Thread by @NetworkString: "Here's something fun for the weekend. A quick run down of the @BBFC web infrastructure. They use @zodiac_media_uk who in turn use @Exponenti […]" #AgeVerification #av

10 tweets
Here's something fun for the weekend.

A quick run down of the @BBFC web infrastructure.

They use @zodiac_media_uk who in turn use @Exponential_e and @linode to host a @drupal instance (among other things).
Our first port of call is bbfc-varnish.zodiacmedia.co.uk which helpfully provides us with the list of the backend web servers it uses, namely:

bbfc_01 - 176.58.110.210
bbfc_02 - 139.162.216.230

If you check Shodan, you'll see the web servers are running on tcp/8080 (and NTP is open).
They are running PHP 5.5.9 with Drupal 7.

Here are the vulnerabilities for those software versions:

cvedetails.com/vulnerability-…

cvedetails.com/vulnerability-…

Just your usual collection of remote code execution issues.
But hey, this is just the marketing site; who cares? They are only the #ageverification regulator. Who cares if they are lax at computer security?

Oh look, an IBM Domino 9 server... mail.bbfc.co.uk

cvedetails.com/vulnerability-…

Anyway...
Why am I pointing this out?

Well, a lot of people have told the @BBFC that they need to mandate that #ageverification providers *ensure* user security because a breach of #av data has lethal consequences, but the BBFC themselves don't really seem to care that much about security.
Someone at @NCSC / @DCMS should have a word and sort this out because the @BBFC *is* going to be a target and so are the #ageverification companies.

Is the @BBFC "CyberEssentials" certified? If not, why do they have millions of pounds of taxpayers' cash?
But hey, it's not like some annoyed teenager is going to ... oh I don't know, point Metasploit at the website of the Ministry of Truth.

24 hours later, bbfc-varnish.zodiacmedia.co.uk / mail.bbfc.co.uk are now offline / firewalled, but the prod website is still leaking backend metadata that'd be useful to an attacker.

You're going to have to do better once people start getting annoyed at #ageverification ...
The problem with being a vendor for something like the @BBFC is that you become a target yourself.

Attackers may start poking to see if they can find passwords in your redmine, owncloud or gitlab instances.

redmine.zodiacmedia.co.uk
cloud.zodiacmedia.co.uk
gitlab.zodiacmedia.co.uk
Think CloudHopper:

An attacker breaches Zodiac to breach the BBFC, to then use social engineering (spear phishing, etc.) to target the #AgeVerification vendors to breach their DBs.

Once #AgeVerification goes live this will happen.

Those DBs are valuable :(