410759
story
Comments: 197 +- IT: Privacy Breach In Canadian Passport Application Site on Wednesday December 05 2007, @05:26AM
Posted
by
kdawson
on Wednesday December 05 2007, @05:26AM
from the didn't-need-that-old-identity-anyhow dept.
from the didn't-need-that-old-identity-anyhow dept.
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
Joanna Karczmarek sends us news of a massive privacy breach in the Government of Canada passport website. "A security flaw in Passport Canada's website has allowed easy access to the personal information — including social insurance numbers, dates of birth and driver's license numbers — of people applying for new passports. ... The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser."
Related Stories
Submission: Privacy breach in passport applications in Canada by Anonymous Coward
Writing is easy; all you do is sit staring at the blank sheet of paper until
drops of blood form on your forehead.
-- Gene Fowler
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.
Wonderful (Score:5, Interesting)
Re: (Score:3, Informative)
As for this security flaw, there was a similar one found a few months ago in the UK's own online visa applications system http://www.channel4.com/news/articles/business_money/online+visa+security+flaw/517157 [channel4.com] . Maybe they hired the same idiot programmers?
Re: (Score:2)
Trash the World (Score:4, Funny)
2...
1...
Breaking News, a L33t Canadian Hacker broke into a national security site, stealing millions of Dollars worth of personal information.
No word yet on any arrests.
More at 11.
31337 h4x0r (Score:4, Funny)
http://www.freedom-to-tinker.com/index.php?p=780 [freedom-to-tinker.com]
http://www.tjmcintyre.com/2005/06/morris-tribunal-learns-pitfalls-of.html [tjmcintyre.com]
http://blogs.zdnet.com/threatchaos/?p=464 [zdnet.com]
Any site that documents these breeches? (Score:2)
Re: (Score:3, Funny)
Bad Monkey!!!! (Score:3, Funny)
Re:Bad Monkey!!!! (Score:5, Funny)
Parent
Re: (Score:3, Insightful)
This is such a simplistic error - it means that there are more simplistic errors hiding in the website as well, not only this one.
passport security is so important, why don't they audit the website BEFORE it goes live?
--jeffk++
Re: (Score:3, Insightful)
passport security is so important, why don't they audit the website BEFORE it goes live?
Because those directly responsible for the bad design have little, if any, liability for screw up. They aren't out any money. Their information isn't public/stolen. They don't face jail time, and it's unlikely their career will take any real hit assuming they can be identified at all.
BTW, it *may* not be the coders that are responsible for the bad design. More than once I've been directly ordered by my past bosses
Re: (Score:3, Interesting)
Having previously worked there (the Passport Office), and it's probably the same in every other government branch, I think the big dumb gaping hole comes from outside consultants. Someone applying for a tenured job has to go through various screening processes, and while the screening isn't super-duper, it's still better than nothing. Consultants only need to win a bidding war (if at all), and of course the people who bid low o
Re:Bad Monkey!!!! (Score:5, Insightful)
Option A and B: A & B achieve identical functionality but B comes with an enormous security breach. Implementing A costs one million dollars more than implementing B.
WWDPHBD? [What Would Dilbert's Pointy Haired Boss Do?]
Parent
Re: (Score:2)
Sounds like some web monkey needs a beating....
While some grade D web monkey made a fundamental mistake, you have to look towards management for this. Or it will happen again. Where was the pen testing? Peer code review? Design review? (Assuming it was designed and not hacked).
I am NOT a government insider but have visited the government web sites enough to know how it's I/T operates. It is operated by department level politics and fragmented so bad it has no effective leader or policies. Sort of l
Incompetence! (Score:2)
But after the website resumed operation yesterday afternoon, a few keystrokes sufficed to reveal some of the personal information of passport applicants, including names, addresses and numbers for references and emergency contacts
HAHA! "URL HACKING" is easy to protect against. Maybe they've gone so high tech in security
Re: (Score:2)
Heh, i'm responsible for internal testing, and when i find such things, even our internal developers usually say: 'who cares'
Re: (Score:2)
Not so much a security flaw is it is incompetence. How could the developers miss this? Oh, here's the sweet part. They said the flaw was repaired on Friday. And from the article...
And absolutely nothing in the management process to stop it.
Code reviewed, probably not.
Code designed, not likely,
Security risk assessment, obviously not.
Formal security model reviewed? Not likely.
Project management? Incompetent.
Software design process, absent.
Specifications document? Probably not.
Pen testing, obviousl
I'm not surprised (Score:3, Funny)
Well you did say it was a government contract.
Wow (Score:5, Informative)
A lot of sites were vulnerable to this sort of thing in 1995
Who wants to bet that the 'unrelated problem' that resulted the the site shutting down was SQL injection. If you're stupid enough to allow access to other people's details via slight URL changes, you're probably also stupid enough not to check or parameterise form fields.
Re: (Score:2, Insightful)
The evolutionary nature of the web has lead to such technologies that just don't mesh well with one another. Bring SQL and JavaScript into the mix, and now you can be mixing four or five different languages in one web application. Most developers don't
Server Side Scripting == Security (Score:2, Insightful)
...and the idea that 3 and 4 are separate and distinct is probably what caused this whole problem in the firs
Re:Wow (Score:5, Funny)
Irresponsible name to have these days.
Parent
Re:Wow (Score:5, Informative)
Parent
Re: (Score:3, Interesting)
I've always wondered quite how far into unpronounceability (and indeed unprintability) names are allowed to venture. Merely giving your child a name with a formfeed in it would probably cause chaos enough.
I've also long wondered what the perpetrators of these text-string-passing SQL bindings were on. That's an 'idea' that just isn't one!
Re: (Score:2)
No. Basically the majority of all Canadian government projects go badly and go overbudget, not just a wee little bit, but a whole metric fuckload - incompetence and lack of any accountability are systemic problems in virtually every government project. Possibly even corruption.
One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government p
fixed AND old news. (Score:3, Informative)
Re: (Score:3)
As an aside, I see we are dealing with yet another IIS server. What is it with IIS installations and dodgy security?
Re:fixed AND old news. (Score:4, Funny)
Parent
Re: (Score:2)
Yeah - but weird things start coming up when you change the ref=rss to ref=rsr.
Basic Encryption? (Score:3, Interesting)
Re:Basic Encryption? (Score:4, Interesting)
Parent
Wish we could say this was unique. (Score:3, Interesting)
One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government project and "how stuff like this can happen", so bear with me for a bit.
The registry was supposed to cost 2 million (with a M) dollars when it was "sold" in 2000. They've so far spent well over a billion (with a B) and the CBC was leaked documents from a reputable source that place the cost at 2 billion dollars. BTW, there are still fairly significant fees for the license and registration portion - paid by the person who wants to own the firearm.
I'm honestly not sure who got / gets the money, but clearly, a (2?) billion (plus?) dollars goes to someone, and they are getting a sweet, sweet deal. It's basically a complete failure too - while numbers vary, there is a significant discrepancy between the number of guns registered and the number believed to be in Canada. A frequently quoted statistic is "just under 7 million registered while estimates from the '70s indicated ~10 million firearms in Canada"
At this point, only one province (Quebec) will prosecute people who didn't register their firearms (the decision to prosecute is left to the province), there are substantial problems with the quality of the data in the database (to the point where a number of high profile police chiefs have called for it's abolishment).
Yes, we have 3 territories too, where firearm laws are pretty much ignored.
Tying it in with this article - there are allegations that either the registry has been hacked - or (far more likely) some people with access to the registry are using the registry to find gun owners with large collections to rob. We've had a number of robberies of collectors homes recently.
Other wonderful Canadian projects include buying dented (one apparantly hit a whale) and leaking submarines from the UK for far more than they were worth, a quarter-million dollars for a sculpture made of guns, $100,000 for a book about dumb blondes, and $250,000 to sculpt the face of St. Jean the Baptist on a hillside in Quebec by cutting and planting trees - the list goes on and on.
Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can. Nobody will get fired for this, and the folks who designed the passport site will continue to get contracts. I'd be willing to bet the same folks that did the gun registry worked on this project.
Re: (Score:2)
Fixed version:
Basically the majority of all government projects go badly and go overbudget, not just a wee little bit, but by a lot - incompetence and lack of any accountability are systemic problems in every government project together with corruption and bri
Why are state computing projects always like this? (Score:5, Interesting)
This is not just a moan - it is a serious question.
In the UK, every large computer project since the Navy sponsored the Babbige engine seems to end up running hugely over budget and time, and often delivering nothing. Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little more than a mobile phone? The recent leak of disks with 25 million UYK residents' personal information, most of which was not wanted by the people it was going to was not removed because that was 'too labour intensive'. A few lines of perl, tops. If they want to send discs, then can send discs of random numbers, and do one-time pad encryption. If you have a proper source of random numbers, then provided the discs arrive with the seals intact, they can send the actual data XORed with the one-time pad. Not exactly rocket science, any of this.
The usual explanation is a lack of market forces. State projects tend to get offered to contractors with vetted personnel, contractors who have done similar projects before. If you have a military requirement then your choice is restriced to positively vetted people who don't mind working on such stuff. Certainly, in the UK, there seems to be a cosy relationship between the state and the contractors. I am not sure I altogether buy this explanation. If there really is a free market, then more talented people ought eventually to come to the top if the contracts are so lucrative,
Perhaps the problem lies with the national interest. The UK government would have to prever UK companies to overseas ones. Sometimes the competition has to come from outside a country. 20 years ago, prescription glasses used to be expensive and took a week to arrive. If you were going to the US, you could take your prescription, and get a pair made in an hour. Now you can get the same service in the UK. In the US, it is hard to get a mobile phone unlocked - it is looked on as illegal, but in the UK this is commonplace. IN both cases, I don't think there was anyhing that was actively preventing competition: it just wasn't happening.
Re:Why are state computing projects always like th (Score:2)
Rings true to me.
Re:Why are state computing projects always like th (Score:3, Insightful)
Where I work (Score:2)
If you save the webpage, the default filename that it will save as is also the password for the super-secret information.
So, this story doesn't surprise me.
ASP.NET (Score:2)
And third-rate programmers using it.
Altering a URL is hacking (Score:3)
I recall at least a couple cases of guys getting charged with hacking for altering URLs.
I'm not sure that I would have reported this if I had discovered it. Your mileage may vary.
Re:25% of Canadians not born in Canada. (Score:4, Funny)
I wouldn't say Americans are that bad at English...
Parent
Re: (Score:2)
The problem is not knowing when it's proper to insert "eh", and not always making things like "about" sound like "aboot".
There's a lot more that goes into sounding Canadian than just making your whole head flap.
Re:25% of Canadians not born in Canada. (Score:5, Informative)
I work at a company with fifteen employees, representing eight distinct nationalities and we operate in perfect harmony. This place is not anomalous; I have lived through several similar situations at other companies.
However, I am also a sample of one. Let us look at statistics. Immigration accounted for two-thirds of Canada's population growth in 2006/2007 (http://www.statcan.ca/Daily/English/070927/d070927a.htm/ [statcan.ca]) and has always been a significant contributor to our population (http://www40.statcan.ca/l01/cst01/demo03.htm?sdi=population%20growth/ [statcan.ca]).
Does this trend pose difficulties? Certainly. However, were such a policy not embraced by the majority of Canadians, it certainly would not persist. The tolerance is real. Join us and see for yourself.
Parent
Re: (Score:3, Insightful)
Re:.aspx (Score:4, Informative)
Never, ever, trust data provided by the user. If there's potential to cause trouble, somebody will do it, which is why the site should have been keeping track of who's application was being filled out on the server, probably in a session variable.
Parent
Re: (Score:2)
But i prefer exposing parameters and ID, and check for validity when parsing the request so that a hacker would need to hijack the session to perform any operation.
Re: (Score:2)
1. IIS won't run on Win ME.
2. This sort of security hole could just easily happen on any web platform - ASP, PHP,
Re:Accidentally on purpose (Score:4, Funny)
Parent
Re: (Score:2, Informative)
Re: (Score:3, Insightful)
Havi
Re: (Score:3, Insightful)