Feeds

ContactPoint goes live despite security fears

Thinking of the children - but is that all?

Reducing security risks from open source software

"How can they stop that?"

"The minister states the data cannot be 'downloaded', but what about Trojans that take pictures of your desktop and send those images back to base? If their security precautions don't account for that then there will be lots of people using infected laptops sending data galore on these children to malicious third parties. Not to mention the issue of simply writing the data down. How can they stop that?"

Boyd added that once the system goes live there'll be no shortage of people willing to have a crack at it.

"Two things will likely happen when the database goes live - the first is that hackers will target it simply for the challenge of accessing such supposedly 'unobtainable' data.

"Secondly, desperate ex-partners (the kind that will happily use so-called 'family keyloggers' to monitor their spouse's actions on a PC) could try to jump on this kind of technology in an effort to grab information regarding their estranged family's whereabouts, perhaps by paying blackhats to do the dirty work for them.

"Based on anecdotal tales from groups who help women abused by partners who use such tech, the husbands tend to have a good grasp of malicious programs, so it's not unreasonable to assume they'll easily find a blackhat who can help them out.

"I doubt the creators of this database have prepared for every attack vector imaginative people will come up with - it's just not possible."

Stuart Okin, UK managing director of security consulting Comsec and a foster parent for four years with knowledge of how the system works, also expressed concerns about how to prevent the leak of sensitive information in both the input and output process.

"As data is going to come from multiple sources and a variety of different systems there will be a temptation to use the lowest common transport method, such as non secure channels (e.g. CDs, unencrypted USB sticks etc.) Every input and output channel needs to be as secure as possible. In addition, data leaving the system will need to be examined. There is little that can be done to prevent a legitimate user screen printing - except to educate them in the need to securely dispose of information."

Some data may be hidden or shielded, for example the address and telephone information for those children who have been subject to physical or sexual abuse. Furthermore the database will not store case information, Okin noted.

Okin added that the sheer number of professionals allowed access to the system will become its greatest security challenge over time. Authorised users will include those working in health, education, youth justice, social care and voluntary organisations.

"Commentators have estimated that around 330,000 users could claim legitimate access to the database (upon Criminal Records Bureau check and training)," Okin told El Reg.

"With this large user base, the problem will not be the hacker or malware attack, but more potentially accidental loss or worse intentional data stealing. In addition, if ContactPoint decides to trust the authentication systems with the current local authority Case Management Systems, then the user population could be even larger and audit trails within ContactPoint would be insufficient to help with preventative abuse."

Layered security controls may limit, while not eliminating, the potential risk; but this may itself have drawbacks, Okin explained.

"The only way to secure a system like this, will be to either dramatically reduce the user population or partition the data and access to it (by role) - both of which could affect the usefulness of the system."

Maximizing your infrastructure through virtualization

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Major problems beset UK ISP filth filters: But it's OK, nobody uses them
It's almost as though pr0n was actually rather popular
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.