On Monday of this week, UK broadcaster Channel 4 aired “Watching the Detectives”, an examination of how easily ‘our most personal and confidential information’ can be bought and sold. The programme noted that almost 25 civil servants are reprimanded every week for breaching the rules governing the huge Department for Work and Pensions (DWP) database. It seems that private detectives, in the pay of who knows whom, have little difficulty gaining access to government databases.
One of the security firms that took part in the Channel 4 programme was RandomStorm, whose head of social engineering, Gavin Watson, commented: “An individual’s private data is only as secure as the businesses that handle it.” Channel 4 demonstrated that social engineering is a simple and direct route to that data.
Infosecurity asked Watson what sort of target the data to be retained under the proposed Communications Bill would present to cyber criminals and social engineers. The bill is expected to require UK ISPs to store the communications metadata of all their users for a period of 12 months. The government stresses that this will not include the content of communications.
But, says Watson, “as any social engineer will tell you, seemingly innocuous metadata can already be used to infer a huge amount of potentially sensitive information.” He points out that aggregation and inference are key to targeted attacks. “Geolocation information gathered from your smartphone can be used to infer your home address, place of work, friends’ houses, favorite shops, favorite coffee shop, local bank, and so on. Email metadata can be used to work out everything from friends and family to banks and building societies.” All of this metadata can be pieced together to build “an immensely detailed profile of an individual and their life.”
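To show what Watson means by aggregation and inference, the following is an added example (not code from the article, from RandomStorm, or from any real surveillance system). It runs over a handful of constructed records of exactly the kind a retention scheme would hold: timestamped smartphone location pings and email sender/recipient pairs, with no content at all. The grid size (about 100 m), the night and office-hours windows, and the list of bank domains are assumptions chosen for illustration.

```python
"""Added example: building a profile from communications metadata alone.

All records below are constructed for this example; the bank-domain list
is a hypothetical lookup table, not real data.
"""
from collections import Counter
from datetime import datetime

# Constructed smartphone location pings: (ISO timestamp, latitude, longitude).
# 2012-06-11 is a Monday; 2012-06-16 is a Saturday.
LOCATION_RECORDS = [
    ("2012-06-11T01:10:00", 51.5011, -0.1421),  # night, same spot
    ("2012-06-11T03:40:00", 51.5012, -0.1419),
    ("2012-06-11T10:05:00", 51.5153, -0.0922),  # weekday office hours
    ("2012-06-11T14:30:00", 51.5152, -0.0924),
    ("2012-06-12T02:15:00", 51.5010, -0.1420),  # night again
    ("2012-06-12T09:50:00", 51.5154, -0.0921),
    ("2012-06-12T13:10:00", 51.5153, -0.0923),
    ("2012-06-12T20:00:00", 51.5074, -0.1278),  # evening elsewhere
    ("2012-06-16T12:00:00", 51.5074, -0.1278),  # Saturday: not work
]

# Constructed email metadata: (ISO timestamp, sender, recipient). No bodies.
EMAIL_RECORDS = [
    ("2012-06-11T08:00:00", "alerts@examplebank.co.uk", "alice@example.org"),
    ("2012-06-12T08:00:00", "alerts@examplebank.co.uk", "alice@example.org"),
    ("2012-06-12T19:30:00", "alice@example.org", "bob@example.com"),
    ("2012-06-13T19:45:00", "bob@example.com", "alice@example.org"),
    ("2012-06-14T08:00:00", "alerts@examplebank.co.uk", "alice@example.org"),
    ("2012-06-15T07:30:00", "newsletter@shop.example", "alice@example.org"),
]

# Assumed (hypothetical) set of domains that banks send mail from.
BANK_DOMAINS = {"examplebank.co.uk"}


def _cell(lat, lon, scale=1000):
    """Snap a coordinate to an integer grid (~100 m at scale 1000) so that
    nearby pings from the same place collapse into one key."""
    return (round(lat * scale), round(lon * scale))


def infer_home_and_work(records):
    """Guess home and workplace from where the device dwells overnight and
    during weekday office hours. Returns grid cells; an attacker would
    reverse-geocode them to street addresses."""
    night, office = Counter(), Counter()
    for ts, lat, lon in records:
        when = datetime.fromisoformat(ts)
        cell = _cell(lat, lon)
        if 0 <= when.hour < 6:                       # assumed night window
            night[cell] += 1
        elif when.weekday() < 5 and 9 <= when.hour < 17:  # Mon-Fri, 09-17
            office[cell] += 1
    home = night.most_common(1)[0][0] if night else None
    work = office.most_common(1)[0][0] if office else None
    return {"home": home, "work": work}


def infer_contacts(records, subject):
    """Rank the people `subject` exchanges mail with by message count and
    flag correspondents whose domain is on the (assumed) bank list."""
    counts = Counter()
    for _ts, sender, recipient in records:
        if sender == subject:
            counts[recipient] += 1
        elif recipient == subject:
            counts[sender] += 1
    ranked = counts.most_common()
    banks = [addr for addr, _ in ranked if addr.split("@", 1)[1] in BANK_DOMAINS]
    return {"contacts": ranked, "banks": banks}


def build_profile(location_records, email_records, subject):
    """Combine both metadata sources into one profile of `subject`."""
    profile = infer_home_and_work(location_records)
    profile.update(infer_contacts(email_records, subject))
    return profile


if __name__ == "__main__":
    from pprint import pprint
    pprint(build_profile(LOCATION_RECORDS, EMAIL_RECORDS, "alice@example.org"))
```

Nine location pings and six message headers are enough to place the subject's home and workplace and to name the bank she uses; scale that to twelve months of every user's metadata and the point about the spammer who learns “who they bank with” needs no further argument.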
It is this detailed profile that is clearly of interest to law enforcement, and while Watson comments that “most of us trust that the authorities would use these privileges for the right reasons” (civil liberties groups are not always so confident), the data is of equal interest to criminals. “The real issue,” he told Infosecurity, “is the secure storage of that surveillance data... Imagine a spammer getting hold of thousands of people’s private email addresses AND who they bank with.”
One problem is that the government is downplaying the sensitivity of the data it wishes to capture and store. “One can only assume,” Watson said, “that the security controls over metadata would be less secure than those put in place to control and audit access to directly sensitive information such as bank account details.” The DWP database, which pays benefits directly into claimants’ bank accounts, is exactly that kind of directly sensitive system, and it still sees almost 25 staff reprimanded every week for breaching its controls.
“There is a significant risk to collecting and storing this information in a single location for a full twelve months,” concluded Watson. “Even the most sensitive databases have been breached.” The data retained under the Communications Bill would be a huge magnet for cyber criminals and social engineers, and the Channel 4 documentary is a warning of what might lie ahead.