Cybersecurity can be hard. Even for the professionals.
The end of last month saw the official launch of the UK Cyber Security Council, a government-backed consortium with a mandate to boost career opportunities and professional standards in the cybersecurity sector, attract more talent, and increase diversity in the industry.
Reading the announcement in the official press release it certainly sounds like the UK Cyber Security Council has good intentions and worthy aims.
But although there are no issues with the message contained inside the press release, there certainly were problems with the contact information it listed at the bottom.
To the casual reader that looks fine. And maybe some journalists will have emailed email@example.com or even tried to visit the UK Cyber Security Council’s website at ukcybersecurity.org.uk.
But anyone who did so, would have been disappointed.
Because whoever approved the press release before it was sent to the IT press, didn’t double-check that the email address actually worked.
And worse than that, not only did the email address not work – but actually no-one had registered the ukcybersecurity.org.uk domain at all.
In other words, someone other than a representative of the UK Cyber Security Council could waltz in and scoop up the URL. Within a matter of minutes they could have created a malicious website or set up DNS records that would mean any emails sent to the council’s published contact address would end up in someone else’s hands.
Fortunately, ISP owner Adrian Kennard quickly stepped in to help – registering the domain and pointing it to a blog post where he explained what had happened. Kennard offered to pass the domain – free of charge – to the UK Cyber Security Council if they wanted it, rather than let it fall into malicious hands.
As Kennard explains in his blog post, such a simple mistake can have serious consequences that overshadow any embarrassment:
“You may think it is no big deal, but it sort of is. If a fraudster can hijack even one point of contact for an organisation they can do a lot of damage. It becomes easy for them to impersonate that organisation. When it is the press contact for a new organisation they get a huge “foot in the door” as they can reply with helpful details on the organisation along with more contact details (names, email, website, phone, postal), all of which at likely to be helpfully published verbatim by the press who have made enquiries.”
“This then leaves a trail of misinformation on the internet and search engines for the new organisation, possibly swamping the actual accurate details, and allowing fraud to continue for years.”
Kennard has – unsurprisingly – started to receive emails which appear to have been intended for the UK Cyber Security Council’s inbox.
Meanwhile, perhaps inspired by Kennard, other people have begun to register domains that are related to ukcybersecurity.org.uk, such as ukcybersecurity.org and ukcybersecuritycouncil.uk:
At the time of writing, the UK Cyber Security Council hasn’t requested the domain from Kennard, so it is still under his control.
What the UK Cyber Security Council has done, however, is update its press release – giving itself a new email contact address: press@UKcybersecuritycouncil.org.uk.
So, if that’s the council’s new domain name, I wonder what happens if you visit the UKcybersecuritycouncil.org.uk website?
If anything, this proves that anyone can make mistakes that might impact your cyber security. Such an incident should be treated as an opportunity to raise awareness amongst other organisations how even the smallest error can have an impact on the security of your communications, and could potentially impact the privacy and safety of others.
Thank goodness that on this occasion the problem was spotted by one of the good guys, rather than someone with malicious intent.