
Showing posts with label Data Security. Show all posts

Wednesday, 21 December 2011

Is this really an improvement in security?

I like to keep up to date with technology but the consumer tech industry issues 'must have' updates far too often for this to be possible, at least with my financial resources. So when I heard that Android 4.0 aka 'Ice Cream Sandwich' was out on some new smartphones I was both interested and irritated; I already own, and am really pleased with, a Samsung Galaxy SII. There does not seem to be a killer feature on the new OS so I will probably wait until it is free upgrade time again.

However one of the features being touted as a reason to buy a new device running Ice Cream Sandwich is the face unlock feature. This means that rather than having to type in a four-digit unlock code, which is apparently so tricky to remember, you just hold the phone up to your face and it unlocks. Hmmmm... How many people out there have to carry a security pass to enter their office building? How many of you have a head shot photo on your pass? Am I being stupid but unless this face recognition is cleverer than I predict it is, can it not be fooled by someone else holding up a picture of my face to the screen?

Tuesday, 21 June 2011

Can I guess your iPhone passcode?

1234
0000
2580
1111
5555
5683
0852
2222
1212
1998

If your iPhone passcode is one of those then you are, according to recent research, amongst the 15% of iPhone users who use one of those codes...

Data security and the UK census

The claim:
'Census data security measures

Data security and confidentiality is a top priority for the census. In addition to the strong protection provided by the law, ONS has put in place stringent additional safeguards.

All census employees and contractors working on the census sign a declaration of confidentiality to guarantee their understanding and compliance with the law which makes unauthorised disclosure of personal census data an imprisonable offence.

All staff who have access to the full census data set in the operational data centre will work for ONS.

All staff processing any personal census data will be security cleared to the UK Baseline Standard. This requirement has also been extended to all employees of the supplier and their sub-contractors handling any personal Census data.

Staff with access to the full census data set or substantial parts of it will have security clearance to handle material classified as ‘Secret’.

Underlying security requirements for census data are based upon UK Government Security Guidelines issued by the Cabinet Office and by Communications – Electronic Security Group.

Census data is classified as restricted under the scheme of classification of government information. For more details see the link to Cabinet Office website pdf of classifications.

This classification brings a whole set of standards and safeguards which have been put in place to ensure that the data remains secure. This includes control of physical access to any site or room where the data is kept, secure control of access to IT hardware and of course IT systems.

ONS will control system access rights to all systems and data.

All security measures cover the completed questionnaires, the electronic data set, the website, the archive image system and the communications links relating to any of these items.

All of the electronic communications links over which personal census information will be routed, will be encrypted (scrambled) to the levels recommended by the Government Security Services.

The census security programme is being managed to the framework of ISO27001 - the internationally recognised Information Security Management Standard.

ONS will commission an independent review of systems and procedures covering both its own systems and those of all contractors. These reviews will include systematic checks during the operations. The independent security auditors will be accredited by the government security services to carry out these reviews.

Use of census data and data confidentiality

We have secure systems in which to hold data, with stringent controls and procedures in place. We do not store any financial details, and names and addresses are removed from the data sources used for the day to day production of statistical tables.

The information in questionnaires is used only for census related publications and analyses published for geographic areas. These outputs do not attribute any of the statistics back to specific individuals.

Once the analyses are complete and the information is published, archived copies of the forms will be securely filed away and the personal details they contain will not be released for another 100 years.

All handling and storage of data complies with the Data Protection Act.

Census data and the US Patriot Act

Concerns expressed about the possibility of the US Patriot Act being used by US intelligence services have been addressed by a number of additional contractual and operational safeguards. These arrangements have been put in place to ensure that US authorities are unable to access census data.

Existing law already prevents the disclosure of census data – it is a criminal offence to disclose personal census data and is punishable by a fine and/or up to two years in prison.

All census data is owned by ONS and all of the legal undertakings of confidentiality of personal Census information will apply to both ONS and any contractors.

All census employees and contractors working on the census sign a declaration of confidentiality to guarantee their understanding and compliance with the law.

All staff who have access to the full census data set in the operational data centre will work for ONS.

Contractual arrangements ensure that only sub-contractors registered and based in the UK and either UK or EU owned will have access to any personal census data.

Staff with access to the full census data set or substantial parts of it will have security clearance to handle material classified as ‘Secret’ under the UK Government’s classifications.

The prime contractor is Lockheed Martin UK Ltd. Additional specialist services will be provided by Cable & Wireless, Logica, UK Data Capture, bss, Steria, Polestar, Oracle and Royal Mail. Lockheed Martin UK will design the processing systems for ONS using its expertise and past experience. The day to day running of operational services will be provided by the consortium of specialist service providers. All of these specialist subcontractors are registered and owned in the UK or elsewhere in the EU.

This contractual structure means that no US companies will have any access to any personal census data.

No Lockheed Martin staff (from either the US parent or UK company) will have access to any personal census data.

All data will be processed in the UK and remain in the UK.'


The reality (?):
This morning I am hearing claims that the hacking group LulzSec say that they have obtained a copy of the entire 2011 Census.



My conclusion:
If true this is more than a little disturbing. Will I have a claim against the Office For National Statistics under Information Commissioner legislation?


Oddly I didn't want to fill in the Census but Mrs NotaSheep got jittery at all the reminders and said that we must do it...

Sunday, 25 July 2010

Sunday catchup (part 1)

1. Computer World report a story that shows that even IT experts are not security conscious when faced by a pretty face -
'Hundreds of people in the information security, military and intelligence fields recently found themselves with egg on their faces after sharing personal information with a fictitious Navy cyberthreat analyst named "Robin Sage," whose profile on prominent social networking sites was created by a security researcher to illustrate the risks of social networking.'




2. Spiked report that:
'A group of volunteers will shortly board some ships in order to deliver aid to suppressed minorities and send a political message to the world: It’s time for an end to occupation and oppression!'
So what's the news in this story about yet another flotilla heading towards Gaza? Well
'This time it’s an Israeli ‘peace flotilla’ organised by the National Union of Israeli Students (NUIS). And it will be heading for Turkey – where the ship that was attacked by the Israel Defense Forces (IDF) set sail from – with the aim of bringing attention to the plight of Turkey’s minorities and to challenge the global image of Israel as an evil, murderous state.'



3. Harriet Harman was the subject of much controversy:
'(Harriet Harman) was last night facing damaging claims that she lobbied the Home Office on behalf of a Labour Party donor’s immigrant wife who is living in Britain unlawfully.

The Leader of the Opposition was forced to deny furiously any impropriety over the wife of Monday Osaseri, a Nigerian-born businessman who donated money at a pre-Election fundraiser in Ms Harman’s Peckham constituency.

Just days later, in April, he emailed her Commons office to request a meeting to discuss his wife, who has been in the country unlawfully for more than six years.

Within weeks, Ms Harman had emailed the Home Office to ask about the progress of her application for leave to stay in the UK.

Last night, sources close to Ms Harman denied any connection between the donation and her request, insisting that the issues were dealt with by separate offices and in accordance with strict rules.

But critics said high-profile MPs should avoid even the appearance of a conflict of interest, particularly over such a politically sensitive issue as immigration.'



4. The Telegraph have an article by the much missed PC David Copperfield, a former UK PC now serving in Canada, explaining why his new force is so much better – and cheaper – for the public. Do read the whole article, it is most instructive and gives ammunition to those who know that 'front-line' services will not have to suffer to make 25% cuts.


5. The Telegraph has video of Canadian fighter pilot, Captain Brian Bews, ejecting from his cockpit seconds before his plane crashed and exploded into a ball of flames...



6. Health and Safety lunacy from Scotland where The Telegraph reports that
'Isle of Muck residents ordered to stop drinking spring water - The inhabitants of a remote Scottish island have been ordered to end centuries of tradition by drinking bottled water instead of drawing it from the natural springs that surround their homes....'



7. The Mail report that 'Being kicked out of Number 10 was 'not bruising' says a cheerful (Gordon) Brown' - Shame!


More later...

Monday, 8 February 2010

Data Security EU style

The Schengen Information System (SIS) holds information regarding immigration status, arrest warrants, entries on the police national computer and a multitude of personal details about EU residents. So you would think that access to this database would be restricted very carefully. Would you, would you really think that?

In fact it seems that:
"large amounts of confidential personal information held about British citizens on a giant computer network spanning the European Union could be accessed by more than 500,000 terminals."


Statewatch are worried:
"Statewatch, a group that monitors civil liberties in Europe, said it was aware of a case in Belgium where personal information extracted from the system by an official was sold to an organised criminal gang.

"It is well known that the greater the points of access, the greater the number of people who have access and the greater the chance that data will be misplaced, lost or illegally accessed," said Tony Bunyan, director of Statewatch. "The idea that mass databases can be totally secure and that privacy can be guaranteed is a fallacy.""
and so am I. This is a fraudster's idea of heaven; get one dodgy person with access to SIS on your side and the world is your oyster.

Saturday, 2 January 2010

It's not the viewing porn that concerns me as much as the breaches of privacy

The Mail are concerned that:
"Hundreds of police workers have faced disciplinary action for looking at internet pornography and social networking sites, figures show.

More than 400 officers and support staff have been sacked or given warnings after being caught looking at inappropriate material online."
Naughty, naughty officers; but I am more concerned that
"Officers have also been dismissed for using police databases to check out people’s backgrounds for personal reasons."
Anyone still believe that your data would be safe in the National Identity Register?

Monday, 5 October 2009

Hotmail passwords compromised

Neowin report that:
"Neowin has received information regarding a possible Windows Live Hotmail "hack" or phishing scheme where password details of thousands of Hotmail accounts have been posted online.

An anonymous user posted details of the accounts on October 1 at pastebin.com, a site commonly used by developers to share code snippets. The details have since been removed but Neowin has seen part of the list posted and can confirm the accounts are genuine and most appear to be based in Europe. The list details over 10,000 accounts starting from A through to B, suggesting there could be additional lists. Currently it appears only accounts used to access Microsoft's Windows Live Hotmail have been posted, this includes @hotmail.com, @msn.com and @live.com accounts."

Information from other sources suggests that the compromised accounts are @hotmail.com, @msn.com and @live.com but are only accounts that have fallen foul of a phishing attack.

I would still recommend that you change your Hotmail password NOW.

Monday, 6 April 2009

Database Britain

This Labour government do seem to have a grasp of literary history, the introduction of their latest surveillance database comes on the 6th of April 2009. The novel 1984, which this Labour government seems to have taken as an instruction manual rather than a warning, starts on 4 April 1984: "It was a bright cold day in April, and the clocks were striking thirteen".


The end of the era of internet freedom came this morning as the EU and this Labour government's plan to monitor their citizens' every move takes another step closer to completion. From this morning all internet activity by every internet connection must be stored for one year by the ISP; this includes email traffic, visits to web sites and telephone calls made over the internet. Of course this information will be accessible by police and the security services so as to combat crime and terrorism. Of course in reality the information will be accessed by many public bodies and quangos, including local councils, who will thus be able to investigate any number of minor misdemeanours or just look for evidence to embarrass difficult or undesirable persons.

The UK's Labour government who seem to have an insatiable desire to monitor and control every aspect of their citizens' lives was the prime mover for this EU-wide system of recording and it is to the UK's Home Office that we must turn for the justifications:
"It is the Government's priority to protect public safety and national security. That is why we are completing the implementation of this directive, which will bring the UK in line with our European counterparts."

"Without communications data, resolving crimes such as the Rhys Jones murder would be very difficult if not impossible."


And then the excuse that has more holes in it than a piece of Swiss cheese:
"Access to communications data is governed by Regulation of Investigatory Powers Act which ensures that effective safeguards are in place and that the data can only be accessed when it is necessary and proportionate to do so," he said.
We all know how well the RIPA safeguards have worked to date, just look through the cases that I and other bloggers have reported and see councils using the Act to fight littering and to check whether parents are abusing school catchment area rules. Now councils and the government will have access to almost unthinkable levels of personal data without any real safeguards.


This database is not an isolated example of Labour implemented state surveillance, here's a few examples that I could think of, please feel free to add your own in the comments:
1. DNA Database - 3 million entries so far of anyone who is arrested, even if never charged let alone found guilty. The data stays on the database forever as it is virtually impossible to have it removed.

2. Automatic Number Plate Recognition (ANPR) systems record the movements of millions of vehicles every day and are in the process of being linked to a central database to record every movement you make in your vehicle.

3. Oyster Cards - If you register your Oyster Card, currently still optional, then every journey you take is recorded and stored.

4. Spy in the sky - The introduction of black box type equipment in every car is set for 2013, so every vehicle journey would be monitored foot by foot for speed limit infractions or in the future unauthorised journeys by carbon criminals.

5. Every journey outside of the UK now has to be logged in advance along with personal data. How long before this is used to restrict foreign travel by "carbon criminals" or persons suspected of taking currency out of the Peoples State of the EU?

6. ID cards - "papers please"

7. NHS database - It is rumoured that MI5 already have access to the patients' records stored on this database; who else might have access soon?

8. Galileo European tracking - the EU's rival to GPS is an unnecessary and expensive system unless the rumours that the Galileo chip will be placed in every new mobile are true. In which case if you own a mobile telephone your every movement will be tracked and recorded, and if you don't own a mobile telephone that will look suspicious.


Welcome to the sort of State surveillance that the Stasi could only have dreamt of. From today the State and its subsidiary vectors of control can monitor every web site you visit, every telephone call you make over the internet and every email you send or receive.

What of the future? I blogged some time ago about the state information televisions in public places ahead of the 2012 Olympics that are likely to become permanent fixtures. How long before CCTV cameras are plentiful enough that they are monitoring every street, to fight crime and terrorism, one every 100 metres... 50 metres... one per house...

Saturday, 14 March 2009

The Labour government want to track our every movement and record them for 10 years

This increasingly totalitarian Labour government is introducing yet another database to record their subjects' movements. The Telegraph report that:
"The travel plans and personal details of every holidaymaker, business traveller and day-tripper who leaves Britain are to be tracked by the Government... Anyone departing the UK by land, sea or air will have their trip recorded and stored on a database for a decade.

Passengers leaving every international sea port, station or airport will have to supply detailed personal information as well as their travel plans. So-called "booze cruisers" who cross the Channel for a couple of hours to stock up on wine, beer and cigarettes will be subject to the rules.

Anyone departing the UK by land, sea or air will have their trip recorded and stored on a database for a decade."


The news that really got me riled this morning was this:
"(the) rules which will require the provision of travellers' personal information such as passport and credit card details, home and email addresses and exact travel plans"

Some thoughts: When we go away I tell hardly anyone; the neighbours who keep an eye on the house, parents and a few clients, we do not advertise the fact that we are going away. We do not put our home address on our luggage labels, just surname and a mobile phone number. Now I will be required to enter all this information (and more) online into a "secure" Government database, that seems a bright move. Who will have access to this database? No really who will have access to it? With this Labour government's record on data security I have major doubts as to its access security. Why should I put my house and possessions at risk because this Labour government have finally realised that they have no border controls worth speaking of?

Why do the Labour government want my credit card details? Do they only want the details of the card we paid for the holiday with or all of our credit cards? Do they want all Debit Card details as well? Do they also require the PINs for each of these cards? How about my online banking account details and passcodes?

Why do they need my email address? Which email address do they want? Do they want the one that I booked the holiday under, not my main one as I don't want to be spammed? Do they want every email address I have? Will they also want SMTP/POP3 passwords so they can check my emails?

The Labour government want to have details of our exact travel plans? What if we don't have "exact" travel plans? What if we have booked a flight to Pisa and a hire-car for two weeks and plan to meander through Tuscany and Umbria for two weeks, staying wherever takes our fancy? Will we not be allowed to go unless we have a booking for every night of the holiday? Will we be allowed to leave the Country but have to amend our filed holiday plans every day as our plans change? What if we have booked to stay in a particular hotel or villa and then find that it is horrible and so move to another hotel or villa, will this not be allowed or will we have to ask permission from the Labour government before we make such changes to our filed itinerary? What if our holiday plans change but we cannot alter our filed itinerary as there is no internet access where we are staying? What if the airline suffers a delay that means we have to spend a night in a transit hotel, will that need logging?


Some more thoughts: This Labour government has a history of passing legislation purportedly for one reason but leaving the system open to additional functionality, so what mission-creep could be added to this one? It would make a fine starting point for a travel rationing system; if they are logging all travel plans, then how long before you get the message "I am sorry but you have exceeded your travel miles ration, you do not have permission to travel unless you pay an "eco-surcharge" - click "OK" and we will deduct the charge from the credit card details that we store for you". The system would also make a nice research tool for HM Revenue and Customs - Mr Jones, we note that you have had five holidays to Florida over the last three years and always stay at the same holiday villa. How can you afford such a holiday on the income you have declared on your tax returns? Do you have any financial interest in this villa?


This Labour government database is being introduced under the pretext of fighting terrorism and crime, they tend to be, but its real purpose will only be seen some time down the road. I think it was Cecil Rhodes who said that "To be born English is to have won first prize in the lottery of life." I don't think that many of us would agree with that any more. The English are over-taxed, over-regulated, subject to endless surveillance and State control.


UPDATE:
The best time to introduce this sort of database would be when there will be minimal activity so February or October/November; but this is a Labour Government database so it is being introduced over the Easter weekend. Do you think this Labour government are taking the piss now?


UPDATE 2:
The Telegraph also has this quote:
"The e-Borders scheme has already screened over 82m passengers travelling to Britain, leading to more than 2,900 arrests, for crimes including murder, drug dealing and sex offences. e-borders helps the police catch criminals attempting to escape justice."


So an enormously expensive and intrusive database is being implemented partly because of the success so far of e-Borders in finding that around 0.003% of tracked journeys lead to arrest.

Sunday, 8 February 2009

Another Labour surveillance database

I learn that our surveillance database obsessed Labour government are now compiling a database to track and store for 10 years the international travel records of millions of Britons. The database will store the names, addresses, telephone numbers, seat reservations, travel itineraries and credit card details of travellers.

Isn't that brilliant, a government database with my credit card details and address details on it just ready for the data to be lost and to fall into the hands of the unscrupulous. A database with my travel records on it that might establish likely patterns of holidaying so that a dishonest civil servant could extract such information and pass it on to burglars who would be happy to pay for such information.


I assume that this Labour government will claim that the database is essential in the fight against crime, terrorism and illegal immigration. I also assume that they are lying about this as they are about most everything else that they tell us.

This Labour government seem to think that they can justify almost any restriction of personal freedom in the name of "fighting terrorism"; meanwhile suspected terrorists are allowed to live in the community because of fear of infringing their human rights by expelling them and preachers of hate can spout their poison because of the fear of inflaming race relations by arresting them.


The Labour government have destroyed the economy of this economy, that is becoming very clear; they have also almost destroyed the very fabric of society, that will become clearer soon.

Saturday, 10 January 2009

Data security

The Telegraph reports the loss of a USB memory stick with data on 6,000 prisoners. The line that caught my attention was this one -
"The information was encrypted but a password to get around the security was attached to the device"

Will the civil service ever learn from their mistakes?

Don't bother answering that question.

Wednesday, 17 December 2008

Another regulatory failure

What a surprise, the US Securities and Exchange Commission are reported to have received warnings about Bernard Madoff's activities as far back as 1999 but did not act appropriately. A failure of a banking regulatory authority, how surprising. The SEC and the FSA are overstaffed bureaucratic bodies without the expertise to properly regulate the investment companies that they are meant to police.

Sunday, 2 November 2008

Another Labour Government IT security disaster

The Government Gateway IT system has been compromised. A USB memory stick containing user information and access passwords was found in a pub car park. As a result the Government has had to order an emergency shutdown of a key Government computer system to protect millions of people's private details. Not good timing as people frantically try to register their tax returns on-line after the official deadline of 31 October and before the unofficial deadline of 3 November.

You can read more in The Mail.

This Labour government's record on IT system implementation and IT security has been abysmal, the ID card/National Identity Register and the NHS IT project have wasted too much money and as we cannot be assured as to their integrity they should be scrapped forthwith.

Sunday, 5 October 2008

They want to know everything that we do

News in The Times that:
"Ministers are considering spending up to £12 billion on a database to monitor and store the internet browsing habits, e-mail and telephone records of everyone in Britain.

GCHQ, the government’s eavesdropping centre, has already been given up to £1 billion to finance the first stage of the project.

Hundreds of clandestine probes will be installed to monitor customers live on two of the country’s biggest internet and mobile phone providers - thought to be BT and Vodafone. BT has nearly 5m internet customers."


Unsurprisingly:
"The Home Office stressed no formal decision had been taken but sources said officials had made clear that ministers had agreed “in principle” to the programme.

Officials claim live monitoring is necessary to fight terrorism and crime. However, critics question whether such a vast system can be kept secure. A total of 57 billion text messages were sent in the UK last year - 1,800 every second. "

As usual this is being justified under the pretext of fighting crime and the usual helpful fools will be spouting "if you have nothing to hide...", "if it prevents one serious crime...." and "will nobody think of the children?". These arguments are spurious, this measure like so many from this Labour government is about control. The only cheery piece of news is that this Labour government are so inept and unable to implement big IT projects that any introduced system will not work properly, on the downside the security will also be crap and have more gaps in it than Peter Mandelson's CV.

Wednesday, 1 October 2008

Security?

The Telegraph report that:
"The eBay sale of digital camera said to have contained MI6 images of terror suspects is being investigated by police.

A bidder, who bought the camera for £17 on the auction website, discovered photos of terror suspects, their names and fingerprints and even images of rocket launchers and missiles.

The 28-year-old from Hemel Hempstead, Hertfordshire, only found the secret images when he downloaded his own holiday snaps from the Nikon Cool Pix device.

He told local police about the find and was shocked when Special Branch officers arrived at his home days later to seize his new purchase.

Officers have made five visits to his home in the last week to quiz him and his family, The Sun newspaper reported.

A Foreign Office spokeswoman confirmed that the police were investigating but said she could not confirm or deny the intelligence service’s involvement in the probe.

She refused to comment on reports that the camera was sold by an MI6 agent.

Among the images which are reported to have been found on the camera is a document, marked “top secret”, which gives details of the encrypted computer system used by MI6’s agents in the field.

The material found on the camera is reported to be related to 46-year-old Abdul al-Hadi al-Iraqi, a high-ranking al-Qaeda officer, who was captured by the CIA in 2007.

Neil Doyle, author of Terror Base UK, said: “These are MI6 documents relating to an operation against al-Qaeda insurgents in Iraq.

“It’s jaw-dropping that they got into the public domain.

“Not only do they divulge secrets about operations, operating systems and previously unheard-of MI6 departments, but they could put lives at risk.”"
Security to the fore, as always... and as always it's the poor sap who discovers the problem that gets investigated.

Friday, 22 August 2008

The latest breakdown in government data security

Reports of the latest breakdown in governmental data security, the loss of a memory stick containing personal details about tens of thousands of criminals, have been making the news this morning. The memory stick was lost by PA Consulting and apparently the lost data includes details of around 10,000 prolific offenders as well as information on all 84,000 prisoners in England and Wales.

One remark caught my eye and that is that Dominic Grieve, the shadow Home Secretary, said
"The British taxpayer will be absolutely outraged if they are made to pick up the bill for compensation to serious criminals."
Why is there any chance of having to pay compensation to any of these prisoners? Were the parents whose details were compromised last year ever thought to be due compensation?

Tuesday, 19 August 2008

That's an 84% improvement, well done Labour

The BBC report that
"Sensitive data potentially affecting more than four million people was lost by government departments in the year to April, BBC analysis has found.

Whitehall departments have included details of personal information losses in their annual financial statements.

Cases included the theft of a laptop with details of 17,000 Sats markers, and the loss of the National Insurance numbers of a further 17,000 people."


Following the loss of the details of 25 million child benefit claimants in the previous year, we were promised that lessons would be learnt and that security would be tightened. I suppose that an 84% drop in the volumes lost is an improvement, although that will be of little comfort to the four million whose details were lost this year.

Meanwhile the Labour Government presses ahead with the National Identity Register (and ID cards), the NHS "Spine" and the DNA database; all programmes with huge security of access queries.

Friday, 8 August 2008

Data security BBC style

One piece of news regarding a data security breach is not being reported by the BBC, mind you at the moment if it isn't happening in Beijing then it probably isn't going to be reported at all. This news regards a memory stick containing the personal data of hundreds of children which has been stolen. Apparently parents of the children have been sent a letter by the BBC informing them that details such as the names, addresses, mobile phone numbers and dates of birth of children who applied to take part in a cookery show had been taken. Also on the disk were details of when the children and their parents would be away on holiday.

I presume that hard questions about data security and encryption will be asked by the BBC Newsnight team, maybe not. Any coverage at all of this story on the BBC?