BBC NEWS VOTE 2001      > High graphics
VOTE2001 | Northern Ireland | Scotland | Wales |

High graphics only: Main Issues | Features | Crucial Seats | Key People | Parties | Results & Constituencies | Candidates | Opinion Polls | Online 1000 | Virtual Vote | Talking Point | Forum | AudioVideo | Programmes | Voting System | Local Elections |

Thursday, 17 May, 2001, 13:07 GMT

Conservative website 'open to attack'

By BBC News Online technology correspondent Mark Ward

The woeful security of the Conservative Party website has been exposed by an anonymous computer cracker.

The UK expert says that the conservatives.com website has been failing to take even the most basic security precautions.

He warns that in the run-up to the election anyone who wanted to embarrass the Conservative Party could do so by defacing the site.

The websites run for Michael Portillo, Ann Widdecombe and the Labour Party are almost as easy to compromise, he says.

Security shortcomings

Earlier this week a British cracker who uses the nickname "killingtime" posted comments to the alt.hacker Usenet newsgroup which said that the conservatives.com website has, in his words, "laughable security".

In the message killingtime said he was prompted to probe the security of the conservatives.com site after being incensed by a Tory election broadcast.

He found that the site is lacking most of the patch programs from the past 12 months that would prevent people attacking it via well-known vulnerabilities.

"Any file on this NT box is browsable. That means anyone can download the registry, databases, private files - *anything* - using just a web browser," he wrote in his Usenet message.

On his own website, killingtime goes into more detail about the vulnerabilities and says that widely available hacking tools could be used to exploit the security holes and give a cracker access to the site.

Many net veterans prefer to use the term "cracker" rather than "hacker" to refer to anyone who breaks into sites or computer systems.

Killingtime also issued a warning to the Conservative Party and said: "It is only a matter of time before their web site is defaced."

A technical consultant advising the Conservative Party on the running of its website said killingtime was right that, for some time, the site has been lacking files that would keep it secure.

The missing security patches were applied "within minutes" of the Party finding out it was vulnerable, he said.

The spokesman denied that any system files or files containing confidential information were ever at risk. "Reports that the site is unhardened are simply untrue," he said.

Vulnerabilities

Many malicious hackers and crackers have exploited vulnerabilities in website software to plant programs that harvest information about those using the site or are used to launch remote attacks on other sites.

More recently, killingtime subjected the websites of Michael Portillo, Ann Widdecombe and the Labour Party to the same scrutiny as conservatives.com. While most are not as wide open to attack as the Conservative site, all of them have failed to block well-known vulnerabilities that a determined cracker could exploit.

The comments posted by killingtime were picked up and first publicised by technology news site The Register.



^ Back to top©BBC