Thousands of fingered crims, informants spaffed in web security COCK-UP

UK privacy watchdog pokes server config gaffe

Exclusive An IT blunder splashed photos of suspected criminals and details of Brits who reported them over the internet, The Register can reveal.

The Facewatch website, which allows police and businesses to upload and share evidence of alleged petty crimes, was left wide open thanks to a web-server misconfiguration. The schoolboy error allowed anyone to easily access a huge cache of CCTV footage, photos and information about companies that sign up to the service.

El Reg was able to look through almost 5,000 records containing images and films of suspects dating back to March 2011.

We saw shoplifters pilfering from department stores, a man brandishing a stick inside a bookies, and people looking shifty in packed pubs presumably just before a crime took place. Some of the images even had names on them, which would be legally problematic if those pictured turned out to be innocent.

We also saw long lists of shops around Britain which have signed up to Facewatch, along with the names and contact details of their security guards and managers. This could come in handy for any crook wishing to intimidate a witness or exact revenge on the person who reported them to the police.

Big high-street names whose staff details were available for anyone to look at include the Carphone Warehouse, Lloyds Bank and Ladbrokes, which runs a nationwide chain of betting shops. There were also extensive lists of small businesses.

Publicly distributing images of suspected criminals could cause a legal headache due to strict rules on defamation and contempt of court: publishing evidence of a person apparently committing a crime risks prejudicing a jury, should the case ever come to trial, or could ruin their reputation.

Blighty's privacy watchdog, the Information Commissioner's Office (ICO), told us it was beginning inquiries that could lead to a formal investigation.

A spokesman said: “We have recently been made aware of a possible data breach which appears to involve the Facewatch website.

“We will be making enquiries into the potential breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

'Secured by design'

The website boasts it was declared "secured by design" by a police-run body that recognises products or businesses meeting the "Police Preferred Specification" on security. This badge of honour is normally given to secure buildings or physical products, such as window locks and burglar alarms, but Facewatch was awarded the online equivalent.

A gaping hole in the website of a scheme carrying that badge may make businesses think again about how stringent the standard actually is.

You didn't have to be a light-fingered thief or an elite hacker to get into the sensitive files: all that was required was changing "http" to "https" in the website's address, and all the information was there to be browsed.

Specifically, the Nginx software serving the HTTPS site had directory listings enabled and its document root pointed at the top of the server's file tree rather than at the web application. Visiting http://facewatch.co.uk/ redirects to http://facewatch.co.uk/cms/, but the HTTPS site performed no such redirect: with listings switched on and no index page at that root, Nginx answered a request for https://facewatch.co.uk/ with an index of the root directory, which could be explored to find website code, databases of users and folders packed with images.
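The misconfiguration described above, rendered as a pair of Nginx server blocks, is an added illustration and not Facewatch's actual configuration. The hostname and the /cms/ redirect target come from the article; the document roots, certificate paths and every other directive are assumptions. The first pair of blocks reproduces the failure mode (a listing-enabled server block whose root is the whole site tree, with no index file there); the second pair shows a hardened equivalent. Note that `autoindex` is off by default in Nginx, so the weak setup requires someone to have switched it on explicitly, either in the server block or inherited from the enclosing `http` context.

```nginx
# Added example, not Facewatch's real config. The hostname and the /cms/
# path follow the article; all paths and listen/ssl directives are assumed.

# ----- Weak: what the article describes -----
server {
    listen 80;
    server_name facewatch.co.uk;
    # The HTTP site sends visitors straight to the application.
    return 301 http://facewatch.co.uk/cms/;
}

server {
    listen 443 ssl;
    server_name facewatch.co.uk;
    ssl_certificate     /etc/ssl/facewatch.crt;   # assumed path
    ssl_certificate_key /etc/ssl/facewatch.key;   # assumed path

    # Root is the whole deployment tree (code, databases, image folders),
    # and there is no index.html at the top of it...
    root /var/www/facewatch;                      # assumed path

    # ...so with listings enabled, "/" returns an index of that tree.
    # No redirect to /cms/ here, unlike the HTTP server block above.
    location / {
        autoindex on;
    }
}

# ----- Hardened -----
server {
    listen 80;
    server_name facewatch.co.uk;
    # Keep one canonical entry point and put it on TLS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name facewatch.co.uk;
    ssl_certificate     /etc/ssl/facewatch.crt;   # assumed path
    ssl_certificate_key /etc/ssl/facewatch.key;   # assumed path

    # Document root holds only the published app directory (public/cms/).
    # Source, databases and evidence images live outside it, e.g. in
    # /var/www/facewatch/private (assumed), where Nginx cannot map a URL to them.
    root /var/www/facewatch/public;               # assumed path

    # Listings off at server level; a directory with no index file
    # now yields 403 instead of a file list.
    autoindex off;

    # Same landing behaviour as the HTTP site had.
    location = / {
        return 301 /cms/;
    }

    location /cms/ {
        index index.html;
        try_files $uri $uri/ =404;
    }

    # Belt and braces: never serve dotfiles or data/code artefacts even if
    # someone later drops them under the document root by mistake.
    location ~ /\. { return 404; }
    location ~* \.(sql|sqlite|db|bak|old|log|env)$ { return 404; }
}
```

To find where listings are enabled in a running instance, dump the effective configuration with `nginx -T` and search it for `autoindex`; an `autoindex on` at `http` level silently applies to every server block that does not override it. From the outside, a directory listing is easy to spot because Nginx titles the page `Index of /...`, so fetching the site root over both http and https and checking the response title is a quick check worth adding to any pre-launch review.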

We were told about the security hole by a source who was trying to report a crime. While trying to find the address of an HTTPS-encrypted server to send the images to, he found https://facewatch.co.uk/ gave him full read-only access to Facewatch's file tree.

Our source said: "A novice who runs a church website would know not to allow directory browsing."

We reported the security flaw to Facewatch, which closed the hole immediately.

The organisation's chairman Simon Gordon told us the "accessible code related to a previous version" of its website software. And he argued the long lists of email addresses we saw were in the public domain already and could be "accessed by the public in order for people reporting crime to contact those who reported a crime on their behalf".

The chairman admitted that contact details of security staff were left visible but they were people who took "all necessary precautions to protect their personal safety". He continued:

We have undertaken penetration testing to ensure that the information stored in the Facewatch systems is secure and can confirm that all personal data are secure and that our systems are secure. The URL to which you referred us has been closed as this is no longer in use.

Facewatch takes the security of the information which it holds very seriously and works with its clients, including the UK police services, and the data protection regulators to ensure that all data is secure when it is being transmitted to the police or held on behalf of our clients.

The crimes which are reported through the Facewatch system do not relate to crimes against the person or which include violence and those using the system are aware that their business email addresses are made available to a variety of people, both by their own organisations and third parties.

Therefore, any risks in the publication of the email addresses are very unlikely. Our clients are required to post signs confirming that they are using CCTV and that images will be disclosed; many of our clients advertise that they are using the Facewatch system through such signs and by using other means. Therefore, the images of those that the police wish to contact are published with the full knowledge of the individuals concerned.

No names of any crime victims were hosted on the site due to ICO rules that state they should be deleted within 36 hours of recording them.

Some 63,000 people have downloaded Facewatch's smartphone app and its images have been viewed nine million times, we're told. As well as allowing officers and shop bosses to upload files, Facewatch allows Brits to use their mobiles to view CCTV stills and other photos of people wanted for questioning by cops.

Facewatch's Gordon claimed some of the images we found on the server were part of that public mug-shot gallery.

"Some residual images of individuals that the police would like to contact in relation to certain reported crimes were available; these images had been made available to see if members of the public would be able to help with their identification," Gordon said.

The scheme was first tested in London, before being rolled out across the UK. It is operated by a private company called FaceWatch Limited, based in Ipswich. ®
