Feeds

Rush job MI5 security alert service wide open to snoopers

Shambolic service violates user privacy, Spyblog warns

High performance access to file storage

MI5 new e-mail alert service sends web subscription forms to the US without encryption, according to an investigation by Spyblog.

The service, launched by MI5 on Tuesday, is designed to allow subscribers to receive email notification of changing national security threat levels by email. This information is already available on MI5's website for anyone who cares to look.

Worse than being of limited value, Spyblog discovered data submitted to the form is sent to US email marketing and tracking firms without the informed consent of subscribers, evidence of either incompetence or "indifference to the privacy and security of the general public". The privacy campaign website described the heavily promoted service as a "rush job" and a "shambles".

"Astonishingly, MI5, the Security Service, part of whose remit is supposed to be giving protection advice against electronic attacks over the internet, is sending all our personal details (forename, surname and email address) unencrypted to commercial third party e-mail marketing and tracking companies which physically and legally in the jurisdiction of the United States of America, and is even not bothering to make use of the SSL / TLS encrypted web forms and processing scripts which are already available to them," Spyblog rants.

Spyblog looked at the source code of the sign up page and discovered that the web form processing the scripts (http://pmv2.co.uk/bin/listctrl) uses no SSL or TLS encryption and is not even on the MI5 web server. MI5 have outsourced the email subscription process to a third party commercial direct email company, UK-based Mailtrack. This in itself isn't necessarily a bad thing but the server involved in processing these forms is located in the US, hosted by Level 3 in California. The back-end email list marketing software used in the service is provided by another US firm WhatCounts.com.

Spyblog concludes that the set-up of the system means that privacy assurances given on the sign-up form, and promises of adherence to the Data Protection Act 1998, are invalid. "Any ISP or telecomms network administrators, or the Governments of the USA or perhaps also the Canada, can snoop on this MI5 e-mail subscription traffic with impunity," Spyblog reports.

"We will not be surprised if the entire list of MI5 e-mail list subscribers is stolen in transit or by obtained by unauthorised access, perhaps by an existing customer or employee of Mailtrack, Level 3, or WhatCounts".

Transactions processed by the list are "outside of the direct control and protection of the UK Government" and may even be the legal property of these US Companies, Spyblog adds.

Since MI5 uses standard SSL protections elsewhere, Spyblog concludes that system has been set up as rush job. "The MI5 website handles its own SSL / TLS encrypted web forms already, so they know exactly what they should be doing," it notes.

Spyblog's comprehensive analysis of the shortcomings of the service can be found here. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.