Updated: Someone in the Parliamentary Digital Service managed to leave a server so completely exposed to the internet that Google indexed the Windows machine’s operating system.
Register reader Chris, who stumbled across this while searching for something related to a Google update, discovered that sizeable chunks of bills.parliament.uk, well beyond what should have been firewalled off from the wider world, were exposed online.
“Looks like they were potentially exposing the entire system drive of the Windows webserver as read-only for some time,” he commented.
The information exposed through Google’s cache (the server itself seemed to have been taken offline) appears to contain large chunks of a Windows OS running, among other things, VMware, cygwin, Sophos antivirus, the Lynx WWW client, Splunk, Perl and the usual suite of Windows services.
While the read-only view available through Google’s cache is, at best, merely embarrassing, it also hands anyone determined to break in some useful reconnaissance (which software is installed, and where), and it is not known whether the server itself was exposed read-only or whether write access was available as well.
The Parliamentary Digital Service (PDS) had not replied to The Register’s enquiries by the time of publication.
If you’re curious to see for yourself what Parliament’s running on its boxen, put this search string through Google: site:bills.parliament.uk
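Trawling Google’s cache tells you what was indexed at some point; the quicker check for a box you administer is to ask it directly for files that only exist on a Windows system drive. The script below is an added example, not code from this article or from the Parliamentary Digital Service, and it makes no claim about what bills.parliament.uk actually served: the probe paths are stock Windows file locations, the content signatures are assumptions about what a genuine copy of each file contains, and the two "servers" at the bottom are constructed fakes so the whole thing runs offline.

```python
"""Check whether a web server's document root is a Windows system drive.

Added example (not the article's or PDS's code). Probe paths are stock Windows
locations; the content signatures and the sample servers are assumptions.
"""
from typing import Callable, Dict, Tuple
from urllib.parse import urljoin
import urllib.error
import urllib.request

# path relative to the document root -> bytes expected in a genuine copy of the file.
# Demanding a content signature, not just HTTP 200, avoids false positives from
# servers that answer every unknown path with a 200 "not found" page.
PROBES = {
    "Windows/win.ini": b"[fonts]",
    "Windows/System32/drivers/etc/hosts": b"localhost",
    "Windows/System32/license.rtf": b"{\\rtf",
}

Fetcher = Callable[[str], Tuple[int, bytes]]  # returns (HTTP status, start of body)


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Live fetcher: GET url, return status and up to 4 KiB of body (0 on connection failure)."""
    req = urllib.request.Request(url, headers={"User-Agent": "sysdrive-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as e:
        return e.code, b""
    except (urllib.error.URLError, OSError):
        return 0, b""


def classify(status: int, body: bytes, signature: bytes) -> str:
    """'exposed' = 200 with the expected content; 'catch-all' = 200 without it; else 'absent'."""
    if status != 200:
        return "absent"
    return "exposed" if signature in body else "catch-all"


def probe(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Fetch every probe path under base_url and classify each response."""
    if not base_url.endswith("/"):
        base_url += "/"
    results = {}
    for path, signature in PROBES.items():
        status, body = fetch(urljoin(base_url, path))
        results[path] = classify(status, body, signature)
    return results


def system_drive_exposed(results: Dict[str, str]) -> bool:
    """True when at least one stock Windows file was served with its expected content."""
    return any(v == "exposed" for v in results.values())


# Constructed sample servers so the example runs without touching any real host.
def fake_server(files: Dict[str, bytes], catch_all: bool = False) -> Fetcher:
    def fetch(url: str) -> Tuple[int, bytes]:
        path = url.split("/", 3)[3] if url.count("/") >= 3 else ""
        if path in files:
            return 200, files[path]
        return (200, b"<html>Not found</html>") if catch_all else (404, b"")
    return fetch


# A box serving its system drive read-only (constructed file contents).
EXPOSED_BOX = fake_server({
    "Windows/win.ini": b"; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n",
    "Windows/System32/drivers/etc/hosts": b"# Copyright (c) 1993-2009 Microsoft Corp.\r\n127.0.0.1 localhost\r\n",
})
# A box that answers every path with a 200 page: must NOT be reported as exposed.
CATCH_ALL_BOX = fake_server({}, catch_all=True)

if __name__ == "__main__":
    for name, srv in (("exposed", EXPOSED_BOX), ("catch-all", CATCH_ALL_BOX)):
        r = probe("http://example.invalid", srv)
        print(name, r, "-> system drive exposed:", system_drive_exposed(r))
```

Pass a real base URL with the default fetcher to probe a host you are authorised to test; the catch-all case is there because many front ends return 200 for everything, and a status-only check would call every one of them a leaked system drive.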
The breach, as well as leaving several eggs on the faces of Parliament’s digital bods, is likely to provoke some pisstaking from the other government IT department, the infamous GDS. A few years ago PDS declared that it was hiring a bunch of techies to revamp its website and didn’t want GDS anywhere near it.
More seriously, two years ago a “sustained and determined” cyber attack saw 90 Parliamentary email accounts compromised by attackers who were not identified by the authorities. The attack vector, however, appeared to be a brute-force attempt to find anyone who had set a foolishly weak password, opening the door to further exploitation. ®
Updated to add 17:36 BST 19/06
The Parliamentary Digital Service got in touch to say: "Although we are aware of a server associated with bills.parliament.uk having an issue, no parliamentary data has been exposed and we are working with the server owner to resolve the issue."