STE WILLIAMS

Animal Liberation drone surveillance plan draws fire

Animal Liberation Australia has acquired a drone and plans to fly over farms and film animal cruelty.

Mark Pearson, Animal Liberation’s executive director, told The Reg that concerned members of the public told him about drones and their potential application in capturing aerial footage of mistreated animals. Pearson said he put the idea to the organisation’s board, had it signed off and now has a CineStar 6 hexacopter on his desk awaiting deployment.


“If we are notified of serious animal welfare problems like hunger, thirst or lack of shelter, we will deploy the hexacopter above the farm and document what is going on,” Pearson said. Footage would then be reviewed by an animal welfare expert before the group sought to alert authorities.

Pearson said Australian common law allows overflight and filming of private property from an altitude of at least ten meters. He’s less certain of his organisation’s legal standing as an operator of the drone, as toy drones don’t require a licensed operator in Australia but commercially-flown craft do. As a not-for-profit, Animal Liberation isn’t quite sure where it stands, but Pearson is confident the two Animal Liberation team members trained to fly the drone will be cleared for take-off soon.

He’s also confident that farmers will not, as suggested by representatives of the Northern Territory Cattlemen’s Association, shoot the drone out of the sky.

“It sounds like a flock of blowflies and at twenty metres you can’t see it,” Pearson said, explaining it will be hard to hear or see when in use. The potential for prosecution for damaging property is another deterrent he expects will see weapons remain holstered.

Pearson also acknowledged privacy concerns about Animal Liberation’s new air fleet, but said farmers with nothing to hide have nothing to fear. Those who mistreat animals, however, have plenty of recent evidence of the group’s influence: film of Australian cattle being treated inhumanely in Indonesian abattoirs recently saw live cattle exports suspended after a public outcry. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/02/animal_liberation_australia_drones/

Call centers under attack in targeted cyber-blackmail scheme

The US Department of Homeland Security (DHS) has cautioned public-safety call centers against the rise of so-called telephony denial of service (TDoS) attacks, which it says have the potential to cripple local telephone exchanges.

The warning was issued in March in a confidential Situational Awareness Update that was obtained by security blogger Brian Krebs, published jointly by DHS and the FBI.


In much the same way that a DDoS attack brings down a server by flooding it with requests, a TDoS attack works by bombarding an organization’s phone numbers with calls, making it impossible for legitimate calls to get through.

According to the bulletin, DHS officials have received reports from “multiple jurisdictions” of such attacks being conducted against public-sector organizations. Private businesses have been affected as well, including financial organizations and hospitals.

The attacks appear to be part of an extortion scheme in which criminals phone organizations and pose as collections agents seeking payment for a bogus debt of $5,000.

The initial callers are described as having “a strong accent of some sort,” though no potential country of origin has been identified and it’s not clear if the accent might merely be a ruse.

An earlier report by the FBI’s Internet Crime Complaint Center (IC3) suggests that the callers may also spoof a police department phone number for their outgoing caller ID, in an attempt to convince the victim that a warrant exists for his or her arrest for nonpayment of the fake debt.

When the victim refuses to pay, the caller launches a TDoS in retaliation. The report says the attacks last “for intermittent time periods over several hours,” during which they might stop for a few hours and then resume. Worst of all, the attacks will sometimes persist for weeks or even months, with the call bombardments coming at seemingly random times.

The report speculates that government and public safety organizations are being targeted by these attacks because functioning phone lines are essential to their operations.

The FBI says victims of such attacks shouldn’t pay the blackmail. Instead, they should report all incidents on the bureau’s IC3 website. Reports should include as much information as possible, such as dates and times that calls were received, originating phone numbers, any account numbers offered for receipt of payment, and any other information that can be obtained about the callers and their place of origin.

“Additional insight into the scope and impact of the event – specifically how many communications centers have been attacked is critical to identifying the true scope of this occurrence,” the bulletin states. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/01/public_safety_tdos_attacks/

FBI on trial for warrantless Stingray mobile spying

In an Arizona court case, the FBI has been forced to defend its use of a phony cellphone tower dubbed Stingray that it’s using to analyse mobile phone traffic and identify suspects.

The Stingray system came to light in the case of Daniel David Rigmaiden, who stands accused of reaping millions of dollars from filing phony tax returns on the basis of identity theft. The FBI were able to catch Rigmaiden in 2008 by tracking down the 3G card he was using as a modem, but it didn’t disclose that the Stingray had been used in this process without a warrant.


The Stingray system uses a dummy mobile base station that mimics a standard cellphone tower, and can locate cellphones by their International Mobile Station Equipment Identity numbers, and monitor calls. This works even if the phone isn’t in use, since the Stingray can provoke a response from any device that’s switched on.

It’s a broadly sweeping tool that collects data on all mobile devices in the area for analysis, and can then be used to triangulate down to a specific device by shifting to a new position and getting a new signal lock. But the FBI has argued in court that this device needs no warrant, despite the very broad nature of the information it collects.

“The government cannot obtain judicial approval for a search using sophisticated, uniquely invasive technology that it never explained to the magistrate,” reads the amicus brief on Thursday’s case from the ACLU and EFF.

“To construe this Order as a valid ‘warrant’ authorizing the use of the stingray would prevent magistrates from making informed determinations on warrant applications and encourage the government to keep magistrates in the dark.”

The FBI argues that the devices themselves are relatively new and their legal status hasn’t been fully considered. But documents obtained by the ACLU show that the device was in use for at least three years without warrants, despite judicial concerns being raised.

At issue is the Fourth Amendment, which states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Since the Stingray is capable of searching within someone’s home and on their property, the ACLU and others argue that its use requires a warrant, particularly as its information-gathering powers are large and include innocent third-parties – particularly if that data can be used in later investigations.

If the court rules against the FBI, it will be forced to ask for a warrant when using the device. While this might slow the organization down for a day or two, such a move would do a lot to reassure those not under investigation that their calls and location remain private.

“Judicial supervision of searches is most needed when the government uses new technologies to embark into new and unknown privacy intrusions. But when the government hides what it’s really doing, it removes this important check on government power,” said the EFF in a statement.

“We hope the court sees it’s been duped, and makes clear to the government that honesty and a warrant are requirements to using a Stingray.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/29/fbi_stingray_mobile_tracking/

Wisconsin man cuffed over Koch-blocking DDoS attack

A 37-year-old Wisconsin man has been charged over his alleged involvement in denial-of-service attacks against Koch Industries, run by the loosely knit hacktivist collective Anonymous.

Eric J. Rosol of Black Creek, Wisconsin, has been charged with damaging a protected computer and conspiring to damage a protected computer in the February 2011 attacks. At the time of the attacks, would-be hacktivists were urged by Anonymous to use the Low Orbit Ion Cannon (LOIC) to blitz quiltednorthern.com and Kochind.com, both run by Koch Industries.


The attack rendered the Kochind.com website unavailable. If convicted, Rosol faces a maximum penalty of five years in federal prison and a fine up to $250,000 on each count, a DoJ statement on the case explains.

Koch Industries is a Kansas-based conglomerate owned by billionaire brothers Charles and David Koch, who earned the ire of Anonymous for campaign donations in support of Wisconsin’s Republican governor Scott Walker and his crackdown on public employees’ unions.

An affidavit detailing the results of a preliminary investigation into the case leaked to The Smoking Gun last year named 12 possible suspects, although it seems that Rosol is the first to actually be charged over his alleged involvement in the attack.

Unless secondary precautions are taken, the LOIC exposes the real IP addresses of those who use it to flood sites with junk traffic, leaving them open to identification and arrest. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/28/koch_blocking_cuffing/

MI5 undercover spies: People are falsely claiming to be us

British spook hive MI5 has taken the unusual step of placing a front-page warning on its website about a financial scam carried out by people pretending to be spies or the agency’s director general.

The online alert was prominently posted on mi5.gov.uk, and occupies more space than the UK security threat level indicator, which describes the danger to Brits as “substantial”.

Screengrab of the MI5 website

The blurb reads:

Warning: Financial scams referring to MI5 and its Director General

Members of the public in the UK and abroad have received requests for money by email or phone from individuals claiming they work for the Security Service (MI5). Some have purported to be from MI5’s Director General, Sir Jonathan Evans. These requests are a financial scam and have nothing to do with the Service or the Director General. If you receive such a communication, please do not respond to it and report it to the police.

As David Harley, a senior researcher at security software firm Eset points out, the warning is not specific and therefore difficult to act upon.

“It might have been useful to know more about the type of scam the warning refers to,” Harley noted in a blog post. “It could, after all, be anything from a 419 to some form of ransomware, and the ways of recognising and dealing with those different kinds of scam can be very different. But I have yet to find an actual example.”

Of the two possibilities suggested by Harley, ransomware would appear more likely than bogus offers to shift seized assets and the like, the staple of advanced-fee fraud (aka 419 scams).

Ransomware locks up systems and accuses the user of some crime, from using illegal file-sharing networks to distributing child-abuse images. Strains of ransomware, such as Reveton, often sport police logos to make them look legit. Victims are tricked into coughing up a “fine” of about €100 using untraceable cash vouchers in order to obtain codes to unlock their computers. Samples of Reveton masquerading as a piece of FBI software have been widely found, as an alert by the US Internet Crime Complaint Center (IC3) illustrates.

Similar software nasties flashing MI5’s logo and name around, instead of the Metropolitan Police or FBI badges, are all too easy to imagine. That said, MI5 specify contact by email or phone, which would seem to indicate other methods. It’s also possible the security agency’s warning actually refers to a round of 419 scams or even a hard-up rogue agent who really needs the cash. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/28/mi5_financial_scam_warning/

Cyberwar playbook says Stuxnet may have been ‘armed attack’

The Stuxnet attack on Iran was an illegal “act of force”, according to at least some of the legal experts who helped draw up a NATO-commissioned Geneva Convention-style rules of cyberwarfare document.

“Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force,” and are likely to violate international law, according to the Tallinn Manual on the International Law Applicable to Cyber Warfare, which was put together by an independent group of legal scholars and lawyers assembled by NATO’s Cooperative Cyber Defense Center of Excellence in Estonia.


Michael Schmitt, professor of international law at the US Naval War College in Rhode Island and lead author of the study, told the Washington Times that “according to the UN charter, the use of force is prohibited, except in self-defence”.

Senior US and Israeli officials last year unofficially admitted creating the Stuxnet worm that crippled Iran’s nuclear program by sabotaging industrial equipment used in Uranium purification. Stuxnet targeted systems controlling high-speed centrifuges used in the Iranian nuclear programme to enrich uranium, causing them to slow down and speed up repeatedly until they failed under the abnormal mechanical strain.

The manual states that “any cyber operation which rises to the level of an armed attack in terms of scale and effects and which is conducted by or otherwise attributed to a state constitutes a use of force”.

State-controlled Iranian media, such as the English language news outlet PressTV (here), were quick to seize on Schmitt’s comments and selective extracts from the manual in accusing the US and Israel of an illegal act of force over the Stuxnet deployment.

However, the manual itself is unclear on whether or not Stuxnet was an armed attack. The legal experts were hostile to any notion that Iran could be legally justified in striking back against its presumed cyber-aggressors at this point, so long after the worm had done its damage.

Schmitt said the legal experts who drew up the manual agreed that Stuxnet was an act of force but were divided on whether the malware constituted an armed attack. And even if it was an armed attack it might still be justified as self defense in the form of striking back at the aggressor in the face of imminent attack, as a paragraph on page 58 of the manual explains:

In light of the damage they caused to Iranian centrifuges, some members of the international group of experts were of the view that the attack had reached the armed attack threshold (unless justifiable on the basis of anticipatory self defence) [our emphasis].

No international cyber-security incidents to date have clearly crossed over into something comparable to an armed attack, according to the legal experts. The 2007 cyber-operations against Estonia were not characterised by anyone, neither the Estonians nor the international community, as an armed attack – because the scale and effects of the cyber-attack didn’t bear comparison to anything even a small scale armed attack might involve. Stuxnet was a better example of a potential cyberattack.

Iran didn’t even know that its infrastructure was under attack, or by whom, until long after Stuxnet had done its damage. Rule 9 states that:

“A state injured by an internationally wrongful act may resort to proportionate countermeasures, including cyber-countermeasures, against the responsible state”.

However, the manual adds an important caveat (rule 15) that “the right to use force in self-defence arises if a cyber-armed attack occurs or is imminent. It is further subject to a requirement of immediacy.”

The rules of international law imply that any attempt by Iran to respond to Stuxnet with its own attack or cyber-attack would be characterised as retaliation, and not self-defence, unless it has reason to conclude that cyber-attacks of the same scale are once again imminent.

Elsewhere during his interview with the Washington Times, Schmitt talks about the involvement of civilian hackers in cyber-conflicts.

If a cyberattack occurs before shooting starts, “It’s a crime”, says Schmitt. However, if a hacker attack occurs after two countries become engaged in open conflict, then the hackers behind the cyberattack have effectively joined hostilities as combatants and can be targeted with “lethal force”, according to Schmitt.

The cyber skirmishes that occurred between Georgia and Russia in 2008, during the course of a ground war between the two countries over a break-away region, are the primary example to date of a set of circumstances that might leave hackers in the firing line. This might be justified by incidents such as cyber-attacks on an enemy electricity plant that cause explosions and injure workers, the manual suggests. Something has to be raised to a level akin to armed attack: so we’re talking Die Hard 4.0-style attacks against power grids, financial systems and transportation networks rather than mere website defacement or propaganda, it would seem.

The majority of the legal eagles took the view that “informal groupings of individuals acting in a collective but otherwise uncoordinated fashion cannot comprise an organised armed group”. This might be taken as removing the likes of Anonymous from a list of combatants, but perhaps including groups similar to LulzSec that feature an informal leadership, a list of potential targets and an inventory of hacker tools.

The manual is far clearer in comparing hackers-for-hire to mercenaries who “do not enjoy combat immunity or prisoner of war status” (rule 28). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/27/stuxnet_cyberwar_rules/

Oz states count cars using Bluetooth

The government of Australia’s Capital Territory (ACT) has issued a statement about the use of Bluetooth-sniffing technology for traffic studies.

The issue arose as the result of grassroots activism from Canberra-centric news service The-RiotACT, which has its take on events here.


RiotACT considers the Bluetooth collection to be analogous to Google’s StreetView data slurp in which the Chocolate Factory decided that open WiFi access points were fair game for data sniffs. The organisation goes so far as to accuse the ACT government’s Territory and Municipal Services – the agency in charge of roads and therefore running the traffic studies – of breaching Australia’s Telecommunications Interception Act.

TAMS has responded that its activities are nothing nefarious and that it doesn’t collect “personally identifiable” information. In this brief statement, the agency says Bluetooth provides a useful gauge of travel times and route decisions. The agency says the technology is in use “around Australia”, although El Reg was only able to document this for NSW.

While RiotACT’s reaction seems overblown, The Register wonders whether recent research into how easily “anonymous” movement data can be tied to an individual would have privacy implications in this setting.

Bluetooth traffic technology doesn’t attempt to capture communication data from passing devices, but merely records a “signature” (most probably the device ID, MAC address or name offered over the link) as a car enters and leaves the footprint of the measuring device. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/28/riotact_goes_berserk_over_bluetooth/

BIGGEST DDoS ATTACK IN HISTORY hammers Spamhaus

Anti-spam organisation Spamhaus has recovered from possibly the largest DDoS attack in history.

A massive 300Gbps was thrown against Spamhaus’ website but the anti-spam organisation was able to recover from the attack and get its core services back up and running. CloudFlare, the content delivery firm hired by Spamhaus last week to guard against an earlier run of DDoS attacks, was also hit, forcing it into taking the highly unusual step of dropping London as a hub in its network – as a Twitter update by CloudFlare on Monday explained.


Our peering in London has been dropped due to a large attack. Modifying routes to avoid degradation. Affecting location: London, GB

Spamhaus supplies lists of IP addresses for servers and computers on the net linked to the distribution of spam. The blacklists supplied by the not-for-profit organisation are used by ISPs, large corporations and spam filtering vendors to block the worst sources of junk mail before other spam filtering measures are brought into play.

Spammers, of course, hate this practice so it’s no big surprise that Spamhaus gets threatened, sued, and DDoSed regularly. Those affected by what they regard as incorrect listings also object about Spamhaus’ alleged vigilante tactics.

The latest run of attacks began on 18 March with a 10Gbps packet flood that saturated Spamhaus’ connection to the rest of the Internet and knocked its site offline. Spamhaus’s blocklists are distributed via DNS and widely mirrored in order to ensure that it is resilient to attacks. The website, however, was unreachable and the blacklists weren’t getting updated.

The largest source of attack traffic against Spamhaus came from DNS reflection, launched through Open DNS resolvers rather than directly via compromised networks. Spamhaus turned to CloudFlare for help and the content delivery firm was able to mitigate attacks that reached a peak of 75Gbps, as explained in a blog post here.

Things remained calm for a few days before kicking off again with even greater intensity – to the extent that collateral damage was seen against services such as Netflix, the New York Times reports.

Spamhaus’ site remains available at the time of writing on Wednesday. Steve Linford, chief executive for Spamhaus, told the BBC that the scale of the attack was unprecedented.

“We’ve been under this cyber-attack for well over a week. But we’re up – they haven’t been able to knock us down. Our engineers are doing an immense job in keeping it up – this sort of attack would take down pretty much anything else,” he said.

Turning up the volume of DDoS attacks

A blog post by CloudFlare, written last week before the latest run of attacks, explains the mechanism of the attack against Spamhaus and how it can be used to amplify packet floods.

The basic technique of a DNS reflection attack is to send a request for a large DNS zone file with the source IP address spoofed to be the intended victim to a large number of open DNS resolvers. The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers’ requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control.

In the Spamhaus case, the attacker was sending requests for the DNS zone file for ripe.net to open DNS resolvers. The attacker spoofed the CloudFlare IPs we’d issued for Spamhaus as the source in their DNS requests. The open resolvers responded with DNS zone file, generating collectively approximately 75Gbps of attack traffic. The requests were likely approximately 36 bytes long (e.g. dig ANY ripe.net @X.X.X.X +edns=0 +bufsize=4096, where X.X.X.X is replaced with the IP address of an open DNS resolver) and the response was approximately 3,000 bytes, translating to a 100x amplification factor.

CloudFlare reckons 30,000 unique DNS resolvers have been involved in the attack against Spamhaus.

“Because the attacker used a DNS amplification, the attacker only needed to control a botnet or cluster of servers to generate 750Mbps – which is possible with a small sized botnet or a handful of AWS instances,” it explains. ®
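The reflection mechanism CloudFlare describes leaves a signature on the resolvers being abused: repeated ANY queries arriving from addresses the resolver was never meant to serve, where the "client" is really the spoofed victim. The following is an added example, not code from the article or from CloudFlare; the log lines are constructed and loosely modelled on BIND query-log output, the served network 192.0.2.0/24 is an assumption, and the 36-byte request and 3,000-byte response figures are the ones quoted above.

```python
"""Spotting DNS reflection abuse in resolver query logs and sizing the amplification.

Added example, not part of the original article or CloudFlare's post.
Log lines are constructed, loosely modelled on BIND query-log output.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Figures quoted in the article: a ~36-byte "ANY ripe.net" request carrying a
# 4096-byte EDNS buffer size, answered with a ~3,000-byte response.
REQUEST_BYTES = 36
RESPONSE_BYTES = 3000

# Constructed sample: a resolver that should only serve 192.0.2.0/24 is also
# answering ANY queries from the internet. The repeated 198.51.100.x "clients"
# are the spoofed victim addresses, not real querying hosts.
SAMPLE_LOG = """\
client 192.0.2.15#51234: query: www.example.com IN A +E(0) (192.0.2.53)
client 198.51.100.9#53: query: ripe.net IN ANY +E(0) (192.0.2.53)
client 198.51.100.9#53: query: ripe.net IN ANY +E(0) (192.0.2.53)
client 198.51.100.9#53: query: ripe.net IN ANY +E(0) (192.0.2.53)
client 203.0.113.77#40210: query: mail.example.net IN MX + (192.0.2.53)
client 198.51.100.10#53: query: ripe.net IN ANY +E(0) (192.0.2.53)
client 192.0.2.20#49152: query: ripe.net IN ANY +E(0) (192.0.2.53)
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return (client_ip, qname, qtype), or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("qname").rstrip("."), m.group("qtype")


def amplification_factor(request_bytes=REQUEST_BYTES, response_bytes=RESPONSE_BYTES):
    """Bytes delivered to the victim per byte the attacker sends.

    3000 / 36 is about 83; the article rounds this to 'about 100x'."""
    return response_bytes / request_bytes


def source_bandwidth_gbps(observed_gbps, factor):
    """Bandwidth the attacker must originate to produce observed_gbps at the victim."""
    return observed_gbps / factor


def suspicious_clients(log_text, allowed_networks, qtypes=("ANY",)):
    """Count amplification-style queries per client outside the served networks.

    A recursive resolver answering ANY for addresses it is not meant to serve is
    an open resolver; many ANY queries from one outside 'client' is the
    reflection signature, since that client is the address being flooded."""
    nets = [ip_network(n) for n in allowed_networks]
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _qname, qtype = parsed
        if qtype not in qtypes:
            continue
        if any(ip_address(ip) in net for net in nets):
            continue  # legitimate in-network use, not reflection from outside
        hits[ip] += 1
    return dict(hits)


def estimated_reflected_bytes(hits, response_bytes=RESPONSE_BYTES):
    """Bytes this resolver has sent towards each spoofed 'client' address."""
    return {ip: n * response_bytes for ip, n in hits.items()}


if __name__ == "__main__":
    hits = suspicious_clients(SAMPLE_LOG, ["192.0.2.0/24"])
    for ip, n in sorted(hits.items()):
        print(f"{ip}: {n} ANY queries from outside the served range")
    print(f"amplification ~{amplification_factor():.0f}x")
    mbps = source_bandwidth_gbps(75, 100) * 1000
    print(f"75 Gbps at the victim needs only ~{mbps:.0f} Mbps of spoofed requests")
    # Mitigation on the resolver side (real BIND options, not discussed in the
    # article): restrict recursion with `allow-recursion { localnets; };` and
    # enable response rate limiting with `rate-limit { responses-per-second N; };`.
```

The `source_bandwidth_gbps(75, 100)` call reproduces CloudFlare's arithmetic: a 100x factor turns 750Mbps of spoofed requests into the 75Gbps seen at Spamhaus.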

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/27/spamhaus_ddos_megaflood/

GCHQ attempts to downplay amazing plaintext password blunder

Red-faced crypto and intercept intelligence agency GCHQ has admitted emailing plain text password reminders to people who register on its careers micro-site.

The issue came to light after prospective job applicant Dan Farrall blogged about his experience of receiving a plain text reminder of his GCHQ recruitment site password by email after filling out its forgotten password form. Farrall only got round to blogging about the issue this week, two months after the offending email.


Incredibly, the signals intelligence agency had done nothing in the weeks in between to address such a well-understood security bad practice on its careers site.

Website passwords should be stored by organisations only as encrypted and salted hashes. And password reminders shouldn’t be sent in unencrypted emails. Instead it’s far better to apply a password reset procedure. Password retrieval isn’t even possible where login credentials are stored only as encrypted and salted hashes, so it’s evident that in this case they weren’t.

Mistakes on these lines are all too commonplace. Plain Text Offenders, a site that aims to name and shame sites following such insecure practices, estimates 30 per cent of sites store plaintext passwords.

Last July, supermarket giant Tesco was taken to task by software developer Troy Hunt over its storage of users’ passwords in plain text and its plain text password reminders.

So plaintext passwords are commonplace, and in some cases may not be that big a deal. But GCHQ, whose CESG arm advises large corporations including banks and utilities on how to safeguard critical infrastructure systems, and which itself deals daily in absolutely critical national-security information belonging to the British and various other governments, can reasonably be held to the highest possible standards.

GCHQ’s career site is, of course, not part of its core mission and might even be run by a third-party agency but that’s a weak excuse for not setting the best possible example in the case of such an agency. Apart from anything else, it is likely to seriously put off recruits of the calibre and security savvy the agency needs.

In response to queries from El Reg, GCHQ supplied a statement acknowledging and downplaying the issue, which it ascribes to a legacy system it’s in the process of changing anyway.

The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it. Only the very small percentage of applicants (who need their accounts reset) are sent a new password. This comes with clear instructions of how to protect their data.

Plaintext password reminders are a problem not just because emails can be intercepted. Unless login credentials are stored as encrypted AND salted hashes then any breach on servers is liable to allow hackers to recover user passwords. Storing login credentials as hashes alone isn’t good enough because they are still vulnerable to brute-force (try every probable combination) attacks using readily available rainbow tables and other password-cracking tools. Insecure backups pose the same type of risk.
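The two practices the article contrasts, a site that can "remind" you of your password because it kept the password, versus salted hashes plus a reset procedure, look like this side by side. This is an added example and not code from GCHQ's careers site; the class and function names, the PBKDF2 iteration count and the 15-minute token lifetime are assumptions.

```python
"""Password storage and reset, the weak pattern beside the fix.

Added example, not code from GCHQ's recruitment site. PlaintextStore is the
offending pattern; HashedStore stores only salted PBKDF2 digests and issues
single-use reset tokens instead of mailing the password back.
"""
import hashlib
import hmac
import secrets
import time

ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 work factor (assumption; tune to hardware)
RESET_TTL_SECONDS = 900  # reset links expire after 15 minutes (assumption)


class PlaintextStore:
    """The offending pattern: a 'reminder' is possible only because the
    password itself was kept, so any server breach or backup leak exposes it."""

    def __init__(self):
        self.users = {}

    def register(self, user, password):
        self.users[user] = password

    def reminder_email(self, user):
        return f"Your password is: {self.users[user]}"


def unsalted_hash(password):
    """Hash without a salt: identical passwords give identical digests, which is
    exactly what a precomputed (rainbow) table exploits."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest). A fresh 16-byte salt per user means two users with
    the same password get different digests, and a slow KDF makes each guess cost."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


class HashedStore:
    def __init__(self):
        self.users = {}         # user -> (salt, digest)
        self.reset_tokens = {}  # sha256(token) -> (user, expiry); token itself is never stored

    def register(self, user, password):
        self.users[user] = hash_password(password)

    def verify(self, user, password):
        if user not in self.users:
            hash_password(password)  # do the same work so unknown users are not faster
            return False
        salt, digest = self.users[user]
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def reminder_email(self, user):
        """There is nothing to remind: only a salt and digest are stored."""
        return "No password is stored for this account. Use the reset link instead."

    def start_reset(self, user, now=None):
        """Return a single-use token to email; the password is never involved."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[key] = (user, now + RESET_TTL_SECONDS)
        return token

    def finish_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)  # pop: a token works at most once
        if entry is None or entry[1] < now:
            return False
        self.users[entry[0]] = hash_password(new_password)
        return True


if __name__ == "__main__":
    weak = PlaintextStore()
    weak.register("applicant", "hunter2")
    print(weak.reminder_email("applicant"))          # the password, in the clear
    safe = HashedStore()
    safe.register("applicant", "hunter2")
    print(safe.reminder_email("applicant"))          # nothing to leak
    token = safe.start_reset("applicant")
    print(safe.finish_reset(token, "new passphrase"), safe.verify("applicant", "new passphrase"))
```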

Hacktivists like Anonymous and LulzSec have shown an appetite for nobbling secondary websites run on behalf of national-security and police organisations like GCHQ, before leaking the data. They care little about collateral damage to individuals whose private details have been exposed – which might in this case include people who go on to become GCHQ personnel and could then be targeted by anyone from hacktivists all the way up to hostile human-intelligence agencies.

And, as Farrall points out, the potential harm that can come if anyone nobbled GCHQ’s career site is far worse than might normally be the case because applicants are expected to submit a great deal of private information for use in security vetting.

“For those that don’t think this matters, bear in mind the type of information you’re submitting,” he writes. “Names, dates, family members, passport numbers, housing information. With this type of information identity theft is a major concern.”

Quite apart from the privacy issues it’s a real eye opener that GCHQ is not taking greater care of the personal details of people who may one day go on to become the UK government’s penetration testers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/27/gchq_plain_text_password_reminder/