A little chat about penetration testing

Like ethical hacking, penetration testing – or pen testing to use its more popular name – is a way of assessing the security credentials of a network and/or system. Not to be confused with testing whether your dried-up Bic biro still works, it “tests” a system’s ability to keep information and data secure by identifying weaknesses that can be exploited. What does work is commendable, but it doesn’t figure in this strategy. Recognising what doesn’t work is the goal of pen testing.

It can be argued then that professionals with a penetration testing job adopt the purported persona of cyber criminals and hackers. To beat ‘em is to join ‘em, so to speak: “If I was a hacker, what would I be looking to do to infiltrate or compromise a network?”

Pen testing is a proactive strategy rather than a reactive one, its philosophy being that preventing attacks is better than cleaning up “the mess”. And many organisations swear by it. If you can spot what your system is lacking in terms of data protection before a criminal does, well, you put yourself in the enviable position of being one step ahead of the game.

However, for all its merits and popularity, there are questions within the industry as to whether the high-tech evaluative method is running out of steam, and entering into the murky world of bubbles. Is it, argue some professionals, reaching the zenith of its powers?

Those who argue that pen testing has limits would reach that conclusion. Limit is the buzzword. For example, a pen tester is restricted, geographically speaking, in how much access they have to assess. While an internal test can be carried out, it can’t, for example, evaluate vulnerability to outside interference. Equally, local wired access points barely figure when testing via the internet. Limits, limits and limits.

In an engaging LinkedIn discussion two years ago, H Wayne Anderson, managing member of General Business Consulting, LLC, commented: “You might develop a false sense of security from addressing the wrong vulnerabilities, since an angry, incompetent or malicious insider often poses a greater risk to your data than outsiders do.”

That said, he did concede that proper penetration testing can identify such practices, so long as it is not the “starting place” for boosting the security of any given system.

“The basics must already be in place,” he wrote. “You should have a proper, tested backup regimen, patches tested and installed up to date, properly-sanitized SQL inputs, properly configured firewalls, network monitoring, and other preventative measures in place long before you start pen testing.”

However, in an intriguing and recent article, John Yeo, director of Trustwave SpiderLabs EMEA, revealed that he is optimistic about the future of pen testing, its relevance to companies big and small and, accordingly, its strength.

He points out, cannily, that the relationship between penetration testing and vulnerability scanning is often confused; therefore, one assumes, criticism of pen testing might be misleading.

“Vulnerability scanners are great at identifying ‘low-hanging’ vulnerabilities, like common configuration mistakes or unpatched systems, which offer an easy target for attackers,” Mr Yeo wrote in SC Magazine.

“What they are unable to determine is the context or nature of the asset or data at risk, but they are also less able than humans to identify unknown unknowns.”

In contrast, pen testers are much more capable of doing this. Mr Yeo explains that he has experience of visiting a network that had undergone an automated vulnerability scan and where human pen testing still went on to discover vulnerabilities.

“By incorporating pen testing activities as part of a wider information security strategy, organisations can validate the robustness of their security controls and identify as-yet unknown risks to their business,” he concludes. “The results of a penetration test and guidance provided help organisations to better protect sensitive data from falling into the wrong hands.”

Acumin rocks into the USA

Acumin, an international information security and information risk management recruitment specialist, which has been delivering expert advice and assistance since 1998, is now expanding its operations into the US market.

The recruitment agency, which is comprised of a number of specialist consultants, delivers a comprehensive range of services across a number of platforms, catering for all sorts of professionals looking to enter the industry, change direction or move up.

This includes governance and compliance; penetration testing, forensics and intrusion analysis; technical security; business continuity management; sales engineering and executive management. Inclusive it most certainly is.

One of the things that distinguish Acumin as a quality recruitment specialist is its experience in the business. Let’s take the US director Jeff Combs as a case in point. With a decade of personal and professional development at Alta Associates in information security recruitment to boot, Mr Combs knows the business inside and out. He spreads his knowledge wide and fair, regularly contributing to CSO Online, the ISSA Journal and SC Magazine’s Skills in Demand.

As such, you can be confident that you’re going to get tailored, accurate and thorough advice, with jobs that are, in a sense, bespoke to what skills you have and where you want to go.

Below is a list of some of the positions waiting to be snapped up by either US residents or Brits looking to move abroad. As you can see from this selection, there is breadth and depth in the jobs available. For more information, visit the website.

Software Services – Product Manager (Chicago, Illinois)

Candidates who are looking to lead the charge in developing software to the exacting needs of a client will surely agree that this position is one that will interest them greatly.

One of the absolute requisites for this position is the knowledge and ability to produce a product backlog, with experience in delivering quality assurance procedures.

Along with the skills to engage and work with a wide group of people – from clients to managers to team members – it is essential prospective applicants have a knack of developing swift prototypes and concepts accurately.

IT Security Architect (Sheboygan, Wisconsin)

This brilliant position will suit a talented, proactive and energetic individual looking to add vigour to their career.

You have to be a go-getter, enterprising, with the skills to find, track and manage a variety of security risks and shortcomings that can compromise the integrity of a network.

Ideally, the candidate will be a seasoned pro with a degree to boot. The employer is looking for someone who has spent ten-plus years in the business, a decade of becoming rather au fait with IT security systems and networks.

Senior Security Consultant (San Francisco, California)

Can you add a tick to the following: CISSP certification? SANS GIAC (GREM, GWAPT) certification? Certified Ethical Hacker certification? Well then, you might be interested in the following job in the fantastic city of San Francisco.

You’ll be working with the crème de la crème of the business, delivering mobile assessments, network and penetration tests and source code reviews, among other things.

As such, the client is seeking a professional with a minimum of three years’ worth of mobile assessment experience, savoir-faire in scripting and tool development (for example, Python and/or Ruby), and consultancy experience in information security.

The men in white hats

White hats; the good guys,
They are the folks that really care,
On a rally, all for charity,
Raising finance with natural flair.

All are dare devils; true thrill seekers,
To them skid pads provide no fear,
They will drive the oddest vehicles,
A strange experience they will share.

Who would think that Geeks could do this?
The men and women who by day,
Keep the black hats from your data
So that you all may safely play.

The real winners are the children,
Barnardo’s gets to keep the cash.
As the chariots burn out their message
Wheels of fire make one last dash.

So if you see them, give them money,
As they drive through middle earth,
Watched by Brummie Orcs and Goblins
Faces filled with joy and mirth.

Dave Brooks, vice president at Credit Suisse, has kindly penned a charming, expressive and astute poem on what The White Hat Rally is all about. There’s a career in the art of rhythmic verse for Mr Brooks should he consider it, because the poem really hits home what this event is all about.

To deconstruct the narrative of the prose, the participants of the charitable cannonball-esque adventure, which takes petrol head enthusiasts and adventure seekers on a scenic tour across the UK, will this year be raising cash for Barnardo’s. Well, when we refer to the attendees as being zealous motorcar aficionados, we perhaps embellish. They are not as ardent as, say, a Fast & Furious character but they are jovially enthusiastic lovers of cars nevertheless.

This event has caught the attention of Tina Hobley, the UK actress best known for being in Coronation Street and Holby City. As an ambassador for Barnardo’s, a well-known children’s charity, she appreciates the importance of such an event. Beyond the fun, the dressing up of cars, the wonderful lingering conversations after a long day’s drive and the opportunity to network, there is the very real and positive outcome – the raising of funds which help make a difference.

“I hope everyone taking part in the White Hat Rally has a fantastic time,” Tina has said. “I wish I could join you as it looks amazing. I hope you blaze a trail for Barnardo’s and raise lots of money for a cause that’s very close to my heart.”

There are a few ways you can help. You can get your inner “Vin Diesel” on and bring together a motley crew of brooding car aficionados from your workplace, donate some cash or kindly sponsor the event.

We at Acumin are participating because one, we like to have fun, two, we love road trips, three, we believe in the charity, and four, we love a good catch up with the InfoSec community. We would be thrilled for you to join us on this amazing journey through a beautiful slice of picturesque England. Note, the last date for registering is 11th May, so put your foot to the metaphorical pedal and get things organised.

White Hat Rally is on the lookout to add more corporate sponsors and trust us, it’s worthwhile. You get to promote your brand to relevant people in the information security industry, you get to network with like-minded people and you get to do your bit for charity. There are now two packages to choose from: bronze (minimum donation of £350), or silver (minimum of £1,000). The Gold package has recently been snapped up by NCC Group, so please get in touch if either Bronze or Silver are of interest.

Everyone’s a winner. With faces filled with “joy and mirth”, who can say no?

The event runs from June 22nd to 24th.

For more information, visit the official website or give them a tweet over on Twitter and see our earlier post here.

Equally, get in touch with Gemma Paterson, marketing manager at Acumin and White Hat Rally Committee member. She can be contacted at gpaterson@acumin.co.uk or gpaterson@whitehatrally.org and is more than happy to discuss sponsorship details.

P.S. Although we utterly adore Only Fools and Horses, three-wheeled Reliant Regal vehicles, a thing of understated beauty if ever there was one, are not allowed. You got to have four wheels. It’s a tough world, we know.

To name and shame

Let’s call it a concept. To name and shame, it goes without saying, is an interesting moralistic tool, used to punish those who are purported to have committed a crime or wandered off the path that keeps society together.

Like those Ronseal adverts, name and shame does exactly what it says – in this case – on a metaphorical tin: it punishes those that affronted others by revealing what their misdemeanours were.

So, for example, earlier this month, Ann Widdecombe, the former Conservative MP, said she wants to name and shame those who get excessively drunk on the weekend and breach the peace.

“Then people going out specifically to get drunk would risk finding themselves in court on the Monday with their names and photographs in the papers,” she explained.

The idea being, of course, that having experienced public humiliation, people subsequently clean up their acts. It acts as a deterrent.

On the flip side, the argument against it is that it can be construed as a sort of witch-hunt, unjustly embarrassing people. For example, last month, students at a school in Oxfordshire staged a protest after such a policy was introduced. Larkmead School felt that putting up a notice board with the photos of underperforming students. Needless to say, it backfired.

In our industry, such a thing is going to be piloted by the Trustworthy Internet Movement (TIM), a non-profit, vendor-neutral organisation that looks to bring innovative solutions to the many tricky problems that exist in the digital world of the internet.

What it is proposing to do is publish the names of websites that perform well in terms of security and those that fall short of what TIM deems to be acceptable. The obvious outcome, it hopes, is for those who grace the “wall of shame” to remedy whatever security faults they have.

It aims to focus the initial testing on a website’s use of secure sockets layer (SSL) to encrypt data between a user’s web browser and the website. Or, in short, it encrypts some of your internet traffic in transit. As the BBC reports, it is often used to protect, for example, sensitive data that people want kept private for obvious reasons, like credit card numbers that zip along the virtual highway when people purchase goods or access a service.

The reason for choosing SSL as a barometer of a website’s security is that it is “one of the fundamental parts of the internet,” explained Philippe Courtot, founder of TIM and chief security officer at the security firm Qualys. Indeed, it’s a fair point; we can’t argue much with that.

TIM will ethically hack selected websites to gauge how secure they are, with the results, good or bad, published online for everyone’s perusal. The web being the web, you’ve got a global readership. This will matter. After all, when you have a rep to protect, it pays to ensure one’s name lives up to it.

Do let us know what your thoughts are on this blog and whether you think naming and shaming in this context is an innovative step forward or a sort of misadventure that might fuel animosity if anything.

The problem with everyone knowing who you are

The more successful you are, the wider your reach, and, sadly, the more likely it is that the number of critics and opponents you have is going to significantly multiply. You can’t please everyone.

This is the fate of governments, of big corporations, of uber-rich sports stars and people in the public sphere. They have to contend with the tough duality of being extremely popular and visible, while also being the object of loathing.

Why? Well, haters, they are most certainly going to hate. It then comes as no surprise that a number of large organisations have been hacked into. In the last year alone, one in seven organisations of this stature has had its security breached. On average, a large organisation faces a noteworthy attack every week, whereas a small business is liable to being hit at least once a month.

You see, it’s a basic science – if no-one knows your business, if your scope is limited, your audience even smaller, you simply ‘lose yourself’ amidst the crowd. It’s not that you’re insignificant, far from it. It’s just that everything you do is on a miniature level. Thus, it’s fair to say that if and when you break into the public consciousness and widen the net, with the good times will come challenges. You’re the ‘apple of my eye’ to some and the ‘ants at a picnic’ for others.

The findings of the 2012 Information Security Breaches Survey from PricewaterhouseCoopers (PwC), the global professional services firm, confirm that a new age is upon us: “the number of large organisations being hacked into is at a record high”. The cost of this to companies in the UK now runs into the billions.

In spite of this, many organisations are still not treating this, it seems, as seriously as they should. The poll above found that 20 per cent of organisations spend less than 20 per cent of their IT budget on information security, with 12 per cent of the opinion that senior management give it a low priority.

As professionals in our industry appreciate, this has obvious consequences, something which the researchers of this study reported. Businesses that have experienced very serious incidents of hacking spend, on average, 6.5 per cent of their IT budget on security.

“The key challenge is to evaluate and communicate the business benefits from investing in security controls,” observed Chris Potter, PwC information security partner.

“Otherwise, organisations end up paying more overall. Given that most organisations take a lot of action after a breach to tighten up their security, scrimping and saving on security creates a false economy. The cost of dealing with breaches and the kneejerk responses afterwards usually outweigh the cost of prevention.”

He did accept, rather perceptively, that with security, it is difficult to measure the benefits of any system because, when it is doing its job and keeping threats at bay, no-one notices. It suggests, therefore, that come a board meeting, when the powers that be are discussing a return on investment, it might be difficult to measure the value of the financial investment that has gone into security measures.

But, if anything, the threat is very real and indeed, cyber crime, as Mr Potter has noted in the survey, is a rising risk to business. This is the status quo. It’s better to be proactive than reactive, the latter being a response once an attack has succeeded. These haters, they’re gonna keep on hating, c’est la vie. Rain on their parade and beef up your security.

History today – BYOD and the need for a smartphone policy

We all live through history. Seminal events, big changes in life, landmark breakthroughs and the like, however noteworthy, come to have a greater significance in the future, seen from afar, analysed, placed in a wider context. Like when the internet came – some of us remember hearing about it at school, a teacher remarking you could use it at lunchtime, but that was time for gossiping, kicking a football about. We didn’t know how important it was. It was just something new.

Needless to say, the internet has, in its relatively short history, come to transform life on earth radically. We look back at the day of dial-up and bland, static pages of content, and we see primitive beings working out how to exist within the confines of this new medium and it’s rather sweet, like children’s scribbles. And then one day, that scribble begins to take shape and an artist is born, shifting paintings worth millions of pounds. Back then it was just another picture; who would have known how important the work was? History allows us to assess it.

What will they say of BYOD (bring your own device) in five or ten years’ time? Was it a fad, a stroke of genius or an inevitable consequence of the mass proliferation of powerful portable and handheld devices, the stuff of which was unimaginable a decade ago? It’s hard to say; this history is for those writing in the future. To us, whether it’s someone working in an information security or risk management setting, BYOD is just something that happened, like flexible working. It wasn’t a black and white thing where one day it wasn’t there and bam, the next day it was… it evolved.

Whatever your sentiments, it is definitely part of the discourse. And so, we stick to the present with this blog. BYOD is, by its very open, complex and multifarious nature, predisposed to any number of security issues. Smartphones in particular, because of the sheer volume of data, traffic and work conducted on them, are increasingly becoming part of the regular apparatus at work, yet policies governing their use are lax.

According to Darrin Reynolds, vice president of information security at Agency Services in New York, one of the key things is to have a policy in place and for it to be communicated in as simple a manner as possible, or as he puts it, for it to be written in “crayon”.

In an interview with SearchSecurity.com, he explained the canons that govern his organisation when it comes to BYOD and mobile phones.

“The rules are you can use any device you want, but if it is going to support or receive corporate data then you have to play by our rules,” he elucidates. “Our rules are: you have to have a [personal identification number] PIN; it has to support a code lock; it has to have an auto lockout feature; it has to support encryption; and it has to support remote wipe. We kept it really simple to those four things.”

And that’s it, he says, no additional security measures. He may well be correct in surmising that those four methods of security – which are top notch by the way – are enough to keep fraudsters and cyber criminals at bay, but, if history tells us anything, it’s that nothing stays static for long. In technology, what is new, what is current is immediately yesterday’s news. More measures will have to be developed either proactively or reactively when the time comes. History repeats itself, albeit differently.

Thinking about cookies

We love cookies here at Acumin. We adore them, we ‘heart’ them and dig them like we dig the Rolling Stones when they were pushing a more R&B vibe back in the Swinging ’60s. We have come across Maggie Loves Cookies recently and, we have to say, they are a pretty good bet; perhaps you will get a sample at the next Risk and Network Threat forum. They have a variety of flavours and designs to suit any mood.

You might have thought that this post was going to end up as a sort of treatise on the baked treat popular throughout the world but, alas, it isn’t. Wouldn’t that have been fun? Instead, we’re looking at the cookie which, reduced to its basic form, is simply a piece of data – a text file – that a website stores within a browser.

A cookie’s raison d’être is altruistic; at least it was from the outset. It was designed to make things easier. In short, every time you visited a website, a cookie was downloaded to your computer, which would then, on visiting that website again, let it know that you had been there before. In terms of efficiency, it allows you to log into a certain website that requires a user ID and password – let’s say Amazon or Google Mail – and revisit the site without having to log in again.

Now while to you and me that sounds wonderful, as easy as making the coffee and tea rounds at work – Jack likes coffee black with sugar, Jill likes her tea super-milky with no sugar, Sanjay likes a fruity herbal tea with five sugars – since the turn of the century there has been a growing army of critics who are concerned with privacy issues. Some of their arguments have been thoughtful and welcome to the conversation.

In the UK, after much chit chat over cups of tea, coffee and, would you believe it, cookies, changes have been made to the Privacy and Electronic Communications Regulations, which now demand that websites obtain consent from users before installing cookies on their respective computers.

Now while much attention is focused on cookies, these alterations, which are convoluted, carry a far greater technical change. As one reader named Dave commented on The Lawyer’s website, things are not so black and white.

“Clear as mud? Thousands of businesses are entirely unaware they’re even running cookies,” the reader explained. “Most of the online world run Google Analytics, which provides the site owner valuable information to improve their site – do all those who’ve set up GA realise they’re at risk?”

At Acumin’s next RANT – as part of the huge InfoSecurity Exhibition in London – Alan Stockey, from the Institute of Information Security Professionals, is going to attempt to navigate this tricky minefield, delivering a brief history lesson, chucking in a practical illustration of the challenges, giving a demonstration and offering a personal view of where these regulations are taking us. Who knows, if you’re lucky, he might even have Maggie bake a few cookies for you (no pressure Alan).

In an interesting article for startup.co.uk, which is well worth a read, Nick Lockett, a solicitor at DL Legal LLP, discusses the comprehensive directive – seriously, just have a mosey here and you’ll begin to appreciate how much detail is involved – noting some of the things it covers: not only have you got conditions for use of traffic, location, and subscriber data, but there are also new standards for direct marketing via SMS, email, fax and phone channels.

He ends the piece with a fitting flourish: “May lawyers and regulators be cursed for making us live in interesting times – again!”

Time for a cookie then.

The next RANT forum takes place on Wednesday 25th April, after the second day of InfoSecurity Europe at Earls Court, London, which runs from April 24th to the 26th.

Kicking off at 5.30pm, attendees will be able to have a beer and network until 6.30pm, when Alan Stockey delivers Cookie…Doh. Following on, Ben William gives his talk on Exploiting Security Gateways via the Web UI.

For more information and to register for FREE for InfoSecurity Europe visit here or get in touch with Gemma Paterson at gpaterson@acumin.co.uk or call her on 020 7510 9041.

The Information Commissioner’s Office has also set up a page with the intention of helping businesses understand what they need to do to comply with the cookie law.

“Snoop bill” sparks fierce debate about privacy

“There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You had to live—did live, from habit that became instinct—in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinised.”

So reads an excerpt from the first chapter of George Orwell’s seminal, much quoted and prescient novel 1984, a dystopian work of literature that explores the oppressiveness of authoritarian regimes, where freedom is a word that doesn’t even exist.

The words of the novel, like the above quote, feel uneasy because the idea that at any single moment one’s privacy can be exposed as a fallacy is a frightening one to live with. Even in today’s open age, with Mark Zuckerberg ushering in an open way of existing, people still value some semblance of a life that is theirs and nobody else’s. They want to keep snippets of themselves to themselves, or at the very least privy to the people they trust and love the most.

It’s no surprise that since the government revealed plans that it is looking to change the law so that every single phone call, email, text message sent and received and every website visited by people living and working in the UK is to be recorded, stored and ‘monitored’, there has been a resurgence in discussion about the ideas and lessons explored in Orwell’s powerful novel.

“This is an unprecedented step that will see Britain adopt the same kind of surveillance seen in China and Iran,” commented Nick Pickles, director of the Big Brother Watch campaign.

“This is an absolute attack on privacy online and it is far from clear this will actually improve public safety, while adding significant costs to internet businesses. If this was such a serious security issue why has the Home Office not ensured these powers were in place before the Olympics?”

Nick Clegg, the deputy prime minister and leader of the Liberal Democrats, stated that this new “snooping law” as it has been dubbed by the media, does not represent an infringement on civil liberties, and reassured people that the government would ensure that there would be safeguards to make people feel comfortable.

“Let’s be clear, this is not about extending the reach of the state into people’s data, it’s about trying to keep up with modern technology,” prime minister David Cameron added, trying to bring a sense of calm to the debate.

“But we should remember that this sort of data, used at the moment, through the proper processes, is absolutely vital in stopping serious crime and some of the most serious terrorist incidents that could kill people in our country, so it’s essential we get this right.”

It’s unclear whether the proposed bill will be included in the Queen’s speech in May, but what is certain is that in the meantime, this fascinating debate, with powerful arguments on both sides of the divide, will generate some fascinating ideas and viewpoints.

Anonymous attack mocks government security measures

They knew it was coming, yet they still couldn’t stop it. A few days before Anonymous launched a DDoS (distributed denial-of-service) attack against the coalition government’s Home Office website, it announced its plans to the world. And still it couldn’t be thwarted.

This proclamation, loud and vocal the digital way, is seen by many as a clear sign from the hacktivist collective that it means serious business and it doesn’t care how big you are as an organisation: everyone is liable to get ‘hit’. Anonymous wants to be the preeminent force for political and social good, it argues, and if that is to be achieved through underhand means, then so be it – this is a “war” and rules don’t apply as they do in peacetime. This declaration was a sort of “come on have a go if you think you’re hard enough”.

It was audacious behaviour. As PC Advisor’s Anthony Savvas noted on April 5th, it meant that the pressure was on the government to show that it is on top of its game and able to quash such wildly flagrant threats. If it didn’t, then it would be unable to say, confidently, that it has the resources and savvy to stop “more serious cyber attacks” from taking place.

On April 7th, people trying to log onto the Home Office website were greeted with the following message: “Due to a high volume of traffic this page is currently unavailable. Please try again later.”

Now, this might have passed as routine – certain websites do, on occasion, get really busy – yet everyone knew what had caused the high volume of traffic: Anonymous and its motley crew of hacktivists.

Like a poker player bluffing with a decent but by no means winning hand of cards, the government was forced to show, losing face. They got beat. Even if no data was extracted and the website was back up and running again the next day, it has exposed some shortcomings, which security professionals will be, no doubt, keen to get to the bottom of.

2011 was the year that DDoS entered into the popular lexicon and made its mark as a bothersome security threat. What will 2012 bring? As the second quarter of the year gets comfortable, the big question is what can be done? Survivability is a word that gets thrown about in this conversation, but that comes across as weak, as if to imply that it’s not something that can be fully thwarted.

While that may be the case – all attacks evolve in a responsive sense – there is certainly scope for significant improvement. If Anonymous can be so brazen as to explain that it is going to attack, surely this should be met with an equally robust response. We have to work harder.

The big snooping debate

After announcing that it is considering introducing a new bill that will give GCHQ unprecedented powers to monitor people’s emails, texts, social media content, phone calls and web browsing history – in real time – the government has had to defend itself from a barrage of condemnation.

Critics of the proposed legislation, which may be included in the Queen’s speech in May, have dubbed it a “snooping bill”, claiming that it is a clandestine way of monitoring the activities of everyday people.

The government, however, has assured the public that there is nothing sinister about the bill, no echoes of an Orwellian future, there will be no centralised database storing people’s information, and all information will remain “invisible”.

“Let’s be clear, this is not about extending the reach of the state into people’s data, it’s about trying to keep up with modern technology,” explained prime minister David Cameron, attempting to assuage opponents.

“We should remember that this sort of data, used at the moment, through the proper processes, is absolutely vital in stopping serious crime and some of the most serious terrorist incidents that could kill people in our country, so it’s essential we get this right.”

Advocates of the bill have asserted that this is its focus – to protect people and curb crime whether it’s tackling cyber criminals or terrorists. Akin to a software update, the new legislation is designed to respond to the significant changes that have taken place by virtue of the digital revolution, which has, in no short way, radically transformed most aspects of society. As Mr Cameron noted, a warrant will be needed to access the private information.

Others, however, are less sanguine. Nick Pickles, director of the Big Brother Watch campaign, sees it as leading to a reality that is comparable to the kind of surveillance that is prevalent in Iran and China, two countries known for having, for example, limited press freedoms.

“This is an absolute attack on privacy online and it is far from clear this will actually improve public safety, while adding significant costs to internet businesses,” he stated. “If this was such a serious security issue why has the Home Office not ensured these powers were in place before the Olympics?”

Although details of the proposed bill have yet to be finalised, it is believed that one of the most significant aspects will be for internet service providers and mobile phone companies to keep hold of all data travelling through their respective spheres.

At present, such information is accessible by intelligence agencies, the police and other public bodies, without any external organisations signing off. If the law is to go ahead, there is a desire to see an impartial body set up to monitor requests to ensure that freedoms are being protected and not abused.

“Whoever is in government, the grand snooping ambitions of security agencies don’t change,” Isabella Sankey, director of policy at Liberty, was quoted by the government as saying.

“The coalition agreement explicitly promised to ‘end unnecessary data retention’ and restore our civil liberties. At the very least we need less secret briefing and more public consultation if this promise is to be abandoned.”