Feeds

Home Secretary in ID card gaffe

Unhackable? Up to a point, minister

Website security in corporate America

Security experts have rubbished claims by the Home Secretary that databases for the controversial National ID Cards will be "unhackable" because they are being kept off the public internet.

In an interview with BBC Radio 4's Today programme on Thursday, Jacqui Smith said "none of the [ID card] databases will be online, so it won't be possible to hack into them". Experts, such as GCHQ accredited penetration testing firm SecureTest, said the Home Secretary's claims demonstrate complete lack of understanding of the security issues affecting databases.

"There are numerous routes to compromise a database that is not available on the public internet," SecureTest managing director Ken Munro told El Reg.

Internal attacks, where a database could be compromised by an employee or visitor from the inside, and attacks via email are both possible vectors. If an external hacker was able to deliver an exploit to an unsuspecting internal user via email he might be able to get access to a machine that in turn allowed him access to the database.

"The Government Secure Intranet (GSI) mail filtering systems are not sufficient to prevent an unknown [zero day] vulnerability being delivered by email. Using this, the exploited machine would connect outbound to a third party, giving a degree of remote address, and potentially access to the database," Munro explained.

The UK's National Infrastructure Security Co-ordination Centre (NISCC), and other government agencies, have periodically warned of the active use of this kind of targeted attack since at least June 2005. The GSI's mail filtering system is well designed and blocks many of these attacks, but it would be foolish to think it provides complete protection against such assaults.

Munro describes Smith's faith in the inherent security of databases kept off the internet as "misguided" and symptomatic of wider government IT security shortcomings. "The minister's lack of appreciation gives us great concern that government ministers have no significant understanding of security, as evidenced by the recent data losses on CD," he said. "What hope have we got that the National ID card database will be any more secure?"

The Home Secretary's interview with Today can be found here. Smith's interview starts about the 12:00 minute mark and her comment on database security for the National ID Cards project can be found after the 18:20 mark.

In the course of her interview, Smith goes on to explain a revised rollout of ID cards, initially targeting non-EU foreign nationals and young adults. El Reg's take on this "boil a frog" plan can be found here. ®

Internet Security Threat Report 2014

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.