Feeds

Rush job MI5 security alert service wide open to snoopers

Shambolic service violates user privacy, Spyblog warns

Internet Security Threat Report 2014

MI5 new e-mail alert service sends web subscription forms to the US without encryption, according to an investigation by Spyblog.

The service, launched by MI5 on Tuesday, is designed to allow subscribers to receive email notification of changing national security threat levels by email. This information is already available on MI5's website for anyone who cares to look.

Worse than being of limited value, Spyblog discovered data submitted to the form is sent to US email marketing and tracking firms without the informed consent of subscribers, evidence of either incompetence or "indifference to the privacy and security of the general public". The privacy campaign website described the heavily promoted service as a "rush job" and a "shambles".

"Astonishingly, MI5, the Security Service, part of whose remit is supposed to be giving protection advice against electronic attacks over the internet, is sending all our personal details (forename, surname and email address) unencrypted to commercial third party e-mail marketing and tracking companies which physically and legally in the jurisdiction of the United States of America, and is even not bothering to make use of the SSL / TLS encrypted web forms and processing scripts which are already available to them," Spyblog rants.

Spyblog looked at the source code of the sign up page and discovered that the web form processing the scripts (http://pmv2.co.uk/bin/listctrl) uses no SSL or TLS encryption and is not even on the MI5 web server. MI5 have outsourced the email subscription process to a third party commercial direct email company, UK-based Mailtrack. This in itself isn't necessarily a bad thing but the server involved in processing these forms is located in the US, hosted by Level 3 in California. The back-end email list marketing software used in the service is provided by another US firm WhatCounts.com.

Spyblog concludes that the set-up of the system means that privacy assurances given on the sign-up form, and promises of adherence to the Data Protection Act 1998, are invalid. "Any ISP or telecomms network administrators, or the Governments of the USA or perhaps also the Canada, can snoop on this MI5 e-mail subscription traffic with impunity," Spyblog reports.

"We will not be surprised if the entire list of MI5 e-mail list subscribers is stolen in transit or by obtained by unauthorised access, perhaps by an existing customer or employee of Mailtrack, Level 3, or WhatCounts".

Transactions processed by the list are "outside of the direct control and protection of the UK Government" and may even be the legal property of these US Companies, Spyblog adds.

Since MI5 uses standard SSL protections elsewhere, Spyblog concludes that system has been set up as rush job. "The MI5 website handles its own SSL / TLS encrypted web forms already, so they know exactly what they should be doing," it notes.

Spyblog's comprehensive analysis of the shortcomings of the service can be found here. ®

Intelligent flash storage arrays

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The hidden costs of self-signed SSL certificates
Exploring the true TCO for self-signed SSL certificates, including a side-by-side comparison of a self-signed architecture versus working with a third-party SSL vendor.