Security

Privacy Breach In Canadian Passport Application Site

Posted by kdawson
from the didn't-need-that-old-identity-anyhow dept.
Joanna Karczmarek sends us news of a massive privacy breach in the Government of Canada passport website. "A security flaw in Passport Canada's website has allowed easy access to the personal information — including social insurance numbers, dates of birth and driver's license numbers — of people applying for new passports. ... The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser."

  • Wonderful (Score:5, Interesting)

    by Grey_14 (570901) on Wednesday December 05, 2007 @06:31AM (#21583145) Homepage
    Odds are, lots of people are applying for passports nowadays too, since apparently we Canadians need them to cross the border into americaland in the near future.
    • Re: (Score:3, Informative)

      by Wowsers (1151731)
      In the UK, applying for a passport _now_ gets around the UK's ID card laws and its Nazi-esque data gathering, oh, and is considerably cheaper now compared to IF the ID cards ever come into existence.

      As for this security flaw, there was a similar one found a few months ago in the UK's own online visa applications system http://www.channel4.com/news/articles/business_money/online+visa+security+flaw/517157 [channel4.com] . Maybe they hired the same idiot programmers?
  • by Smordnys s'regrepsA (1160895) on Wednesday December 05, 2007 @06:36AM (#21583165) Journal
    3...
    2...
    1...

    Breaking News, a L33t Canadian Hacker broke into a national security site, stealing millions of Dollars worth of personal information.

    No word yet on any arrests.

    More at 11.
  • 31337 h4x0r (Score:4, Funny)

    by martinX (672498) on Wednesday December 05, 2007 @06:41AM (#21583183)
  • by TheeBlueRoom (809813) on Wednesday December 05, 2007 @06:43AM (#21583191) Homepage
    Sounds like some web monkey needs a beating....
    • by chuckymonkey (1059244) <(charles.d.burton) (at) (gmail.com)> on Wednesday December 05, 2007 @06:50AM (#21583233) Journal
      *Waves hand in the air* I am not the monkey you are looking for.
    • Re: (Score:3, Insightful)

      by statusbar (314703)
      Where do these people get educated anyways? And how much of my tax dollars are going to pay for this incompetence?

      This is such a simplistic error - it means that there are more simplistic errors hiding in the website as well, not only this one.

      passport security is so important, why don't they audit the website BEFORE it goes live?

      --jeffk++
      • Re: (Score:3, Insightful)

        by berzerke (319205)

        passport security is so important, why don't they audit the website BEFORE it goes live?

        Because those directly responsible for the bad design have little, if any, liability for the screw-up. They aren't out any money. Their information isn't public/stolen. They don't face jail time, and it's unlikely their career will take any real hit assuming they can be identified at all.

        BTW, it *may* not be the coders that are responsible for the bad design. More than once I've been directly ordered by my past bosses

        • Re: (Score:3, Interesting)

          by billcopc (196330)
          Consultants. Consultants. Consultants. Consultants. Consultants. *throws chair*

          Having previously worked there (the Passport Office), and it's probably the same in every other government branch, I think the big dumb gaping hole comes from outside consultants. Someone applying for a tenured job has to go through various screening processes, and while the screening isn't super-duper, it's still better than nothing. Consultants only need to win a bidding war (if at all), and of course the people who bid low o
    • by canuck57 (662392)

      Sounds like some web monkey needs a beating....

      While some grade D web monkey made a fundamental mistake, you have to look towards management for this. Or it will happen again. Where was the pen testing? Peer code review? Design review? (Assuming it was designed and not hacked).

      I am NOT a government insider but have visited the government web sites enough to know how it's I/T operates. It is operated by department level politics and fragmented so bad it has no effective leader or policies. Sort of l

  • Not so much a security flaw as it is incompetence. How could the developers miss this? Oh, here's the sweet part. They said the flaw was repaired on Friday. And from the article...

    But after the website resumed operation yesterday afternoon, a few keystrokes sufficed to reveal some of the personal information of passport applicants, including names, addresses and numbers for references and emergency contacts

    HAHA! "URL HACKING" is easy to protect against. Maybe they've gone so high tech in security
    • Most web developers know about URL hacking but don't care at all. Especially externally contracted ones.
      Heh, I'm responsible for internal testing, and when I find such things, even our internal developers usually say: 'who cares' :)

    • by canuck57 (662392)

      Not so much a security flaw as it is incompetence. How could the developers miss this? Oh, here's the sweet part. They said the flaw was repaired on Friday. And from the article...

      And absolutely nothing in the management process to stop it.

      Code reviewed, probably not.

      Code designed, not likely,

      Security risk assessment, obviously not.

      Formal security model reviewed? Not likely.

      Project management? Incompetent.

      Software design process, absent.

      Specifications document? Probably not.

      Pen testing, obviousl

      • by mpe (36238)
        But most Canadians already know our SIN numbers are in essence public, have been for some time.

        If things are set up sensibly in the first place the only thing anyone knowing these details should be able to do is contribute to your income tax/state pension. On the other hand they have no relevance to passports...
    • by mpe (36238)
      Not so much a security flaw as it is incompetence.

      Incompetence is the cause, security flaws are one of the results.

      HAHA! "URL HACKING" is easy to protect against. Maybe they've gone so high tech in security they totally passed on the low tech?

      Most likely the underlying reason is that the whole process of assigning and managing government IT projects is fundamentally broken. (I don't just mean in Canada either.)
  • Wow (Score:5, Informative)

    by asifyoucare (302582) on Wednesday December 05, 2007 @07:04AM (#21583307)
    This is a simple and fundamental error and I'm amazed that the 'security technique' made it into production on such a major site. Doesn't ANYONE know what they're doing. Geez, this is Web Security 101.

    A lot of sites were vulnerable to this sort of thing in 1995 ... If you're going to make URLs user or session specific you need very long random-looking strings.

    Who wants to bet that the 'unrelated problem' that resulted in the site shutting down was SQL injection. If you're stupid enough to allow access to other people's details via slight URL changes, you're probably also stupid enough not to check or parameterise form fields.

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Essentially all web development technologies are shit. It doesn't matter if they were using Perl CGI scripts, PHP, some JSP-based framework, ASP, ASP.NET, ColdFusion, Ruby on Rails, Django, or whatever other language/framework/technology you want to consider.

      The evolutionary nature of the web has led to such technologies that just don't mesh well with one another. Bring SQL and JavaScript into the mix, and now you can be mixing four or five different languages in one web application. Most developers don't
    • Re:Wow (Score:5, Funny)

      by tttonyyy (726776) on Wednesday December 05, 2007 @08:05AM (#21583615) Homepage Journal

      Who wants to bet that the 'unrelated problem' that resulted in the site shutting down was SQL injection. If you're stupid enough to allow access to other people's details via slight URL changes, you're probably also stupid enough not to check or parameterise form fields.
      I blame that Canadian called '; drop table passport_info -- ' and password = ''; myself.

      Irresponsible name to have these days.
      • Re:Wow (Score:5, Informative)

        by MMC Monster (602931) on Wednesday December 05, 2007 @10:05AM (#21584327)
        ObXKCD link: http://xkcd.com/327/ [xkcd.com]
      • Re: (Score:3, Interesting)

        by porpnorber (851345)

        I've always wondered quite how far into unpronounceability (and indeed unprintability) names are allowed to venture. Merely giving your child a name with a formfeed in it would probably cause chaos enough.

        I've also long wondered what the perpetrators of these text-string-passing SQL bindings were on. That's an 'idea' that just isn't one!

        • by caluml (551744)
          Hiya, yes, I'm \x00John\n\nFrank Smith\a, how can I help?
        • by mpe (36238)
          I've always wondered quite how far into unpronounceability (and indeed unprintability) names are allowed to venture. Merely giving your child a name with a formfeed in it would probably cause chaos enough.

          It depends on the country. IIRC there are countries which have lists of approved names, which of course only apply to citizens.
          Another issue is where translating someone's name into another language e.g. Arabic to English is a one to many operation. As well as all the common IT issues of assuming names c
          • Yeah, I recently took a Chinese class. Acquiring a Chinese given name turned into a lengthy negotiation (my name even has a specified algorithm for translation—my parents are a bit odd—but unfortunately it seems to have failed in this case because of some historical/linguistic misfortune), and my surname is an unresolved disaster. :) (And yes, you recall correctly. Holland, for example, unless they changed matters.)
    • by loraksus (171574)
      Doesn't ANYONE know what they're doing
      No. Basically the majority of all Canadian government projects go badly and go overbudget, not just a wee little bit, but a whole metric fuckload - incompetence and lack of any accountability are systemic problems in virtually every government project. Possibly even corruption.

      One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government p
      • by Dr Caleb (121505)
        "One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government project and "how stuff like this can happen", so bear with me for a bit."

        Government? While I'm all in favour of blaming our elected overlords - this is what happens when you give a big contract to CGI. A simple task, much like the nationwide vehicle registry, all they had to do was take the source, file off 'Make
      • by mpe (36238)
        Other wonderful Canadian projects include buying dented (one apparently hit a whale) and leaking submarines from the UK for far more than they were worth,

        But probably far less than they cost the British taxpayers.

        $100,000 for a book about dumb blondes

        Wonder if there's a book about dumb politicans. Maybe they could be persuaded to all dye their hair blonde :)

        Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can.

        Replace "Canadian
        • by loraksus (171574)
          But probably far less than they cost the British taxpayers.
          Maybe, but Canada really only got 3 subs (for the price of 4) since one had to be stripped for parts. One man also died and 8 were injured when a fire broke out a couple miles off the coast of the UK.
          Pretty sure we got "proper fucked" on that one.
    • by PhotoGuy (189467)
      If you're going to make URLs user or session specific you need very long random-looking strings.
      I disagree. That's the ugly (and wrong, in my opinion) way of doing it. I think the better approach is having nice, concise, meaningful strings (http://blah.com/info/?uid=200 is just fine). *BUT*, you authenticate your session with a login (or other authentication) cookie (and do it over an HTTPS session).

      Long complicated strings are almost an ugly security through obscurity approach; requiring login creden
      • If you have the cookie, do you need to make the URLs user or session specific at all?
      • by PhotoGuy (189467)
        It depends, but I would say, yes. For example, on facebook, I'm allowed to see the detailed profiles of people who are on my friends list (authenticated by my cookie). The URLs are specific to each user, but the cookie associates my credentials for what I am allowed to see.

        There are undoubtedly cases where it's not necessary, and the cookie can carry all the state, but I think that actually leads to *more* confusion. (If someone is left logged in, and you go to your favorite bookmark, seeing their stuff
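The pattern PhotoGuy and the reply above describe (keep the plain `?uid=200` URL, but let a server-side session decide what that user may see) as an added example, written for this thread and not taken from the passport site or any poster's code. The record store, session table, and access-log format are all constructed here; the detection helper at the end flags a session that successfully reads more distinct records than one applicant would plausibly need, which is the footprint of the "alter one character in the address" failure the story reports.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample records standing in for the passport application store
# (hypothetical data, not anything from the real site).
APPLICATIONS = {
    200: {"owner": "alice", "name": "Alice Example", "sin": "000-000-001"},
    201: {"owner": "bob", "name": "Bob Example", "sin": "000-000-002"},
}

# Server-side session store: cookie value -> authenticated username.
SESSIONS = {}


class Forbidden(Exception):
    """Raised when a request has no valid session or asks for someone else's record."""


def login(username):
    """Issue an unguessable session cookie for an already-authenticated user."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[token] = username
    return token


def view_application_vulnerable(app_id, session_cookie):
    """The broken pattern: the id in the URL is the only thing consulted,
    so changing one character of ?uid= returns someone else's application."""
    return APPLICATIONS.get(app_id)


def view_application_hardened(app_id, session_cookie):
    """The fix described in the thread: keep the readable ?uid=200 URL, but
    tie the request to an authenticated session and check that the session's
    user owns the requested record before returning it."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        raise Forbidden("no valid session")
    record = APPLICATIONS.get(app_id)
    if record is None or record["owner"] != user:
        # One response for "does not exist" and "not yours", so the error
        # itself does not confirm which ids are in use.
        raise Forbidden("not permitted")
    return record


def is_denied(app_id, session_cookie):
    """True when the hardened view refuses the request."""
    try:
        view_application_hardened(app_id, session_cookie)
    except Forbidden:
        return True
    return False


# Detection side. Constructed access-log lines in an assumed format:
# client ip, session label, method, path, HTTP status.
SAMPLE_LOG = """\
203.0.113.5 sess=s1 GET /info/?uid=200 200
203.0.113.5 sess=s1 GET /info/?uid=200 200
198.51.100.9 sess=s2 GET /info/?uid=201 200
198.51.100.9 sess=s2 GET /info/?uid=202 200
198.51.100.9 sess=s2 GET /info/?uid=203 200
198.51.100.9 sess=s2 GET /info/?uid=204 200
"""

LOG_RE = re.compile(r"^\S+ sess=(\S+) \S+ /info/\?uid=(\d+) (\d+)$")


def sessions_reading_many_records(log_text, threshold=3):
    """Return session labels that successfully fetched at least `threshold`
    distinct uids; one applicant normally touches only their own record."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m.group(3) == "200":
            seen[m.group(1)].add(int(m.group(2)))
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)
```

The ownership check belongs in the handler, next to the lookup, not in the URL scheme: the URL can stay short and bookmarkable as long as the server never hands back a record the session's user does not own. The log scan is deliberately cheap; a single session reading several distinct applications with a 200 status is worth an alert even when every individual request looks legitimate.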
    • It really is unforgivable, but unfortunately it is not as uncommon as you might think. I used to review completed projects from an Indian contractor of a company that I was consulting for and they were about to go into production with a health care information related website that was vulnerable to SQL injection of the login allowing full visibility of all health records of all users. Heck, even after I told them how to fix the problem they fixed it with client side javascript (which of course isn't a fix b
    • by mpe (36238)
      This is a simple and fundamental error and I'm amazed that the 'security technique' made it into production on such a major site. Doesn't ANYONE know what they're doing. Geez, this is Web Security 101.

      We are talking government IT here. The Canadian government appears to be caught in a "race" with the US and British Governments to make the most possible mistakes when it comes to the security of their IT systems... (No doubt the Aussies will be joining in soon, now that they have got an election out of the
    • The article you link to was published yesterday. Exactly how recent does news have to be to escape your oldnews epithet?

      As an aside, I see we are dealing with yet another IIS server. What is it with IIS installations and dodgy security?
      • by Yetihehe (971185) on Wednesday December 05, 2007 @08:36AM (#21583759)

        What is it with IIS installations and dodgy security?
        If you make a server even idiot can run, idiots will be running it.
    • by CRC'99 (96526)

      http://www.cbc.ca/consumer/story/2007/12/04/passport-security.html?ref=rss

      Yeah - but weird things start coming up when you change the ref=rss to ref=rsr.
  • Basic Encryption? (Score:3, Interesting)

    by LaskoVortex (1153471) on Wednesday December 05, 2007 @08:11AM (#21583649)
    I'm guessing the database the info comes from is not even encrypted. One could come up with half-a-dozen schemes to prevent this. Here's one: every sensitive record in the database is encrypted with a unique key that is mapped to each session via a very long random number generated on a per-session basis. This random number would be used to decrypt the information in the database (combining, of course, with a server-side key to reconstruct a "permanent key"). So each client-side key would be able to decrypt one and only one sensitive record, making a one-session to many-record scenario impossible. Key-pairs would be generated on a per-session basis from a database of permanent keys that are themselves encrypted and served by a key server. I hereby patent this protocol. Please send me money if you use it or I will sue you.
    • Re:Basic Encryption? (Score:4, Interesting)

      by CastrTroy (595695) on Wednesday December 05, 2007 @09:50AM (#21584191) Homepage
      I think the problem doesn't even go as far as encryption. From what I understand, it seems like they were using incremented integers as session codes, instead of using big randomly generated strings. Just doing this will make your system a lot more secure. It doesn't really matter if the information is encrypted on the back end. If you can guess the session code (by incrementing your own by 1), then you effectively become that user, and it doesn't matter if the data is encrypted in the database or not. Likely, the only thing encrypting the actual data would counter against is an internal attack. However, you'd still need to have a table somewhere linking the user session to the data encryption key. You could probably encrypt this table with some secret machine key, but still the data would be readable. You could probably make the internal hacker run around in circles to get the data, but you wouldn't really be too effective in stopping them.
      • by mpe (36238)
        I think the problem doesn't even go as far as encryption.

        Encryption probably wouldn't help here. Since the people involved probably don't have the first clue how to use it effectively.

        From what I understand, it seems like they were using incremented integers as session codes, instead of using big randomly generated strings. Just doing this will make your system a lot more secure.

        As well as rather more scalable.
    • The web application detects no cookie is set, a RANDOM GUID is created and your IP address recorded in a database or session cache. The GUID is recorded in a cookie.

      For each subsequent page of the form, your cookie is transmitted and the application knows which partially complete record you're filling out, what page of the form you're on, and so forth (sessions in J2EE/PHP/ASP).

      Client-chosen GUIDs are unlikely to be valid. Any GUID in a cookie that exists but isn't coming from the right IP address is denied
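The session design in the post above (random token in a cookie, everything else server-side, client-chosen tokens and wrong-IP requests denied), together with CastrTroy's point about random strings versus incremented integers, as an added example. This is illustrative code written for the thread, not the passport site's or any poster's; the store, field names and the `now` parameter used to make expiry testable are assumptions.

```python
import secrets
import time


class SessionStore:
    """Server-side session table: the client holds only a random token in a
    cookie; the server holds the partially completed form, the issuing IP
    address and the creation time."""

    def __init__(self, ttl_seconds=1800):
        self._sessions = {}
        self.ttl = ttl_seconds

    def create(self, client_ip, now=None):
        # 32 random bytes (256 bits) from the OS CSPRNG. Unlike an incremented
        # integer, the neighbour of a valid token is not another valid token,
        # and the space is far too large to enumerate.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "ip": client_ip,
            "created": time.time() if now is None else now,
            "form": {},
        }
        return token

    def lookup(self, token, client_ip, now=None):
        """Return the form state for this token, or None if the token is
        unknown (client-chosen or forged), has expired, or arrives from a
        different IP than the one it was issued to. Every failure looks the
        same to the client."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        current = time.time() if now is None else now
        if current - entry["created"] > self.ttl:
            del self._sessions[token]
            return None
        if entry["ip"] != client_ip:
            return None
        return entry["form"]

    def save(self, token, client_ip, field, value, now=None):
        """Record one form field for the session; False if the session is
        not accepted by lookup()."""
        form = self.lookup(token, client_ip, now)
        if form is None:
            return False
        form[field] = value
        return True
```

The IP binding does what the post asks for, but note the trade-off: applicants whose address changes mid-session (mobile networks, large NAT pools) are silently logged out by it, so the token's unpredictability, not the IP check, is what carries the security of this design. Expiry is enforced at lookup time rather than by a background sweep, which keeps the example self-contained.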
  • by loraksus (171574) on Wednesday December 05, 2007 @08:46AM (#21583813) Homepage
    Basically the majority of all Canadian government projects go badly and go overbudget, not just a wee little bit, but by a lot - incompetence and lack of any accountability are systemic problems in virtually every government project. Corruption too.

    One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government project and "how stuff like this can happen", so bear with me for a bit.

    The registry was supposed to cost 2 million (with a M) dollars when it was "sold" in 2000. They've so far spent well over a billion (with a B) and the CBC was leaked documents from a reputable source that place the cost at 2 billion dollars. BTW, there are still fairly significant fees for the license and registration portion - paid by the person who wants to own the firearm.

    I'm honestly not sure who got / gets the money, but clearly, a (2?) billion (plus?) dollars goes to someone, and they are getting a sweet, sweet deal. It's basically a complete failure too - while numbers vary, there is a significant discrepancy between the number of guns registered and the number believed to be in Canada. A frequently quoted statistic is "just under 7 million registered while estimates from the '70s indicated ~10 million firearms in Canada"
    At this point, only one province (Quebec) will prosecute people who didn't register their firearms (the decision to prosecute is left to the province), there are substantial problems with the quality of the data in the database (to the point where a number of high profile police chiefs have called for its abolishment).
    Yes, we have 3 territories too, where firearm laws are pretty much ignored.

    Tying it in with this article - there are allegations that either the registry has been hacked - or (far more likely) some people with access to the registry are using the registry to find gun owners with large collections to rob. We've had a number of robberies of collectors homes recently.

    Other wonderful Canadian projects include buying dented (one apparently hit a whale) and leaking submarines from the UK for far more than they were worth, a quarter-million dollars for a sculpture made of guns, $100,000 for a book about dumb blondes, and $250,000 to sculpt the face of St. Jean the Baptist on a hillside in Quebec by cutting and planting trees - the list goes on and on.

    Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can. Nobody will get fired for this, and the folks who designed the passport site will continue to get contracts. I'd be willing to bet the same folks that did the gun registry worked on this project.
    • by Arimus (198136)

      "Basically the majority of all Canadian government projects go badly and go overbudget, not just a wee little bit, but by a lot - incompetence and lack of any accountability are systemic problems in virtually every government project. Corruption too."

      Fixed version:
      Basically the majority of all government projects go badly and go overbudget, not just a wee little bit, but by a lot - incompetence and lack of any accountability are systemic problems in every government project together with corruption and bri

      • "Basically the majority of all Canadian government projects go badly and go overbudget, not just a wee little bit, but by a lot - incompetence and lack of any accountability are systemic problems in virtually every government project. Corruption too."

        Fixed version: Basically the majority of all government projects go badly and go overbudget, not just a wee little bit, but by a lot - incompetence and lack of any accountability are systemic problems in every government project together with corruption

      • by mpe (36238)
        Canada is no different to the rest of the world. The majority of projects are run by bean counters who wouldn't know the correct solution if it jumped and bit them on the ass.

        IMHO they would better be called "idiots". Since any half way competent "bean counter" could at least count beans and stop things going completely over budget. i.e. pull the plug long before things were costing a thousand times the initial estimate.
    • Rumor was that the Gun Registry was implemented with Siebel CRM, a major contractor, and major hardware purchases.

      This fits with my theory that large bureaucracies, projects are intended to preserve or shift power structures, not to actually accomplish anything useful beyond a 10% improvement of what came before.

  • by Richard Kirk (535523) on Wednesday December 05, 2007 @08:56AM (#21583867)

    This is not just a moan - it is a serious question.

    In the UK, every large computer project since the Navy sponsored the Babbage engine seems to end up running hugely over budget and time, and often delivering nothing. Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little more than a mobile phone? The recent leak of disks with 25 million UK residents' personal information, most of which was not wanted by the people it was going to, was not removed because that was 'too labour intensive'. A few lines of perl, tops. If they want to send discs, then they can send discs of random numbers, and do one-time pad encryption. If you have a proper source of random numbers, then provided the discs arrive with the seals intact, they can send the actual data XORed with the one-time pad. Not exactly rocket science, any of this.

    The usual explanation is a lack of market forces. State projects tend to get offered to contractors with vetted personnel, contractors who have done similar projects before. If you have a military requirement then your choice is restricted to positively vetted people who don't mind working on such stuff. Certainly, in the UK, there seems to be a cosy relationship between the state and the contractors. I am not sure I altogether buy this explanation. If there really is a free market, then more talented people ought eventually to come to the top if the contracts are so lucrative,

    Perhaps the problem lies with the national interest. The UK government would have to prefer UK companies to overseas ones. Sometimes the competition has to come from outside a country. 20 years ago, prescription glasses used to be expensive and took a week to arrive. If you were going to the US, you could take your prescription, and get a pair made in an hour. Now you can get the same service in the UK. In the US, it is hard to get a mobile phone unlocked - it is looked on as illegal, but in the UK this is commonplace. In both cases, I don't think there was anything that was actively preventing competition: it just wasn't happening.

    • This tendency for computing projects in non-computing organizations to be "just barely functioning" is discussed by Joel Spolsky in a talk he gave to some students of CS at Yale recently: http://www.joelonsoftware.com/items/2007/12/03.html [joelonsoftware.com]

      Rings true to me.
    • All the good programmers go to work for private companies that pay more.
      • by HungWeiLo (250320)
        And all the sucky programmers go to work for government contracts that pay more in one year than one can earn in a typical private company job.

        Sad, but true.
    • The point is that in large bureaucracies, projects aren't actually supposed to DO anything. They're just supposed to alter the power structure (or preserve it).

      This game requires some way to keep score as to who has the power. That would be capital.

      "A few lines of Perl code" is not power in a bureaucracy's eye, because it doesn't require capital expenditure. Ninety consultants, over 6 months, with $250k in hardware, and a $50m annual operating expense budget -- now that's power.

      Anything that looks to re
    • In the UK, every large computer project since the Navy sponsored the Babbage engine seems to end up running hugely over budget and time, and often delivering nothing.

      At least in those days MPs weren't afraid to stand up and ask "Why have we paid Mr Babbage enough money for a couple of warships and ended up with a useless pile of cogs."

      Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little mo
  • We get "Service Alerts" with "helpful" information for how we're supposed to do business. Some of these "Service Alerts" contain information that, apparently, only certain people are supposed to know. As a result, they are password protected.

    If you save the webpage, the default filename that it will save as is also the password for the super-secret information.

    So, this story doesn't surprise me.
  • It's ASP.NET, which the Canadian Government has swallowed hook, line and sinker.

    And third-rate programmers using it.
    • by CastrTroy (595695)
      Could you please list a web development language that's invulnerable to idiot developers using non-random session ids? Yeah, I thought not. I guess it has nothing to do with ASP.Net after all.
      • Could you please list a web development language that's invulnerable to idiot developers using non-random session ids? Yeah, I thought not.


        ASP.NET is not a language.

        I guess it has nothing to do with ASP.Net after all.


        I guess it has to do with ASP.NET being a bloated encumbrance that is an obstacle to people's learning how to develop Web applications.

  • I mean, you can tell the real Canadians from the fakes ones easily enough. Just look for the plethora of Canadian flags sewn to their backpacks and bags.
  • OK, this is a simple two-part problem.

    1. Government IT workers are average at best. That is the very nature of their existence there. They tend to use old technology and they are definitely under-trained. The best IT workers don't need government benefits and security so they work for more money. Of course, even the average workers (heck the 80% and under mark) often don't understand these security issues. I'm pretty sure that none of the people on this project have CISSP certifications or even week-long se
  • by vinn01 (178295) on Wednesday December 05, 2007 @04:09PM (#21589227)

    I recall at least a couple cases of guys getting charged with hacking for altering URLs.

    I'm not sure that I would have reported this if I had discovered it. Your mileage may vary.
