The Register® — Biting the hand that feeds IT

Feeds

Home Secretary in ID card gaffe

Unhackable? Up to a point, minister

By John Leyden, 7th March 2008
  • print
  • alert

What you need to know about cloud backup

Security experts have rubbished claims by the Home Secretary that databases for the controversial National ID Cards will be "unhackable" because they are being kept off the public internet.

In an interview with BBC Radio 4's Today programme on Thursday, Jacqui Smith said "none of the [ID card] databases will be online, so it won't be possible to hack into them". Experts, such as GCHQ accredited penetration testing firm SecureTest, said the Home Secretary's claims demonstrate complete lack of understanding of the security issues affecting databases.

"There are numerous routes to compromise a database that is not available on the public internet," SecureTest managing director Ken Munro told El Reg.

Internal attacks, where a database could be compromised by an employee or visitor from the inside, and attacks via email are both possible vectors. If an external hacker was able to deliver an exploit to an unsuspecting internal user via email he might be able to get access to a machine that in turn allowed him access to the database.

"The Government Secure Intranet (GSI) mail filtering systems are not sufficient to prevent an unknown [zero day] vulnerability being delivered by email. Using this, the exploited machine would connect outbound to a third party, giving a degree of remote address, and potentially access to the database," Munro explained.

The UK's National Infrastructure Security Co-ordination Centre (NISCC), and other government agencies, have periodically warned of the active use of this kind of targeted attack since at least June 2005. The GSI's mail filtering system is well designed and blocks many of these attacks, but it would be foolish to think it provides complete protection against such assaults.

Munro describes Smith's faith in the inherent security of databases kept off the internet as "misguided" and symptomatic of wider government IT security shortcomings. "The minister's lack of appreciation gives us great concern that government ministers have no significant understanding of security, as evidenced by the recent data losses on CD," he said. "What hope have we got that the National ID card database will be any more secure?"

The Home Secretary's interview with Today can be found here. Smith's interview starts about the 12:00 minute mark and her comment on database security for the National ID Cards project can be found after the 18:20 mark.

In the course of her interview, Smith goes on to explain a revised rollout of ID cards, initially targeting non-EU foreign nationals and young adults. El Reg's take on this "boil a frog" plan can be found here. ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (74)
Latest Comments
Doug

Only 30% voted for them last time...

We are encouraging the democracy craze to various parts of the world and yet we have the worst example of democracy. Our beloved dictator wasnt voted in and it only takes 30% of total votes to get into power! So no wonder its all a bit of a disaster.

Note that if you do bump into Jacqui at a kebab place in Peckham, dont give her any grief over this. She'll have a couple of bodyguards next to the sauces and the bulges in their trousers wont be cos they are pleased to be with her.

Alien, cos i reckon they are all from another planet.

0
0
Martin

tehnically correct?

i am sure the core databases wont be direcly connected to the web.

check out most EAI designs and you will find the core data sat back offiice side and the data presneted to the front end via some operational data sotres and or a web facing portal

the databases wont be "online" but surely the data would?

otherwise how could any validation against the records take place?

0
0
Anonymous Coward
Anonymous Coward

re: Why can't the biometric data be kept on the card, encrypted...

Because that would protect the privacy and security of the citizen, when the object of the exercise is to remove them and place them in the hands of the Home Office... to build One Big Reference File on everyone with all significant transactions logged: Total Information Awareness.

It doesn't matter that it can't work as they imagine. It's the bureaucratic Holy Grail of a paranoid governmentalist state. The more impossible it is, the more they want it.

....

@ George - You are Yogesh Raja and I claim the Westminster Gazette prize!

0
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
135
breaking news
Jailed LulzSec hacker Cleary coughs to child porn images, will be freed soon
Some images of infants as young as six months
68
NSA whistleblower to tech firms, Obama: 'Grow a pair!'
Ed Snowden: Email tracking grabs 'IPs, raw data, content, headers, attachments, everything'
66
Google flings another £1m at online child sex abuse vid CRACKDOWN
See, see, we're trying, ad giant tells Daily Mail UK.gov
41
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
SCO vs. IBM battle resumes over ownership of Unix
Zombie lawsuit back and wants to suck the brains out of Linux
119
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Not just telcos, THOUSANDS of companies share data with US spies
It's all perfectly legal, trust us
68
NSA: We COULD track you by your phone ... if we WANTED to
Honestly, too much work, can't be bothered
53