why they didn't backport the fixes to version 1.0 either.
-
-
Monday 3rd February 2014 20:45 GMT Anonymous Coward
Re: How they want to hold my health records.
There is a limited range of software for General Medical Practice automation, basically EMIS, SystmOne and Vision, and a very few smaller suppliers. We don't each make it up for ourselves, although as it happens, I could.
Support comes as a package with the software, and is backed up by local area teams, whose offices are close enough that were we to really need to get hold of them and discuss something, are not far away.
If the main store is on a server far far away, connected by one piece of wet string to one corner of the building, via one trunk line, then you may feel that secures the records (perhaps you've not been bothered about GCHQ/NSA) however some form of client software is still required on whatever runs on our desktops.
GPs invented this stuff, and got it going quite well, with various IT heroes from the dawn of time. The direction of development nowadays is toward management control, national objectives etc, and as you would expect is entirely benign and in tune with all ethical and practical considerations, as well as being backed up by management, development, and system administration whose excellence is really legendary.
I'm a GP. My coat? The one with the gaffer tape over the namebadge, thanks.
-
Monday 3rd February 2014 11:25 GMT Richard Jones 1
No Health Support For People Or Their Data
I assume that as a minimum they have blocked ALL access to this dangerous mess?
I am not going to try accessing them. I will look into a router block in a few moments.
Then they did put up a warning that the site may affect the health of your data equipment?
Or is action on an NHS waiting list?
Is that the sound of a new Concorde whooshing across the skies or the sound of confidence in NHS records leaving the country?
Or should confidence already be lost since they are probably already in India anyway?
-
Monday 3rd February 2014 12:41 GMT Anonymous Coward
Re: No Health Support For People Or Their Data
When I worked for BT on NPFIT contracts, all NHS patient data had to be held only in England (England, not Scotland, Wales or N Ireland). Mastek had to move their developers for SPINE to England for them to work on any code that had access to patient data.
But who knows who will have access to England's patient data once it's partially anonymised and sold off?
-
Monday 3rd February 2014 13:09 GMT Anonymous Coward
Re: No Health Support For People Or Their Data
> When I worked for BT on NPFIT contracts, all NHS patient data had to be held only in England (England, not Scotland, Wales or N Ireland).
This is still the case today. We have had to put plans into place so we only use a datacentre located and staffed in England, so as not to fall foul of these regulations.
Ironically, we also have a facility located in Wales, who use this same datacentre. NHS Wales seems not to care about where we store data on its patients (or much else on an InfoSec standpoint, for that matter).
Anon for obvious reasons.
-
Monday 3rd February 2014 15:45 GMT BongoJoe
Re: No Health Support For People Or Their Data
This cross border stuff is a nightmare when we have our GP and some hospitals on one side of the England/Wales border and the other hospital that treats us sometimes is on the other...
We have to take our own records backwards and forwards ourselves. Unofficially, of course. But it's the only way that we manage to get consultants to read the same notes.
-
-
Monday 3rd February 2014 11:28 GMT Elmer Phud
" 587 pages said to have been compromised on the www.nhs.uk site, which is run by Capita."
Local 'Easy Council' gits farmed everything out to Crapita (and then gave themselves a pat on the back).
I've been wondering where my DBS application has gone, I suspect the usual well-staffed front office with the usual shoe-string back-office.
We tried to tell them but councillors were too busy congratulating themselves at closing the last of council services and giving themselves putty medals.
-
Monday 3rd February 2014 14:57 GMT Rich 11
Re: Google Aspies
The variation was probably chosen by someone who knew this:
-
Monday 3rd February 2014 13:03 GMT Anonymous Coward
Small problem really
So it looks like what really happened was that some coder inadvertently added an 's' in googleapis.com; possibly years ago.
Some bugger has now registered that domain and hosted crap on it (whois shows: Creation Date: 2014-02-02T00:00:00Z)
So the NHS site wasn't hacked or externally compromised.
It does however show one of the problems of referencing external scripts in a website.
-
Monday 3rd February 2014 13:20 GMT thosrtanner
Re: Small problem really
So they had a load of pages with links to non-existent sites. Not non-existent because they'd recently gone off line but - never existed.
If you're looking for a security hole to exploit, that's a pretty good one. No work on your part beyond looking for pages who send requests to sites which don't exist, register site, populate site with malware, $$$$$
Some level of review and automated checking *before* these pages were pushed out to unsuspecting users would have been a good (and professional) thing.
-
Monday 3rd February 2014 23:06 GMT keithpeter
End user alert: I'm mildly confused...
"So they had a load of pages with links to non-existent sites. Not non-existent because they'd recently gone off line but - never existed."
An API is supposed to return something when you access it.
So why were these pages that were programmed to link to a URL accessing an API (which URL I imagine was some kind of query string with the data going to the API in) which in fact was not returning anything? Was there not some form of test on the returned data (in this case nothing)?
Have I misunderstood anything?
-
-
Monday 3rd February 2014 13:28 GMT Anonymous Coward
Re: Small problem really
"So the NHS site wasn't hacked or externally compromised"
In the sense that the NHS site wasn't modified in any way, I guess you're right.
However, their coding error left a gaping hole which the miscreants took advantage of resulting in the same effect as if they had compromised the site.
So I'm not inclined to let NHS off lightly, or at all.
-
Monday 3rd February 2014 14:39 GMT Jonathan Richards 1
Stop this nonsense forthwith, saith the icon
I suppose that nobody here is unaware of the Firefox extension NoScript, but here's a link, just in case:
The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice
-
Monday 3rd February 2014 14:49 GMT frank ly
Re: Stop this nonsense forthwith, saith the icon
I'd also recommend the Firefox plugin 'Request Policy'. This prevents the browser from accessing content from outside of the domain you're looking at, unless you give it temporary/permanent permission to do so, on a target by target basis. Try it; it's instructive to see how many external sources many websites use. Then those external sources download their own Javascript, etc. and have their own pointers to further external sources.
-
Wednesday 5th February 2014 04:00 GMT Michael Dunn
Re: Stop this nonsense forthwith, saith the icon @frank ly
"Then those external sources download their own Javascript, etc. and have their own pointers to further external sources."
As Pope wrote:
So naturalists observe the flea
Hath smaller fleas that on him prey.
Or in the vernacular:
Little fleas have smaller fleas upon their backs to bite 'em.
Smaller fleas have smaller fleas and so ad infinitum.
-
Wednesday 5th February 2014 12:43 GMT Anonymous Coward
Re: Capita.. wrote it though ...
You'd assume incorrectly. I do not work for them.
I also find it amusing that after the site has been up for many years after one incident of this nature that they are labelled as crap. I think you are more prone to hatred of capita than anything else. Do you know when the typo happened ? Do you know who made the typo ?
The sad fact is humans make mistakes this does not automatically make them crap. Also they've admitted this was human error, they haven't tried to pass it off as anything else.
-
Monday 3rd February 2014 13:53 GMT Fatman
Re: "Routine security checks alerted us to this problem on Monday morning"
But I smell a whiff of the putrid stench of rotting bovine manure. I wonder if the phone ringing off the hook from El Reg and concerned users is actually what alerted them to this problem on Monday morning?
Icon appropriate for this fuck up!!!
As another commentard pointed out, one of the downfalls of pointing to externally hosted web page url elements.
-
-
Monday 3rd February 2014 13:58 GMT Anonymous Coward
Re: "Routine security checks alerted us to this problem on Monday morning"
So those referenced third-party URLs were supposed to be doing what exactly? If it was something related to site functionality don't you think 587 broken pages might have triggered at least ONE regression test failure??
Oh, never mind - just some data scraping/tracking that wasn't working properly. Nothing to see, move on.
-
-
Monday 3rd February 2014 19:55 GMT Roland6
Re: Routine security checks.... @zolygon
So I take it that the public website underwent a major refresh sometime over the weekend (probably Sunday evening?) and went live before the "Routine Security Checks" (which I presume normally run early Monday morning) had been run on it.
Whilst this sequence of activities has a logic to it, the lesson is to do better testing 'offline' and run the "routine security checks" on the new site before it goes live to the 'public' (and retain the current practice of releasing updates on Sunday evening, so that effectively the revised site gets a double dose of "routine security checks").
Interestingly, this actually seems to be a masquerade/impersonation attack on GoogleAPIs.com rather than the NHS.uk, so other users of Google APIs should review their code...
-
Monday 3rd February 2014 16:53 GMT breakfast
But it's alright for Google to have and crossreference this data...
Where they didn't typo, they were linking to Google APIs, which is probably going to be for traffic and link monitoring.
So that's another thing that Google will be able to cross reference when they are building up our profiles.
Which was nice.