Privacy breach nuked in Canadian passport site

Didn't they have this

same problem a while back with a phone surveillance company. I can't remember the name of them but they somehow snooped on a phone for you and put the data online and by changing the URL you could look at others data as well.Of course you need authentication at every request otherwise you could write a script and clean them out (mirror their database). By now every ID thief in Canada has a copy.

That hack has been

Around for a long time. You go to an interesting web site and look at the address bar and notice that it is four or five dep in to the site. So you start removing each link from the address to see where it takes you. And allot of sites just let you in to the previous area with no problem.

I have had some interesting finds on .gov and .edu sites and the other sites I like to go to.

Bank security challenge/response

On a closely related issue... Nationwide have decided to ask their on-line users to assist with improving security by asking them to volunteer some personal information, which can then be requested for additional verification. They ask one to supply answers to 5 out of 20 questions such as "what is your favourite song" or "what is/was the name of your first pet animal" etc...

I had an account with a bank which recently imposed a new set of challenge/response questions. There were a large set of questions to choose from, with 5 required. But I couldn't find 5 that applied to me, because most of them were "favorite author" or "favorite book" or something like that. These are supposed to be things that never change, but "favorites" can change anytime. The only thing I could do (besides complaining, which I did) was to select 5 favorites, with totally obvious but nonintuitive answers. My favorite book was "book" and so on.

They did eventually change their system, but now they've been bought out by another bank (after failing to maintain profitability).

From what I can see

It's not fixed yet. I'm just thankful my information doesn't seem to be up there, but I suspect when it comes time to renew my passport it'll still be a problem.

Really when has any government from any country actually 'wasted' any time on actually doing something intelligent like securing it's public IT infrastructure?

Passport Canada

The former Liberal government in Canada created this passport mess and had a pretty wide open (feed the world) immigration policy. The current minority Conservative government are on damage control but haven't had the type of problems that France , for example, has been experiencing what with all their immigrants (ah, excuse me) new citizens rioting in the streets. The Conservatives have introduced some new identity legislation but it's going to take some time to implement the changes. Hopefully before another Terrorist attack. A stronger case for BIOmetric passports in the NEW WORLD ORDER police state seems to be just around the corner and coming soon to a border near you. Origin of birth should soon become a helpful defining statistic in assisting those in authority define/choose Friend or Foe status. Your Freedom is worth defending.

Happy Holidays.

Since the article didn't explicitly say...

Please don't tell me that all this required was changing the ID on the query string? Jesus F***ing Christ...........

Whether it was that or something else, I don't know which is worse - that someone made an error that you wouldn't expect to see from a school kid, or that 'Passport Canada' didn't notice...

bank security

I'm with a great online bank that as far as I'm concerned is so far behind with the times it's login page (Asking for all details) is still on a single page and is has freetext textfields, thus any muppet with a key logger can break it. Considering HSBC got such a big rap about their security, I was surprised that before they got the rap this bank was still using worse login security and maintains doing so today

Politicians are too bullish with the upside

I dont think anyone here could doubt the benefits gained from well implemented computer systems in delivering consistent, constantly available services to people when they are needed.

Governments only ever consider this aspect of them.

Whereas we all know that there is a serious effort expended in developing these applications, running them and making sure they are fixed when problems occur.

This is the aspect that is ignored by governments, that to create the systems they want costs large sums of money. The companies bidding for this work, should that be company ?, has a historic record of failure, for under specifying function and resource requirements, to make the bid more palatable to the chancellor. They just wait for a change request, and then hit for the rest of the money that should have been committed in the first place.

When the government finds it embarrassing to admit they have been duped again they try to bury it or try to get along with a crippled application which is not fit for purpose.

I have been fiddling directly with urls for 13 years now, since I first started using the web. I would have thought that everyone would have known that people can type their own addresses into the address bar and see where it leads. There was a chat site that you could easily get into rooms unnoticed, and watch what people were saying to each other, the room list was obtained by causing an error, so it sent a large file, which mixed in with all manner of strange characters contained the private rooms that had been created. Just select a room name, type it into the url and you were in, easy.

To find a government site, even a foreign government, exposing personal information to anyone using this technique is absolutely disgraceful. They demand personal information, under threat of prison if not provided, and then go tell anyone who cares to look all about you. It really is time for data protection officers to have proper budgets and to start prosecuting people, including systems suppliers, for providing insecure systems which do not protect personal data.

Now.....

Someone mentioned Biometrics......

They always argue that the odss are ????????????:1 of someone having identical fingerprints etc.; so they must be unique. As I see it basic maths dictate that everyone must be checked in order to guarantee that it is unique because there is also a chance that they are all identical.

Very sloppy and wide open arguement follows but the odds of winning the european lottery are said to be in excess of 70,000,000:1 but I seem to recall that at one time something like 8 individuals had the jackpot numbers.

Strange things odds!

Would anyone seriously like to look at the logic and tell me I am wrong so that we can guarantee that no one else shares my fingerprints, DNA or Iris scan before I get sent to prison for something I didn't do.

Unforgivable ...

I am neither shocked nor surprised at this colossal screw up by my Government's Bureaucracy.

@Jeremy - the articles say it was as easy as altering the URL.

"an Ontario man applying online for a passport last Thursday discovered he could access personal information - such as social insurance numbers, birthdates and driver's licence numbers - of other applicants by altering one character in the Internet address displayed by his Web browser."[1] - URL manipulation

"Mr. Lengelle added that the personal information of applicants is never stored online."[1] - is either totally clueless, calling the report a lie, or both.

""When a passport has been issued, the information is deleted," said Mr. Lengelle."[4] - only online for a few weeks then. Well that makes it okay then, doesn't it.

"Minister Maxime Bernier told the House of Commons that he spoke with Passport Canada CEO Gérard Cossette and was assured that the security problem had been fixed."[1] - perhaps that one particular problem has been fixed/patched/bypassed.

"'The Web site of Passport Canada is now one of the most secure,' Mr. Bernier told the House."[4] - Unbelievable.

As a security professional with extensive security testing experience, I have some observations. Basically the error is inexcusable and strongly suggests that there are other problems.

1. This kind of mistake was kindergarten over 10 years ago!

2. The site was launched in 2005 [1]. Such an error was inexcusable long before then. Why did it take almost three years to find this?

2. If they can't get a simple navigation/access control issue right, what about issues that emerged after 1996! Cross-site scripting? SQL injection?

4. In my experience, a problem of this type suggests those who implemented the site were (possibly grossly) negligent and totally clueless about security. This error should have been caught in basic testing. A penetration test should have caught it. Clearly testing was neglected.

5. Fixing security problems of this sort are often more difficult than a quick fix will allow. I've seen quick fixes that can be easily bypassed. I've also seen real fixes that can take months. Often this is a function of the framework used. Possibly they can fix this fast, but I wouldn't bet on it.

6. The Government of Canada should launch a broad investigation to make sure this is not isolated. They should start with an inventory of all their online services prioritized by the sensitivity of data they process/transmit. They should sample by risk and by vendor/developer. And like in a real world infrastructure failure, they should carefully scrutinize anything the developers and maintainers touched.

Other articles/reference:

[1] http://www.theglobeandmail.com/servlet/story/RTGAM.20071205.wpassport05/BNStory/National/home

[2] http://ca.today.reuters.com/news/newsArticle.aspx?type=domesticNews&storyID=2007-12-04T220025Z_01_N04527003_RTRIDST_0_CANADA-PASSPORTS-COL.XML

[3] http://www.theglobeandmail.com/servlet/story/RTGAM.20071204.wpassport1204/BNStory/National/home

[4] http://www.nationalpost.com/news/story.html?id=144179

By the way, I wonder when the third shoe drops … who’s going to have the next Commonwealth IT Security screw up.

Perhaps the Discovery Channel could do another reality show with the flavour of “Canada’s Worst Driver”, “Canada’s Worst HandyMan”. Welcome, “Canada’s worst web developer!” I’d be up to be judge!

Thankfully, when renewed after 2005 I did it offline!

Web Security 101 ...

Every web developer should be forced to write on a real blackboard 1000 times ....

1. Do not trust any information from the browser.

2. Ensure your application/sever securely maintains state.

3. Just because I can't see how to break it, doesn't mean someone else can't.

4. If I don't know what OWASP is or I don't understand OWASP practices, or if I am in doubt, get qualified help.

Cockup, not conspiracy

The green-ink paranoid responses to this news can be dismissed pretty easily: this is a clear and shiny newbie error. As someone who once built a public site with the "Little Bobby Tables" vulnerability, I can speak on newbie errors, I think :)

Thing is, it takes time and testing to pick up this stuff. You can say "hire boffins" all you like: if you've got your internal dev team, and this isn't their specialty, they may cock up and only testing will catch that. And time and testing are the first things that project managers cut out of any project.

Of course, this highlights the risks inherent in One Database Of Everything; when (not if) someone cocks up, only the data in that database is exposed.

Online IT Stupidity Nothing New in Ottawa

Another online IT cockup in Ottawa:

Canada conducted its regular quinquennial (or decennial) census a couple of years ago. For the first time, they set up a site for (optional) online submission of your responses to the census questionnaire.

I went to the website and was confronted with a message "You must have Java version <something or other> enabled", the version being very precisely defined. In the words of the profit, fuck that. I keep Java turned off, that particular version of Java may not even be available for my preferred combnation of browser & OS, and I don't install new software unless there's a compelling reason to do so.

Lowering Statistics Canada's census processing costs is not a compelling reason. I sent in the paper form instead.

One presumes Statistics Canada used Java to implement detailed client-side data validation instead of using Javascript or server-side validation, an implementation strategy of dubious merit. It's always harder to make sure client-side stuff works correctly in all cases, being highly dependent on the exact combination of browser, OS, and settings.

You have to wonder how many other potential users of their online systerm joined me in walking away from the online submission site, in the face of its demand for a specific Java version? Considering that Joe & Jane Sixpack probably don't even know what Java is, much less how to upgrade it, I suspect that the participation rate was a lot lower than they hoped for and the costs of developing the online site were not recovered.

Sometimes I think the Ottawa winter climate congeals the ability to think clearly...

Exactly ....

@Andy - no conspiracy just a cockup, a colossal and multi-level one at that

I have sympathy for newbies and newbie errors. Everyone has to learn.

I have no sympathy for a organization like Passport Canada with the resources available to them which has failed on so many levels. At the very least they've failed a minimum of two or three of the following:

- establish or hire competent developers or vendors

- set proper requirements

- manage the development of their system

- adequately test the system at launch or changes

- audit of their development processes

- enforce government wide security and privacy requirements

- conduct ongoing security testing

Sadly it's bush league. Worse, it's a very big league.