Information Security News mailing list archives

Companies House website security 'a bit of a mess'


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 28 Nov 2012 02:46:02 -0600 (CST)

http://www.theregister.co.uk/2012/11/28/companies_house_website_security/

By John Leyden
The Register
28th November 2012

Serious security holes in the website of Companies House - the UK database of corporate information - have exposed sensitive data and create the risk of corporate identity theft, security consultants warn.

The UK government agency maintains that alleged security flaws identified by researcher Paul Moore are either in the process of being fixed or not worthy of serious concern. A spokesman initially told El Reg that issues first highlighted in a blog post last month by Moore were "nothing we weren't aware of already". He added that most of the information held by Companies House was public information.

Moore strongly disputes this. His blog post covers a litany of alleged security problems but he said that three were particularly pressing. Firstly comes the ability to log in as any company (WebCheck/WebFiling) without a username/password. Moore is also highly critical of the "poor SSL implementation" on the site. Lastly he charged Companies House with failing to put the site through adequate penetration testing, a security evaluation procedure commonly used across the industry as a means to pick up on security problems before they are exploited by hackers.

Moore first highlighted concerns about the Companies House website more than a month ago. He updated his warnings on with a video highlighting the alleged vulnerabilities to the site, and the potential impact of these disputed security flaws.

[...]

