Privacy Breach In Canadian Passport Application Site

Joanna Karczmarek sends us news of a massive privacy breach in the Government of Canada passport website. "A security flaw in Passport Canada's website has allowed easy access to the personal information — including social insurance numbers, dates of birth and driver's license numbers — of people applying for new passports. ... The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser."

Wonderful

[Grey_14]

Odd's are, lots of people are applying for passports nowadays too, since apparently we Canadians need them to cross the border into americaland in the near future.

Basic Encryption?

[LaskoVortex]

I'm guessing the database the info comes from is not even encrypted. One could come up with half-a-dozen schemes to prevent this. Here's one: every sensitive record in the database is encrypted with a unique key that is mapped to each session via a very long random number generated on a per-session basis. This random number would be used to decrypt the information in the database (combining, of course, with a server-side key to reconstruct a "permanent key"). So each client-side key would be able to decrypt one and only one sensitive record, making a one-session to many-record scenario impossible. Key-pairs would be generated on a per-session basis from a database of permanent keys that are themselves encrypted and served by a key server. I hereby patent this protocol. Please send me money if you use it or I will sue you.

Re:Basic Encryption?

[CastrTroy]

I think the problem doesn't even go as far as encryption. From what I understand, it seems like they were using incremented integers as session codes, instead of using big randomly generated strings. Just doing this will make you system a lot more secure. It doesn't really matter if the information is encrypted on the back end. If you can guess the session code (by incrementing your own by 1), then you effectively become that user, and it doesn't matter if the data is encrypted in the database or not. Likely, the only thing encrypting the actual data would counter against is an internal attack. However, you'd still need to have a table somewhere linking the user session to the data encryption key. You could probably encrypt this table with some secret machine key, but still the data would be readable. You could probably make the internal hacker run around in circles to get the data, but you wouldn't really be too effective in stopping them.

Why are state computing projects always like this?

[Richard+Kirk]

This is not just a moan - it is a serious question.

In the UK, every large computer project since the Navy sponsored the Babbige engine seems to end up running hugely over budget and time, and often delivering nothing. Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little more than a mobile phone? The recent leak of disks with 25 million UYK residents' personal information, most of which was not wanted by the people it was going to was not removed because that was 'too labour intensive'. A few lines of perl, tops. If they want to send discs, then can send discs of random numbers, and do one-time pad encryption. If you have a proper source of random numbers, then provided the discs arrive with the seals intact, they can send the actual data XORed with the one-time pad. Not exactly rocket science, any of this.

The usual explanation is a lack of market forces. State projects tend to get offered to contractors with vetted personnel, contractors who have done similar projects before. If you have a military requirement then your choice is restriced to positively vetted people who don't mind working on such stuff. Certainly, in the UK, there seems to be a cosy relationship between the state and the contractors. I am not sure I altogether buy this explanation. If there really is a free market, then more talented people ought eventually to come to the top if the contracts are so lucrative,

Perhaps the problem lies with the national interest. The UK government would have to prever UK companies to overseas ones. Sometimes the competition has to come from outside a country. 20 years ago, prescription glasses used to be expensive and took a week to arrive. If you were going to the US, you could take your prescription, and get a pair made in an hour. Now you can get the same service in the UK. In the US, it is hard to get a mobile phone unlocked - it is looked on as illegal, but in the UK this is commonplace. IN both cases, I don't think there was anyhing that was actively preventing competition: it just wasn't happening.

Re:Bad Monkey!!!!

[billcopc]

Consultants. Consultants. Consultants. Consultants. Consultants. *throws chair*

Having previously worked there (the Passport Office), and it's probably the same in every other government branch, I think the big dumb gaping hole comes from outside consultants. Someone applying for a tenured job has to go through various screening processes, and while the screening isn't super-duper, it's still better than nothing. Consultants only need to win a bidding war (if at all), and of course the people who bid low on contracts tend to be the people who aren't worth their carbon in the first place (because good consultants typically aren't desperate).

Now I only had a tangential involvement with "big IT", but they seemed to have a mostly healthy bunch of skilled techies, at least the ones I cared to know ;) Those guys did what they could, but it always seemed like they were getting trumped by outsiders. I know nothing about the contracting processes, but there was clearly a tendency to outsource all the big stuff while the in-house staff handled maintenance and other "little jobs". Maybe that's just how they do things, but it always struck me as inefficient and insecure. As far as I know, there were never any in-house code audits - else they would have publicly executed all the contractors IMHO.

Now again, I wasn't involved in this particular app, I was in a support department. Maybe it was different for the production staff. I'm not necessarily saying that the zillion-dollar system that handles passports was coded in VB by a bunch of Volvo-driving ignorants, but I wouldn't be surprised if that were true, either. It's just far too easy to screw the government, because there's no real boss, just a bunch of PHBs trying to cover their asses.