Yearly Archives: 2014


Megan Geuss reports on the Ars Technica website that a hacker has been able to recreate a fingerprint of German Defence Minister Ursula von der Leyen just from photographs. The technique was revealed at the Chaos Computer Club (CCC) Convention in Hamburg by German hacker Jan Krissler, who used commercially available software and high-resolution photographs taken of her hands at a press conference to produce the fingerprint. The significance of the research is that objects carrying fingerprints will no longer need to be acquired to obtain a given person’s fingerprints, which could then be used to access devices that use fingerprint readers, such as Apple’s iPhone 6. Although fingerprints are a favoured biometric, because they can be reproduced some security experts have suggested using other biometric keys for identification, such as vein patterns, which are not an outwardly visible physical trait.

Fingerprint reproduced from photos of a Politician’s hands


The medConfidential campaign has issued a press release following the publication of the Independent Information Governance Oversight Panel (IIGOP) on the care.data scheme. The report lists 27 areas of concern for the care.data Programme Board to address, which contain some 52 unanswered questions.  In addition, there are seven additional tests that the recently announced care.data pathfinder Clinical Commissioning Groups (CCGs) must meet. MedConfidential highlights that the sheer number of unanswered questions indicates just how fundamentally misconceived care.data was from its inception, and at this stage – 10 months after the programme was stopped – suggests continued mishandling by those running the care.data scheme. The IIGOP report can be found here.

27 fundamental areas of concern remain with care.data scheme


Craig Timberg reports in the Washington Post that German researchers have discovered that phone calls and text messages between mobile phones are vulnerable to hackers and government surveillance agencies located anywhere in the world, due to flawed infrastructure designed in the 1980s. The flaws are in the “SS7” protocol (Signalling System 7) used by mobile phone networks worldwide and are actually functions built into the system for other purposes, such as allowing mobile phones to switch between base stations. Phone calls are vulnerable to interception even on networks using strong encryption: for example, one type of attack involves recording an encrypted phone call and then requesting through SS7 that the caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded. Tobias Engel, one of the German researchers who discovered the flaws, which will be presented at the Chaos Communication Congress in Hamburg […]

Mobile phones ‘wide open’ to global hackers



Jason Noble reports on the Des Moines Register website that the US state of Iowa is developing a mobile phone app-based driving licence. In order to check the validity of the licence, the bar codes contained in the mobile app will have to be scanned using hardware inside an officer’s car. However, as the article points out, there are numerous pitfalls with this, such as what happens if the mobile phone battery is dead, the screen is cracked and the barcode cannot be read, or the owner wants to record their interaction with the police. Of particular concern is the possibility of the police accessing information on the phone either deliberately or accidentally, although the U.S. Supreme Court did rule earlier this year that searches of mobile phones require a warrant.

Iowa developing virtual driving licence


The United Kingdom electronic surveillance agency GCHQ has launched a free educational app called Cryptoy to teach secondary school children about cryptography. The app allows teenagers to create their own encoded messages, which can be shared with friends via social media or more traditional means. The recipients can then use the app to try to decipher the messages. By using the app teenagers can learn about cybersecurity and basic encryption techniques, and learn about the history of encryption. The hope is that it will increase the uptake of STEM (Science, Technology, Engineering and Maths) subjects at school. Further details about Cryptoy can be obtained from the GCHQ website here. At the moment the Cryptoy app is only available for download to Android tablets via Google Play, but it is hoped that an iOS version for iPads will be available in 2015.

GCHQ launches code making app to teach teens cryptography


The Manchester Gazette reports that a Greater Manchester Police officer has been jailed after accessing police computer systems and passing on confidential information to criminals. PC Katie Murray repeatedly accessed police computer systems to pass information to her former lover, Jason Lloyd, who ran a crime gang in Stockport producing cannabis on an industrial scale. This included intelligence information and details of criminal incidents and police investigations, including telling Lloyd about information police received in September 2012 relating to a cannabis factory run by him.

Corrupt Police Officer jailed after accessing police computer systems



Chris Baraniuk reports in New Scientist magazine that footage from wearable body cameras contains a “motion signature” unique to the user. Shmuel Peleg and Yedid Hoshen at Israel’s Hebrew University of Jerusalem collected footage from 34 people who wore GoPro cameras on baseball caps. They ran it through an algorithm that recognised motion signatures particular to each person. The algorithm predicted the wearer with 88% accuracy and only required 12 seconds of video to make an identification. This technique could be used to identify people who upload videos to sites such as YouTube, such as protesters uploading video from demonstrations. However, Peleg also pointed out that: “On the other hand, if police officers have to wear cameras, this may give another level of assurance that the video you are being shown is from that officer and not someone else. It’s a double-edged sword.” The original research paper can be found […]

Camera shake can identify you


MedConfidential published a background briefing concerning care.data and related issues for the Health Select Committee meeting held on Tuesday 9th December 2014. This covered, amongst other things, (1) MedConfidential’s proposed amendment to the role of the National Data Guardian, (2) the patient opt-out still not being on a statutory basis and (3) the situation with consent around the use of hospital data within care.data. A recording of the Committee meeting can be found here.

MedConfidential Background Briefing for Health Select Committee – December 2014


The Open Rights Group has prepared a briefing on the Counter-Terrorism and Security bill announced by the Home Secretary Theresa May on 26 November 2014. The Bill extends the scope of the Data Retention and Investigatory Powers Act 2014 (DRIPA). The bill introduces other measures such as a duty on certain authorities to prevent people being drawn into terrorism; the core requirement of the new legislation is that ISPs record the user of a specific IP address at a specific time. In April 2014 blanket data retention was ruled illegal by the Court of Justice of the European Union (CJEU) and it is doubtful that the new legislation complies with the permissible limits of data retention set out by this judgement. See also this previous post for further information on the proposed legislation.  

Open Rights Group – Briefing on Counter-Terrorism and Security Bill



Jennifer Baker reports on The Register website that the UK’s Investigatory Powers Tribunal (IPT) has ruled that GCHQ’s mass surveillance Tempora programme is legal in principle. It made the ruling following a case brought by Privacy International, Liberty, Amnesty International and other parties. Tempora is the code name given to an operation run by GCHQ that allows huge amounts of intercepted internet data to be temporarily stored for analysis. It is reported to hold content for three days and metadata for 30 days. The case put to the tribunal was that Tempora breached article 8 of the European Convention on Human Rights, which is the right to privacy, as well as article 10, which protects freedom of expression. Privacy International deputy director Eric King said of the decision: “Today’s decision by the IPT that this is business as usual is a worrying sign for us all. The idea that previously secret […]

Tribunal says Tempora programme is legal


Michael Price writes on the Brennan Center for Justice website about the privacy issues with internet-enabled televisions. Internet-enabled, or “Smart”, televisions have become very common in recent years; however, as Price points out, the amount of data collected by these TVs is staggering. In the case of the TV he has purchased this includes records of the apps used, websites visited, and when and for how long you use it. The TV can also perform facial and voice recognition, the data from which is uploaded to a corporate server. Little wonder the TV comes with a privacy policy 46 pages long. Much of the data captured and transmitted by his new TV is stored in the cloud and would be classed as “third party records”, but he highlights that (in the US) there is currently little privacy protection for such data.

I’m Terrified of My New TV


Leala Padmanabhan reports on the BBC News website that Sir John Adye, the former head of GCHQ between 1989 and 1996, has highlighted security concerns with some biometric technology, such as the fingerprint recognition used on Apple’s iPhone 6 and on other devices. He gave as an example the lack of clear information on what happens to an individual’s biometric data when it is used for identity checking on a smartphone, and the lack of physical supervision of such devices versus, for example, the way an ATM is supervised by a bank. Commenting on Apple’s iPhone 6 biometric fingerprint recognition he said: “… They appear to have a good system at the moment for protecting their operating system, so it’s difficult for anyone outside to penetrate it and retrieve data from it. But how long will that last, because the criminals … are very inventive at finding ways in, and although you can […]

Biometrics in smartphones need more control – ex-GCHQ boss



Symantec, the computer security firm, has published an article describing an advanced spying tool with sophisticated “stealth” features which has been used to spy on private companies, government entities, IT infrastructure providers and private individuals. The malware, known as Regin, is a back door-type Trojan. What is particularly interesting about it is its technical sophistication, which indicates it would have taken months if not years to develop. Given the time and resources required to develop and use it, Symantec suggests it is likely that it was developed by a nation state for cyberespionage and long-term surveillance operations. Infections are geographically diverse but concentrated mainly in ten countries, with the Russian Federation and Saudi Arabia suffering the most infections.

Regin: Top-tier espionage tool enables stealthy surveillance


Rob Evans reports in the Guardian that a group of journalists has launched legal action against the Metropolitan Police, who have been secretly recording their activities on the Domestic Extremist Database. They have started the legal action to expose what they say is a persistent pattern of journalists being assaulted, monitored and stopped and searched by police during their work, which often includes documenting police misconduct. The six journalists have obtained official files under the Data Protection Act that reveal how police logged details of their work as they reported on protests. One video journalist discovered that the Metropolitan Police had more than 130 entries detailing his movements. The group includes a journalist on the Times, Jules Mattsson, who, police noted, was “always looking for a story”. Mattsson said that when he had been a victim of crime, police had transferred on to the Domestic Extremism Database details of his appearance, […]

Police face legal action for snooping on journalists


The BBC News website reports that Theresa May, the Home Secretary, is proposing a law forcing Internet Service Providers (ISPs) to hand over to the police information identifying who was using a computer or mobile phone at a given time. Although the current proposals do not resurrect the full powers in the abandoned Communications Data Bill, commonly called the Snoopers’ Charter, Conservative MP and former leadership contender David Davis said the new measure was a “stepping stone back” to those proposals. The core requirement of the new legislation is that ISPs record the user of a specific IP address at a specific time. Although each device has its own IP address, these change over time, for example when a device is switched off and on, and so an IP address is typically shared between different users over time. At the moment ISPs have no business need to retain information on a […]

Internet data plan back on political agenda