
2,000 NHS Security Vulnerabilities Disclosed - edent
http://shkspr.mobi/blog/2014/03/2000-nhs-security-vulnerabilities-disclosed/
======
grey-area
It is worth pointing out that the majority of these sites do not store patient
data or any privileged information, they are informational brochure type sites
for surgeries to show their opening hours or specific health awareness
campaigns, hence the lack of interest in centralising or updating them. They
could be hacked and defaced I suppose, which wouldn't look so great for the
NHS, but they won't be running on NHS servers or controlled by NHS IT. The XSS
issue is a real one, and they should probably not allow subdomains of nhs.uk
to be used for gp surgeries (the most likely to have terrible websites as they
buy them in themselves).

Patient data is typically held in secure systems like emis etc. run by one of
a few large firms which have contracts with the NHS, so not on this sort of
informational website.

~~~
piqufoh
So if I set up a fake 'contact us' form asking for patient data on a surgery's
nhs.uk domain using XSS that would be ok then?

~~~
grey-area
GP sites don't typically ask for patient data (and should not, given the
budget they are purchased on), they're usually sites with opening times, a few
paras about the GPs etc - if they do ask for patient data it would be by
giving a link to a booking system off-site typically, I'm sure you could find
an exception, but most of them are fairly harmless. The sites are not
exclusively https either - anyone handling patient data should be, that's also
a serious flaw if you're going to start talking about sensitive data being
transferred.

I'm not sure that surgeries would ever be able to adequately protect patient
data on their own sites, so they mostly use externally purchased systems and
the NHS provided IT for handling that (from what I know second hand from
people in the NHS, I don't work there) - those are separate systems from their
brochure websites, which are typically bought from and hosted at some low-
budget shop which churns out WP/drupal/PHP sites for £100 a pop and would
hopefully have the sense to advise surgeries never to collect private patient
data on their website.

The biggest problem here is that these sites have no business being subdomains
of nhs.uk, and should be on something else like gp.uk or whatever, and the NHS
should make it crystal clear that no patient data touches an informational
site (to patients and GPs). It's either that or they need to set up a secure
CMS which all GPs/Hospitals can use for their brochure sites, but that's
likely to be a big budget project and is of questionable value.

You could say the same of most hospital websites - they will not be secure as
they are fire-walled from the actual patient data, and thus it is less of a
priority to keep them secure. Sure it's not nice if they are hacked, but it is
not as important as what happens to patient data.

~~~
Silhouette
_The biggest problem here to my mind is that these sites have no business
being subdomains of nhs.uk, and should be on something else like gp.uk or
whatever, and the NHS should make it crystal clear that no patient data
touches an informational site (to patients and GPs)._

I think it's the "making crystal clear to patients" part that is important
here, because if GPs don't have sufficient security and their sites are
compromised, what they were supposed to do with those sites no longer matters.

The idea that there can be privileged domains like nhs.uk where unmaintained
and potentially insecure sites are hosted and no-one even knows who's
responsible for them is genuinely quite shocking. What next, file your tax
return with izurrevenewzuncustomz.gov.uk (t/a HMRC Ltd)?

~~~
grey-area
It's less shocking when you recognise that these are simply sites to tell
patients when surgeries are open etc. As I said, you can say exactly the same
about other informational sites too like hospitals, universities, etc:

[http://www.gosh.nhs.uk/](http://www.gosh.nhs.uk/)
[http://www.cam.ac.uk/](http://www.cam.ac.uk/)
[http://nyp.org/](http://nyp.org/)
[http://www.highlands.state.nj.us/](http://www.highlands.state.nj.us/)

It would not surprise me to find similar vulnerabilities in all of those
picked at random, given the budget they are typically run on.

I agree it's far from ideal and a situation they should sort out given these
are hosted on .nhs.uk, particularly as we move more and more of our lives
online, there need to be clear rules about which sites are secured and safer
and which are less important.

 _However, these sites do not host patient data._

~~~
Silhouette
_It's less shocking when you recognise that these are simply sites to tell
patients when surgeries are open etc_

The question is, do patients realise that, or will they tend to assume that
because a site is part of the privileged .nhs.uk hierarchy, it is properly run
by the NHS?

The real problem here is about trust, specifically about what should or should
not appear trustworthy to patients because it is or isn't really. Given the
increasing moves to do things like making appointments on-line, the much-
reported efforts to share sensitive health data more widely, and the ever-
changing sources of information and ways to contact the NHS, it seems to me
that it is long past time these issues were resolved. IMHO it has to be done
properly and from the top to have sufficient credibility and enforcement.

~~~
grey-area
For appointments, just as an example, I believe emis and others offer their
own separate systems and apps for this and also provide hosted sites. No idea
if they are more secure but that's where the important data lives, on systems
like that, not on these WordPress sites. There are 2-3 that almost all GPs
use, not sure on hospitals.

[http://www.emis-online.com](http://www.emis-online.com)

I do agree with most of what you're saying though, and this is far from an
ideal situation. Probably a central system makes most sense long term but gov
seems unable (or more recently unwilling) to deliver.

~~~
vertex-four
The point is that if I send you an email, claiming to be your GP, telling you
about "our new appointments system", and linking to something like:

[http://yourgpwebsite.nhs.uk/some-vulnerable-page?xss=..](http://yourgpwebsite.nhs.uk/some-vulnerable-page?xss=..).

And my XSS replaces the page with something that looks like an appointments
system, the average person has _no way_ of knowing that they shouldn't trust
this. There's certainly none of the usual indicators.

------
oneiroi
So the article focuses on out of date WordPress installations, I really think
the NHS has wider security implications given the recent admission of
uploading their ENTIRE patient database onto Google's servers for ease of
deriving statistics ... ([http://www.theguardian.com/society/2014/mar/03/nhs-england-p...](http://www.theguardian.com/society/2014/mar/03/nhs-england-patient-data-google-servers))

Regarding hesitation of posting the information in the blog post; the author
appears to have loosely followed responsible disclosure methods attempting
remediation with the NHS directly before publishing the findings.

NHS, HMRC etc: the information security of these organizations is lax at best,
and downright horrifying; without full disclosure forcing their hand I don't
see any change.

This is why full disclosure / responsible disclosure formed in the first
place.

~~~
edent
It doesn't. I wrote a whole section on non-WordPress vulnerabilities. But,
yes, patient facing sites aren't quite as critical as some of the backend
stuff.

I spent the last two months trying to contact the people responsible. When I
finally did, they said they wouldn't / couldn't do anything :-/

------
jloughry
In the 17th century, John Wilkins wrote of his reasons for full disclosure:

 _If it be feared that this Discourse may unhappily advantage others in such
unlawful Courses; ’tis considerable, that it does not only teach how to
deceive, but consequently also how to discover Delusions._

but even then he knew there were liability risks that go along with
information security research:

 _...the chiefe experiments are of such nature, that they cannot be frequently
practised, without just cause of suspicion, when it is in the Magistrates
power to prevent them._

------
SilkRoadie
Ignoring some of the obvious conversation points, as a developer I like posts
like this and find them very useful.

Information like this demonstrating ways to discover exploits should be more
common knowledge. I feel currently attackers have the advantage over
developers. More posts like this where security is an open topic can only lead
to more secure websites going forward.

------
Silhouette
As an aside, it's a shame about the political snipe partway through this
piece. It might have been a useful citation to give for those of us planning
to write to our MPs in light of the recent disclosures, but I imagine making
an overtly political statement like that would seriously damage its
credibility.

~~~
robk
So frustrating it takes this political tone. It's not helpful in the least to
label the administration "corrupt" and then expect to be taken seriously. It's
not a partisan problem but an institutional one.

------
jloughry
Under current U.S. law, I would be _extremely_ hesitant to publish anything
like this. How different is U.K. law on the subject?

~~~
edent
The Computer Misuse Act is fairly strict - but in this case we haven't
accessed anything without permission, nor altered any data.

We spoke to the overall owner of the sites and they did not object to myself
or the magazine publishing this information.

~~~
jloughry
_We spoke to the overall owner of the sites and they did not object to myself
or the magazine publishing this information._

That's...astonishing.

~~~
edent
We're slightly less litigious this side of the pond... :-)

~~~
polymatter
I'm UKian and I'm astonished. Having worked in the UK Civil Service, it sounds
to me like the person making this decision didn't know what it meant and that
it was an actual security issue. Probably they thought it was sort of idly
interesting, like speculating how many office computers are still beige. Not
that you were listing sites with trusted nhs.uk domains that appear to be easy
to hack.

~~~
edent
I can assure you that we made it abundantly clear how bad the problem was -
including sending links, screenshots, etc. Had phone calls with them where they
did sound genuinely concerned.

Sadly, it didn't transform into action.

------
iamsalman
There are currently no financial penalties if a website is compromised as long
as the data store which has PHIs (Personal Health Information) is encrypted
and the encryption keys are also safe. However, any compromised NHS website
would lead to bad publicity and insecurity.

~~~
Silhouette
_However, any compromised NHS website would lead to bad publicity and
insecurity._

And horrendous scope for phishing. Who's going to think twice about entering
potentially sensitive information into their GP's web site accessed via a
.nhs.uk address? Not most people, I suspect.

~~~
_delirium
I would guess that's an issue even without the nhs.uk address, unfortunately.
American doctors' websites don't have an 'official' domain they're under, but
some people send information via their local doctor's website anyway. So if
you compromise the Wordpress install (and it's likely that thousands of
American doctors have a vulnerable Wordpress install) you could pull in some
potentially sensitive information. The main mitigating factor in the U.S.
would be that so much stuff is still done on paper and over the phone that
many people wouldn't visit the site in the first place.

Like the NHS, American doctors usually don't store actual patient data on the
generic CMS they use for hosting the website. If they have an online "patient
portal" or "billing portal" it's usually a hosted solution that goes offsite,
via a third-party company that provides such services. But it's nonetheless a
huge phishing opportunity. Besides a fake contact form, you could also clone
the portals, replacing the links from the main site, which are supposed to go
off to places like medfusion.net or eclinicalweb.com, with ones that go off to
medfusion.yourdomain.net or whatever, and most people will not think twice as
long as your cloned site looks vaguely similar. I mean the genuine domains
sound halfway like the domains of phishing sites to begin with...

~~~
jloughry
I've noticed a disturbing trend lately of physicians' office portals
connecting silently to _credit reporting agencies_ and using information from
there for authentication. While I applaud them for trying to reliably
authenticate me when I sign in to get blood test results, it's disconcerting
to be faced with questions like this:

    Which of the following cars have you NOT owned?
        - 1999 Ford Explorer
        - 2001 Toyota Tercel
        - 2008 Audi
        - 1996 Hyundai

Along with a few more questions like that one, it's a dead give-away that my
doctor's office is connected to a credit reporting agency. I have seen this
happening in other places as well; evidently credit reporting agencies
recently got into the business of on-line identification and authentication
(I&A).

------
sp332
The coral cache of the page seems to be working
[http://shkspr.mobi.nyud.net/blog/2014/03/2000-nhs-security-v...](http://shkspr.mobi.nyud.net/blog/2014/03/2000-nhs-security-vulnerabilities-disclosed/)