Slashdot Mirror

← Back to Stories (view on slashdot.org)

Privacy Breach In Canadian Passport Application Site

Posted by kdawson on from the didn't-need-that-old-identity-anyhow dept.

Joanna Karczmarek sends us news of a massive privacy breach in the Government of Canada passport website. "A security flaw in Passport Canada's website has allowed easy access to the personal information — including social insurance numbers, dates of birth and driver's license numbers — of people applying for new passports. ... The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser."

21 of 197 comments (clear)

  1. Wonderful by Grey_14 · · Score: 4, Interesting

    Odd's are, lots of people are applying for passports nowadays too, since apparently we Canadians need them to cross the border into americaland in the near future.

    1. Re:Wonderful by Wowsers · · Score: 3, Informative

      In the UK, applying for a passport _now_ gets around the UK's ID card laws and it's Nazi-esque data gathering, oh, and is considerably cheaper now compared to IF the ID cards ever come into existence.

      As for this security flaw, there was a similar one found a few months ago in the UK's own online visa applications system http://www.channel4.com/news/articles/business_money/online+visa+security+flaw/517157 . Maybe they hired the same idiot programmers?

      --
      Take Nobody's Word For It.
  2. Trash the World by Smordnys+s'regrepsA · · Score: 4, Funny

    3...
    2...
    1...

    Breaking News, a L33t Canadian Hacker broke into a national security site, stealing millions of Dollars worth of personal information.

    No word yet on any arrests.

    More at 11.

    --
    Just -1, Troll talking to another.
  3. 31337 h4x0r by martinX · · Score: 3, Funny

    That's some leet hakking going on there...

    http://www.freedom-to-tinker.com/index.php?p=780
    http://www.tjmcintyre.com/2005/06/morris-tribunal-learns-pitfalls-of.html
    http://blogs.zdnet.com/threatchaos/?p=464

    --
    When they came for the communists, I said "He's next door. Take him away. Goddam commies."
  4. Bad Monkey!!!! by TheeBlueRoom · · Score: 3, Funny

    Sounds like some web monkey needs a beating....

    --
    I wish I was clever!
    1. Re:Bad Monkey!!!! by chuckymonkey · · Score: 4, Funny

      *Waves hand in the air* I am not the monkey you are looking for.

      --
      "Some books contain the machinery required to create and sustain universes."-Tycho
    2. Re:Bad Monkey!!!! by Hotawa+Hawk-eye · · Score: 4, Insightful

      What if the boss had these options:

      Option A and B: A & B achieve identical functionality but B comes with an enormous security breach. Implementing A costs one million dollars more than implementing B.

      WWDPHBD? [What Would Dilbert's Pointy Haired Boss Do?]

    3. Re:Bad Monkey!!!! by billcopc · · Score: 3, Interesting

      Consultants. Consultants. Consultants. Consultants. Consultants. *throws chair*

      Having previously worked there (the Passport Office), and it's probably the same in every other government branch, I think the big dumb gaping hole comes from outside consultants. Someone applying for a tenured job has to go through various screening processes, and while the screening isn't super-duper, it's still better than nothing. Consultants only need to win a bidding war (if at all), and of course the people who bid low on contracts tend to be the people who aren't worth their carbon in the first place (because good consultants typically aren't desperate).

      Now I only had a tangential involvement with "big IT", but they seemed to have a mostly healthy bunch of skilled techies, at least the ones I cared to know ;) Those guys did what they could, but it always seemed like they were getting trumped by outsiders. I know nothing about the contracting processes, but there was clearly a tendency to outsource all the big stuff while the in-house staff handled maintenance and other "little jobs". Maybe that's just how they do things, but it always struck me as inefficient and insecure. As far as I know, there were never any in-house code audits - else they would have publicly executed all the contractors IMHO.

      Now again, I wasn't involved in this particular app, I was in a support department. Maybe it was different for the production staff. I'm not necessarily saying that the zillion-dollar system that handles passports was coded in VB by a bunch of Volvo-driving ignorants, but I wouldn't be surprised if that were true, either. It's just far too easy to screw the government, because there's no real boss, just a bunch of PHBs trying to cover their asses.

      --
      -Billco, Fnarg.com
  5. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  6. Re:25% of Canadians not born in Canada. by meringuoid · · Score: 3, Funny
    It's not unusual to go to a mall, and see 45% to 50% of the people who are clearly not born in Canada. This is evident from their clothing, their mannerisms, and especially their near-complete lack of knowledge of English or French.

    I wouldn't say Americans are that bad at English...

    --
    Real Daleks don't climb stairs - they level the building.
  7. fixed AND old news. by notrandom · · Score: 3, Informative

    http://www.cbc.ca/consumer/story/2007/12/04/passport-security.html?ref=rss

    1. Re:fixed AND old news. by Yetihehe · · Score: 3, Funny

      What is it with IIS installations and dodgy security?
      If you make a server even idiot can run, idiots will be running it.
      --
      Extreme Programming - Redundant Array of Inexpensive Developers
  8. Re:Wow by tttonyyy · · Score: 4, Funny

    Who wants to bet that the 'unrelated problem' that resulted the the site shutting down was SQL injection. If you're stupid enough to allow access to other people's details via slight URL changes, you're probably also stupid enough not to check or parameterise form fields. I blame that Canadian called '; drop table passport_info -- ' and password = ''; myself.

    Irresponsible name to have these days.
    --
    biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
  9. Basic Encryption? by LaskoVortex · · Score: 3, Interesting

    I'm guessing the database the info comes from is not even encrypted. One could come up with half-a-dozen schemes to prevent this. Here's one: every sensitive record in the database is encrypted with a unique key that is mapped to each session via a very long random number generated on a per-session basis. This random number would be used to decrypt the information in the database (combining, of course, with a server-side key to reconstruct a "permanent key"). So each client-side key would be able to decrypt one and only one sensitive record, making a one-session to many-record scenario impossible. Key-pairs would be generated on a per-session basis from a database of permanent keys that are themselves encrypted and served by a key server. I hereby patent this protocol. Please send me money if you use it or I will sue you.

    --
    Just callin' it like I see it.
    1. Re:Basic Encryption? by CastrTroy · · Score: 3, Interesting

      I think the problem doesn't even go as far as encryption. From what I understand, it seems like they were using incremented integers as session codes, instead of using big randomly generated strings. Just doing this will make you system a lot more secure. It doesn't really matter if the information is encrypted on the back end. If you can guess the session code (by incrementing your own by 1), then you effectively become that user, and it doesn't matter if the data is encrypted in the database or not. Likely, the only thing encrypting the actual data would counter against is an internal attack. However, you'd still need to have a table somewhere linking the user session to the data encryption key. You could probably encrypt this table with some secret machine key, but still the data would be readable. You could probably make the internal hacker run around in circles to get the data, but you wouldn't really be too effective in stopping them.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  10. Re:.aspx by Jellybob · · Score: 3, Informative

    I havn't looked at the article, but I doubt that's going to help against someone determined. Sure - Joe Blogs who found the bug this time probably wouldn't have, but that's just an URL encoded string, which are trivial to decode (I believe PHP has an urldecode function for just that).

    Never, ever, trust data provided by the user. If there's potential to cause trouble, somebody will do it, which is why the site should have been keeping track of who's application was being filled out on the server, probably in a session variable.

  11. Why are state computing projects always like this? by Richard+Kirk · · Score: 4, Interesting

    This is not just a moan - it is a serious question.

    In the UK, every large computer project since the Navy sponsored the Babbige engine seems to end up running hugely over budget and time, and often delivering nothing. Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little more than a mobile phone? The recent leak of disks with 25 million UYK residents' personal information, most of which was not wanted by the people it was going to was not removed because that was 'too labour intensive'. A few lines of perl, tops. If they want to send discs, then can send discs of random numbers, and do one-time pad encryption. If you have a proper source of random numbers, then provided the discs arrive with the seals intact, they can send the actual data XORed with the one-time pad. Not exactly rocket science, any of this.

    The usual explanation is a lack of market forces. State projects tend to get offered to contractors with vetted personnel, contractors who have done similar projects before. If you have a military requirement then your choice is restriced to positively vetted people who don't mind working on such stuff. Certainly, in the UK, there seems to be a cosy relationship between the state and the contractors. I am not sure I altogether buy this explanation. If there really is a free market, then more talented people ought eventually to come to the top if the contracts are so lucrative,

    Perhaps the problem lies with the national interest. The UK government would have to prever UK companies to overseas ones. Sometimes the competition has to come from outside a country. 20 years ago, prescription glasses used to be expensive and took a week to arrive. If you were going to the US, you could take your prescription, and get a pair made in an hour. Now you can get the same service in the UK. In the US, it is hard to get a mobile phone unlocked - it is looked on as illegal, but in the UK this is commonplace. IN both cases, I don't think there was anyhing that was actively preventing competition: it just wasn't happening.

  12. Re:Accidentally on purpose by schon · · Score: 3, Funny

    incompetent MCSE techies Umm, you realize you put a redundant term and an oxymoron in three words?
  13. Re:25% of Canadians not born in Canada. by kndyer · · Score: 5, Informative

    As a fourth generation Canadian, I too have met a large number of Canadians. While I have no intention of defending the AC, I resent the absurd generalization that Canadians are uneducated and racist. With any large sampling of people, you will encounter the good and the bad. I am sorry to discover that you have clearly encountered only the bad, yet you are a sample of one.

    I work at a company with fifteen employees, representing eight distinct nationalities and we operate in perfect harmony. This place is not anomalous; I have lived through several similar situations at other companies.

    However, I am also a sample of one. Let us look at statistics. Immigration accounted for two-thirds of Canada's population growth in 2006/2007 (http://www.statcan.ca/Daily/English/070927/d070927a.htm/) and has always been a significant contributor to our population (http://www40.statcan.ca/l01/cst01/demo03.htm?sdi=population%20growth/).

    Does this trend pose difficulties? Certainly. However, were such a policy not embraced by the majority of Canadians, it certainly would not persist. The tolerance is real. Join us and see for yourself.

  14. Re:Wow by MMC+Monster · · Score: 4, Informative

    ObXKCD link: http://xkcd.com/327/

    --
    Help! I'm a slashdot refugee.
  15. Re:Yet more mediocre software from the man ... by xystren · · Score: 3, Insightful

    I swear to god I hate the civil service. Basically as a government employee your only job is to not rock the boat too hard. Take your 2 hr lunch breaks, leave early on fridays, take expensive training classes [that nobody in private sector gets to attend], attend one useless meeting after another, and take 4 years to do what a bright 16 yr old could do over a weekend. That's ok. Because, hey, you're in a union, god forbid you actually have accountability and performance metrics that mean anything...

    Having being a civil servant in the past, I take great exception to your comments. In the 10 years I was with the provincial government, I was only able to attend one outside training session. Being in a smaller province, where training *rarely* came to, most training would require travel (typically to another province) which would never happen. I financed most of those out of my own pocket with no reimbursement. You make it sound like I had a free ride, and a free lunch, with all the extra toppings. It is not. I was refused to attend a conference in Vancouver that was specifically on what I was implementing within the department, because it was too "close" to Whistler/Blackcomb. WTF?!?!?!? The reason? The perception would be exactly the crap that you are spewing.

    With regard to the union, they screwed me more than they ever helped me. Ever play the "temporary" position game before? They prevented me from getting the "job" as I didn't have the seniority. Nothing worse than filling a position for 8 months and having someone that is completely incompetent that I had to train for the position, all because they had "more time in." The preventing me from getting a better position, because I didn't have a "degree" that was required for the position, yet I was the one that trained the "degree people" for the position. Go figure eh? The union prevented me from being paid what I was worth because the position that I had, didn't reflect the duties I performed. None of the union positions were accurate in this regards. The union screwed me more than they ever protected me. Don't make them sound like they are the golden cup.

    I have since gotten out of government, and went over to private sector, with a larger IT consultant company. This was no better, though I was able to get training very easily (x amount per year) and it didn't matter where it was (I attended something in Vegas, which would have never happened within gov't. While there were some benefits, working 12 hours, getting paid for 8, yet billing for the 12 got tiresome really quick.

    Government, private sector, independent contractor doesn't really make a difference. In this consumerism driven society, with the corporate mentality to do more, more, more with less, less, less, is what drove me out of the IT industry. And don't get me started on the politics... Gov't or not, the politics are what really wreck things.

    From your point of view, the grass may look greener on the other side of the fence, but look where the green grass is; Odds are it's right over the leaking septic tank. Make sure you check the ground before you start grazing.

    I'm not saying there aren't some that have ways to abuse the system, but it's not as common as you portray. There are projects out there that are just as bad, except you don't hear about them. Banks, credit card companies, and private sector is just as bad, except, you don't hear about it, except through the network with people within the fields. It doesn't get out there publicly.

    I've since turned my back on the entirety of the whole IT industry as a career. There is absolutely no enjoyment in it anymore. As a hobby, I still love it though.

    Your spewing the FUD of a stereotype that perhaps may have some truth to it. But that truth you are spewing is the exception, rather than the rule. There are good people that work within the civil sector. And have worked on both sides, one is no better than the other.

    Cheers,
    Xyst