British Telecommunications Plc, whose technology underpinned a UK minister’s much-publicized digital signature signing on Tuesday, has been embarrassed by a two-man security consultancy that says the technology is riddled with holes (CI No 3,806). Skygate Technology Ltd, based in Wimbledon, posted a spoof message from Stephen Byers on BT’s web site yesterday morning to show how easily its server could be fooled. BT demanded that Skygate take it down, and Pete Chown, Skygate MD, complied. “We can’t afford to have a run-in with BT,” he said.

The security gap seems to have been caused by a hole in BT’s software, which simply publishes any message sent to its TrustWise security demo site on that site. BT angrily denied that there was a breach of security, saying that Skygate had simply replicated the message onto another web site. The UK telco also charged that Skygate had breached copyright with the spoof message. Chown responded that BT shouldn’t have any complaints, and that only Stephen Byers, if anyone, had a reasonable claim for being misrepresented. “It’s obviously just a blunder on BT’s part,” said Chown.

Although BT successfully had the offending message removed, Chown says that this kind of spoofing will happen again. The fault, he says, lies in BT developing its own digital signature technology. “Why didn’t it use established, tested and secure software like PGP or X509?” he asks. Chown might have had the last laugh on this occasion, wryly pointing out a free guide to internet security on BT’s web site.