
Changing a single letter in the URL allows applicants to see the data of others

Not to be left out of the spotlight -- or interrogation light -- currently shining on the UK for losing the personal data records of 25 million citizens, Passport Canada recently suffered a data breach of its own, exposing the personal data of Canadians who used its website to apply for travel documents.

Jamie Laning, of Huntsville, ON, found that by altering just a single character of the "ID" value in the URL during his online application, he could view other applicants' personal information -- driver's licenses, firearm acquisition certificates, and social insurance numbers -- with no prompting or complaint from the site whatsoever.

Thankfully, Mr. Laning reported the flaw to Passport Canada directly rather than announcing it publicly; the site was taken offline for maintenance and allegedly repaired. But on Tuesday afternoon, when the site was reopened, the exact same flaw was still present. The site was taken offline again and finally repaired. Passport Canada is currently "looking into" how the problem was possible.

In an attempt at damage control, spokesman Fabien Lengelle stated that Passport Canada was "very committed to security" and that applying for a passport online "is a secure application." Another Ontario resident whose data was accessed by Mr. Laning was not as convinced, telling a Globe and Mail interviewer "You'd think it wouldn't be that bloody simple" to get access to his personal data. Unfortunately, many applicants whose data may have been compromised may never know, as Canada currently has no law requiring organizations to disclose security breaches.

The breach comes at a doubly inconvenient time -- not only is the passport requirement for travel to the USA approaching rapidly, but the Canadian Privacy Commissioner's office is currently auditing Passport Canada for compliance with Canada's Privacy Act.




looking into it huh?
By darkpaw on 12/5/2007 5:24:26 PM , Rating: 2
Not much to look into really, it's pretty obvious how it happened:

1) Lazy and/or inexperienced programmer uses non-random ID codes AND compounds the failure by not using any sort of per-code authentication
2) Lack of proper testing and validation before going live with a website that processes PII

Sad part is, we'll be seeing a lot more of this in the future and the bad guys won't be nice enough to notify anyone about the problem.
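As an added illustration of the flaw the article describes and of darkpaw's two points above (example code written for this page, not Passport Canada's code or any commenter's; the record layout, user names and sample values are constructed assumptions): the first lookup trusts whatever ID arrives in the URL, the second uses unguessable IDs and checks that the record belongs to the logged-in user.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Application:
    owner: str   # session user who created the record
    data: str    # constructed stand-in for the applicant's PII


# Constructed sample records keyed by sequential IDs, the pattern the
# article describes: neighbouring IDs belong to different applicants.
APPLICATIONS_SEQ = {
    "1001": Application("alice", "SIN 123-456-789"),
    "1002": Application("bob", "SIN 987-654-321"),
}


def lookup_vulnerable(session_user: str, id_param: str) -> Optional[str]:
    """Returns whatever record the ID points to; the caller is ignored.

    A logged-in user who edits the ID in the URL gets someone else's data.
    """
    app = APPLICATIONS_SEQ.get(id_param)
    return app.data if app else None


class ApplicationStore:
    """Hardened store: random IDs plus a per-request ownership check."""

    def __init__(self) -> None:
        self._rows: dict[str, Application] = {}

    def create(self, owner: str, data: str) -> str:
        # 128 bits of randomness: IDs cannot be enumerated by counting.
        app_id = secrets.token_urlsafe(16)
        self._rows[app_id] = Application(owner, data)
        return app_id

    def lookup(self, session_user: str, app_id: str) -> Optional[str]:
        app = self._rows.get(app_id)
        # Deny unless the record exists AND belongs to the requesting user.
        # "Missing" and "not yours" give the same answer, so a response
        # never confirms that some other applicant's ID is valid.
        if app is None or app.owner != session_user:
            return None
        return app.data
```

The ownership check is the essential fix; random IDs only make guessing impractical and are no substitute for it.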




RE: looking into it huh?
By arazok on 12/5/2007 9:14:20 PM , Rating: 3
I say inexperienced. There was clearly no attempt at making this secure at all.

It's all too typical in the IT industry. Our company does online e-Bill payment/presentment over the web. I'd say only 10% of our programmers would even think about security when designing software, and only half of those would know how to do it correctly. Fortunately, we only let that half build our platforms. ;)

From my experience, 2/3 of our 'programmers' are not capable of doing anything beyond writing simple loops, and they struggle with that.

I saw one person use an ever increasing integer as a boolean. It was nested in a loop and just incremented by 1 where you would normally set it to true. If it was 0 it was False, otherwise True....worked great until the integer overflowed.

THESE are the people building websites out there. Be afraid.


RE: looking into it huh?
By gmyx on 12/6/2007 7:33:30 AM , Rating: 2
quote:
I say inexperienced. There was clearly no attempt at making this secure at all.


I have to agree with this but add on to it. There is virtually no proper training on simple negative testing or secure programming made available to government programmers.

This site, and many other Canadian government sites, rely on what they call Secure Channel. They automatically assume that Secure Channel will take care of their security when really all this beast does is user credentials and an encrypted pipe.


RE: looking into it huh?
By arazok on 12/6/2007 12:26:32 PM , Rating: 2
It goes beyond training. The CIOs responsible for these things aren't even versed in security, and don't ask the right questions about the platforms they are overseeing. If the guy at the top doesn't understand it, you're doomed.

My company has an excellent CIO at the helm. From what I have seen, this is rare. The average CIO I have encountered has plenty of business smarts, and limited IT smarts. They were never programmers, or haven't done any coding in 20 years. This is understandable - finding a programmer is hard enough, let alone one who isn't all introverted and incapable of seeing the big picture from a business perspective. Without a true IT guy running the IT department, you'll never get anything good out of them. It starts at the top.

This is why you continue to see massive amounts of sensitive information stolen from unencrypted/secure hard disks, web sites etc. This always happens to government organizations, or retail outlets. Never from Microsoft, banks etc. If you know anything about IT where would you prefer to work - Microsoft, or Costco? The exciting companies get all the talent, and the rest are left with the crumbs on the floor.


RE: looking into it huh?
By serouscipher on 12/6/2007 4:03:10 PM , Rating: 2
Well obviously when hiring these guys you did not test them properly for what they say they can do. Most programming languages are "languages" so you need to know how to use the correct grammar and syntax if you want the desired results. It's as easy as turning a word of the dictionary into slang. Writing good code is an easy thing, just follow the right grammar.
And just to refute the claim that most programmers can only write a loop and struggle with them, I'd challenge you to write some code before you even say something like this. These are the guys who work so that your decision making/working is made easy.


RE: looking into it huh?
By Hase0 on 12/7/2007 1:26:52 PM , Rating: 2
Uh.. if it was a syntax error the program wouldn't even run in most situations; the problem with Passport Canada was a design error, or logic error.


RE: looking into it huh?
By serouscipher on 12/10/2007 3:46:35 PM , Rating: 2
So you're saying that if you had designed the website it would have been better, since you know so much about it?? It's easier said than done. It's easier to point a finger than actually put your money where your mouth is.
Sitting here and commenting is easy, I'd like to get my hands on some of the websites you designed!
As for getting into any website, it is not impossible. Anyone who is persistent will eventually find a flaw and then exploit it. And how can you say it was a design or a logical error? Maybe the programming language used had a bug in it that was easy to exploit which was not known.
Even testing is done on specific cases. Testing cannot be done for all real life scenarios. It's a learning curve.


RE: looking into it huh?
By Hase0 on 12/7/2007 1:21:50 PM , Rating: 2
I'm actually doing programmer system analyst coop at a Canadian government cluster, and everything we do has to go through corporate testing, vulnerability testing, penetration testing, and all other kinds of testing. Most testing is done by other clusters or organizations. Also when designing government public websites there usually comes a huge text book full of standards that you have to comply with before you can even release it to the public.

It's not a simple process to make a government website, it usually takes many different people, hours of designing, programming, testing, etc.


Bringing shame to millions
By wordsworm on 12/5/2007 10:02:13 PM , Rating: 1
I'm not too worried about people stealing the IDs because I figure that no one who would know what to do with the information had time to do something about it. I can't believe that the bug was up for long. The fact that it went up twice with the same problem is what disturbs me. What a bunch of freaking idiots we have running the nation at the moment.

For the past few years, I'm ashamed of having been born into the unofficial 51st state. Even when Chretien, 10x better than Harper though he was - but still an idiot, stayed out of Iraq, I realized it was a farce, because he still went into Afghanistan. It was typical Canadian politics: try to look like we're not getting involved while we are getting involved. Stupid Canadian government. It pretends to be against hate propaganda, but for a week, culminating every November 11, it gives us our hate week. It pretends to care about security, but then the buffoons make it so that any idiot with an ability to script can download one of the nation's most sensitive bodies of data.




RE: Bringing shame to millions
By tedrodai on 12/6/2007 9:51:16 AM , Rating: 2
quote:
For the past few years, I'm ashamed of having been born into the unofficial 51st state.


Not that they don't deserve to be criticized, but if you had a list of all the nations in the world and separated them into 2 columns {would be proud of this government if I were a citizen | would not be proud of this government if I were a citizen}, the number listed in column 1 would be a tiny fraction of the overall number of nations. Frankly, the nations in column 1 are there because you're simply overlooking a few problems that are less important to you than they are to others. Nations in general are run by idiots--there's just so many idiots--and even the non-idiots have opposing ideals.

To improve the government, it's more effective to try to run the government yourself, and hope you don't turn out to be an idiot.


RE: Bringing shame to millions
By KraftyOne on 12/6/2007 10:08:14 AM , Rating: 2
Not to get totally off topic, but, if people in the States are looking for someone who isn't an idiot to vote for next year, and if you don't know about him already, you really ought to check out Ron Paul. Never mind what the worthless media says about him, just go watch some of the videos on youtube about him.

Here's a pretty good one:
http://youtube.com/watch?v=yCM_wQy4YVg


RE: Bringing shame to millions
By masher2 (blog) on 12/6/2007 12:04:14 PM , Rating: 2
Ron Paul already has my vote in the primary.


RE: Bringing shame to millions
By Screwballl on 12/6/2007 12:23:04 PM , Rating: 2
Anyone who is looking for an idiot chooses Ron Paul. What better way to completely screw up this country than to go for someone who will isolate the US worse than any president in the past 100 years. He will sever all trade agreements with China and other countries that hold much of our debt thus sending us into a downward spiral thus making the depression of the 30s look like a short period of deflation. He will pull us out of a country that needs help rebuilding and protection from the wackos.. what better way to encourage suicide of a country than to pull out our troops at a time like this.


RE: Bringing shame to millions
By Hase0 on 12/7/2007 1:44:14 PM , Rating: 2
You make it sound like it's easy to handle security issues; there are so many possible holes in security that it is very hard to make a website completely secure. The problem is a lot of organizations don't properly train their programmers on how to program securely, and don't establish standards that enforce this. You can get certifications and training in this area, but security itself is a life long study, same as computer programming; both fields are changing and both fields require constant upgrading, which means time, money, and patience, something a lot of people can't afford.

Considering the States' Pentagon recently got hacked by what appeared to be China, and took god knows what data out, doesn't make it any better than most other governments out there, and the issue with Britain, I'd say Canada is not that bad off.


By Captain Orgazmo on 12/5/2007 5:53:14 PM , Rating: 2
The question is, how many not so benevolent people made the same discovery before Mr. Laning did.




By Captain Orgazmo on 12/5/2007 5:54:46 PM , Rating: 2
Subject line should have read "Damn glad..."

Really need an edit button.


By mmntech on 12/5/2007 7:29:35 PM , Rating: 2
I consider myself lucky too since I need to have my passport renewed. Fortunately I didn't do it before this got discovered. It's not the first time this has happened. I seem to remember Revenue Canada having a whole load of personal data stolen from one of their office computers not too long ago.


passport required
By InsaneGain on 12/5/2007 5:53:51 PM , Rating: 3
quote:
not only is the requirement for passports for travel to the USA approaching rapidly


January 2008 is the deadline for travelers by sea or ground. Canadians traveling by air have been required to present a passport to enter the U.S. for months now. Since January 2007 I think.




RE: passport required
By flurazepam on 12/7/2007 4:55:48 PM , Rating: 2
Actual quote from the government of Canada's website about travel to the U.S.

"As of January 31, 2008, the WHTI will require Canadian citizens entering the United States by land or sea to present :
a government-issued photo ID, such as a driver's licence;
AND
a birth certificate or a citizenship card;
OR
For youth under 16, a birth certificate;
OR
A valid Canadian passport.

Air Travel
Since January 23, 2007, the WHTI requires Canadian citizens entering or transiting the United States by air to present :

A valid Canadian passport;
OR
A NEXUS card when used at a NEXUS kiosk"


"Big Brother" was a joke
By Dfere on 12/6/2007 12:26:07 PM , Rating: 2
I never understood how anyone thought that a true Big Brother scenario could come about, and I was out of high school before the wall fell.
In the Orwellian sense of this word-
The fact that governments can't simply control the information they are entrusted with seems to prove this out. The shame is that no one really seems to worry about Big Business (esp Big Insurance), or modern day thievery.

I recently had a credit card hijacked for a balance transfer, and was kind of disconcerted when the company said, "no problem, we'll just send you some forms. Thank you for your business."

Wow. What kind of watered down world are we living in now? And what is being done by the above to take advantage of that, and us?




A non-issue
By Cunthor666 on 12/5/07, Rating: -1
RE: A non-issue
By wordsworm on 12/5/07, Rating: 0
RE: A non-issue
By fleshconsumed on 12/6/2007 9:20:26 AM , Rating: 1
quote:
I don't know why he got down rated.

Probably because he said they ...


RE: A non-issue
By InsaneGain on 12/6/2007 12:01:46 PM , Rating: 2
That is a ridiculous comment. Stephen Harper is a leader and he is Canada's own. He is widely believed to be very intelligent and has a master's degree in economics. Canada is not obliged to the Queen, but it does acknowledge its heritage of being a part of the British empire in the past.
Yes I have heard stories about the Liberal party and their abuse of unlimited expense accounts for ministers, but that doesn't make Canada a real country.


RE: A non-issue
By wordsworm on 12/6/2007 8:38:02 PM , Rating: 2
quote:
Stephen Harper is a leader
Stephen Harper is not a leader. He's a follower. An American follower.

quote:
that doesn't make Canada a real country
I agree with you 100% on that point. However, the Governor General isn't a minister. She is Canada's highest ranking official: appointed, not elected. I don't mind the senate being appointed, since their powers aren't as great as the body that appoints it. Having the highest position in Canada appointed is another concern altogether.


RE: A non-issue
By mmntech on 12/6/2007 1:24:25 PM , Rating: 2
"we're still obliged to the Queen"

So is India and Australia, and every other Commonwealth nation. Are they not countries? The queen has no power in Canada unless she is physically in the country. The Governor General also has no real power. Both only act on advice of the government.
Harper was elected democratically. He is our Prime Minister. How can you say we don't have our own leader?


RE: A non-issue
By wordsworm on 12/6/2007 8:50:54 PM , Rating: 1
quote:
The Governor General also has no real power.
You are really clueless aren't you? The Prime Minister has no real power. All the power is granted to the PM et al through the Governor General as the representative of the Queen. The Queen has all the power in Canada. The fact that it hasn't been exercised in more than 100 years doesn't change that. It's quite possible that if she actually tried to do something, the puppet government of Canada might find a way to rebel. For so long as that government is a lapdog for the world's only super bully, it would probably succeed. If not, the UK could quite easily force Canada to submit to her once again, since it has virtually no defensive capabilities and its 1 tank, 2 forty-year-old working helicopters. A country with no military exists only for as long as it follows the dictators with the military, which is currently the world's only super bully.


RE: A non-issue
By xphile on 12/6/2007 6:30:32 PM , Rating: 2
And from a Kiwi in New Zealand which is another Commonwealth country I think he is quite barking mad. All of us are real countries, with real leaders in our own right, despite what you, or he, may think. We just still support the recognition of a monarch on the basis that we were once colonised by the United Kingdom. That's the only real recognition or meaning still associated with any actual difference between any Commonwealth country and any other country.

And here's a news flash for you - America was pretty well colonised by the United Kingdom too - they just had this little fight in Boston over some tea and things got a bit ugly and they went their own way.

That's why he was rated down.

Can't personally say in terms of incredible rulers of nations the OP is actually doing that hot either - does that actually define what a REAL country has to be? Count me out please, I'm happy here in my little "unreal" part of the world. Funny though, comment often made by foreigners visiting New Zealand: "Just can't get over your country - it's unreal!"

