Privacy Breach In Canadian Passport Application Site
Joanna Karczmarek sends us news of a massive privacy breach in the Government of Canada passport website. "A security flaw in Passport Canada's website has allowed easy access to the personal information — including social insurance numbers, dates of birth and driver's license numbers — of people applying for new passports. ... The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser."
Wonderful (Score:5, Interesting)
Re: (Score:3, Informative)
As for this security flaw, there was a similar one found a few months ago in the UK's own online visa applications system http://www.channel4.com/news/articles/business_money/online+visa+security+flaw/517157 [channel4.com] . Maybe they hired the same idiot programmers?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: Wait times??? (Score:2)
All you do is pay the extra fee for expedited processing, which anyone with a job can afford after a couple weeks savings.
Re: (Score:2)
I think we just found the reason why it takes so long without the fee.
Re: (Score:2)
Well, of course, with your incredibly shrinking small-dicked dollar, you probably can't afford to go anywhere else.
And why would anyone want to visit Vienna, and sit through Mass at St. Stephen's, built over 1,000 years ago? Or visit Rome, look at the ruins of the Colosseum, and wonder how the hell that was built without any power tools at all? Eat sardines quay-s
Re: (Score:2)
Ugly American is an epithet used to refer to perceptions of arrogant, demeaning, thoughtless behaviors of Americans at home or abroad. The term originated as the title of a 1958 book by authors William Lederer and Eugene Burdick, The Ugly American.
From the Washington Post, July 13, 2004, regarding Michael Moore:
In the international online media, the pudgy filmmaker from Flint, Michigan, is often seen as all too American. He is more th
Trash the World (Score:4, Funny)
2...
1...
Breaking News, a L33t Canadian Hacker broke into a national security site, stealing millions of Dollars worth of personal information.
No word yet on any arrests.
More at 11.
31337 h4x0r (Score:4, Funny)
http://www.freedom-to-tinker.com/index.php?p=780 [freedom-to-tinker.com]
http://www.tjmcintyre.com/2005/06/morris-tribunal-learns-pitfalls-of.html [tjmcintyre.com]
http://blogs.zdnet.com/threatchaos/?p=464 [zdnet.com]
Any site that documents these breaches? (Score:2)
Re: (Score:3, Funny)
Bad Monkey!!!! (Score:3, Funny)
Re:Bad Monkey!!!! (Score:5, Funny)
Re: (Score:3, Insightful)
This is such a simplistic error - it means that there are more simplistic errors hiding in the website as well, not only this one.
passport security is so important, why don't they audit the website BEFORE it goes live?
--jeffk++
Re: (Score:3, Insightful)
passport security is so important, why don't they audit the website BEFORE it goes live?
Because those directly responsible for the bad design have little, if any, liability for screw up. They aren't out any money. Their information isn't public/stolen. They don't face jail time, and it's unlikely their career will take any real hit assuming they can be identified at all.
BTW, it *may* not be the coders that are responsible for the bad design. More than once I've been directly ordered by my past bosses
Re: (Score:3, Interesting)
Having previously worked there (the Passport Office), and it's probably the same in every other government branch, I think the big dumb gaping hole comes from outside consultants. Someone applying for a tenured job has to go through various screening processes, and while the screening isn't super-duper, it's still better than nothing. Consultants only need to win a bidding war (if at all), and of course the people who bid low o
Re:Bad Monkey!!!! (Score:5, Insightful)
Option A and B: A & B achieve identical functionality but B comes with an enormous security breach. Implementing A costs one million dollars more than implementing B.
WWDPHBD? [What Would Dilbert's Pointy Haired Boss Do?]
Re: (Score:2)
Re: (Score:2)
Can anyone name a government which doesn't
Re: (Score:2)
Sounds like some web monkey needs a beating....
While some grade D web monkey made a fundamental mistake, you have to look towards management for this. Or it will happen again. Where was the pen testing? Peer code review? Design review? (Assuming it was designed and not hacked).
I am NOT a government insider but have visited the government web sites enough to know how its I/T operates. It is operated by department level politics and fragmented so bad it has no effective leader or policies. Sort of l
Incompetence! (Score:2)
But after the website resumed operation yesterday afternoon, a few keystrokes sufficed to reveal some of the personal information of passport applicants, including names, addresses and numbers for references and emergency contacts
HAHA! "URL HACKING" is easy to protect against. Maybe they've gone so high tech in security
Re: (Score:2)
Heh, I'm responsible for internal testing, and when I find such things, even our internal developers usually say: 'who cares'
Re: (Score:2)
Re: (Score:2)
Not so much a security flaw as it is incompetence. How could the developers miss this? Oh, here's the sweet part. They said the flaw was repaired on Friday. And from the article...
And absolutely nothing in the management process to stop it.
Code reviewed, probably not.
Code designed, not likely,
Security risk assessment, obviously not.
Formal security model reviewed? Not likely.
Project management? Incompetent.
Software design process, absent.
Specifications document? Probably not.
Pen testing, obviousl
Re: (Score:2)
If things are set up sensibly in the first place the only thing anyone knowing these details should be able to do is contribute to your income tax/state pension. On the other hand they have no relevance to passports...
Re: (Score:2)
Incompetence is the cause, security flaws are one of the results.
HAHA! "URL HACKING" is easy to protect against. Maybe they've gone so high tech in security they totally passed on the low tech?
Most likely the underlying reason is that the whole process of assigning and managing government IT projects is fundamentally broken. (I don't just mean in Canada either.)
I'm not surprised (Score:3, Funny)
Well you did say it was a government contract.
Comment removed (Score:5, Informative)
Re: (Score:2, Insightful)
The evolutionary nature of the web has led to such technologies that just don't mesh well with one another. Bring SQL and JavaScript into the mix, and now you can be mixing four or five different languages in one web application. Most developers don't
Re: (Score:2)
I make a living out of building exactly these kind of applications for major international banks and I simply wouldn't get hired if I didn't know about the above.
Thing is that it's generally possible for customers to change their bank without having to change everything else. When it comes to changing your government things are a lot more tricky. Generally moving is a requ
Server Side Scripting == Security (Score:2, Insightful)
...and the idea that 3 and 4 are separate and distinct is probably what caused this whole problem in the firs
Re: (Score:2)
The underlying idea is that no one person or group is responsible for everything. This should ensure that nobody works beyond their abilities.
Re: (Score:2)
Re: (Score:2)
Especially if the person deciding how things were split up didn't know what they were doing and/or the group to put things together was under resourced.
Re:Wow (Score:5, Funny)
Irresponsible name to have these days.
Re:Wow (Score:5, Informative)
Re: (Score:3, Interesting)
I've always wondered quite how far into unpronounceability (and indeed unprintability) names are allowed to venture. Merely giving your child a name with a formfeed in it would probably cause chaos enough.
I've also long wondered what the perpetrators of these text-string-passing SQL bindings were on. That's an 'idea' that just isn't one!
Re: (Score:2)
Re: (Score:2)
It depends on the country. IIRC there are countries which have lists of approved names, which of course only apply to citizens.
Another issue is where translating someone's name into another language e.g. Arabic to English is a one to many operation. As well as all the common IT issues of assuming names c
Re: (Score:2)
Re: (Score:2)
No. Basically the majority of all Canadian government projects go badly and go overbudget, not just a wee little bit, but a whole metric fuckload - incompetence and lack of any accountability are systemic problems in virtually every government project. Possibly even corruption.
One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government p
Re: (Score:2)
Government? While I'm all in favour of blaming our elected overlords - this is what happens when you give a big contract to CGI. A simple task, much like the nationwide vehicle registry, all they had to do was take the source, file off 'Make
Re: (Score:2)
But probably far less than they cost the British taxpayers.
$100,000 for a book about dumb blondes
Wonder if there's a book about dumb politicians. Maybe they could be persuaded to all dye their hair blonde
Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can.
Replace "Canadian
Re: (Score:2)
Maybe, but Canada really only got 3 subs (for the price of 4) since one had to be stripped for parts. One man also died and 8 were injured when a fire broke out a couple miles off the coast of the UK.
Pretty sure we got "proper fucked" on that one.
Re: (Score:2)
I disagree. That's the ugly (and wrong, in my opinion) way of doing it. I think the better approach is having nice, concise, meaningful strings (http://blah.com/info/?uid=200 is just fine). *BUT*, you authenticate your session with a login (or other authentication) cookie (and do it over an HTTPS session).
Long complicated strings are almost an ugly security through obscurity approach; requiring login creden
Re: (Score:2)
Re: (Score:2)
There are undoubtedly cases where it's not necessary, and the cookie can carry all the state, but I think that actually leads to *more* confusion. (If someone is left logged in, and you go to your favorite bookmark, seeing their stuff
Re: (Score:2)
Re: (Score:2)
We are talking government IT here. The Canadian government appears to be caught in a "race" with the US and British Governments to make the most possible mistakes when it comes to the security of their IT systems... (No doubt the Aussies will be joining in soon, now that they have got an election out of the
fixed AND old news. (Score:3, Informative)
Re: (Score:3)
As an aside, I see we are dealing with yet another IIS server. What is it with IIS installations and dodgy security?
Re:fixed AND old news. (Score:4, Funny)
Re: (Score:2)
You are either trolling or know nothing of web security. This kind of vulnerability is caused by a lack of code in the web application - it has nothing to do with the web server or platform. There should be code present to check that the credentials of the logged on user are valid to access the data that is requested - in this case that code is missing.
It is a very common vulnerability and is the fault of the web developers who wrote and tested the code, this class of vulnerability can exist on any platform from IIS to PHP on Apache to JSP on proprietary platforms.
I know this type of problem can occur on any platform. But the fact remains that most security fubars this year have occurred on IIS hosted sites. I suspect it's something to do with the type of organisation that defaults to solutions peddled by the big vendors, I.E. organisations with weak IT departments.
Re: (Score:2)
Yeah - but weird things start coming up when you change the ref=rss to ref=rsr.
Basic Encryption? (Score:3, Interesting)
Re:Basic Encryption? (Score:4, Interesting)
Re: (Score:2)
Encryption probably wouldn't help here. Since the people involved probably don't have the first clue how to use it effectively.
From what I understand, it seems like they were using incremented integers as session codes, instead of using big randomly generated strings. Just doing this will make your system a lot more secure.
As well as rather more scalable.
No, it's much simpler than that. (Score:2)
For each subsequent page of the form, your cookie is transmitted and the application knows which partially complete record you're filling out, what page of the form you're on, and so forth (sessions in J2EE/PHP/ASP).
Client-chosen GUIDs are unlikely to be valid. Any GUID in a cookie that exists but isn't coming from the right IP address is denied
Wish we could say this was unique. (Score:3, Interesting)
One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government project and "how stuff like this can happen", so bear with me for a bit.
The registry was supposed to cost 2 million (with a M) dollars when it was "sold" in 2000. They've so far spent well over a billion (with a B) and the CBC was leaked documents from a reputable source that place the cost at 2 billion dollars. BTW, there are still fairly significant fees for the license and registration portion - paid by the person who wants to own the firearm.
I'm honestly not sure who got / gets the money, but clearly, a (2?) billion (plus?) dollars goes to someone, and they are getting a sweet, sweet deal. It's basically a complete failure too - while numbers vary, there is a significant discrepancy between the number of guns registered and the number believed to be in Canada. A frequently quoted statistic is "just under 7 million registered while estimates from the '70s indicated ~10 million firearms in Canada"
At this point, only one province (Quebec) will prosecute people who didn't register their firearms (the decision to prosecute is left to the province), there are substantial problems with the quality of the data in the database (to the point where a number of high profile police chiefs have called for its abolishment).
Yes, we have 3 territories too, where firearm laws are pretty much ignored.
Tying it in with this article - there are allegations that either the registry has been hacked - or (far more likely) some people with access to the registry are using the registry to find gun owners with large collections to rob. We've had a number of robberies of collectors homes recently.
Other wonderful Canadian projects include buying dented (one apparently hit a whale) and leaking submarines from the UK for far more than they were worth, a quarter-million dollars for a sculpture made of guns, $100,000 for a book about dumb blondes, and $250,000 to sculpt the face of St. Jean the Baptist on a hillside in Quebec by cutting and planting trees - the list goes on and on.
Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can. Nobody will get fired for this, and the folks who designed the passport site will continue to get contracts. I'd be willing to bet the same folks that did the gun registry worked on this project.
Re: (Score:2)
Fixed version:
Basically the majority of all government projects go badly and go overbudget, not just a wee little bit, but by a lot - incompetence and lack of any accountability are systemic problems in every government project together with corruption and bri
Re: (Score:2)
Re: (Score:2)
IMHO they would better be called "idiots". Since any half way competent "bean counter" could at least count beans and stop things going completely over budget. i.e. pull the plug long before things were costing a thousand times the initial estimate.
Re: (Score:2)
This fits with my theory that large bureaucracies, projects are intended to preserve or shift power structures, not to actually accomplish anything useful beyond a 10% improvement of what came before.
Re: (Score:2)
It is nothing of the sort. ABSOLUTELY ALL of this information is correct. Whether or not you believe a national database of firearms will actually reduce firearms deaths does not factor in here.
Government incompetence was not the only factor for sure--there were political considerations, but it was NOT the federal Conservative party that derailed the project i
Why are state computing projects always like this? (Score:5, Interesting)
This is not just a moan - it is a serious question.
In the UK, every large computer project since the Navy sponsored the Babbage engine seems to end up running hugely over budget and time, and often delivering nothing. Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little more than a mobile phone? The recent leak of disks with 25 million UK residents' personal information, most of which was not wanted by the people it was going to was not removed because that was 'too labour intensive'. A few lines of perl, tops. If they want to send discs, they can send discs of random numbers, and do one-time pad encryption. If you have a proper source of random numbers, then provided the discs arrive with the seals intact, they can send the actual data XORed with the one-time pad. Not exactly rocket science, any of this.
The usual explanation is a lack of market forces. State projects tend to get offered to contractors with vetted personnel, contractors who have done similar projects before. If you have a military requirement then your choice is restricted to positively vetted people who don't mind working on such stuff. Certainly, in the UK, there seems to be a cosy relationship between the state and the contractors. I am not sure I altogether buy this explanation. If there really is a free market, then more talented people ought eventually to come to the top if the contracts are so lucrative,
Perhaps the problem lies with the national interest. The UK government would have to prefer UK companies to overseas ones. Sometimes the competition has to come from outside a country. 20 years ago, prescription glasses used to be expensive and took a week to arrive. If you were going to the US, you could take your prescription, and get a pair made in an hour. Now you can get the same service in the UK. In the US, it is hard to get a mobile phone unlocked - it is looked on as illegal, but in the UK this is commonplace. In both cases, I don't think there was anything that was actively preventing competition: it just wasn't happening.
Re:Why are state computing projects always like th (Score:2)
Rings true to me.
Re:Why are state computing projects always like th (Score:3, Insightful)
Re: (Score:2)
Sad, but true.
Computer projects have become tools of bureaucracy (Score:2)
This game requires some way to keep score as to who has the power. That would be capital.
"A few lines of Perl code" is not power in a bureaucracy's eye, because it doesn't require capital expenditure. Ninety consultants, over 6 months, with $250k in hardware, and a $50m annual operating expense budget -- now that's power.
Anything that looks to re
Re:Why are state computing projects always like th (Score:2)
At least in those days MPs weren't afraid to stand up and ask "Why have we paid Mr Babbage enough money for a couple of warships and ended up with a useless pile of cogs."
Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little mo
Re: (Score:2)
I worked for the MoD, but a while ago now. It was very difficult to get equipment from non-UK suppliers if a UK supplier existed, with one or two strange exceptions. HP somehow got recognized as 'reliable' so you could ask for HP computers or calculators. probably one of the Men in Suits, who did
Where I work (Score:2)
If you save the webpage, the default filename that it will save as is also the password for the super-secret information.
So, this story doesn't surprise me.
ASP.NET (Score:2)
And third-rate programmers using it.
Re: (Score:2)
Re: (Score:2)
ASP.NET is not a language.
I guess it has to do with ASP.NET being a bloated encumbrance that is an obstacle to people's learning how to develop Web applications.
No worries, eh... (Score:2)
Average workers? Fire them all!! (Score:2)
OK, this is a simple two-part problem.
Altering a URL is hacking (Score:3)
I recall at least a couple cases of guys getting charged with hacking for altering URLs.
I'm not sure that I would have reported this if I had discovered it. Your mileage may vary.
Re: (Score:2)
Re:25% of Canadians not born in Canada. (Score:4, Funny)
I wouldn't say Americans are that bad at English...
Re: (Score:2)
The problem is not knowing when it's proper to insert "eh", and not always making things like "about" sound like "aboot".
There's a lot more that goes into sounding Canadian than just making your whole head flap.
Re:25% of Canadians not born in Canada. (Score:5, Informative)
I work at a company with fifteen employees, representing eight distinct nationalities and we operate in perfect harmony. This place is not anomalous; I have lived through several similar situations at other companies.
However, I am also a sample of one. Let us look at statistics. Immigration accounted for two-thirds of Canada's population growth in 2006/2007 (http://www.statcan.ca/Daily/English/070927/d070927a.htm/ [statcan.ca]) and has always been a significant contributor to our population (http://www40.statcan.ca/l01/cst01/demo03.htm?sdi=population%20growth/ [statcan.ca]).
Does this trend pose difficulties? Certainly. However, were such a policy not embraced by the majority of Canadians, it certainly would not persist. The tolerance is real. Join us and see for yourself.
Re: (Score:2)
You make excellent points. Indeed, I am a sample of 'one' but the number of people I have met is much larger than just 'one', in fact during the 5 years I have spent in Canada I have probably met several thousand people. And it's true that not all of them are bigots, but by far the majority of the 'real Canadians' that I have met would definitely fit that category. More so outside of the major population centers than in them (most experience with Toronto and M
Re: (Score:2)
You know something... now that I pause to think about it for a moment, my company probably represents a comparable number of nationalities, but I had never really considered it before.
I won't suggest that attitude is universal, but to me at least, that is what it means to be Canadian.
Re: (Score:2)
Re: (Score:3, Insightful)
Re:.aspx (Score:4, Informative)
Never, ever, trust data provided by the user. If there's potential to cause trouble, somebody will do it, which is why the site should have been keeping track of whose application was being filled out on the server, probably in a session variable.
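The server-side check that several comments above call for (validate the requested record against the logged-on session, and issue random rather than incrementing session identifiers), shown beside the unchecked lookup, as an added example that is not part of the thread or of Passport Canada's code. The record layout, function names, sample data and HTTP status codes are assumptions made for illustration.

```python
import secrets

# Constructed sample data: two applicants' draft applications, keyed by a
# sequential integer id of the kind exposed in a URL (e.g. ?id=1001).
APPLICATIONS = {
    1001: {"owner": "alice", "sin": "000-000-001", "dob": "1970-01-01"},
    1002: {"owner": "bob", "sin": "000-000-002", "dob": "1980-02-02"},
}

# Server-side session table: random token -> state that never leaves the server.
SESSIONS = {}


def login(user):
    """Create a session with an unguessable token (24 bytes from the CSPRNG)."""
    token = secrets.token_urlsafe(24)
    own_ids = {i for i, a in APPLICATIONS.items() if a["owner"] == user}
    SESSIONS[token] = {"user": user, "application_ids": own_ids}
    return token


def view_vulnerable(query_id):
    """The flaw described in the story: the id from the URL is trusted as-is."""
    record = APPLICATIONS.get(int(query_id))
    return (200, record) if record else (404, None)


def view_checked(cookie_token, query_id):
    """Same lookup, but the requested id must belong to the session's user."""
    session = SESSIONS.get(cookie_token)
    if session is None:
        return 401, None  # unknown or guessed token: not authenticated
    try:
        app_id = int(query_id)
    except (TypeError, ValueError):
        return 400, None  # malformed id supplied by the client
    if app_id not in session["application_ids"]:
        # Same answer for "exists but not yours" and "does not exist",
        # so responses cannot be used to enumerate valid ids.
        return 404, None
    return 200, APPLICATIONS[app_id]


def demo():
    """Status codes for one logged-in user requesting various ids."""
    alice = login("alice")
    return {
        "vulnerable_other": view_vulnerable("1002")[0],
        "checked_own": view_checked(alice, "1001")[0],
        "checked_other": view_checked(alice, "1002")[0],
        "checked_missing": view_checked(alice, "9999")[0],
        "guessed_session": view_checked("1", "1001")[0],
        "malformed_id": view_checked(alice, "1001'--")[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: HTTP {status}")
```
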
Re: (Score:2)
But I prefer exposing parameters and ID, and check for validity when parsing the request so that a hacker would need to hijack the session to perform any operation.
Re: (Score:2)
No it's incredibly shoddy coding that could be done on any platform.
Eh, I wouldn't be so quick to condemn, as your encryption system doesn't look too strong, either. It would take more effort to break it than plain text, but I can see at least two fatal flaws in it that could be exploited with a little bit of effort. I hope you're not using it to secure anything critical.
Your best bet is to generate a random GUID and use that to identify the user. Any data you don't want to be tampered with, such as usernames or access rights, you shouldn't let out of the server, even in a
Re: (Score:2)
1. IIS won't run on Win ME.
2. This sort of security hole could just as easily happen on any web platform - ASP, PHP,
Re:Accidentally on purpose (Score:4, Funny)
Re: (Score:2, Informative)
Re: (Score:2, Interesting)
Re: (Score:2)
I would put my finger on Government security. Public services are low funded operation that don't have all the right resources at the right place. And most of the time, I would say that the staffing have their hands tied because of management policies. Nough said!
Did you not mean out of control, over funded and incompetently managed including kickbacks?
With government, it is all about priorities and political will. Resources, the Canadian government has plenty, but why run a tight ship when every depart
Re: (Score:3, Insightful)
Havi
Re: (Score:3, Insightful)
Re: (Score:2)
And this is different from a private sector job?
I've worked in both public and private sector long enough to know that there is negligible difference in productivity or waste between the two.
During my time at the Dept of Tran
Re: (Score:2)
Such "initiatives" are only any good if they are followed and actually meaningful in the first place.
If the same bunch of fools are involved in both managing projects and drawing these up then it's unlikel