Serious security flaws highlighted in Crimestoppers site

Launched by Crimestoppers, Fearless is described as “a site where you can access non-judgemental information and advice about crime and criminality”. It says that what makes the site different is that it provides a safe place to give information about crime, 100 per cent anonymously.

It says: “Anonymous means you don’t have to give your name, where you live or any personal details. Calls aren't recorded or traced; we can't track where online forms are from; you won't have to give a statement, you don't have to go to court. Just tell us what you know, not who you are.”

However, despite promising the ability to report crime anonymously, IT Security Guru has been informed of major flaws in the website that would allow traffic to be monitored.

Speaking to IT Security Guru, penetration tester Robin Wood pointed at the “Secure Online Form”, which is not secure, as there is no certificate on the site. He also said that on the donate website there is an HTTP link to Crimestoppers, which then bounces over to the HTTPS version of the site.
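To show the class of defect Wood describes, here is an added example (not code from the article, Crimestoppers or the Fearless site) that audits a page's HTML for forms whose submission would resolve to a plain http:// action, including forms with an empty action on a page that is itself served without TLS; the page URL and HTML are constructed sample values.

```python
"""Added example: flag HTML forms that would submit over plaintext HTTP.
Input is constructed sample HTML; nothing is fetched from the network."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect [action, sensitive] for each <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag in ("input", "textarea") and self._current is not None:
            # A textarea or password field means free text or a secret is sent
            if tag == "textarea" or (a.get("type") or "text").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return (resolved action URL, verdict) per form.  A relative or empty
    action inherits the page's scheme, so a form on an http:// page is
    insecure even if it is labelled 'secure'."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for action, sensitive in parser.forms:
        target = urljoin(page_url, action)
        scheme = urlsplit(target).scheme.lower()
        if scheme == "https":
            verdict = "ok"
        elif scheme == "http":
            verdict = "insecure-sensitive" if sensitive else "insecure"
        else:
            verdict = "unknown"
        findings.append((target, verdict))
    return findings


# Constructed sample: a tip form on a page served without TLS (hypothetical host).
SAMPLE_URL = "http://example.test/give-info"
SAMPLE_HTML = """
<form method="post" action="/submit"><textarea name="info"></textarea></form>
<form method="post" action="https://example.test/donate"><input name="amt"></form>
"""
```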

Wood also looked at the privacy page, which explained how to clear caches on Firefox 2.0.0.9 and IE7, but had no mention of iPhone, Android or Chrome browsers. “It is as though the page has been written by someone who pulled these from other old sites and dropped them on the page without really understanding what they mean,” he said.

Andrew Barratt, European managing director of Coalfire, told IT Security Guru that it is an example of bad practice somewhere, and that it looks like it has probably just been put together by a small web design company with limited experience.

He said: “For anonymous information to really be captured, someone would have to be snooping on the user – my bigger concern would be that it is likely any evidence/leads submitted would probably be inadmissible in court as it could easily be demonstrated to have been tampered with.”

Wood doubted that a court would accept evidence from an anonymous person, and also doubted that the court would worry about tampering. “Realistically, the people submitting issues over this and the people they are submitting them about are not going to be too technical, so sniffing and tampering isn't likely to be an issue,” he said.

Roger Critchell, Crimestoppers director of operations, said in a statement to IT Security Guru that it is aware of a technical issue with the Fearless website, and was making it a priority to rectify this.

He said: “Protecting the identity of those that wish to submit anonymous information to us is paramount, so we can assure you the correct measures are being taken to ensure the website is 100 per cent secure.”

Jon Baines, chair of the National Association of Data Protection Officers (NADPO), told IT Security Guru that he suspected that a section of the public do know that HTTP or the padlock symbol provides a level of security, and would spot its absence in an online commercial transaction.

“But a large section of the public still don't know that, and, furthermore, a charity like Crimestoppers engenders a level of trust which might mean people would be less alert to a potential lack of security,” he said.

“I do think this is one of the most concerning examples of poor security that I've seen. The site looked like it was knocked up as someone's project ages ago but it was still inviting people to transmit, over what appears to have been a very insecure connection, highly sensitive information.”

In an email to IT Security Guru, a spokesperson for the Information Commissioner’s Office (ICO) confirmed that it had been made aware of a possible data breach involving the Crimestoppers website Fearless. “We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken,” the spokesperson said.

“The need for secure encryption when handling sensitive personal information was recently highlighted in our IT security report under the chapter on the configuration of SSL and TLS.”

Provided by ITSecurityGuru.