Their 'next job could be in cyber': UK Cyber Security Council launches itself by pointing world+dog to domain it doesn't own

Shouting cyber cyber cyber, mega mega fail thing


The UK Cyber Security Council announced itself to the public realm last week by touting a domain it doesn't own. Helpfully, internet jokesters then bought up variations on the official address.

A brainchild of the Department for Digital, Culture, Media and Sport, the UK Cyber Security Council is billed by government as "the regulatory body, and voice, for UK cyber security education, training and skills." As part of that it "drives progress towards meeting the key challenges the profession faces."

All very worthy and important. When British infosec folk noticed that the official press release mentioned an email address for ukcybersecurity[.]org[.]uk, however, everything started unravelling.

Why? Because the UK Cyber Security Council didn't own ukcybersecurity[.]org[.]uk. Nobody did – until Adrian Kennard bought it and pointed it at his personal blog, where he dispensed some gentle advice to the new org.

"One of the tips I can give you when it comes to cyber security is that you should be careful to ensure that contact details you publish actually belong to you," wrote Kennard, who runs a UK ISP, adding: "It took a while to stop laughing at the irony first, but now, yes, the UK Cyber Security Council are welcome to ukcybersecurity.org.uk. They can email me at press@ukcybersecurity.org.uk for more information (be nice)."

The UK Cyber Security Council domain doesn't even have a parking page, let alone a working website behind it

So far nobody's asked for the domain, Kennard told The Register – though there were a couple of attempts to register GPG keys for the address which he said weren't by him. This could have been serious had an actual fraudster got hold of the domain: they would then be able to present themselves as an authenticated representative of UKCSC.

Others who picked up on the missing domain were slightly less nice. The domain ukcybersecuritycouncil.uk currently returns this actually-quite-helpful page…

Some joker set up a spoof UK Cyber Security Council webpage to answer an obvious question

… which points out what happens when you visit what appears to be the legitimate domain, ukcybersecuritycouncil.org.uk. Yes, that's an HTTP 502 error: there's nothing there to view. Inspired viral marketing move, there.

We have asked both DCMS and the UK Cyber Security Council to comment, the latter via what we hope is its actual email address. If this article disappears after publication and is replaced by offers from "Elon Musk" for "free Bitcoin", we might have to keep asking around.

Your next job could be in cyber....

The UKCSC was first mooted in 2018 before being formally announced in the government's Defence Industrial Strategy in March. It's not clear exactly what the new body will do, though it boasts a variety of professional membership bodies as members including the British Computer Society (aka the Chartered Institute for IT), the Institution of Engineering and Technology and, inevitably, TechUK.

In its marketing fluff UKCSC declared it will deliver "thought leadership, career tools and education resources to the cyber security sector and those seeking a career in the industry, alongside helping influence government, industry and academia with the aim of developing and promoting UK cyber security excellence globally and growing the skills base."

El Reg suggests that constructing a website and not directing the press to a non-existent domain would be two good pieces of thought leadership to start with. ®

