It was with more than a little concern that I read about Monday’s attack on the Strathclyde Police website. Sadly, attacks on websites have become all too common, but what really grabbed my attention was the statement released by the Police which highlighted a level of naivety I did not expect from the police.
As reported in The Drum: “They ruled out viruses as the cause and said that no one who had logged onto the site, would have put their computer at risk.”
Perhaps they intended to say that they trust their employees, that they are well trained and educated about current internet threats. But, this completely ignores the fact that most people don’t willingly download viruses and Trojans onto their computers, they are tricked into doing so and frequently have no idea that they are infected.
Then there are the passwords to consider. I remember a case around 20 years ago where a Police force were securing their systems with the password ‘police’. Of course, one would expect people, especially the Police, to be far savvier these days, but weak passwords are endemic and maybe someone just did not take care. As we’ve advised before, it’s important that people change their passwords regularly, using a mixture of upper and lowercase letters, numbers and symbols rather than dictionary words or anything that would be easy to guess.
I’d also be careful about pinpointing blame. It’s unclear why China has been pinpointed as the source of the attack, but it could be anyone pointing links at a server in a country that is, perhaps, just a little slower than others in taking down servers that host malware.
Taking the website down whilst they investigate the cause of the breach is obviously the best response. It’s likely that this was some kind of SQL injection or cross scripting attack and until that error is found, the site remains vulnerable.
The one thing that is clear from this is that adequate security was not in place at the time of the attack, and that is something that will need to be remedied before the site goes back online.