Feeds

ContactPoint goes live despite security fears

Thinking of the children - but is that all?

Combat fraud and increase customer satisfaction

"How can they stop that?"

"The minister states the data cannot be 'downloaded', but what about Trojans that take pictures of your desktop and send those images back to base? If their security precautions don't account for that then there will be lots of people using infected laptops sending data galore on these children to malicious third parties. Not to mention the issue of simply writing the data down. How can they stop that?"

Boyd added that once the system goes live there'll be no shortage of people willing to have a crack at it.

"Two things will likely happen when the database goes live - the first is that hackers will target it simply for the challenge of accessing such supposedly 'unobtainable' data.

"Secondly, desperate ex-partners (the kind that will happily use so-called 'family keyloggers' to monitor their spouse's actions on a PC) could try to jump on this kind of technology in an effort to grab information regarding their estranged family's whereabouts, perhaps by paying blackhats to do the dirty work for them.

"Based on anecdotal tales from groups who help women abused by partners who use such tech, the husbands tend to have a good grasp of malicious programs, so it's not unreasonable to assume they'll easily find a blackhat who can help them out.

"I doubt the creators of this database have prepared for every attack vector imaginative people will come up with - it's just not possible."

Stuart Okin, UK managing director of security consulting Comsec and a foster parent for four years with knowledge of how the system works, also expressed concerns about how to prevent the leak of sensitive information in both the input and output process.

"As data is going to come from multiple sources and a variety of different systems there will be a temptation to use the lowest common transport method, such as non secure channels (e.g. CDs, unencrypted USB sticks etc.) Every input and output channel needs to be as secure as possible. In addition, data leaving the system will need to be examined. There is little that can be done to prevent a legitimate user screen printing - except to educate them in the need to securely dispose of information."

Some data may be hidden or shielded, for example the address and telephone information for those children who have been subject to physical or sexual abuse. Furthermore the database will not store case information, Okin noted.

Okin added that the sheer number of professionals allowed access to the system will become its greatest security challenge over time. Authorised users will include those working in health, education, youth justice, social care and voluntary organisations.

"Commentators have estimated that around 330,000 users could claim legitimate access to the database (upon Criminal Records Bureau check and training)," Okin told El Reg.

"With this large user base, the problem will not be the hacker or malware attack, but more potentially accidental loss or worse intentional data stealing. In addition, if ContactPoint decides to trust the authentication systems with the current local authority Case Management Systems, then the user population could be even larger and audit trails within ContactPoint would be insufficient to help with preventative abuse."

Layered security controls may limit, while not eliminating, the potential risk; but this may itself have drawbacks, Okin explained.

"The only way to secure a system like this, will be to either dramatically reduce the user population or partition the data and access to it (by role) - both of which could affect the usefulness of the system."

Top three mobile application threats

More from The Register

next story
EU: Let's cost financial traders $400m a day, because EVIL BANKERS. Right?
Wait 'til this one hits your pension fund where it hurts
Systems meltdown plunges US immigration courts into pen-and-paper stone age
Massive outage could last four weeks, sources claim
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
UK.gov chucks £28m at F1 tech for buses and diggers plan
Well, not really F1 but who's heard of LMP and VLN*?
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.