MI5 e-mail list subscriptions now more secure than at launch
Sometime on Friday evening, the MI5 e-mail list subscription service has been modified from the shambolic version which was launched on Tuesday evening (see "MI5 e-mail alert signup shambles - all email subscription web forms sent to the USA, without encryption")
The e-mail list subscription service no longer seems to send your personal data to the USA in an unencrypted format, but it is still not being hosted entirely on secure UK Government IT infrastructure.
However, signing up this way, no longer gets you an email confirmation immediately, you will now have to wait "a few days". Will the terrorists also wait ?
There has been no indication of an update to the website on its front page, which still claims "Updated 9.1.07 17:00"
There has been no new news item on the What's New page, and so, it is not surprising that there has not been an email message to those people who have already subscribed to the MI5 website news update e-mail list.
The links to the web form
http://www.mi5.gov.uk/output/Page575.html
now take you to an SSL / TLS encrypted web page
https://www.mi5.gov.uk/output/Page575.html
You can now register "anonymously"
To subscribe, enter your e-mail address and, optionally, your name in the form below and press the "Subscribe" button. You can register anonymously if you wish, but providing your name (or a user name of some description) will enable us to help you more effectively if you report a problem with your subscription.
There is also now an extra paragraph at the bottom of the page :
SecurityYour subscription details will be sent over a secure Internet connection via a Secure Socket Layer (SSL), a protocol used for secure communications over the Internet. Web addresses that begin with "https" indicate that an SSL connection will be used.
Hooray ! This uses the already installed Digital Certificate for the www.mi5.gov.uk website, which was already being used for an SSL encrypted web form.
So far, so good, but why could this not have been done on Tuesday when the service was launched ?
So where is this e-mail list sign up web form being processed this time ?
It appears to be handled by:
https://mi5.h0st.biz/xdata.html
Using SSL ok.
The domain name does not inspire much confidence or trust, as the substitution of the number Zero "0" for the letter "O" in the name "host", makes it look like the sort of domain name used for spamming or phishing attacks !
However the whois information says:
Xwhois query for h0st.biz...Results returned from whois.biz:
Domain Name: H0ST.BIZ
[...]
Registrant Name: Guy Marson
Registrant Organization: Mailtrack
Registrant Address1: 2nd Fl King House
Registrant Address2: 5-11 Westbourne Grove
Registrant City: London
Registrant State/Province: London
Registrant Postal Code: W2 4UA
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.448707420558
Registrant Email: info@mailtrack.com[...]
Technical Contact ID: DOT-EJVGCCA772BA
Technical Contact Name: Guy Marson
Technical Contact Organization: Mailtrack
Technical Contact Address1: 2nd Fl King House
Technical Contact Address2: 5-11 Westbourne Grove
Technical Contact City: London
Technical Contact State/Province: London
Technical Contact Postal Code: W2 4UA
Technical Contact Country: Great Britain (UK)
Technical Contact Country Code: GB
Technical Contact Phone Number: +44.8707420558
Technical Contact Email: info@mailtrack.com[...]
Name Server: ELROND.MAILTRACK.COM
Name Server: ARWEN.MAILTRACK.COM
Name Server: CIRDAN.MAILTRACK.COM
Created by Registrar: DOTSTER
Last Updated by Registrar: DOTSTER
Domain Registration Date: Thu Jul 10 16:54:37 GMT 2003
Domain Expiration Date: Wed Jul 09 23:59:59 GMT 2008
Domain Last Updated Date: Mon May 08 19:51:18 GMT 2006
So the h0st.biz domain name has been around since 2003.
The traceroute information shows that
16 109 109 109 82.108.7.245 ae-0-25.br1.tclon.uk.easynet.net 17 109 110 110 217.204.60.51 fe1-1-0.ar0.rblon.uk.easynet.net 18 114 114 114 195.40.4.132 fa0-0.cr0.rblon.uk.easynet.net 19 110 110 109 195.68.228.53 merry-3.mailtrack.com
IP address: 195.68.228.53
Host name: mi5.h0st.biz
is hosted on a MailTrack.com machine,
IP address: 195.68.228.53
Host name: merry-3.mailtrack.com
with Easynet as the ISP.
Note the Lord of the Rings character names for the Mailtrack machines e.g. Merry, Elrond, Arwen, Cirdan etc.
At least Easynet and MailTrack are companies based here in the United Kingdom, so that is an improvement on the previous situation, where the web script was running on a server in the USA.
Why this software cannot be hosted on secure UK Government server, is still a mystery.
Thie https://mi5.h0st.biz webserver banners claim that it is running on:
Server: Apache/1.3.28 (Linux/SuSE) mod_ssl/2.8.15 OpenSSL/0.9.7b PHP/4.3.3 X-Powered-By: PHP/4.3.3
Obviously https://mi5.h0st.biz has a Digital Certificate installed, but a very recent one indeed !
The Digital Certificate is a "wild card" one issued to be valid for all *.h0st.biz domains for MailTrack Ltd, by www.DIgiCert.com, (a US based Certification Authority) which is itself certifed by the Canadian Entrust Certificate hierarchy.
This is no worse than the existing Verisign issued DIgital Certificate being used by the www.mi5.gov.uk website itself, and it does mean that it is accepted by most web browser software.
Valid from:
11/01/2007 00:00:00
(11/01/2007 00:00:00 GMT)
i.e. on Thursday 11th January - 2 days after the launch of the MI5 e-mail list subscription service, and after the initial Spy Blog article, but before, say, The Register reported it more widely.
Perhaps somebody in the UK Government is actually reading Spy Blog after all 8-)
Subscribing to the modified MI5 website news e-mail list:
The link from the News page announcing the service on Tuesday,, now takes you to the SSL page.
Filling in your name , surname and email address as before, and clicking on the the Subscribe button now takes you to
https://www.mi5.gov.uk/output/Page576.html
MI5 E-Mail Lists - Subscription VerificationThank you for submitting a request to subscribe to our mailing list(s).
We will send you an e-mail in the next few days asking you to click on a link to verify your subscription request.
So there is now no longer an online subscription verification system, such as the WhatCounts.com service which was being used previously.
It is unclear if there is to always now to be a delay, presumably for a manual check on e-mail list subscriptions requests, before you are added to the list, or if this is yet another temporary stage in a system which is still under development, after it has been launched with a fanfare of publicity.
It is unclear what the status is of the subscriptions which have been made between Tuesday and Saturday, on the old, as launched system - will everyone have to re-subscribe ?
Have all copies of the data, and any log files associated with the subscription process in the USA been securely destroyed ?
It remains to be seen if an email from the suspiciously named "mi5.h0st.biz" domain name actually triggers people's software or human email spam or phishing attack filters.
We hope that such emails are actually sent from a *.gsi.gov.uk email address, i.e. via the UK Government Secure Intranet gateways to the Internet, like most other Central UK Government Department emails are, something, which requires at least a "sanity check" by independent Government IT Security people.
We would still like to know who exactly ordered the MI5 e-mail subscription service to go live on Tuesday, in such obvious haste, without proper testing and security and privacy sanity checks.
Was it a civil servant, or a spin doctor or a Labour politician ?
Comments
thanks for the info. I think it was a civil servant. just kinding really but yeah I was wondering about how secure they really were thanks.
Posted by: tim's domain | January 13, 2007 3:06 PM
Hi WTWU,
Another story on the BBC website: http://news.bbc.co.uk/1/hi/technology/6262719.stm.
Cheers
Posted by: ukliberty | January 15, 2007 3:50 PM
And here on The Register:
http://www.theregister.com/2007/01/15/mi5_alert_shambles_reloaded/
Posted by: Anonn | January 15, 2007 5:00 PM
@ Anonn - so who gave Qinetiq the order to rush ahead with this system last Monday / Tuesday ?
Posted by: wtwu | January 15, 2007 6:00 PM
The MI5 emails sent from the USA not surprisingly got flagged as possible spam by spamassassin at work. Someone needs a clue about security (and properly coded HTML emails) - but I guess it's too much to expect MI5 to know anything about email security issues.
Those emails need to be sent from a gsi.gov.uk server, and not just from an blah@blah.gsi.gov.uk email address, at the very least.
Posted by: Phil | January 15, 2007 6:08 PM
I have not seen an answer to these two questions noted on the site. Where might one go to find the answers?
"It is unclear what the status is of the subscriptions which have been made between Tuesday and Saturday, on the old, as launched system - will everyone have to re-subscribe ?
Have all copies of the data, and any log files associated with the subscription process in the USA been securely destroyed ?"
Posted by: mn19522 | January 16, 2007 2:34 PM
@ mn19522 - we do not have any answers to those questions, yet..
David Geller said on Saturday, that he was surprised that nobody from the UK had contacted him about what to do with the data which his company holds. He has promised not to abuse this data, but he is under no legal obligation not to do so.
The WhatCounts.com emails were in HTML format, with embedded border spacer graphics etc., so many less security concious people with their email software still set at the default settings, could well have left their IP address and browser details etc. in the http://media.whatcounts.com web server log files, from a personal computer other than the one which they initially registered from e.g. home and work.
You could try enquiring via the MI5 encrypted web form,
https://www.mi5.gov.uk/output/Page133.html
about what has happened to your personal data, if enough of us do so, they may publish a statement.
If they publish it on their website, this should, in theory, trigger a "What's new" email alert.
On past form, it is very likely that they will not reply .
You can also complain to the Information Commissioner' Office - just because we have done so,does not mean that this busy Office will instantly spring into action on our behalf, the more people who express their concerns about the data protection issues, the better.
http://www.ico.gov.uk/complaints/data_protection.aspx
Posted by: wtwu | January 17, 2007 12:44 AM
RE: The e-mail list subscription service no longer seems to send your personal data to the USA in an unencrypted format, but it is still not being hosted entirely on secure UK Government IT infrastructure.
The naïvety of this blog staggers me. Secure UK Government IT Infrastructure???
There is no such thing on several levels.
For a start, the UK Goverment doesn't have a single cohesive IT infrastructure, it is all fragmented and contracted out to private companies like EDS, Cap Gemini, Accenture, Capita et al..
Secondly, it is only as secure as the people who designed, built and currently maintain it. All of those stages are accomplished by employees of the aforementioned companies who are paid considerably less than those who work for private hosting companies.
Thirdly, seldom is anyone ever held accountable for disasters that take place in Government IT systems, for reasons which should, by now, have dawned on you. Private hosting companies lose clients when they mess up, whereas the UK Goverment is still awarding contracts to those companies I listed above, despite each one being involved in some monumental cock-up in the last 5 years (do you not at least read Private Eye?).
Finally, in-house developed Goverment systems are not necessarily secure. The only secure IT infrastructure, is one that is not connected to the Internet, such as the systems at GCHQ and, precisely because they are not connected to the Internet, they cannot be used in this situation.
All IT infrastructure systems are vulnerable to their own employees (especially if they're paid less than others in the private sector), people who deliberately get a job at an IT company specifically to hack from the inside, people who pose as cleaning/security staff, or simply people who phone up and pretend to be an employee working from home.
Ironically, this email subscription system (which handled nothing more confidential than email addresses) was far more 'secure' in its intial form than it is now. I am sure MI5 know this, but have undoubtedly been forced to react to an adverse (but completely baseless) media panic.
Posted by: RC | January 19, 2007 1:19 PM
@ RC - do you have any evidence that the http://www.mi5.gov.uk website has any technical security vulnerabilities, or that the people who are in charge of it, i.e. Qinetiq and MI5 staff, have been suborned or infiltrated in the way that you allege ?
Could you please explain how the system which was launched on Tuesday 9th is, in your view, more secure than the current one ?
The email subscription system is in limbo, as there have not been any confirmation email sent from the new system since it was modified you have to "wait a few days".
The statement from the Cabinet Office claimed that the changes to the system were not made in response to Spy Blog or to the Mail on Sunday reports.
This blog has been as critical of some of the disastrous UK Government IT schemes over the years.
We do know, however, from personal experience, that there are many competent, hardworking and loyal people working to try to keep these systems secure and running properly, despite the stupid policies of their political masters.
Posted by: wtwu | January 19, 2007 4:01 PM