Feeds

Rush job MI5 security alert service wide open to snoopers

Shambolic service violates user privacy, Spyblog warns

Internet Security Threat Report 2014

MI5 new e-mail alert service sends web subscription forms to the US without encryption, according to an investigation by Spyblog.

The service, launched by MI5 on Tuesday, is designed to allow subscribers to receive email notification of changing national security threat levels by email. This information is already available on MI5's website for anyone who cares to look.

Worse than being of limited value, Spyblog discovered data submitted to the form is sent to US email marketing and tracking firms without the informed consent of subscribers, evidence of either incompetence or "indifference to the privacy and security of the general public". The privacy campaign website described the heavily promoted service as a "rush job" and a "shambles".

"Astonishingly, MI5, the Security Service, part of whose remit is supposed to be giving protection advice against electronic attacks over the internet, is sending all our personal details (forename, surname and email address) unencrypted to commercial third party e-mail marketing and tracking companies which physically and legally in the jurisdiction of the United States of America, and is even not bothering to make use of the SSL / TLS encrypted web forms and processing scripts which are already available to them," Spyblog rants.

Spyblog looked at the source code of the sign up page and discovered that the web form processing the scripts (http://pmv2.co.uk/bin/listctrl) uses no SSL or TLS encryption and is not even on the MI5 web server. MI5 have outsourced the email subscription process to a third party commercial direct email company, UK-based Mailtrack. This in itself isn't necessarily a bad thing but the server involved in processing these forms is located in the US, hosted by Level 3 in California. The back-end email list marketing software used in the service is provided by another US firm WhatCounts.com.

Spyblog concludes that the set-up of the system means that privacy assurances given on the sign-up form, and promises of adherence to the Data Protection Act 1998, are invalid. "Any ISP or telecomms network administrators, or the Governments of the USA or perhaps also the Canada, can snoop on this MI5 e-mail subscription traffic with impunity," Spyblog reports.

"We will not be surprised if the entire list of MI5 e-mail list subscribers is stolen in transit or by obtained by unauthorised access, perhaps by an existing customer or employee of Mailtrack, Level 3, or WhatCounts".

Transactions processed by the list are "outside of the direct control and protection of the UK Government" and may even be the legal property of these US Companies, Spyblog adds.

Since MI5 uses standard SSL protections elsewhere, Spyblog concludes that system has been set up as rush job. "The MI5 website handles its own SSL / TLS encrypted web forms already, so they know exactly what they should be doing," it notes.

Spyblog's comprehensive analysis of the shortcomings of the service can be found here. ®

Remote control for virtualized desktops

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
State Dept shuts off unclassified email after hack. Classified mail? That's CLASSIFIED
Classified systems 'not affected' - but, is this reconnaissance?
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.