Feeds

ContactPoint goes live despite security fears

Thinking of the children - but is that all?

Top three mobile application threats

Striking a difficult balance

A difficult balance between useability and security needs to be struck, Okin argued.

"A database of this nature is very sensitive, and even more so in this case as the content concerns children. The security of such a database is critical to ensure the safety of the children's personal data. It needs to be ensured that the proper security controls around such data are in place before deploying this system.

"While it is important to facilitate the quick response and handling of these cases and streamline the processes involved with ensuring their safety, this cannot be done at the expense of their security."

Peter Houppermans, an independent security consultant who designed the UK's government GSI intranet while working for Cable & Wireless, said that contrary to what the minister claims, there are "no real security implications in talking about an overall result" of a penetration test.

"If there are issues I think it is worth mentioning that 'further work is required' in the interest of transparency and the taxpayer knowing if value for money is delivered," Houppermans told El Reg.

Houppermans added that questions remain over the minster's assurance that "remote access is impossible from unsecured broadband and public locations".

"If ContactPoint is not part of the GSI or another closed network I would be concerned that the reality differs from what the minister presently understands to be the case. There is no denial that access can take place over wireless, just that this access would be 'secured'."

Houppermans is doubtful about the insistence that data from the database can't be downloaded.

"That would be a challenge unless every single system having access is subject to the same, stringently enforced rules and security policies (such as USB and CD drive lockdown). Not that it's needed - do they have email? How is that secured? And what about that favourite train deposit format, printed paper?"

Like Okin, Houppermans stressed the importance of security awareness training for ContactPoint users if there's to be any hope that the system will be secure.

Tories ready to 'pull the plug'

Of course, the developing and the worrying, may be in vain, as the Conservatives have promised to scrap the system, if elected.

The Conservatives are interested in both the financial and privacy implications of the proposed database. The Tories are calling for the publication of a government-commissioned security report from Deloitte, an executive summary of which was published by the government back in February. The Conservatives also intend to closely monitor the progress of the project ahead of the next readiness assessment, which is due out in June.

Tim Loughton, Shadow Minister for Children and Young People, commented: 'The expert verdict is clear - ContactPoint will not be safe. The Government needs to publish urgently the full security report so that everyone can know just how insecure the database is. The Government have a terrible track record of keeping our data safe - it needs to pull the plug on this unnecessary and potentially dangerous database."

Critics of the system are united in their belief that security has been designed as an afterthought. The presence of sensitive data with no effective opt-out, and questionable security controls, exercising researchers, opposition and other critics such as the Joseph Rowntree Reform Trust (paper of Database State here).

Many are concerned about how the proposed shielding mechanism will work in practice and whether the functions covered by the database will expand over time, so called mission-creep. Because the database provides a mechanism for registering all children that complements the National Identity Register its evolution and progress has become a political hot potato that New Labour government may find difficult to handle, even if the next phase of its roll-out runs smoothly.

Implementation of the system has already been repeatedly delayed by privacy concerns. Despite the ministry's superficially impressive security policy many privacy issues remain and could yet prove the undoing of ContactPoint, leaving a policy vacuum in how to co-ordinate the actions of care agencies that could prove difficult to plug. ®

3 Big data security analytics techniques

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.