Tuesday 10 June 2008

UK Government sites hit by SQL Injection attacks

Do you trust the government with your personal data? A look at some recent national and local government sites that have been compromised with SQL injection attacks might make you think again.

  • fco.gov.uk - Foreign and Commonwealth Office
  • dfes.gov.uk - Department for Children, Schools and Families
  • harrow.gov.uk - Harrow Council
  • cwic.cornwall.gov.uk - Cornwall County Council
  • cityoflondon.gov.uk - City of London
  • corpoflondon.gov.uk - City of London
  • nottinghamcity.gov.uk - Nottingham City Council
  • relocateleicester-shire.gov.uk - Leicestershire County Council
  • gos.gov.uk - Government Office Network
  • lda.gov.uk - London Development Agency
  • uktradeinvest.gov.uk - UK Trade & Investment
  • dcalni.gov.uk - Northern Ireland leisure and tourism
  • colchester.gov.uk - Colchester Borough Council
  • countryside.wales.gov.uk - Welsh assembly
  • cefngwlad.cymru.gov.uk - Welsh assembly
  • broadband.cymru.gov.uk - Welsh assembly
  • wmra.gov.uk - West Midlands Regional Assembly
  • wmlga.gov.uk - West Midlands Local Government Association
  • wycombe.gov.uk - Wycombe District Council
  • southshropshire.gov.uk - South Shropshire District Council
  • businesslink.gov.uk - Business Development
  • shetland.gov.uk - Shetland Council
  • unlockingessex.essexcc.gov.uk - Essex County Council
  • e-petitions.kingston.gov.uk - Kingston Borough Council
  • clevelandfire.gov.uk - Cleveland Fire & Rescue
  • surreyheath.gov.uk - Surrey Heath Council
  • rbkc.gov.uk - Royal Borough of Kensington and Chelsea
  • conwy.gov.uk - Conwy County Council

These are some example searches that show the problem (note that the search results will change over time, and the results themselves may lead to malware). Yahoo! examples: 1 2 3 4 5; Google examples: 1 2 3 4

Widen the search to sites containing .gov that carry the "b.js" exploit (the most common one), and you can see that government sites all over the world have been compromised, with Yahoo! estimating 11,000 infected pages. Think about it: these should be trusted sites, but clearly they are not safe. Remember: there is no such thing as a trusted site anymore.
