Tuesday 23 June 2015

RIP IDA – who knows what they're talking about?

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

22 June 2015, and Janet Hughes says:
GOV.UK Verify (RIP) offers people a convenient, secure way to prove their identity when accessing digital government services. It does not have any other connection with or ability to monitor people or their data.
Funny thing to say.

Why did she say that?

And why did she go on to say:
GOV.UK Verify (RIP) protects users' privacy. It has been designed to meet the principles developed by our privacy and consumer advisory group [PCAG]. GOV.UK Verify (RIP) does not allow for mass surveillance.
The answer is, she had to.

Because four academics published a paper saying that GOV.UK Verify (RIP) is not secure and that it fails to implement the PCAG privacy principles and that it could provide a platform for mass surveillance.

Remember, if there's an impossible job to do, the Government Digital Service (GDS) call for Janet Hughes. This may be her most impossible job yet.

Oi, UK.gov, your Verify system looks like a MASS SPY NETWORK, as ElReg demurely put it. Government Digital Service insists Verify safe despite claims of vulnerabilities, according to Computer Weekly. Or as Government Computing would have it, Government rejects ID assurance study’s security fears.

The academics are Messrs Luís T. A. N. Brandão and Nicolas Christin of Carnegie Mellon University, George Danezis of University College London and someone called Anonymous, apparently also known as 06ac01f8898481dd 2acdaacbe7cea1fd 5cdec8e65fe87db5 8605e865b1860f8e. It is unknown which university 06ac01f8898481dd works at, if any.

Their paper, Toward Mending Two Nation-Scale Brokered Identification Systems, is published in Proceedings on Privacy Enhancing Technologies 2015. Note that:
  • It's not just GOV.UK Verify (RIP) that they criticise but also the US equivalent, the Federal Cloud Credential Exchange (FCCX), recently rebranded as Connect.GOV.
  • They don't just criticise, they also make recommendations how to overcome the failings of both systems.
"We welcome the paper, and its contribution to the developing pool of knowledge and ideas about digital identity assurance", says Ms Hughes, "we are working with the author of the paper to clarify this aspect and provide assurance on the issues raised. We have invited one of the authors, Dr Danezis, to join our privacy and consumer advisory group (and we are pleased he has accepted the invitation), so that we can continue to consult a range of experts and privacy and consumer groups on our approach to these important issues".

Pure Mandarin. GDS must be furious and may feel threatened by this particular pool developing. RIP IDA and all that. They wouldn't have responded to the ElReg article so very quickly otherwise.

What the academics say, in a nutshell, is (p.8) ...
... or to put it more technically, everything GDS have told us about their identity hub is a pack of lies, GOV.UK Verify (RIP) isn't secure and it doesn't protect our privacy.

Ms Hughes disagrees. She asserts the opposite. That's her job.

Which of them knows what they're talking about? Who's right?


Updated 29.6.15

The nuts and dolts of security

It's a week now since the four academics' paper came to light alleging that there are gaping holes in the security and the privacy of GDS's identity hub. Maybe they're right. Maybe they're not, we still don't know. GDS have denied the allegations but, without adducing any evidence in support of their denial, that doesn't amount to much.

Paul George Danezis, one of the academics who criticises the design of the identity hub, says "in 2015, it is very strange that this is considered acceptable. If this system had been peer reviewed it would not have been passed even 15 years ago", and is recorded as suggesting that GDS are simply incompetent, not up to the job: "Perhaps GDS did not have the expertise, or appreciate the need for expertise to deal with this".

And then there's Kevin Curran.

The cricketer?

No. "Kevin Curran is a Reader in Computer Science and group leader for the Ambient Intelligence Research Group. Dr Curran has made significant contributions to advancing the knowledge of computer networking evidenced by over 800 published works. He is a regular contributor to BBC radio & TV news in the UK and is an IEEE Technical Expert for Security and a member of the EPSRC Peer Review College."

That Kevin Curran.

He was interviewed by SC Magazine UK, "the magazine for IT security professionals", who say "he described the plan to provide a UK-wide decryption hub as 'nuts. Not because it cannot be done technically but because it is quite simply nuts', he warned".

We get one more "nuts" in the Curran interview, then a "dumb" followed by an "un-implementable", before "Curran said that there are issues that most of the 'UK government numbskulls are unaware of ... it is pretty obvious that they have completely ignored the advice that any security expert would have given them' ...".

It is not known whether GDS welcome Dr Curran's comments as much as Paul George Danezis's.

The reputations of nine "identity providers" depend on the identity hub being secure, as promised by GDS, impossibly, and on its respecting everyone's personal privacy.

Experian, Digidentity, the Post Office, Verizon et al may now all be having second thoughts. They can probably live with a university lecturer calling them nuts. They can't withstand their shareholders following suit.

They lose control of their reputations once they depend on GDS's identity hub. Why take the risk?

There's nothing we doltish members of the proletariat can do to force GDS's hand. Their suppliers, though, the "identity providers", have leverage.

Expect an announcement soon, clarifying GDS's stance on the design of their identity hub.

And don't be at all surprised if the date changes in GDS's promise to have GOV.UK Verify (RIP) up and running nationwide by March 2016.

Updated 1.7.15

GDS continue to market GOV.UK Verify (RIP) as secure. Or safe.

That comes as a surprise to many of us, who weren't born yesterday, and who are faced with the daily diet of cybersecurity breaches served by the media, take for example yesterday's Audit finds new flaw at US Office of Personnel Management: "TEN MILLION people now counted as victims of original GovSec SNAFU".

The gormless promise of security must come as even more of a surprise to those working in the cybersecurity industry with, let's say, 14 years experience up at the sharp end, one of whom kindly sent DMossEsq a link to Secure Web Hosting for Client X, 4 May 2001 – and May 4th be with him.

Client X asked their security advisor to provide a 100% secure web server. CESG certified, the advisor made two proposals, as you will see in the link.

The first proposal involves ten steps which gradually reveal the enormity of the problem.

The second is shorter: "Don't implement a Web Server until you have a clue".

Nothing has changed in the intervening 14 years cybersecuritywise.

When will GDS stop making fools of themselves by making promises which everyone by now knows or should know that they can't keep?

Updated 7.7.15

"Tirez sur l'autre, il y en a des cloches attachées"

It's over a fortnight now since GDS told us that "GOV.UK Verify (RIP) offers people a convenient, secure way to prove their identity when accessing digital government services". Do GDS know what they're talking about?

Four academics disagree with GDS and argue that the GOV.UK Verify (RIP) identity hub is full of security holes. Do these academics know what they're talking about?

We don't know. We can't be sure. We have the benefit of the advice of the engaging security expert Peter Bance. In his opinion, if you want your server to be secure/safe, you shouldn't let anyone update the data on it and you shouldn't connect it to any networks and certainly not to the internet. But does Mr Bance know what he's talking about?

We all remember QinetiQ winning a contract to advise the Pentagon on how to counter cyberespionage. This upset HBGary, a small rival of QinetiQ's who pointed out that QinetiQ had themselves been hacked. But then HBGary were hacked, too.

Actually some of you may not remember about QinetiQ and HBGary being hacked. Not to mention Bloomberg and the New York Times. And Lockheed Martin. But a bell may have rung when you read the Guardian newspaper yesterday, Hacking Team hacked: firm sold spying tools to repressive regimes, documents claim. Or maybe you read ElReg, Security world chuckles at Hacking Team’s 'virus torrent' squeals.

Either way, an Italian cybersecurity company, Hacking Team, was itself hacked and had 400 gigabytes of its records published including the alleged records of dodgy dealings with repressive regimes using Hacking Team's products, it is said, to repress people. And journalists.

Just like Gamma International, perhaps, the company that sold FinFisher, a surveillance software product. They were hacked last August.

And so it goes. On. And on and on and on until you're bored stiff reading DMossEsq.

Well that's the point. It's endless. It just goes on. It hits the good guys and it hits the bad guys. They all get hacked. There's no defence. Even if you're an expert. Connect a server to a network, and bang – you're hacked. Just ask the US Office of Personnel Management. Or ask their ten million parishioners, whose personal information has been hacked for months. Or years. No-one knows how long it's been going on.

Boring, yes. Unsurprising. Inevitable, even. But in that case who do GDS think they're kidding/confusing/misleading when they claim that GOV.UK Verify (RIP) is secure? Not you, obviously. "Tirez sur l'autre", you may be tempted to say, "il y en a des cloches attachées".

Updated 10.7.15

As reported in The Register:
5 June 2015 Hackers steal files on 4 million US govt workers
30 June 2015 TEN MILLION people now counted as victims of original GovSec SNAFU
9 July 2015 US govt now says 21.5 million people exposed by OPM hack – here's what you need to know ("... and by the way, that's in addition to the four million people whose records OPM had earlier admitted to letting slip into hackers' hands")
That series may not have finished yet.

From what you've seen of GOV.UK Verify (RIP), what reason is there to suppose that it will not one day embark on the same progression? What will you do then?

Updated 27.3.16

The Government Digital Service (GDS) told us the other day How we work with experts to make GOV.UK Verify [RIP] better: "We take the protection of GOV.UK Verify [RIP] and the security of our users and their data very seriously ... The privacy of our users comes first in everything we do ... Working with - and learning from - a wide variety of experts helps us make GOV.UK Verify [RIP] better for users".

GDS are responding here to the paper published by George Danezis and others describing security vulnerabilities in the identity hub for GOV.UK Verify (RIP). They are confident that they are doing the best they can.

The National Health Service disagree, Gov.uk Verify [RIP] not secure enough for NHS, says HSCIC: "The government’s Verify identity verification platform isn’t secure enough for the NHS, so Liverpool Clinical Commissioning Group and HSCIC are working to add extra levels of security".

Who knows what they're talking about?

Updated 27.1.17

Take a look at the tweets alongside. One Andy Pearce taps a slow serve over the net at the Government Digital Service (GDS): "... if an identity is hacked does that not open up more vulnerabilities"?

All they have to do is return the ball and see what Mr Pearce does with it. Instead of which, GDS lose the point in the most embarrassing way possible: "GOV.UK Verify [RIP] is built so that there’s no single point of weakness/failure".

What about the identity hub that GDS are so proud of building? Isn't that a single point weakness/failure?

Yes it is, please see above.

What GDS said in answer to Mr Pearce is blatantly false. It relies on what the Trump administration refers to as an "alternative fact". North Korea, maybe, but we don't expect this behaviour in Whitehall.

No comments:

Post a Comment