Robin Wilton's esoterica


Another public sector sub-contractor breach


I had been wondering what to write for the 1,000th post on this blog (!), but serendipity stepped in with a public sector data breach headline. This time it's Atos Origin who are in the spotlight, after a USB stick was found in a pub car park, and turned out to contain data and software relating to the Government Gateway server. You may remember the Gateway from this post back in September 2006, when it won a Liberty Alliance IDDY award for its implementation of interoperable authentication.

As far as the current breach report is concerned, I don't have any more details than what appears in the public record, but according to the Daily Mail (to whom the USB stick was handed after it was found), it contained

"confidential passwords, security software and the technical blueprint to the system known as the 'source code'."

 That in itself raises a number of questions...

- for all the bickering about how the Government 'can't be trusted to keep our details secret', why is it that someone's first instinct, on finding a USB stick in a car park, would be to hand it to a national newspaper, rather than, say, the police?

- in 2008, are we really still at the level of IT literacy where 'source code' needs to be in inverted commas, and the best analogy the journalist can come up with is to say that it's a 'technical blueprint to the system'? For goodness' sake: a blueprint is a technical drawing from which a physical object can be constructed. By extension, it's a design document from which source code could be developed. Is that distinction too hard to grasp? (Please, don't feel you have to respond by reference to the Daily Mail's target readership... ;^)

If I've interpreted the Mail's story correctly, the USB stick also contained a high-level description of the Gateway's architecture, some individuals' tax/NI details and some user IDs and passwords. A DWP representative said the passwords were 'hidden using an industry standard technique', but seemed to stop short of using the word 'encrypted'.

And if I've interpreted the BBC's article correctly, the DWP said that the user details and passwords on the stick were dummy accounts used to test a previous version of the Gateway.

On the basis of the information available - tempered by the knowledge that it may have been imperfectly understood, and/or dumbed down for public consumption - it's very hard to do any kind of risk assessment. That said, the implications seem to be more of a concern for Atos Origin and their management of internal procedures than for the average citizen/Gateway user.

At present the DWP (who took ownership of the Government Gateway project from the Cabinet Office) haven't issued a press release on this topic, but if they do, I'll link to it here.

Comments:

Hi Robin,

Of course we've spoken a little about this today, although the one aspect we didn't cover was how serious a breach this was.

Personally I think this is a very serious issue for three reasons:

1) The GG is the central authentication and authorisation system for the majority of online services. Get access to one account with lots of functionality enabled and eventually you should be able to access all the services that user has enabled. Ouch.

2) If the reasonable architectural information is included then it is possible to reverse engineer details of the systems; effectively allowing the potential threat to know what technologies are involved and thus what vulnerabilities they have. If this included things like IP addresses, etc., then that's even worse.

3) The IT press are already taking the approach that it was more serious than positioned by the Government, for instance:
http://www.theinquirer.net/gb/inquirer/news/2008/11/03/memory-stick-left-pub-car-park

The best thing that can happen from this is that a root cause analysis is performed, with subsequent security standards made more appropriate for the system in question, and then 'policed' in a more robust manner.

Engineering security into the system at an integral level might be nice too, although I suspect that with the current architecture and operational model that might not be possible (in the short term).

All the best,

Wayne

Posted by Wayne Horkan on November 04, 2008 at 06:26 PM GMT+00:00 #

Thanks, Wayne - there is, of course, the point that publishing the design of something does not have to compromise its security: locks, safes and cryptographic algorithms are all examples of things which have been specifically designed so that it's not secrecy of the design which keeps the system secure.

Indeed, there's that famous dictum (Kerckhoffs, Shannon et al.) that "there's no security in obscurity"...

There are arguments that obscurity (i.e. in this case, secrecy of the design) can enhance other security measures, but in general I favour the view that a system, over-all, will be more robustly secure if you assume that its design is known to an attacker and then develop countermeasures on that basis.

Posted by Robin Wilton on November 05, 2008 at 01:45 PM GMT+00:00 #
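Two points in the post and the comments above are worth seeing side by side in code: the DWP's remark that the passwords on the stick were "hidden using an industry standard technique" rather than plainly "encrypted", and the Kerckhoffs/Shannon point that a system should stay secure when its design is known. The example below is an added illustration, not code from the original post and not a description of how the Government Gateway actually stored anything. It contrasts a hypothetical "hiding" scheme whose only secret is a constant baked into the source (so a stick carrying source code and the hidden values together gives everything away) with a salted, iterated hash whose algorithm, salt and work factor can all be public. The key, the passwords and the iteration count are all constructed for the demo.

```python
"""Added example: 'hidden' (obscurity-based, reversible) versus properly
hashed passwords, under the assumption that the attacker holds the source.

Nothing here describes the Government Gateway's real implementation;
OBFUSCATION_KEY, ITERATIONS and the sample passwords are constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# --- "Hidden" with a fixed key baked into the code ----------------------------
# Hypothetical: this constant is the only secret, and it ships with the source.
OBFUSCATION_KEY = b"gateway-demo-key"


def hide_reversibly(password: str, key: bytes = OBFUSCATION_KEY) -> str:
    """XOR the password against a repeating fixed key and base64 the result.
    It looks opaque in a config file but is trivially reversible."""
    raw = password.encode()
    mixed = bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))
    return base64.b64encode(mixed).decode()


def recover(hidden: str, key: bytes = OBFUSCATION_KEY) -> str:
    """Anyone holding the source (and therefore the key) gets the plaintext back."""
    mixed = base64.b64decode(hidden)
    raw = bytes(b ^ key[i % len(key)] for i, b in enumerate(mixed))
    return raw.decode()


# --- Salted, iterated hash: secure with the design fully known ----------------
ITERATIONS = 200_000  # constructed work factor for the demo


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_b64$digest_b64'.
    The scheme, the salt and the work factor are all stored in the clear;
    the stored value only lets a holder *check* a guess, not recover the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    """Constructed walk-through in which the 'finder' also has the source code."""
    hidden = hide_reversibly("correct horse")
    stored = hash_password("correct horse")
    return {
        "hidden_value": hidden,
        "recovered_from_source": recover(hidden),   # plaintext comes straight back
        "hash_verifies_right": verify_password("correct horse", stored),
        "hash_verifies_wrong": verify_password("wrong guess", stored),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The reversible scheme fails exactly the test Robin describes: once the design (here, one constant in the source) is assumed known, every hidden value is recoverable. The PBKDF2 scheme passes it: the stored string spells out the algorithm, the salt and the iteration count, and the only remaining secret is the password itself, which a holder of the stick can test guesses against but not read off.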

Such views as I express in this blog are based on my own opinions, experience and judgements. They do not necessarily represent the policy or views of my employer. It is not my intention to offend readers in any way. If you find anything on this blog offensive, please contact me in the first instance.
Robin Wilton