Thousands of fingered crims, informants spaffed in web security COCK-UP

UK privacy watchdog pokes server config gaffe

The Essential Guide to IT Transformation

Exclusive An IT blunder splashed photos of suspected criminals and details of Brits who reported them over the internet, The Register can reveal.

The Facewatch website, which allows police and businesses to upload and share evidence of alleged petty crimes, was left wide open thanks to a web-server misconfiguration. The schoolboy error allowed anyone to easily access a huge cache of CCTV footage, photos and information about companies that sign up to the service.

El Reg was able to look through almost 5,000 records containing images and films of suspects dating back to March 2011.

We saw shoplifters pilfering from department stores, a man brandishing a stick inside a bookies, and people looking shifty in packed pubs presumably just before a crime took place. Some of the images even had names on them, which would be legally problematic if those pictured turned out to be innocent.

We also saw long lists of shops around Britain which have signed up to Facewatch, along with the names and contact details of their security guards and managers. This could come in handy for any crook wishing to intimidate a witness or exact revenge on the person who reported them to the police.

Big high-street names whose staff details were available for anyone to look at include the Carphone Warehouse, Lloyds Bank and Ladbrokes, which runs a nationwide chain of betting shops. There were also extensive lists of small businesses.

Publicly distributing images of suspected criminals could cause a legal headache due to strict rules on defamation and contempt of court: publishing evidence of a person apparently committing a crime risks prejudicing a jury, should the case ever come to trial, or could ruin their reputation.

Blighty's privacy watchdog - the Office of the Information Commissioner - told us it was beginning inquiries that could lead to a formal investigation.

A spokesman said: “We have recently been made aware of a possible data breach which appears to involve the Facewatch website.

“We will be making enquiries into the potential breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

'Secured by design'

The website boasts it was declared "secured by design" by a police-run body that recognises products or business that meet the "Police Preferred Specification" on security. This badge of honour is normally given to secure buildings or products, such as window locks and burglar alarms, but Facewatch was awarded the online equivalent.

But with a gaping security hole in its website, this could make businesses think again about how stringent this standard actually is.

You didn't have to be a light-fingered thief nor an elite hacker to get into the sensitive files: all that was required was changing "http" to "https" in the website's address and all the information was there to be accessed.

Specifically, the Nginx software running the HTTPS site was incorrectly configured to list the contents of file directories on the web server rather than serving the intended web pages. Visiting http://facewatch.co.uk/ redirects to http://facewatch.co.uk/cms/ but this did not happen on the HTTPS site, which instead revealed the index of the server root directory, which could be explored to find website code, databases of users and folders packed with images.

We were told about the security hole by a source who was trying to report a crime. While trying to find the address of a HTTPS-encrypted server to send the images to, he found https://facewatch.co.uk/ gave him full read-only access to Facewatch's file tree.

Our source said: "A novice who runs a church website would know not to allow directory browsing."

We reported the security flaw to Facewatch, which closed the hole immediately.

The organisation's chairman Simon Gordon told us the "accessible code related to a previous version" of its website software. And he argued the long lists of email addresses we saw were in the public domain already and could be "accessed by the public in order for people reporting crime to contact those who reported a crime on their behalf".

The chairman admitted that contact details of security staff were left visible but they were people who took "all necessary precautions to protect their personal safety". He continued:

We have undertaken penetration testing to ensure that the information stored in the Facewatch systems is secure and can confirm that all personal data are secure and that our systems are secure. The URL to which you referred us has been closed as this is no longer in use.

Facewatch takes the security of the information which it holds very seriously and works with its clients, including the UK police services, and the data protection regulators to ensure that all data is secure when it is being transmitted to the police or held on behalf of our clients.

The crimes which are reported through the Facewatch system do not relate to crimes against the person or which include violence and those using the system are aware that their business email addresses are made available to a variety of people, both by their own organisations and third parties.

Therefore, any risks in the publication of the email addresses are very unlikely. Our clients are required to post signs confirming that they are using CCTV and that images will be disclosed, many of our clients advertise that they are using the Facewatch system through such signs and by using other means. Therefore, the images of those that the police wish to contact are published with the full knowledge of the individuals concerned.

No names of any crime victims were hosted on the site due to ICO rules that state they should be deleted within 36 hours of recording them.

Some 63,000 people have downloaded Facewatch's smartphone app and its images have been viewed nine million times, we're told. As well as allowing officers and shop bosses to upload files, Facewatch allows Brits to use their mobiles to view CCTV stills and other photos of people wanted for questioning by cops.

Facewatch's Gordon claimed some of the images we found on the server were part of that public mug-shot gallery.

"Some residual images of individuals that the police would like to contact in relation to certain reported crimes were available, these images had been made available to see if members of the public would be able to help with their identification," Gordon said.

The scheme was first tested in London, before being rolled out across the UK. It is operated by a private company called FaceWatch Limited, based in Ipswich. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Fiendishly complex password app extension ships for iOS 8
Just slip it in, won't hurt a bit, 1Password makers urge devs
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.