ContactPoint goes live despite security fears

Thinking of the children - but is that all?

"How can they stop that?"

"The minister states the data cannot be 'downloaded', but what about Trojans that take pictures of your desktop and send those images back to base? If their security precautions don't account for that then there will be lots of people using infected laptops sending data galore on these children to malicious third parties. Not to mention the issue of simply writing the data down. How can they stop that?"

Boyd added that once the system goes live there'll be no shortage of people willing to have a crack at it.

"Two things will likely happen when the database goes live - the first is that hackers will target it simply for the challenge of accessing such supposedly 'unobtainable' data.

"Secondly, desperate ex-partners (the kind that will happily use so-called 'family keyloggers' to monitor their spouse's actions on a PC) could try to jump on this kind of technology in an effort to grab information regarding their estranged family's whereabouts, perhaps by paying blackhats to do the dirty work for them.

"Based on anecdotal tales from groups who help women abused by partners who use such tech, the husbands tend to have a good grasp of malicious programs, so it's not unreasonable to assume they'll easily find a blackhat who can help them out.

"I doubt the creators of this database have prepared for every attack vector imaginative people will come up with - it's just not possible."

Stuart Okin, UK managing director of security consultancy Comsec and a foster parent for four years with knowledge of how the system works, also expressed concerns about how to prevent the leak of sensitive information in both the input and output process.

"As data is going to come from multiple sources and a variety of different systems there will be a temptation to use the lowest common transport method, such as non-secure channels (e.g. CDs, unencrypted USB sticks etc.). Every input and output channel needs to be as secure as possible. In addition, data leaving the system will need to be examined. There is little that can be done to prevent a legitimate user screen printing - except to educate them in the need to securely dispose of information."

Some data may be hidden or shielded, for example the address and telephone information for those children who have been subject to physical or sexual abuse. Furthermore the database will not store case information, Okin noted.

Okin added that the sheer number of professionals allowed access to the system will become its greatest security challenge over time. Authorised users will include those working in health, education, youth justice, social care and voluntary organisations.

"Commentators have estimated that around 330,000 users could claim legitimate access to the database (upon Criminal Records Bureau check and training)," Okin told El Reg.

"With this large user base, the problem will not be the hacker or malware attack, but more potentially accidental loss or worse intentional data stealing. In addition, if ContactPoint decides to trust the authentication systems with the current local authority Case Management Systems, then the user population could be even larger and audit trails within ContactPoint would be insufficient to help with preventative abuse."

Layered security controls may limit, while not eliminating, the potential risk; but this may itself have drawbacks, Okin explained.

"The only way to secure a system like this, will be to either dramatically reduce the user population or partition the data and access to it (by role) - both of which could affect the usefulness of the system."
