TMCnet News

USERS COULD FACE HACK ATTACKS ON UNSECURED GOVERNMENT WEBSITES ; Experts warn that your information may not be secure [Wales on Sunday (Wales)]
[September 22, 2014]


(Wales on Sunday (Wales) Via Acquire Media NewsEdge) MILLIONS of internet users face so-called man-in-the-middle attacks every time they log onto government websites because they do not connect securely to servers.

Almost all council and Welsh Government websites do not use internet protocol 'https' across all pages of their websites.

An https connection ensures the site you are visiting is the one you intended to visit and encrypts communications between computers and servers.

But most authorities only use insecure http as a rule.

"When you go to a server a connection is being made between your computer and another in the world," said Andrew Williams, of the UK Safer Internet Centre.

"What https does is encrypt that data so that someone cannot intercept its journey between your computer and the server.

"That is what we are trying to stop. If you can see that flow of data you can identify things about that person's computer and see what can be found."

Https - which stands for Hypertext Transfer Protocol Secure - was created in the early days of the internet as it began to expand.

"Hackers will try to exploit things," Mr Williams said.



"If you're snooping you might be able to find a password or get access to information on that person's computer to redirect them to your version of a website to get information.

"If you create a fake bank site and intercept someone's traffic to that site you may then be able to get information from them."

The computer expert compared a man-in-the-middle attack to a game of piggy-in-the-middle.

"Janet passes a ball to John or what she thinks is John," he said.


"But in the middle you have got Malcolm.

"Malcolm then passes the ball to John but he thinks it has come from Janet.

"So if John is sending an encryption key to Janet, Malcolm can grab that key and access John's information."

People did not know enough about the web.

"We are aware that security from an educational point of view is something that could be improved across the UK," Mr Williams said.

"It is about having a sense of questioning about what you are doing with information."

Public wi-fi - offered in cafes, stores and shopping centres around the country - left internet users especially vulnerable.

"If you're not using https and are using wi-fi, and a hacker is trying to see what you are doing, you are opening yourself up to password theft," Mr Williams said.

Privacy experts at Berlin's Tactical Technology Collective criticised the authorities.

"It is very irresponsible for them because they are the government," cofounder Marak Tuszynski said.

"Their role is to educate citizens in better processes. If they do not show that their practices are better as internet providers, that undermines their role as public service providers.

"They should have in mind the security and privacy of citizens that are often critical of them collecting too much data."

Switching to https "does not slow transactions" and does not necessarily have an added cost for organisations.

"It speeds up transactions of data," Mr Tuszynski said.

"It can simplify the connection of data between server and client.

"The assumption might be that it would slow down connections but it does not. It can improve it.

"And to avoid confusion for users it would be much more sensible to use https all the time."

The Welsh Government insisted https was not always needed.

"We use https for any interaction that captures data, such as the submission of forms," a spokesman said.

"But for all other general information pages this level of security is simply not required."

The National Assembly for Wales insisted it took data security seriously "in particular the protection of people's personal data."

A spokesman said: "We use the https protocol on those pages of our website where people submit personal data, for example the petitions pages and forms used to contact us.

"Having the additional protocol on all of the assembly's web pages, when not required for security purposes, could slow down the speed of the website making it a less fluid experience for users."

Welsh Local Government Association chief executive Steve Thomas said: "It is not for me to tell 22 local authorities how to undertake IT strategy. But one problem is that navigating sites can be restricting because of protocols."

He also questioned the need for https when financial data was not being inputted.

(c) 2014 ProQuest Information and Learning Company; All Rights Reserved.
