Key government services were taken offline over the weekend after the discovery in a pub car park of a pocket storage device containing details of the Government Gateway. The Gateway is intended to provide a central secure login service for a range of government systems, including tax credits and self assessment, so taking it …
More questions than answers
"If you can crack those encrypted passwords, and it would just be a matter of time, you could potentially access those 12 million accounts and those details"
So did he crack them?
Could he crack them?
How does he know what they give access to if he didn't?
That's not to say that taking any data down the pub and losing it in the car park is a good idea...
In other news: an expert said "if I could get access to confidential data, I would get access to confidential data"
It is no wonder we are under a tidal wave of cyber crime; people in positions of responsibility just don't have a clue.
It is like having an editor of a major English-speaking paper who has never seen or heard of a dictionary. It is just ludicrous. We have the wrong people managing IT, it really is that simple.
...but reading between the lines it looks like whatever was on this storage key were log in details shared between more than one system or person...
Security 101... You don't share log-on information between more than one system/user... That way when you *do* lose the info, you can just cancel one account and not have to wipe out the entire system for a weekend.
Then again, what do you expect from a government project...
No tabloid headline mileage in this anymore.....
So there will almost certainly be no repercussions.
What a fucked-up sense of priorities the "Great British Public" (aka Mail and Sun 'readers') have.
Makes you sick.
"Just a matter of time"
How much? 200 years?
Losing things is human; the smaller the object, the easier it is to lose. Put people under pressure and things will be forgotten, misplaced, not put away.
But then who would be stupid enough to put passwords on a USB stick, and if the stick was encrypted, how would you know they were passwords for the Government Gateway?
That kind of password should be on paper, locked in a safe. Mind you, if they are operational passwords, better on an encrypted stick than on a bit of folded paper in a wallet, or black & red.
BTW - a lot of admins have to know the admin passwords for multiple systems. Before you start to criticise people for writing them down, how many 12-digit randomly generated passwords can you remember? I'm glad I don't have to remember.
Oh and it wouldn't matter which political party was in power, this would still happen, because it's a function of being human, not of process or procedure.
If it was encrypted...
If it was encrypted it would look like random numbers and they wouldn't know what they have. So it was encrypted, it was at best obscured.
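The point made in the comment above, that properly encrypted data looks like random bytes while merely "obscured" data does not, can be checked mechanically. The following is an added example, not code from the original thread or from any Government Gateway system: it measures Shannon entropy and the fraction of printable bytes of a recovered blob and gives a rough triage verdict. The sample credential file, the XOR "obscuring" and the hash-based keystream used as a stand-in for real ciphertext are all constructed here for illustration; the keystream is not a recommended cipher, it only shows that encryption drives the byte distribution towards uniform.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0. Ciphertext and compressed data sit close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (incl. tab, CR, LF)."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def classify(data: bytes) -> str:
    """Rough triage of a found blob: 'plaintext', 'obscured' or 'encrypted-or-compressed'."""
    h = shannon_entropy(data)
    p = printable_ratio(data)
    if h > 7.5:
        return "encrypted-or-compressed"   # near-uniform bytes: looks like random numbers
    if p > 0.95:
        return "plaintext"                 # readable text with a skewed byte distribution
    return "obscured"                      # non-printable but still low entropy, e.g. XOR/ROT


# Constructed sample: a small credentials file such as might be carried on a stick.
SAMPLE_PLAINTEXT = (
    b"service=GovernmentGateway\n"
    b"user=admin01\n"
    b"pass=Tr0ub4dor&3\n"
    b"host=10.0.0.12\n"
) * 40

# "Obscured": single-byte XOR. A bijection on bytes leaves the entropy unchanged.
SAMPLE_OBSCURED = bytes(b ^ 0xFF for b in SAMPLE_PLAINTEXT)


def _demo_keystream(key: bytes, length: int) -> bytes:
    """Hash-counter keystream used ONLY as a stand-in for real ciphertext in this demo."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


SAMPLE_ENCRYPTED = bytes(
    p ^ k for p, k in zip(SAMPLE_PLAINTEXT, _demo_keystream(b"demo-key", len(SAMPLE_PLAINTEXT)))
)

if __name__ == "__main__":
    for name, blob in (("plaintext", SAMPLE_PLAINTEXT),
                       ("xor-obscured", SAMPLE_OBSCURED),
                       ("encrypted", SAMPLE_ENCRYPTED)):
        print(f"{name:13s} entropy={shannon_entropy(blob):.3f} "
              f"printable={printable_ratio(blob):.2f} -> {classify(blob)}")
```

The XOR'd sample reports exactly the same entropy as the plaintext, which is the tell: obscuring shuffles the alphabet, it does not flatten the distribution. Only the keystream-XOR output approaches 8 bits per byte.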
Some ministers telling porkies.
"The Gateway is intended to provide a central secure login service for a range of government systems, including tax credits and self assessment, so taking it offline paralyses these too, before you can say 'single point of failure'."
The mind boggles ...
Occasionally, as I continue to learn and teach, I find someone capable of understanding the complexity of this new interconnectedness that exists, whether we like it or not.
To date, I have seen no evidence that any government gets it. Most large companies don't have a clue, either. For whatever reason, "marketing" seems to be in charge.
Not Quite to type
It is unlike ATOS Origin to be so careless with data.
A few years ago, there was a spate of violent muggings, some involving the theft of laptop computers, from a railway station frequented by personnel from ATOS Origin and one of its clients. Employees of the client company received a memo giving them advice about personal safety. Employees of ATOS Origin received a memo reminding them of the steps they needed to take to keep their data secure.
Mine's the one with the encryption keys on the same ring as the car keys.
The single point of failure
It's those dolts residing in Downing Street, and the sooner we get rid of Gordon Clown and his pack of idiots the better
I see what you did there!
Ministers aren't stupid
They want to keep their own details off all of the planned national databases, they're no fools. They just think the rest of us are stupid.
How many more government data losses do we need before Jacqui Smith gets sacked? Let us know so the people with access can lose some more data quickly.
Mine's the one with the unencrypted data key in the pocket with the hole in it.
well it wasn't stolen by moslem-lefty-pedo-liberal-antiamerican-communist-unenglish-labour supporting-thugs so they wouldn't be interested ;)
Re: The single point of failure
"By N Posted Monday 3rd November 2008 10:00 GMT
Is those dolts residing in downing street & the soon we get rid of Gordon Clown and his pack of idiots the better"
I get the feeling you think the *other chaps* have never lost any personal information of their 56-60m subjects! I think yet another idiot needs to look at history beyond the newspapers and websites. Be sure you understand this: ALL THE PARTIES ARE THE SAME. So using your twisted political view to take over the discussion about incompetent civil servant outsourcing won't wash, chump.
PS, if Gordon were replaced by the other Monkey Team, this non-gov business, ATOS, would still be in place with its contract! Starting to notice that predominantly it is the private sector (under contract to the Gov) that is losing this data? Thought not, but it's true nonetheless!
It's about time some of you started to see beyond... ohhh blame the Gov, it's always their fault. The truth is that it's not always their fault (although it's always their responsibility I must admit).
Not Maggies Mate
Single Sign On
@Steve - the entire concept of the GG is single online identity, single sign on. With that identity, you enroll into various government services to use them. Departments then use GG as a centralised authentication and authorisation facility.
Whilst renewing a driver's licence, or submitting a tax return, may not be particularly exciting, there are more sensitive services, such as ContactPoint. The idea of a user being enrolled into that service via the back door, thus avoiding the various checks, is quite concerning given the vast amount of personal data about children that the government are storing there.
Where the identity gives you access to a service, that is one thing. When the identity gives you access to large tracts of data, this is something else.
National Identity Database anyone?
The deadline for the submission of Self-Assessment Tax Returns on paper was 31st Oct, having been brought forward this year without huge fanfare. Between now and 31st January only a return submitted online will avoid a £100 penalty.
This might mean a windfall for HMRC of tens of millions.
@ Alan Fisher
Nor was it salaciously broadcast on Radio 2 for all of two people to complain about at the time...
It's confusing from the article to know if the USB stick was encrypted. As far as I can see, it wasn't at all!
If it was, it'd be fine (ish). The Integral USB stick shown in the pic isn't an encrypted version, so the encryption is shown to be dealing with the system. Let's face it, if you have the source code of the system, the encryption will fall pretty quickly. But we'll leave Mr. "Erasmus" to tell us that..
No governmental USB stick should be unencrypted, regardless of cost.. in fact ALL business USB sticks should be encrypted (gov, or otherwise)
Media and Lost Property
Why is it that every time a lost device/laptop/file is found it's handed in to the BBC or a newspaper*? Do the police not have any lost property bins anymore, or are they full of spare knives?
*Mail on Sunday included for this one time.
re: Re: The single point of failure
How the FUCK does "the other side would have done it too" mean that we can't blame this government?
How about this, you retarded piece of putrid offal: SACK THIS GOVERNMENT. Then, if "the other side does it too", SACK THEM TOO! When you sack them, remove all their pension from any government source. They fucked up big time.
After a while, neither side will do this sort of shit because they know they'll get sacked and have no pension.
Your way, they don't improve their act because there's no downside to being incompetent in government.
PS You REALLY looove Maggie. Else you would not be obsessing over her 20 years after she's left. FFS.
@AC (Not Maggie's Mate)
"Its about time some of you started to see beyond... ohhh blame the Gov, its always their fault. The truth is that its not always their fault (although its always their responsibility I must admit)."
The truth is that they are still planning more and more databases with my data held on them and with a track-record that is ludicrous. This is why people blame this government. It's not the loss of data that they're to blame for (though giving contracts to the lowest bidder is hardly the way we get quality now, is it?), it's the plans to lose more data that's pissing everybody off, including myself but not including you apparently.
Strange how somebody who supports the government (or at least doesn't condemn the government) over this issue should choose to remain anonymous. Are you scared we're gonna lose your data? If you value your anonymity then vote for a Government that won't waste taxpayers money on huge and unworkable centralised databases. Otherwise, just post all of your details here, your name, address, banking details, date of birth and mother's maiden name and I promise that we will look after it better than this present government ever could.
If you've nothing to hide then you've nothing to fear but if you have nothing to fear then you're either stupid or incredibly naive.
@ Media and Lost Property
" Why is it that every time a lost device/laptop/file is found its handed into the BBC or a newspaper* ? "
Because they are the only ones we hear about. Possibly only a small percentage of the actual losses.
Mine's the one with the USB stick chained to it..
@AC ("Hmm.. Perceptions")
"Let's face it, if you have the source code of the system, the encryption will fall pretty quickly."
That's strange, the source code for public key (asymmetric) encryption's been in the public domain for decades now, and we're still not seeing generalised cracks for it.
So how will they know?
"If you can crack those encrypted passwords, and it would just be a matter of time, you could potentially access those 12 million accounts and those details"
So given the fact that they barely registered the loss, how are they even going to have a clue if the systems do get compromised?
Wacky-Jacqui wants to store all our details and comms? Sorry luv, but you couldn't be trusted to look after my Dad's Nectar points card!
Outsourcing at fault?
"Starting to notice that predominantly this is the private sector (under contract to the Gov) that is losing this data? Thought not, but its true none the less!"
Is that because the PS are inherently incompetent, or simply because pretty much all governmental IT is run by them nowadays?
Having worked for both I have serious doubt a civil service run IT function would be a lot more competent. Accountable maybe...
That's a pretty naive view from you as well as the OP. I would have thought that, if anything, Maggie taught us that sometimes, even when we want them out, it's too late when we can get them out. Just ask all the miners who lost their livelihoods. A lot of things should be looked at when deciding on who to vote for, and many of those things will be ignored. The idea of "get them out and get the others in" just to see what will happen is incredibly dangerous, especially when Mr. Cameron doesn't really have a single policy that is more elaborate than a headline. While I don't feel that I could vote Labour, because I felt betrayed by the war in Iraq, I do respect Gordon Brown for the work he has done rebuilding our economy (as does a large majority of the developed world), and I think the real problem is the people who have advised someone who was always going to be someone who listened to advisers over instinct (which I generally think is a good thing). Jacqui Smith and Ian Blair have given us a country that is run on fear, and have given us technological solutions worked out by people with no technological knowledge. On the other hand you have people who are going to look at the economy, try to implement huge savings for people, and use money that we just don't have, and expect not to destroy our economy. It's what the Tories did before, and it's what they seem to be suggesting they'll do again. I remember Brown being pulled up on small discrepancies in his budget, and it making national news. Cameron has huge discrepancies, and all people can see is that they don't like what's happening right now, so it has to change. This severely worries me, especially in the current climate.
Personally, I'm far more interested in the Lib Dems than either of the two main parties (and I have been a reasonably staunch Labour supporter for most of my life), because they offer policies that don't threaten to turn us into a police state, offer sensible policies on stopping our illegal wars, and also offer in-depth policies on what they will do funding-wise, with actual figures to back them up. Neither of the other two parties comes anywhere close to offering any of this.
Gateway Help Desk
Some time ago I mislaid my Gateway password, on contacting the Help desk for a reset I was advised to use my UTR (Unique Tax Reference) as a password to avoid forgetting it in future.
Pffff. In this day & age there is no excuse.
TrueCrypt and/or KeePass are available for FREE. Both will allow the user to install the program to a flash drive as a stand-alone.
There's also : Ironkey
The Reg readers have more of a clue than these idiots we have in power.
God help us all come the Database state...
/Coat coz if i could i would leave.
" BTW - a lot of admins have to know the admin passwords for multiple systems, before you start to criticise people for writing them down, how many 12 digit randomly generated passwords can you remember. I'm glad I don't have to remember."
I have to do it all the time.... and I don't write them down, although the passwords I have to remember tend to only be 8-10 digit alphanumeric, so maybe that's easier... as well as the corresponding usernames and IP addresses of the servers. Maybe that's why I've never been fired, or suffered any data loss..... yet.....
TrueCrypt is great and I've used it to protect information when I haven't been offered something else - just to avoid being "that employee" if my laptop was nicked. But it is not accredited by CESG for protecting UK government data at either baseline or enhanced level, so saying that such-and-such a civil servant or this-and-that private contractor should just download the panacea to all their problems is not correct.
It's pretty crap, because anybody voluntarily using TrueCrypt should be applauded, not discouraged. The real issue is that UK Gov aren't on top of it and basically just recommend 3rd party products.
@AC with tax helpdesk - i thought you should be able to do a reset using your known facts, and I'm fairly sure that KFs aren't supposed to be used as passwords.
Everyone has missed the real story here
In the Daily Mail article, the accompanying screenshot of a browser window includes a bookmark in the bookmarks toolbar for a site called 'Doggahs.' - I have no intention of googling that, but I am left wondering why the art department at the Daily Mail might be frequent visitors. Someone should start a sensationalist moral campaign about that, surely!
>the passwords i have to remember tend to only be 8-10 digit alphanumeric
8-10 digit alphanumeric? let's hope the information protected by the passwords isn't important
>maybe thats why i've never been fired
Perhaps if you had anything to do with the strength of the passwords you should be; anyone so sloppy with their password strength is probably haemorrhaging data and doesn't even know.
Most of the Government systems are antiquated. There are still systems on DOS 6 / Windows 3.11, Windows NT4 amongst others - and no plans to replace them. There's so many security holes without needing passwords that all this talk of encryption products is stuff and nonsense.
It was where?
Hang on, they found it in Cannock of all places? Intact?
We should rejoice. Normally anything remotely advanced - for example the wheel - is regarded by the locals as black magic and summarily hung drawn and quartered.
Cannock is several dozen square miles of population but only four different surnames. A place where signs above the boundary markers say 'There Be Witches'. A place where burning crucifixes appear at night, the girls start shaving long before the boys, and where Sunny Delight is considered a health drink.
Believe me, this so-called device was safe and sound in Cannock. No chance of it being hacked or broken into without a hammer being involved there.
@ Paul Buxton
"[Government ministers] want to keep their own details off all of the planned national databases"
I'm willing, once again, to bet a jelly donut that even the ministers in their lofty offices are going to be in for some rude surprises. Instead of actually purging their information from various databases, simple booleans will be set to indicate "invisible data", so when ministers leave office, all their data is easily restored.
Programmers being what they are (esp. the outsourcees) they won't always follow the prescribed logic in generating reports, so ministerial secrets (size of underclothing, preferred brand of personal lubricant, eyeglass prescription, dates when hair was cut) will pop out into view sporadically. And if the hackers penetrate the DBs, no secrecy at all.
And since the current UK government knows no limits to its sheer snoopiness, you may be sure that we'll even discover how many pairs of red lace crotchless panties Mad Jacqui owns.
Stay tuned. The show will be even funnier than the Saturday morning cartoons I used to watch on TV as a child.
That's a bit harsh, seeing that you have no idea what complexity arrangements are in place. There does seem to be this blinkered line of thought that size is everything.
Obviously length+complexity is better than length alone. But based on my personal experience, when you force users to use a long and complex password, the chances are they can't remember it. System policy is one thing, user acceptance is another. More often than not, if they can't remember it they will write the password down. I have seen them do it, and know where their password is on physical medium. Furthermore, long complex passwords will just tempt them to reuse the first few characters of the password. You can have the best system security but it's useless if the users let you down.
"And since the current UK government knows no limits to its sheer snoopiness, you may be sure that we'll even discover how many pairs of red lace crotchless panties Mad Jacqui owns."
Though I appreciate the levity of your post, the paragraph above has forced me to book my lobotomy early. I mean... EUUUUWWW
Think of Paris, think of Paris, think of Paris.....
Who's to blame?
Whenever data gets lost the knee-jerk reaction is to blame 'the government'; but just who is this government? Correct me if I'm wrong, but have any of these losses been down to an elected official? I'm pretty sure that most/all of them have been the fault of the civil service or private companies, both of whom would still be there even if the elected government was changed tomorrow!
That's not to say that I agree with the totalitarian databases being banded around at the moment, and the risks involved do scare me silly. But let's put the blame for the ideas, and the current losses, at the right doors please.
Not harsh at all. Either your passwords aren't protecting anything important (in which case your post is irrelevant) or your passwords are protecting something important, in which case the password strength is critical to protection of the data you are responsible for (and ultimately your job).
>you have no idea what complexity arrangements are in place
You said 8-10 digit alphanumeric, sounds like you're defining complexity; this obviously excludes special characters, so immediately you are revealing some of your complexity arrangements. Furthermore, in your second post you say "tempt them to reuse the first few characters of the password"; this indicates that users are allowed partial re-use, so again I can garner some more information about your security (which sounds poor).
User password education is important, but it's not that difficult. Give a user the password d0-@Qr-+S1[/^!+vP and you're asking for trouble, but enforce at least one special character, at least one digit, no position re-use, minimum of 9 and you have a strong password. Then tell the user how to use word association and phrase acronyms as techniques to remember them, then they don't do stupid things. If they *have* to write down passwords then educate them to write down something which reminds them of a password, or partial passwords. If the users let you down, it's your poor education, not them; they are like children. Take some responsibility, man.
This is all by the by anyway; we were talking about the passwords you have to remember, where's your excuse? If you are an admin (like you imply) why are you using and allowing your users to use weak passwords? Or aren't you enforcing stronger passwords? (If you're that sloppy I wonder if you even enforce a regular password change or change all your passwords when another admin leaves.) Hope you work for some noddy organisation that doesn't do anything important or have any external auditing, otherwise that job that you haven't been fired from yet could become one that you have been.
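The policy sketched in the comment above (at least one special character, at least one digit, a minimum of 9 characters, no re-use of a character in the same position as the previous password) is concrete enough to enforce in code. The following is an added example written for this page, not code from the original thread or from the Government Gateway: it returns the list of violations for a proposed password and, picking up the earlier anecdote about the help desk suggesting a UTR as a password, optionally rejects any password containing a "known fact" about the user. The function names, the zero-tolerance threshold for positional re-use and the sample passwords are all choices made here for illustration.

```python
import string
from typing import Iterable, List

SPECIALS = frozenset(string.punctuation)  # treated as the "special characters" of the policy
MIN_LENGTH = 9


def position_reuse(new: str, old: str) -> int:
    """Number of positions where the new password keeps the old password's character.

    Re-using a prefix ('Winter2007!' -> 'Winter2008!') shows up here as a high count.
    """
    return sum(1 for a, b in zip(new, old) if a == b)


def check_password(new: str, old: str = "",
                   known_facts: Iterable[str] = (),
                   max_same_positions: int = 0) -> List[str]:
    """Return the policy violations for `new`; an empty list means the password is accepted.

    `old` is the user's previous password (or "" if none), `known_facts` are identifiers
    such as a tax reference or date of birth that must not appear in the password.
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in new):
        problems.append("no digit")
    if not any(c in SPECIALS for c in new):
        problems.append("no special character")
    if old:
        same = position_reuse(new, old)
        if same > max_same_positions:
            problems.append(f"re-uses {same} character(s) in the same position as the previous password")
    lowered = new.lower()
    for fact in known_facts:
        if fact and fact.lower() in lowered:
            problems.append(f"contains known fact {fact!r}")
    return problems


if __name__ == "__main__":
    # Constructed examples; none of these are real credentials.
    cases = [
        ("Winter2008!x", "Winter2007!y", ()),          # prefix re-use of the old password
        ("correct horse", "", ()),                      # long, but no digit or special
        ("1234567890K", "", ("1234567890",)),          # the UTR-as-password anti-pattern
        ("g4t3w4y-Adm1n", "Winter2007!y", ()),         # passes every rule
    ]
    for new, old, facts in cases:
        verdict = check_password(new, old, facts) or ["accepted"]
        print(f"{new!r:16s} -> {'; '.join(verdict)}")
```

The same-position check is the part most password filters omit; combined with a history check it stops the "increment the year" habit the commenter describes, while the known-facts list stops a help desk from handing out a password that is also an identifier.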
Please remember, the government doesn't care
It's true, the government doesn't care about privacy or identity theft. The government doesn't suffer when information leaks and so has no incentive to prevent data loss.
The curious thing in all this is that it seems to be trivial for any employee to walk out of a site with sensitive data in his/her pocket.
Are there no physical barriers? Why is someone allowed to carry a USB memory stick into an area when sensitive data is accessible?
Not so much amateur hour, more like amateur decade!
@ Paul Buxton
"Ministers aren't stupid
They want to keep their own details off all of the planned national databases, they're no fools. They just think the rest of us are stupid."
They just think the rest of us are stupid? In my book that MAKES them stupid. By definition. QED.
Think about it ...
Are you sure
that it wasn't a privately owned drive, no one reported the drive missing & it was found in a pub car park complete with encryption keys, it sounds to me like someone was moonlighting as a tracer for a Debt Collection Agency rather than a genuine loss. And if the keys were there how would they know if the drive had been accessed?
Still, I'm a cynic when it comes to things like this.
IT's all rubbish
These events are another illustration of the fact that IT systems as they are today are fundamentally not designed to protect data. All current data protection measures are merely layered on top of something (the operating system and its hardware) that was designed to make the copying and distribution of data as unrestricted as possible. Sure, you can apply a veneer of user permissions and so forth, but by and large most data remains unguarded.
What's needed is IT systems for everyone where data is encrypted by default no matter where it is (RAM, hard disk, USB memory stick, CDR, in transit on a network, etc), and a proper crypto key distribution scheme so that only designated people can read it. This means a complete re-write of existing operating systems, a massive redesign of existing hardware and a whole lot of industry and government consensus. Until that happens there will always be accidents such as this.
Data insecurity affects everyone, one way or another. So why isn't the IT industry doing something about it? Laziness? Lack of vision? Why aren't governments worldwide pressurising the industry to address the issue? Laziness? Lack of vision?
Surely allowing them to take sensitive data out of the office in the first place is asking for trouble.
Haven't they heard of VPNs? You know, things like Citrix which allow users to access the corporate network from their home PC. And access the data remotely, over a secure connection...
Oh, of course, they'll be running Vista on their home PCs, which is incompatible with most VPN software...
The problem with taking data out of the office, even if it encrypted, is that the weak link will inevitably be the password. Too many people do not understand the concept of choosing a password that will simultaneously be easy for them to remember but difficult for others to guess. Having worked previously as a school sysadmin I've seen names, dates of birth, postcodes, telephone numbers, favourite football teams - none of which are mangled in any way whatsoever. And that's just the staff - who are likely to have sensitive data in their user areas! Once you get onto the pupils, you're likely to have "qwerty" or "abcdefg" as passwords - and one school, which didn't enforce minimum password length, had a sixth former whose password was 'a'. Unsurprisingly, his classmates frequently dipped into his account...
And of course if you enforce a password that's difficult for them to remember, chances are they'll have it written down somewhere...
@IT's all rubbish
So what if truly encrypted systems were available? The government won't / can't pay for them. If you saw the crap they are using now you'd realise that.
There's a comment somewhere asking why it's always outsourcing companies that hit the headlines. It's because the government has outsourced pretty much every IT system there is. There's nobody left in the civil service who's accountable when things go wrong. I guess the government probably likes it that way - blame everyone and take no responsibility. If the government still took ownership of its IT, the same problems would still occur, but it wouldn't be able to point the blame elsewhere.