Feeds

Rush job MI5 security alert service wide open to snoopers

Shambolic service violates user privacy, Spyblog warns

Choosing a cloud hosting partner with confidence

MI5 new e-mail alert service sends web subscription forms to the US without encryption, according to an investigation by Spyblog.

The service, launched by MI5 on Tuesday, is designed to allow subscribers to receive email notification of changing national security threat levels by email. This information is already available on MI5's website for anyone who cares to look.

Worse than being of limited value, Spyblog discovered data submitted to the form is sent to US email marketing and tracking firms without the informed consent of subscribers, evidence of either incompetence or "indifference to the privacy and security of the general public". The privacy campaign website described the heavily promoted service as a "rush job" and a "shambles".

"Astonishingly, MI5, the Security Service, part of whose remit is supposed to be giving protection advice against electronic attacks over the internet, is sending all our personal details (forename, surname and email address) unencrypted to commercial third party e-mail marketing and tracking companies which physically and legally in the jurisdiction of the United States of America, and is even not bothering to make use of the SSL / TLS encrypted web forms and processing scripts which are already available to them," Spyblog rants.

Spyblog looked at the source code of the sign up page and discovered that the web form processing the scripts (http://pmv2.co.uk/bin/listctrl) uses no SSL or TLS encryption and is not even on the MI5 web server. MI5 have outsourced the email subscription process to a third party commercial direct email company, UK-based Mailtrack. This in itself isn't necessarily a bad thing but the server involved in processing these forms is located in the US, hosted by Level 3 in California. The back-end email list marketing software used in the service is provided by another US firm WhatCounts.com.

Spyblog concludes that the set-up of the system means that privacy assurances given on the sign-up form, and promises of adherence to the Data Protection Act 1998, are invalid. "Any ISP or telecomms network administrators, or the Governments of the USA or perhaps also the Canada, can snoop on this MI5 e-mail subscription traffic with impunity," Spyblog reports.

"We will not be surprised if the entire list of MI5 e-mail list subscribers is stolen in transit or by obtained by unauthorised access, perhaps by an existing customer or employee of Mailtrack, Level 3, or WhatCounts".

Transactions processed by the list are "outside of the direct control and protection of the UK Government" and may even be the legal property of these US Companies, Spyblog adds.

Since MI5 uses standard SSL protections elsewhere, Spyblog concludes that system has been set up as rush job. "The MI5 website handles its own SSL / TLS encrypted web forms already, so they know exactly what they should be doing," it notes.

Spyblog's comprehensive analysis of the shortcomings of the service can be found here. ®

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Apple grapple: Congress kills FBI's Cupertino crypto kybosh plan
Encryption would lead us all into a 'dark place', claim G-Men
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.