Feeds

Home Secretary in ID card gaffe

Unhackable? Up to a point, minister

Choosing a cloud hosting partner with confidence

Security experts have rubbished claims by the Home Secretary that databases for the controversial National ID Cards will be "unhackable" because they are being kept off the public internet.

In an interview with BBC Radio 4's Today programme on Thursday, Jacqui Smith said "none of the [ID card] databases will be online, so it won't be possible to hack into them". Experts, such as GCHQ accredited penetration testing firm SecureTest, said the Home Secretary's claims demonstrate complete lack of understanding of the security issues affecting databases.

"There are numerous routes to compromise a database that is not available on the public internet," SecureTest managing director Ken Munro told El Reg.

Internal attacks, where a database could be compromised by an employee or visitor from the inside, and attacks via email are both possible vectors. If an external hacker was able to deliver an exploit to an unsuspecting internal user via email he might be able to get access to a machine that in turn allowed him access to the database.

"The Government Secure Intranet (GSI) mail filtering systems are not sufficient to prevent an unknown [zero day] vulnerability being delivered by email. Using this, the exploited machine would connect outbound to a third party, giving a degree of remote address, and potentially access to the database," Munro explained.

The UK's National Infrastructure Security Co-ordination Centre (NISCC), and other government agencies, have periodically warned of the active use of this kind of targeted attack since at least June 2005. The GSI's mail filtering system is well designed and blocks many of these attacks, but it would be foolish to think it provides complete protection against such assaults.

Munro describes Smith's faith in the inherent security of databases kept off the internet as "misguided" and symptomatic of wider government IT security shortcomings. "The minister's lack of appreciation gives us great concern that government ministers have no significant understanding of security, as evidenced by the recent data losses on CD," he said. "What hope have we got that the National ID card database will be any more secure?"

The Home Secretary's interview with Today can be found here. Smith's interview starts about the 12:00 minute mark and her comment on database security for the National ID Cards project can be found after the 18:20 mark.

In the course of her interview, Smith goes on to explain a revised rollout of ID cards, initially targeting non-EU foreign nationals and young adults. El Reg's take on this "boil a frog" plan can be found here. ®

Security for virtualized datacentres

More from The Register

next story
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.