Feeds

Rush job MI5 security alert service wide open to snoopers

Shambolic service violates user privacy, Spyblog warns

Secure remote control for conventional and virtual desktops

MI5 new e-mail alert service sends web subscription forms to the US without encryption, according to an investigation by Spyblog.

The service, launched by MI5 on Tuesday, is designed to allow subscribers to receive email notification of changing national security threat levels by email. This information is already available on MI5's website for anyone who cares to look.

Worse than being of limited value, Spyblog discovered data submitted to the form is sent to US email marketing and tracking firms without the informed consent of subscribers, evidence of either incompetence or "indifference to the privacy and security of the general public". The privacy campaign website described the heavily promoted service as a "rush job" and a "shambles".

"Astonishingly, MI5, the Security Service, part of whose remit is supposed to be giving protection advice against electronic attacks over the internet, is sending all our personal details (forename, surname and email address) unencrypted to commercial third party e-mail marketing and tracking companies which physically and legally in the jurisdiction of the United States of America, and is even not bothering to make use of the SSL / TLS encrypted web forms and processing scripts which are already available to them," Spyblog rants.

Spyblog looked at the source code of the sign up page and discovered that the web form processing the scripts (http://pmv2.co.uk/bin/listctrl) uses no SSL or TLS encryption and is not even on the MI5 web server. MI5 have outsourced the email subscription process to a third party commercial direct email company, UK-based Mailtrack. This in itself isn't necessarily a bad thing but the server involved in processing these forms is located in the US, hosted by Level 3 in California. The back-end email list marketing software used in the service is provided by another US firm WhatCounts.com.

Spyblog concludes that the set-up of the system means that privacy assurances given on the sign-up form, and promises of adherence to the Data Protection Act 1998, are invalid. "Any ISP or telecomms network administrators, or the Governments of the USA or perhaps also the Canada, can snoop on this MI5 e-mail subscription traffic with impunity," Spyblog reports.

"We will not be surprised if the entire list of MI5 e-mail list subscribers is stolen in transit or by obtained by unauthorised access, perhaps by an existing customer or employee of Mailtrack, Level 3, or WhatCounts".

Transactions processed by the list are "outside of the direct control and protection of the UK Government" and may even be the legal property of these US Companies, Spyblog adds.

Since MI5 uses standard SSL protections elsewhere, Spyblog concludes that system has been set up as rush job. "The MI5 website handles its own SSL / TLS encrypted web forms already, so they know exactly what they should be doing," it notes.

Spyblog's comprehensive analysis of the shortcomings of the service can be found here. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.