14 DAY TRIAL // The British Home Office failed to properly decommission a domain name, which was later registered by someone else and used to host a morally questionable website. This caused the old links on its own pages, as well as various electronic documents, to direct visitors to the embarrassing content.
The Home Office, formerly known as the Home Department, is the British equivalent to an Interior Ministry, the Ministry of Internal Affairs or Ministry of Home Affairs, names that are more commonly used in other countries. As such, it is responsible with security and order, co-ordinating the police and other law-enforcement agencies.
The BBC has reports that a Home Office mishap has resulted in a potentially dangerous situation, after a domain name formerly used by its Technical Advisory Boards (TAB) has been left to expire and has been subsequently registered by someone else. But not only has it been left to expire, as the links from the Home Office website pointing to it have neither been removed, nor redirected to a 404 error page.
In this case, the person who registered the domain redirected it to a Japanese adult-content website, but it might have just as easily been used to serve malware, launch phishing attacks, or perform other malicious actions. However, even after the Home Office told BBC that the now-offending links had been cleaned up from its website, remnants of the problem still remained and were most likely to persist for a long time.
As Graham Cluley, senior technology consultant at Sophos, points out, the government workers dealing with this situation did not consider the fact that the URL was also present in various .pdf files and other documents hosted on the Home Office website. But, even if these get cleaned too, it does not entirely solve the problem, because versions of these documents that have already been downloaded by other institutions, organizations, companies and users cannot be automatically cleaned. The same can be said about other websites that might link directly to this domain.
Interestingly enough, this is not the first time that the British Home Office fails to protect domain names it is no longer using. In September 2008, Sophos revealed that the domain name used by the National Hi-Tech Crime Unit at the time was similarly hijacked by a German citizen, who profited from the fact that the Home Office failed to extend its registration.
These unwanted situations should serve as not-to-do examples for other parties that manage domain names of significant public interest. Considering that an org.uk domain name, like the one lost that used to belong to the Technical Advisory Board, can cost as low as £3 ($4.5) per year, it is certainly an investment worth making in order to avoid such an incident. "More care needs to be taken about ensuring website URLs do not fall into the wrong hands, even if it has been decided to mothball an old website," Mr. Cluley concludes.
In an unrelated incident, political blogger "Dizzy Thinks" announces that the website of Paul Clarke, under-secretary of state at the Department of Transport and Labour MP for Gillingham and Rainham, has been defaced by an Egyptian hacker. Calling himself "red virus," the perpetrator has left offensive web graffiti behind.