ICYMI: British spies, security researchers & finding value from BYOD

UK's new surveillance powers go against the tide

The British government is facing criticism after revealing that it is close to introducing a new law which will increase its surveillance powers over local mobile phone users.

The Data Retention and Investigations Power (DRIP) bill has been agreed on by all three main political parties and would require telecommunications companies and internet service providers (ISPs) to log customer data – such as internet browsing history or SMS messages – for up to 12 months. During this time, intelligence investigators would be able to inspect this metadata if they had a warrant signed off by a government official.

The bill – which could be made law as early as next week – is controversial not only because it expands GCHQ's powers but also because it comes just three months after the Court of Justice of the European Union (CJEU) ruled that the existing EU Data Retention Directive on mobile data collection was illegal. British Prime Minister David Cameron has stressed that the new law will comply with EU privacy legislation.

DRIP would replace the UK's own Data Retention Regulations from 2009 and would allow interception of metadata from webmail and other web services.

There are some safeguards – most notably a Privacy and Civil Liberties Oversight Board, a review of RIPA and an annual transparency report – but the news is surprising given the calls for greater transparency.

The National Security Agency (NSA) is embarking on reforms of its own, and companies are increasingly publishing the government data requests they receive, leading one former Obama ally to say that transparency is unavoidable.

“We've been dragged kicking and screaming into the transparency world,” said Timothy Edgar, Obama's first director of privacy and civil liberties for the White House National Security Staff, last month.

Security researcher gets into hot water

It's the job of a security researcher to find and report vulnerabilities in products. When researchers test systems for weaknesses, manufacturers and vendors can plug the gaps they find to prevent data leakage and potential breaches.

However, there have been concerns, voiced in particular at this year's BSides San Francisco conference, that security researchers are sometimes seen as the bad guys, and that feeling is unlikely to subside given the goings-on at malware protection provider FireEye earlier this week.

On Monday, French researcher Jean-Marie Bourbon revealed on Twitter that he had been fired by IT vendor Sogeti after finding, and subsequently publishing, multiple vulnerabilities in the FireEye Malware Analysis System 6.4, along with proof-of-concept exploits for them.

The flaws were published to the Exploit-Database public repository, which is run by Offensive Security, but later removed.

Bourbon reportedly told FireEye of the flaws in May, but said that FireEye did not appear to have released patches for them. [FireEye has now released a patch – crediting Bourbon's work.] He was then suspended from his role at Sogeti, with some reports suggesting that this was at the request of FireEye.

“…I'm not [a] pentester, no NDA signed by me. Personal researches are illegals now,” he said, before adding: “Looking for a security job after getting fired.” He says he found the flaws in his own time; his company contends he should not have published them.