U.K. government slammed over bug in outsourced Web site
Visa applicants' personal details revealed to hackers over the Web
Computerworld UK - An investigation into a security bug on a Web site used to apply for U.K. visas has painted a damning picture of "organizational failures" by a government agency and its contractor.
The online U.K. visa application Web site for people in India, Russia and Nigeria was provided by VFS Global, a commercial partner of the joint Foreign Office and Home Office agency, UKVisas.
Ministers pledged an inquiry after the site was closed down in May following publicity over the security bug, which made personal details of visa applicants easily accessible to hackers.
The report by independent investigator Linda Costelloe Baker slams UKVisas' outsourcing of the online service to a firm that is not an IT specialist, the contractor's performance, and the failure to respond adequately when the security hole was first revealed by Indian national Sanjib Mitra in December 2005.
There had been "inadequate central control of the moves to outsourcing" and contracts had paid "insufficient attention to the requirements of the Data Protection Act and to basic IT security".
Costelloe Baker added: "UKVisas was undoubtedly relieved to have the practical administrative assistance provided by outsourcing, but it did not obtain adequate third party or expert assurances that the VFS IT system was robust, even before VFS was allowed to start up an online system."
UKVisas should have made its expectations clearer, Costelloe Baker said, and the contracts drawn up by UKVisas "lacked specificity".
She cited an expert view that the VFS online system "was so poor that it should be completely rewritten". One expert described it as "an upside down pyramid, where piling more levels of changes and processes on the top only makes it more likely to fall over".
Since the debacle, VFS had accepted "that it is not an IT company and that it needs to outsource its software writing", Costelloe Baker said. VFS had been keen to grow a new business -- but in doing so it paid insufficient attention to the level of its own IT skills and abilities.
UKVisas "reacted inadequately" to notifications of the data security vulnerability from three people, the investigation found. Costelloe Baker said: "I do not find it acceptable for a complaint to be simply passed on to a third party -- VFS in this case -- for a response."
VFS took "some remedial action in January 2006" after the flaw was first revealed, but this appeared to have been ineffective in solving the problem. Mitra went public when the bug remained unfixed 18 months later.
In a scathing verdict, Costelloe Baker said: "In my view, there is no evidence to support any finding relating to the competence or performance of specific UKVisas' staff -- the problems were far wider than that.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!