Joint Statement Issued on behalf of the National Cybercrime Programme and Pervade Software

We are aware that a blog post was published online by an individual claiming to have uncovered security issues with Police CyberAlarm.

The individual’s conclusions are completely untrue and if left unchallenged, potentially damaging to the Police CyberAlarm project. The review is not a review of the Police CyberAlarm tool. It is in fact a review of an old development tool which has never formed part of the Police CyberAlarm system in any live version.

The individual is fully aware of that fact, but has chosen to go ahead and publish a misleading review about a completely different piece of software which does not feature in Police CyberAlarm and never has.

The actual Police CyberAlarm tool has undergone penetration testing by an independent CREST STAR and NCSC-approved CHECK consultancy, which found none of the issues raised in the review. It would, in fact, be impossible to find the issues raised, as they are not part of the Police CyberAlarm system.

Despite having tried to have a reasonable dialogue with the individual about his claims over a number of weeks, including arranging direct access to the developer of Police CyberAlarm, he has continued to post false claims about the security of Police CyberAlarm and tweet selective quotes out of context from the detailed correspondence and discussions we have had with him.

We are genuinely saddened that this individual has taken steps which have the potential to undermine a police-led project which is intended to support thousands of businesses and organisations in England and Wales in their fight against cybercrime.

Regrettably, this individual’s lack of good faith has left us with no other option but to publish the full response sent to him to reassure the information security and business communities that Police CyberAlarm is safe. The Police CyberAlarm is a force for good and is designed entirely with the goal of helping businesses better protect themselves from cyber criminals.

It is absolutely right that people challenge the security of any product or system backed by law enforcement. We will always take any issues raised seriously, as we did in this case. But it is not right for an individual to ignore the facts and post false and misleading information wrongly discrediting a product, and its developer, which has been designed to help protect businesses.

The response below has been redacted to remove contact information.

Letter of Response

s40(2)

s40(2)

26th November 2020

Dear s40(2),

I have made the NPCC’s position clear and do not think there is anything for us to discuss, nor do I consider that there is any value in meeting with you, not least because the Programme team took the time to engage with you and provide you with clear information and this has either been ignored or misrepresented in your publications, and also because of concerns regarding other representations you have made regarding your conduct, described in further detail below.

As a matter of law, it is for you to be in a position to prove the accuracy and truthfulness of your publications, not the other way around, although we in fact provided you with information demonstrating the falsity of your allegations prior to publication. If you were not and still are not in a position to verify the accuracy of what you have published, this demonstrates that it should never have been published in the first place.

Nevertheless, we are happy to clarify the below in respect of your blog:

You state that:

Their installation guide suggests running it inside a DMZ (de-militarized zone, an isolated segment from other network assets) or "on your internal network".

Our response is that:

We recommend installing the Police CyberAlarm Data Collector in a DMZ or segregated network, but for those who do not have one available we suggest it can be installed on its own server on an internal network; this is because the system does not require any inbound access, only outbound, and should not be accessible from the Internet.

You state that:

Disable SELinux?!

Our response is that:

SELinux is disabled as it inhibits the functionality of the Police CyberAlarm Data Collector in many circumstances. Disabling SELinux does not give apps root control of the server; the Police CyberAlarm application does not run as root, nor is it a jailbroken device as suggested.

You state that:

I noticed a screenshot with the download link and without an access code or authentication

Our response is that:

You have not identified the screenshot to which you refer. Nor have we been able to identify the alleged screenshot. No member has been directed to the URL you accessed.

In fact, you spent a significant period of time over a number of days browsing the site, before it would appear that you took it upon yourself to access a /downloads/ directory, which was not intended for member use, and which did not contain the Police CyberAlarm software. You will have become aware of this when you were subsequently provided with an access code and directed to download the Police CyberAlarm software.

You state that:

I proceeded to download the 5.7GB virtual machine image and launched it with VMWare Workstation

Our response is that:

What you downloaded was an OpView Collector that contains debugging and testing tools, not a Police CyberAlarm Data Collector; it does not contain the registration page required for a Police CyberAlarm Data Collector and contains many tools a Police CyberAlarm collector does not. As you can see from your own screenshots, it attempts to connect to a Pervade.co.uk server, not a CyberAlarm.police.uk server. Having subsequently downloaded a real Police CyberAlarm Data Collector you could very easily see it was a different piece of software.

You state that:

PHP 5.4 was end of life in September 2015. No more security patches or updates, it is dead and should never be used in a production app.

Our response is that:

Police CyberAlarm does not use PHP 5.4, and never has. The testing tool you downloaded did. Police CyberAlarm uses PHP 7.2.

In your blog as originally published, you stated that:

CentOS 6 is due to be deprecated/end of life in November 2020 (just 6 days away!)

Our response is that:

Police CyberAlarm does not use CentOS 6, and never has. The testing tool you downloaded did. Police CyberAlarm uses CentOS 7 with support for other OS coming soon. While you updated your blog to state “25/11/20 3PM: Thanks to Dave Walker on Twitter for pointing out a mistake regarding CentOS. My screenshots show a later build with CentOS 7 / PHP 5.4 so to avoid confusion, I've removed that section. Apologies folks.”, that does not address the actual inaccuracy in your original post. Furthermore, even the correction is inaccurate as the latest version is CentOS 7 / PHP 7.2.

You state that:

The app has a file called "getmon.php" which literally serves as an RCE (remote command execution) endpoint

Our response is that:

Police CyberAlarm does not contain a file called “getmon.php”, and never has. The testing tool you downloaded did.

You state that:

Here, we use the SMB protocol to connect to another PC inside the network and grab sensitive data from it

Our response is that:

Police CyberAlarm does not contain a file called “getmon.php”, and never has. The testing tool you downloaded did; therefore this is not possible with a Police CyberAlarm Data Collector.

You state that:

If you have sensitive data, trade secrets or anything else important on your network, it's now remotely accessible to anyone, anywhere when you view a web page.

Let me be really clear about this. This vulnerability allows a remote attacker to entirely bypass your firewall and exfiltrate any data accessible over your network; you only need to visit a vulnerable web page once.

Our response is that:

Police CyberAlarm does not contain a file called “getmon.php”, and never has. The testing tool you downloaded did. Despite this not actually being a vulnerability, we should be clear that no attackers are able to remotely bypass a firewall because of any feature of Police CyberAlarm; the Police CyberAlarm Collector requires only OUTBOUND access, and it is not possible for any Internet based entity to initiate a connection with the Police CyberAlarm Data Collector. This is a point made very clear to people genuinely signing up for Police CyberAlarm, rather than happening across tools and misunderstanding how they are used.

You state that:

an attacker can remotely inject malicious code into any page on the box

Our response is that:

A Police CyberAlarm Data Collector only has one page, a registration page, which was not present on the testing tool you downloaded, so you would not have been able to see what protection is/is not in place. On the actual Police CyberAlarm Data Collector a process exists that cleanses the user input and disables the page if malicious attempts are made.

You state that:

It should go without saying, but if your security certificate expires, it's no longer secure

Our response is that:

The certificates on Police CyberAlarm Collectors are not expired; it is possible that they are on the defunct testing tool you downloaded. You can clearly see from your screenshot that the certificate is for pervade.co.uk, not a CyberAlarm.police.uk domain.

You state that:

It's absolutely vital to generate a cryptographically random key and handle it securely. Sadly, CyberAlarm does neither. The "key" is static and hard-coded: "P3rv4d3S0ftw4r3".

Our response is that:

This is not an encryption key. You have misunderstood its purpose. Encryption keys on all Pervade collectors, including the real Police CyberAlarm Data Collectors, are pulled down by the collector when it registers; the key is updated regularly by the Processing Server and is a unique lengthy random string.

You state that:

A MAC is vital; it allows the recipient to ensure the data hasn't been manipulated during transit. Without it, they're actioning harvested data collected from "data collectors" with absolutely no guarantee of its integrity.

Our response is that:

Source identification does occur in the Police CyberAlarm Data Collectors; new collectors require validation from multiple sources to ensure they are genuine, and Data Collectors can only be registered once, as you are aware having attempted to use your registration code on multiple occasions.

You state that:

One sure-fire way to ensure your product is entirely insecure is to disable all security checks on your certificate, which of course, CyberAlarm does.

Our response is that:

The Police CyberAlarm collector is based on a commercial product that is usually installed on private networks without signed certificates; therefore all OpView Data Collectors, including the testing tool that you downloaded, do not validate HTTPS certificates. However, the Police CyberAlarm Data Collectors do.

You state that:

This means all updates are insecure - allowing an attacker to put anything on the device remotely

Our response is that:

This scenario is impossible because certificates on the CyberAlarm Data Collector are validated.

You state that:

In a screenshot underneath the heading ‘Broken Encryption - Part Deux’, you have inserted the comment “$SERVER IS A SUPERGLOBAL, REMAPPED EARLIER. SUPERGLOBALS AREN’T SAFE, BUT NEVER MIND…”

Our response is that:

This is not true. You appear to be confusing the reference to $server with the default PHP superglobal variable called $_SERVER, but the $server variable is completely different with limited scope made available only to functions that need it.

You state that:

When the app needs to grab a list of "jobs" or tasks to carry out locally, it logs in with a password of "3jscove".

Our response is that:

This is not a password, nor is it used after a collector is registered (which you can clearly see from your own screenshot).

You state that:

The link I'd "found" (from their installation guide) was a 2yr old "test" version never intended for public use! Great, it's 2 years old... now your dependencies are only 3 years out of date instead

Our response is that:

As indicated above, contrary to your suggestion that you accessed the tool by following a URL in a screenshot, you actually accessed a defunct testing tool, not a version of Police CyberAlarm of any kind or relevant to any live Police CyberAlarm system. It actually lacks the ability to connect to any Police CyberAlarm system at all, as you can clearly see from your own screenshots where it attempts to connect to a pervade.co.uk server not a CyberAlarm.police.uk server.

You state that:

This pilot should be pulled immediately. I'd actually go one step further and question how a product with so many simple but critical security flaws could ever be promoted by the Police.

Our response is that:

The software you stumbled upon and downloaded has never been released or promoted by anyone, least of all the Police. You know that having downloaded the real collector that we gave you only 2 days later; yet, some 6 weeks later, you have posted a “review” of the defunct testing tool claiming it to be the Police CyberAlarm collector.

You state that:

CyberAlarm is sadly nothing more than an insecure, poor-designed/engineered wrapper around OpenVAS - an open-source vulnerability assessment scanner

Our response is that:

OpenVAS is not installed on the Police CyberAlarm collector; OpenVAS does not monitor logs (which is the purpose of the Police CyberAlarm collector), and vulnerability scanning (which is the purpose of OpenVAS) is not required for the service; it is merely a small add-on. This sentence alone shows a great misunderstanding of what the system does, something that people who sign up in the correct and appropriate way would not have.

In relation to your tweets, in response to a question as to whether the NPCC were aware of the issues you raised and nevertheless launched Police CyberAlarm,

You state that:

Yep, but argued the issues don’t exist in the live version.

Some do, some have been patched.

Our response is that:

None of the issues you raised exists in Police CyberAlarm, and never has.

You state that:

To check the system is working, they appear to have collected their own internal traffic containing admin usernames/passwords and left it in a simulation file.

Oh… and their Fortinet creds & config.

Our response is that:

Police CyberAlarm does not contain a simulator file; the testing tool you downloaded did. As the file name clearly suggests, this is simulator data - it is used to populate the system for demonstrations and to test rules (for example a rule that looks for a password in a URL or one that checks if the configuration contains a line that says “# I'm a sneaky hacker!;”). If you had checked or were to check the data yourself, you would realise that the URLs do not exist and the configurations are not real.

Please note that the mere fact that we haven’t engaged with each and every single inaccuracy in your publications should not be taken to mean that we don’t take issue with them; we felt it appropriate to highlight the most significant issues, and it is not conducive to the delivery of the programme’s objectives to spend further time and public money engaging with these issues or with you.

We note that you have already made one update to your post to correct inaccurate information contained within it which has been pointed out to you by a third party, and that other inaccuracies have also been raised with you by such individuals.

The fact that you now appear to accept that your sensational publications were not accurate is demonstrated by your own further publications, although these have not been published on the same scale as your original publication and have been compounded by further falsities. For example, in reply to a tweet (and therefore not brought to the attention of those who have seen your original publicity) you state, “I’ve no doubt that it’s an old version”, but have then gone on to state “The majority of the issues remain in the actual live version”. In reply to another tweet querying the veracity of your statements, you responded that, “You’re likely looking at the current version Dave, which is CentOS 7”. The truth is that you know and have known for a number of weeks that this has never formed part of Police CyberAlarm and that the issues you identified have never formed part of and do not form part of Police CyberAlarm. Despite this, you continue to publish your blog post including that: “This pilot should be pulled immediately. I'd actually go one step further and question how a product with so many simple but critical security flaws could ever be promoted by the Police”; and, “Following my criticisms over the "old" version, I was given an access code to allow me to download the "live" one. Suffice to say, little has changed”. If and as far as these may represent your opinions, as you have suggested to one individual who raised concerns regarding your approach and conclusions, they are based on facts that you know or should know are false and are not conclusions that could be reached by any reasonable person.

It is of particular concern that you have continued to maintain your erroneous position, even following receipt of my letter of yesterday, which merely serves to demonstrate that your conduct was and remains malicious in the legal sense, that is to say that you are publishing material with knowledge of or reckless disregard as to its falsity. Given the fact that you failed to reflect fairly any of the information you had been provided with by the NPCC’s Cyber Crime Programme team, your publications are not an honest attempt to highlight legitimate issues “so serious questions should be asked”. We note in this regard that you were engaging with third parties indicating that you had received “No official response yet” yesterday, but have not now published anything to the effect that you have received an official response refuting all of your allegations and pointing out that you were aware of the NPCC’s position prior to publication, and nor have you removed your publications.

In your email to me of 21:09 last night, you stated, “I registered my interest and received an installation guide; the contents of which led me to a site to download "CyberAlarm". There are no date stamps, version numbers or indeed anything to suggest the version I was sent was outdated or not intended for public use… It makes sense that anyone else in possession of the incorrect link may also have downloaded the wrong image and as such, it could be running inside a firm's network. As a result, I'm afraid that brings it into scope”. Contrary to what you have suggested, I do not believe you were provided with an incorrect link, and had you followed the instructions that are actually provided to members, you would never have gone down this misguided path.

On 11 November 2020, at around 12:46, you engaged in discussions with Pervade when it was made clear to you that the purported issues you raised were simply not present in Police CyberAlarm and never had been. Despite this, you maintained your position, and at Pervade’s invitation, you committed to sending through the alleged deficiencies with Police CyberAlarm. You failed to do so and instead simply proceeded to publish your inaccurate blog post and tweets.

We also note that you continue to use the Police CyberAlarm logo in breach of copyright and without permission or other lawful justification.

We must insist that you remove the post and tweets, publish the requested retraction and commit that you will cease and desist from publishing the same or similar falsities in future, and that you do so today. Should you fail to do so then we reserve the right to publicise our position regarding your allegations, including our letters to you.

We should also make clear that Pervade Software and its officers and staff reserve all their rights in respect of your publications.

Yours sincerely

s40(2)

s40(2)

s40(2)

s40(2)