Number-Plate Cam Site Had No Password, Spills 8.6 Million Logs of UK Road Journeys (theregister.co.uk) 48
The Register reports that Sheffield City Council's automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people. From the report: The ANPR camera system's internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system -- which logs where and when vehicles, identified by their number plates, travel through Sheffield's road network. Britain's Surveillance Camera Commissioner Tony Porter described the security lapse as "both astonishing and worrying," and demanded a full probe into the snafu. He told us: "As chair of the National ANPR Independent Advisory Group, I will be requesting a report into this incident. I will focus on the comprehensive national standards that exist and look towards any emerging compliance issues or failure thereof."
The unsecured management dashboard could have been used by anyone who found it to reconstruct a particular vehicle's journey, or series of journeys, from its number plate, right down to the minute with ease. A malicious person could have renamed the cameras or altered key metadata shown to operators, such as a camera's location, direction, and unique identifying number. A total of 8,616,198 records of vehicle movements, by time, location, and number plate, could be searched through the dashboard last week, The Register understands. This number constantly grew as more and more number plates were captured by the 100 live cameras feeding the system, and locations of vehicles were logged along with timestamps. The dashboard was taken offline within a few hours of The Register alerting officials.
The unsecured management dashboard could have been used by anyone who found it to reconstruct a particular vehicle's journey, or series of journeys, from its number plate, right down to the minute with ease. A malicious person could have renamed the cameras or altered key metadata shown to operators, such as a camera's location, direction, and unique identifying number. A total of 8,616,198 records of vehicle movements, by time, location, and number plate, could be searched through the dashboard last week, The Register understands. This number constantly grew as more and more number plates were captured by the 100 live cameras feeding the system, and locations of vehicles were logged along with timestamps. The dashboard was taken offline within a few hours of The Register alerting officials.
Not the UK way to do it (Score:5, Funny)
Usually somebody has it all on an unsecured laptop and forgets in in the Underground.
Allegedly .... (Score:3)
... the next person to sit there is a journalist.
You know what will stop stuff like this? (Score:3)
Statutory liability. If you collect sensitive information, and you let it leak, you owe a per-datum fine. No need to show harm, no waiting for a class-action lawsuit (in the US) followed by a trivial penalty of a few years credit monitoring.
If a fine of $100 per user's data had ben assessed on Equifax, they would be out of business, as they deserved.
If the possibility of a business-breaking fine existed, businesses would be more careful about collecting and protecting data. Many of them would stop keeping data unnecessarily.
And, of course, this is why it will never happen.
Re:You know what will stop stuff like this? (Score:5, Interesting)
Statutory liability. If you collect sensitive information, and you let it leak, you owe a per-datum fine.
I've got an even better one: I once worked for a large military supplier. One of our customers was the special forces of a country I shall not disclose.
One day, one of the commanders of the special forces came to oversee the reception of very pricy products they had ordered from us. He was asking question after questions, making double and triple sure everything was working as advertised.
After a day of that, I (politely) asked him: "Aren't you convinced that the products work? We've run the test 5 times, you saw everything. What gives?"
"Tell you what" he replied, "I'm aware we're overpaying for the products. I'm okay with that, I don't sign the checks. But I'm responsible for what we purchase working perfectly, and if it doesn't, I get jail time. So we'll redo all the tests tomorrow, and we'll redo them again the day after if I feel it's needed, because I don't want to go to jail."
Wow...
That's what people putting together sensitive systems need to face: jail. Not puny fines. Real hard time in the slammer. Then they'll be extra-careful.
Re:You know what will stop stuff like this? (Score:4, Insightful)
>"I've got an even better one: I once worked for a large military supplier. [...] responsible for what we purchase working perfectly, and if it doesn't, I get jail time."
I have an even better one than that:
Stop spying on citizens in "free" countries. Stop collecting and storing the data in the first place. Data that is not collected cannot be abused, disclosed, hacked, stolen, leaked, aggregated, manipulated to frame someone, used to blackmail people, used to discredit people, used to profile and "socially engineer" people, used to foster and enforce ever more draconian laws, used to remove freedom and privacy, used to silence critics or suppress dissent.
"free" countries (Score:2)
'Stop spying on citizens in "free" countries.'
Hasn't the UK - like America and the rest of Europe - now given up all pretense of being a free country? Last I checked we were all living under dictatorships that had instituted brutally repressive prison states in order to combat an "Invisible Enemy".
Re: (Score:2)
On the other hand you are letting a whole infrastructure be built which a dictator would be gleeful to have, just waiting...waiting.
Here's a hint from actual history: don't build it to begin with. Then it can't be abused.
Re: (Score:1)
Sure, no one wants to live in a police state. But hey... At least someone is finally thinking of the children/women/muslims/whatever is next.
Finally a society of which Maude Flanders would be proud.
Re: (Score:1)
Stuff like this shouldn't even be collected in the first place. I guarantee that whatever the council's justification is it's not adequate.
Re:You know what will stop stuff like this? (Score:4, Insightful)
No, it'll just make software 100x as expensive. And kill open-source because no one will want to use Linux unless someone is willing ot step up and guarantee it.
The space shuttle software needed to be reliable and safe. And it was some of the most audited code on the planet - NASA paid a lot per line of code (and there weren't that many of them). Not just for each line of code, but each modification came with tomes of paperwork
It would however generate a lot of jobs - people who will sit through a month of meetings just to do a one line change, and people who would code review the change afterwards. The programmer in between doesn't really matter since it's just a line of code being changed and they're just getting which line is being changed.
Then people wonder why it costs $500 to buy a hammer. or $30,000 for a toilet.
Re: (Score:1)
Their well practised response to these revelations is <shrug>. If they are feeling truly contrite they
Re: (Score:1)
Governments are immune from prosecution. The Queen owns the land and whatever is on it. What you propose would result in nobody wanting to maintain personal records, so the only one doing it would be inept governments.
Re: (Score:3)
The correct thing would be to elect new politicians. That will scare them, and is the only power they recognize.
Re: (Score:2)
Now with Brexit, I guess the EU GDPR rules does not apply for them now. Otherwise they could receive a 20 million euros fine.
"There are two tiers of fines, which will be applied depending on whether the controller (the company that is using the data) or the processor (the vendor that is processing the data) has committed a violation in the past. And of course, the nature of the violation itself. But don’t be lax: even the lower threshold or tier will prove to be an expensive proposition; it calls for
Re: (Score:2)
Monetary punishments have very little effect on public services because they take it out on their consitutents as higher taxes or less services. If you fine the city council it's as if you set 20 million euros of tax revenue on fire, there's no investors losing money or sales lost. What happens is that your roads don't get paved, your public transport is cut and your schools are underfunded because the budget must be balanced. And if you raise hell about that the money must still come from your own pockets
Re: (Score:1)
Sigh.
GDPR was and is a British law passed by the UK parliament, and remains in force unless specifically repealed/replaced. Leaving the EU does not change *British* law.
Re: (Score:2)
If you collect sensitive information
Define sensitive information. All I see is pseudo-anonymous data on driving based on a record of information that is legally required to be public for all (license plates) in a non-private setting (public roads).
This is *nothing at all* like the Equifax leak, which actually had a serious and direct impact on people.
Re: (Score:3)
If a fine of $100 per user's data had ben assessed on Equifax, they would be out of business, as they deserved.
Except it's Sheffield council. If they go out of business then all of the residents (and particularly the poorer ones) will suffer.
Those people need to get with the times (Score:2)
In the old days, people would put together poorly secured servers, the servers would get abused, the data would get stolen by bad guys, and the admins would take raked over the coal for the lapse of security This is so 20th century....
Nowadays, smart admins put together instances, run them in the cloud, the cloud provider fucks up, and then they can blame the cloud provider.
ZERO OpSec (Score:2)
Re: (Score:2)
this only shows politicians aren't competent to manage tech, including tech that tracks people. I say take away all their tech. No cameras, no computers. They can hunt crime the old fashioned way, collect fees and issue licenses like its 1950, pretty much leave most of us alone other than those fees.
Re: (Score:2)
Re: (Score:2)
My previous employer would get hired by local municipal governments and police when things went terribly wrong with their systems. In other words, no operators nor security nor IT in the building normally until or except when something went wrong.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Orwell's, surely?
Re: ZERO OpSec (Score:1)
I must imagine it's quite challenging to hire competent staff at a reasonable price, when your "product" they'll be working on is literally the implementation of totalitarianism.
set the speed limit to 200 MPH (Score:2)
set the speed limit to 200 MPH
What does this remind you of? (Score:2)
Re: (Score:2)
It's a bit of a circular thing. Neology is owned by Smarttrac which is an RFID company owned by various layers of shells resulting with JPMorgan/Chase.
Security by Obscurity (Score:1)
That old chestnut. No one will ever find it, right?
Brexit (Score:2)
Re: (Score:2)
No because your license plate is not private information under law, and neither is your movement on public roads.
Re: (Score:3, Informative)
Re: (Score:3)
Actually, license plate numbers are specifically mentioned as an example of personal data.
https://gdpr.eu/eu-gdpr-person... [gdpr.eu]
That in itself doesn't make it a breach of GDPR, the location of any given license plate is not private. It only identifies an owner of a vehicle (indirectly) not a person. And if GDPR were applicable I guess various governments would have to shutdown their license plate lookup information, which they haven't.
Re: (Score:3)
No because your license plate is not private information under law, and neither is your movement on public roads.
Not so. GDPR defines personal data [gdpr.eu] as "any information relating to an identified or identifiable natural person". If you are holding any kind of personal data you must (a) have a valid reason for doing so and (b) secure the data against any access that is not directly related to your valid reason.
If you don't properly secure the data you commit a personal data breach [gdpr.eu] defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to
Re: (Score:3)
Indeed. Unfortunately just knowing a license plate or its location doesn't qualify and many countries in EU run open databases of license plate information precisely so you can lookup information about vehicles. All of that is held for a valid reason, and all of that is secure as public information needs to be.
I mean let's face it there are people who will get paid way more than us to argue this to death in court. But it's not a foregone conclusion.
Never outsource (Score:2)
Re: (Score:1)
SCC probably had to hire "inside IR35" contractors to do the work. Any contractor worth their salt would walk away from "inside IR35" work because it's really a code word for "zero rights employment", and go get work in the private sector. Thus, SCC could only hire idiots. And they delivered, exactly as idiots do.
SCC should of course be hauled over the coals for this. When they do, I sincerely hope they point the finger at HMRC for the utter shambles that is IR35.
Make it look like an accident (Score:2)