RVBC Email Contact re Site Security

Stuart Haworth <Stuart.Haworth@ribblevalley.gov.uk> - 31 Jul

 

Dear Mr Helme

 

Thank you for bringing to our attention the vulnerability within our website.

 

I can assure you that we are taking this matter extremely seriously and are currently working with our software supplier to resolve this issue. Having highlighted your shared concern over the security of personal and sensitive information in your email to us, I am very disappointed to discover your video detailing the vulnerability and how to exploit this on your website and also on YouTube.

 

I ask that you remove this video from your website and YouTube immediately and also any reference that you have made on your website or elsewhere to Ribble Valley Borough Council or our website. Publicising such a vulnerability only encourages others to attempt to exploit it and potentially gain unauthorised access to the personal details of registered users of the site that we fervently protect.

 

As I am sure you are aware, any unauthorised penetration/security testing may breach the Computer Misuse Act 1990 and could lead to legal proceedings being pursued.

 

Yours sincerely

Stuart Haworth

ICT Manager

Ribble Valley Borough Council

Tel: 01200 414458

Email: stuart.haworth@ribblevalley.gov.uk

 

 

Best in the country for customer satisfaction – 94 per cent of Ribble Valley residents are satisfied with life in the borough (Place Survey 2009)

 

 

This transmission is intended for the named addressee(s) only and may contain sensitive, protectively marked or restricted material, and should be handled accordingly. Unless you are the named addressee (or authorised to receive it for the addressee) you may not copy, use, or disclose it to anyone else. If you have received this transmission in error, notify the sender immediately. All GCSX traffic may be subject to recording and/or monitoring in accordance with relevant legislation. This e-mail is issued subject to Ribble Valley Borough Council’s e-mail disclaimer, which you are taken to have read and accepted. Click here for further details.

 

 

------------------------------------------------------

 

 

Scott Helme <*snip email*> - 31 Jul

 

Dear Stuart,

 

Thanks for taking the time to respond to my initial email. I'm glad you appreciate that I have come forward with this information and are taking steps to act upon it so swiftly.

 

My blog post and the associated video only demonstrate a technique that would make it possible for a user to access their own account from their own computer, that is all. It is more a proof of concept and is not a viable method to compromise other user accounts or data. To do that would require a much more complex attack vector far beyond the scope of my demonstration. Session Hijacking is a very common form of attack and a brief search on YouTube or Google can reveal literally thousands of guides and videos that go far more in-depth than my own. Given this I feel that my own video is likely to do little to encourage anyone more than the thousands already present and would like to politely decline your request for the removal of this video and blog post.

 

You are indeed correct that I am aware of the ramifications of unauthorised security/penetration testing. As can be clearly seen in my video demonstration I have accessed only my own network traffic and my own account data. This resulted in no form of attack or attempted compromise of your own systems as, by their very nature, a man in the middle attack requires no breach of the host website whatsoever. I sincerely hope that this wasn't a thinly veiled attempt at intimidating me as I have come forward with this information with the best of intentions and sole aim of ensuring a safer browsing experience for everyone on the RVBC website. Had my intentions been less honest I would not have brought this to your attention to be resolved. I hope the information I have provided has been useful and look forward to offering any further assistance that I may be able to provide.

 

Kindest regards,

 

Scott Helme.