Security

Privacy Breach In Canadian Passport Application Site 197

Joanna Karczmarek sends us news of a massive privacy breach in the Government of Canada passport website. "A security flaw in Passport Canada's website has allowed easy access to the personal information — including social insurance numbers, dates of birth and driver's license numbers — of people applying for new passports. ... The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser."
This discussion has been archived. No new comments can be posted.

  • Wonderful (Score:5, Interesting)

    by Grey_14 ( 570901 ) on Wednesday December 05, 2007 @06:31AM (#21583145) Homepage
    Odds are, lots of people are applying for passports nowadays too, since apparently we Canadians need them to cross the border into americaland in the near future.
  • what's being done (Score:1, Interesting)

    by Anonymous Coward on Wednesday December 05, 2007 @07:39AM (#21583463)
    Like many institutions, the Canadian government has their own security initiative: MITS (Management of Information Technology Security [tbs-sct.gc.ca]). It aims specifically at being proactive at safeguarding information and IT systems. It is mandatory for all systems to be certified before they are put into production. It would appear that MITS compliance doesn't mean the system is hacker proof or that there are no bugs. To be more effective, I hope there will be something added to this policy in order to better test applications and not to simply be a paper exercise. Apparently they were able to address the problem rather quickly.
  • Basic Encryption? (Score:3, Interesting)

    by LaskoVortex ( 1153471 ) on Wednesday December 05, 2007 @08:11AM (#21583649)
    I'm guessing the database the info comes from is not even encrypted. One could come up with half-a-dozen schemes to prevent this. Here's one: every sensitive record in the database is encrypted with a unique key that is mapped to each session via a very long random number generated on a per-session basis. This random number would be used to decrypt the information in the database (combining, of course, with a server-side key to reconstruct a "permanent key"). So each client-side key would be able to decrypt one and only one sensitive record, making a one-session to many-record scenario impossible. Key-pairs would be generated on a per-session basis from a database of permanent keys that are themselves encrypted and served by a key server. I hereby patent this protocol. Please send me money if you use it or I will sue you.
  • by loraksus ( 171574 ) on Wednesday December 05, 2007 @08:46AM (#21583813) Homepage
    Basically the majority of all Canadian government projects go badly and go overbudget, not just a wee little bit, but by a lot - incompetence and lack of any accountability are systemic problems in virtually every government project. Corruption too.

    One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government project and "how stuff like this can happen", so bear with me for a bit.

    The registry was supposed to cost 2 million (with a M) dollars when it was "sold" in 2000. They've so far spent well over a billion (with a B) and the CBC was leaked documents from a reputable source that place the cost at 2 billion dollars. BTW, there are still fairly significant fees for the license and registration portion - paid by the person who wants to own the firearm.

    I'm honestly not sure who got / gets the money, but clearly, a (2?) billion (plus?) dollars goes to someone, and they are getting a sweet, sweet deal. It's basically a complete failure too - while numbers vary, there is a significant discrepancy between the number of guns registered and the number believed to be in Canada. A frequently quoted statistic is "just under 7 million registered while estimates from the '70s indicated ~10 million firearms in Canada"
    At this point, only one province (Quebec) will prosecute people who didn't register their firearms (the decision to prosecute is left to the province), there are substantial problems with the quality of the data in the database (to the point where a number of high profile police chiefs have called for its abolishment).
    Yes, we have 3 territories too, where firearm laws are pretty much ignored.

    Tying it in with this article - there are allegations that either the registry has been hacked - or (far more likely) some people with access to the registry are using the registry to find gun owners with large collections to rob. We've had a number of robberies of collectors' homes recently.

    Other wonderful Canadian projects include buying dented (one apparently hit a whale) and leaking submarines from the UK for far more than they were worth, a quarter-million dollars for a sculpture made of guns, $100,000 for a book about dumb blondes, and $250,000 to sculpt the face of St. Jean the Baptist on a hillside in Quebec by cutting and planting trees - the list goes on and on.

    Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can. Nobody will get fired for this, and the folks who designed the passport site will continue to get contracts. I'd be willing to bet the same folks that did the gun registry worked on this project.
  • by Richard Kirk ( 535523 ) on Wednesday December 05, 2007 @08:56AM (#21583867)

    This is not just a moan - it is a serious question.

    In the UK, every large computer project since the Navy sponsored the Babbage engine seems to end up running hugely over budget and time, and often delivering nothing. Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little more than a mobile phone? The recent leak of disks with 25 million UK residents' personal information, most of which was not wanted by the people it was going to, was not removed because that was 'too labour intensive'. A few lines of perl, tops. If they want to send discs, they can send discs of random numbers, and do one-time pad encryption. If you have a proper source of random numbers, then provided the discs arrive with the seals intact, they can send the actual data XORed with the one-time pad. Not exactly rocket science, any of this.

    The usual explanation is a lack of market forces. State projects tend to get offered to contractors with vetted personnel, contractors who have done similar projects before. If you have a military requirement then your choice is restricted to positively vetted people who don't mind working on such stuff. Certainly, in the UK, there seems to be a cosy relationship between the state and the contractors. I am not sure I altogether buy this explanation. If there really is a free market, then more talented people ought eventually to come to the top if the contracts are so lucrative.

    Perhaps the problem lies with the national interest. The UK government would have to prefer UK companies to overseas ones. Sometimes the competition has to come from outside a country. 20 years ago, prescription glasses used to be expensive and took a week to arrive. If you were going to the US, you could take your prescription, and get a pair made in an hour. Now you can get the same service in the UK. In the US, it is hard to get a mobile phone unlocked - it is looked on as illegal, but in the UK this is commonplace. In both cases, I don't think there was anything that was actively preventing competition: it just wasn't happening.

  • Re:Basic Encryption? (Score:4, Interesting)

    by CastrTroy ( 595695 ) on Wednesday December 05, 2007 @09:50AM (#21584191)
    I think the problem doesn't even go as far as encryption. From what I understand, it seems like they were using incremented integers as session codes, instead of using big randomly generated strings. Just doing this will make your system a lot more secure. It doesn't really matter if the information is encrypted on the back end. If you can guess the session code (by incrementing your own by 1), then you effectively become that user, and it doesn't matter if the data is encrypted in the database or not. Likely, the only thing encrypting the actual data would counter against is an internal attack. However, you'd still need to have a table somewhere linking the user session to the data encryption key. You could probably encrypt this table with some secret machine key, but still the data would be readable. You could probably make the internal hacker run around in circles to get the data, but you wouldn't really be too effective in stopping them.
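
The contrast drawn in the comment above, as an added example that is not part of the original post or the Passport Canada code: a session store that issues either incrementing integer codes or long random tokens, with a server-side check that a session may only read the application it is bound to. The class, function names and sample records are hypothetical and constructed for illustration.

```python
import secrets

# Constructed sample records; identifiers and values are made up for illustration.
APPLICATIONS = {
    "A-1": {"applicant": "alice", "dob": "1970-01-01"},
    "A-2": {"applicant": "bob", "dob": "1980-02-02"},
}


class SessionStore:
    """Maps a session code to the one application it may read."""

    def __init__(self, sequential):
        self.sequential = sequential
        self._counter = 1000
        self._bound = {}  # session code -> application id

    def create(self, app_id):
        if self.sequential:
            # Weak: the next code is always the previous one plus 1.
            self._counter += 1
            code = str(self._counter)
        else:
            # 32 bytes from the OS CSPRNG: neighbouring codes reveal nothing.
            code = secrets.token_urlsafe(32)
        self._bound[code] = app_id
        return code

    def fetch(self, code, requested_app_id):
        """Return the record only if this session is bound to that application."""
        app_id = self._bound.get(code)
        if app_id is None or app_id != requested_app_id:
            return None  # unknown session, or a session asking for another record
        return APPLICATIONS[app_id]


def neighbour_guess_succeeds(store):
    """Regression check: does 'my code + 1' resolve to someone else's session?"""
    mine = store.create("A-1")
    store.create("A-2")  # another applicant starts a session right after
    try:
        guess = str(int(mine) + 1)
    except ValueError:
        return False  # code is not numeric, so there is no 'next' value to try
    return store.fetch(guess, "A-2") is not None
```

The check in `fetch` is what stops a valid session from reading a record named in the URL that it does not own; the random token only stops sessions themselves from being guessed.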
  • Re:Wow (Score:3, Interesting)

    by porpnorber ( 851345 ) on Wednesday December 05, 2007 @10:33AM (#21584565)

    I've always wondered quite how far into unpronounceability (and indeed unprintability) names are allowed to venture. Merely giving your child a name with a formfeed in it would probably cause chaos enough.

    I've also long wondered what the perpetrators of these text-string-passing SQL bindings were on. That's an 'idea' that just isn't one!

  • Re:Bad Monkey!!!! (Score:3, Interesting)

    by billcopc ( 196330 ) <vrillco@yahoo.com> on Wednesday December 05, 2007 @11:03AM (#21584869) Homepage
    Consultants. Consultants. Consultants. Consultants. Consultants. *throws chair*

    Having previously worked there (the Passport Office), and it's probably the same in every other government branch, I think the big dumb gaping hole comes from outside consultants. Someone applying for a tenured job has to go through various screening processes, and while the screening isn't super-duper, it's still better than nothing. Consultants only need to win a bidding war (if at all), and of course the people who bid low on contracts tend to be the people who aren't worth their carbon in the first place (because good consultants typically aren't desperate).

    Now I only had a tangential involvement with "big IT", but they seemed to have a mostly healthy bunch of skilled techies, at least the ones I cared to know ;) Those guys did what they could, but it always seemed like they were getting trumped by outsiders. I know nothing about the contracting processes, but there was clearly a tendency to outsource all the big stuff while the in-house staff handled maintenance and other "little jobs". Maybe that's just how they do things, but it always struck me as inefficient and insecure. As far as I know, there were never any in-house code audits - else they would have publicly executed all the contractors IMHO.

    Now again, I wasn't involved in this particular app, I was in a support department. Maybe it was different for the production staff. I'm not necessarily saying that the zillion-dollar system that handles passports was coded in VB by a bunch of Volvo-driving ignorants, but I wouldn't be surprised if that were true, either. It's just far too easy to screw the government, because there's no real boss, just a bunch of PHBs trying to cover their asses.
  • by Nos. ( 179609 ) <andrewNO@SPAMthekerrs.ca> on Wednesday December 05, 2007 @11:09AM (#21584915) Homepage
    Canadian students rank third in the world in science: http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20071204/pisa_test_071204/20071204?hub=SciTech [www.ctv.ca] (USA rated in at 29th)
