Wednesday, October 7, 2009

UK's Website for Citizens to Spy is Insecure Itself

The UK has always had a keen interest in recording and monitoring the general population. Its all in the name of "personal security" but is often compared to Orwell's 1984 classic. With the recent announcement of the ability for home citizens to monitor the CCTVs, the UK has taken another step towards Orwell's nightmare scenario.

Casting aside the debate on big brother, I found it very interesting that the new website, which will allow the public to register to became a government paid voyeur, is in itself insecure. Internet Eyes fails to employ even the most basic security controls to protect its users.

For example:
  • The registration page does not use SSL. This means that an attacker could monitor the information you enter, including your username, password, name, address, email and paypal email. There is also mention that you may need to provide financial information to receive payment, so that info would be available for the attacker as well.
  • If you attempt to browse to the equivalent SSL page, you see a huge browser warning that the SSL certificate is both expired and also only supposed to be used for a site called
Both of these are huge red flags in the area of application security. And consider this, these items are some of the most fundamental security controls that can be easily observed by all users. If a site is having difficulty with these items, just imagine whats going on behind the scenes. It can't be good.

The other interesting item is that both of these security failures are in violation of the site's own privacy policy. (emphasis added)
13. Your information is stored on our servers located in the United Kingdom. We treat data as an asset that must be protected and use a number of tools (which may include encryption, passwords and physical security) to protect your personal information against unauthorised access and disclosure.
However, I think the next few sentences of item 13 really take the cake.
However, as you probably know, third parties may unlawfully intercept or access transmissions or private communications. Therefore we do not promise, and you should not expect, that your personal information or private communications will always remain private
Actually, I didn't know that. In fact, good security controls are supposed to be implemented to prevent this very issue. Though, judging by the security on your site, or lack there of, I guess you do have a valid point.

My advice, stay away from this site. Any user registering with this site will be putting their personal and financial information at significant risk.

-Michael Coates