Wednesday, October 27, 2004

Tomorrow's Headlines - Today! Another good reason to say NO to ID cards


At Kingston Crown Court today, former Siemens Business Systems IT worker Barry Dodgy was jailed for five years for his part in a plot to sell information held in the national ID database - to terrorists. Database analyst Dodgy, 37, of Uxbridge, accepted large sums of cash from the banned Ba'athrobe organisation in exchange for providing them with the Citizen Reference Numbers, addresses and medical records of people the group targeted for assassination. As a supervisor with the giant IT contractor that runs the national citizen registry, he had full access to all levels of data in the system, including the independent audit trail system that is meant to detect unauthorised access by recording every time an ID record is checked.

The terrorists found plenty of uses for the system. Once they had a contact within SBS, they were able to provide almost any piece of information on a target - a car number for example - and get back their address, biometric data, ID number, access to medical, police and Inland Revenue files, and even details of their children's schooling. Although Dodgy came under suspicion when his colleagues noticed his sudden wealth, it is unknown whether or not he also took advantage of his position to change records in the database or even to issue perfect fake IDs. Although agents from MI5, the Serious and Organised Crime Agency, and computer engineers are investigating, independent expert Ima Geek told the Ranter that such changes would be undetectable in the vast quantity of information involved.

The Ba'athrobe, whose ideology combines Nasserite nationalism and socialism with a passionate advocacy of European integration and an elegant taste in pyjamas, used the data to assassinate a string of public figures including Marks and Spencer executives, politicians and journalists...

Well, it wasn't quite like that. But Barry Dickinson did indeed penetrate a huge government database of personal information on behalf of terrorists. Link There are differences, of course. Davies was a civil servant, not a contractor, and he acted out of conviction rather than pure greed. The terrorists in question were an extremist animal-rights group, and the database was the DVLA's register of motor vehicles. But the security breach was pretty bad all the same. Dickinson was given car registration numbers collected by terrorists staking out a farm in Staffordshire. He simply ran them through the database and returned the names and addresses associated with them. The group then began to harass the people living at those address, vandalising their homes and vehicles, sending hate mail, attempting blackmail and threatening to kill. They didn't go quite that far, but they are probably up for it given suitable weapons. After all, they clocked up no less than 50 incidents of violence or intimidation and stole an old lady's remains from her grave. Any sensible person should see the relevance of this to the prospect of a national ID card scheme.

Criminals, terrorists and unscrupulous political or commercial marketers are all likely to make extreme efforts to get access to a citizen database. Can any person experienced with IT put their hand on heart and say they are confident that such a huge scheme will be watertight? The struggle between sysadmins and hackers is just another of the ceaseless updates of the eternal struggle between armour and weapon. The crucial feature of this struggle is that the weapon is always in the lead - just as the attacker has the advantage in all strategy. This is to say nothing of the human factor. In the Dickinson case, the computer system functioned perfectly, but one of the people deputed to work it was sympathetic to the attackers. This defeats all technical security. There is always at least one person with access to the root directory, and as the geek proverb goes, Root is God. Better yet, the possibilities for an infiltrator in the development team who build the system would be literally without limit. They could set up back-door access to the database or even add extra fields of information hidden to other users. The biggest security system we build must, by definition, be the biggest security risk.

Curiously, the only newspaper to grasp this story was the execrable Daily Mail, which splashed the story under one of their extremely long screamer NOW IT'S THE FRANKENFISH! headlines.

No comments:

kostenloser Counter