Passport Canada web site suffers serious breach
Technorati Tag: Security Breach
Date Reported:
12/4/07
Organization:
Government of Canada
Contractor/Consultant/Branch:
Passport Canada*
*"As mandated by the Canadian Passport Order, Passport Canada is responsible for issuing, revoking, withholding, recovering, and providing instructions on the use of Canadian passports."
Victims:
Certain persons applying for Canadian passports online.
Number Affected:
Unknown
Types of Data:
Names, addresses, phone numbers, birth dates, social insurance numbers, driver's license numbers, and other information contained on passport application forms.
Breach Description:
Sometime during the week of November 26th (2007) an Ontario man noticed that by changing a single character in the URL provided by Passport Canada, he could access the passport application information of other people who had used the site. Passport Canada officials confirmed the security flaw and breach on Tuesday, December 4th.
Reference URL:
Reuters Canada News Story
680News.com News Story
The Globe and Mail News Story
The Register News Story (UK - Good commentary)
Report Credit:
Kenyon Wallace, Globe and Mail (CA)
Response:
From the sources cited above:
A security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver's licence numbers - of people applying for new passports.
The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser.
[Comfyllama] This is one of the most simplistic attacks on web sites available. Change a character and see what happens. Heck, this is a piece of cake to automate with a script and grab ALL the available records. Running a site that acquires and stores confidential data which is vulnerable to the simplest of attacks is ludicrous.
That data included social insurance numbers, driver's licence numbers and addresses.
Also available were home and business phone numbers, a federal ID card number and even a firearms licence number.
Mr. Laning, 47, an IT worker at Algonquin Automotive, informed Passport Canada of the breach last week and the passport application site was suspended through yesterday morning.
[Comfyllama] I would assume, in order to fix the problem?!
Passport Canada spokesman Fabien Lengelle acknowledged that a security breach occurred but said that it was repaired on Friday. Yesterday's closing of the website was caused by "problems of a different nature," he said
"We've probed this issue today very thoroughly," Mr. Lengelle said. "This incident is an isolated anomaly. The online passport system is still a very highly secure application."
[Comfyllama] Huh? "Still"? Ever?
But after the website resumed operation yesterday afternoon, a few keystrokes sufficed to reveal some of the personal information of passport applicants, including names, addresses and numbers for references and emergency contacts.
[Comfyllama] But no! The issue was not fixed after bringing the site back online!
Canadian law does not require organizations to disclose when they've suffered security breaches.
[Comfyllama] Canadian law SHOULD require it (and more).
Other Responses:
"I was expecting the site to tell me that I couldn't do that," said Jamie Laning of Huntsville. "I'm just curious about these things so I tried it, and boom, there was somebody else's name and somebody else's data."
"This is exactly how identity theft happens," said Carlisle Adams, an Internet data security expert and professor at the University of Ottawa. "If you want to take out a mortgage, for example, this is the type of information the bank is going to ask for to make sure you're really the person you're claiming to be. Then all of a sudden there's a mortgage in someone else's name."
"If you read the disclaimer on the website, it's supposed to use high-tech security," Mr. Marsden said in an interview. "You'd think it wouldn't be that bloody simple."
[Comfyllama] Mr. Marsden was one of the people that had his application revealed on the site.
"I think it's very clear that a strong, mandatory security-breach law is long overdue in this country and it's cases like these that highlight it," said Michael Geist, a law professor at the University of Ottawa.
"The reality is, even with the resources and the best security people, you're only as good as your weakest link," Prof. Geist said. "One mistake can result in significant security breaches that can put huge amounts of personal information at risk."
[Comfyllama] A person with little information security experience, some common-sense, and a PC would have found this hole if it was their job. It is obvious that Passport Canada does NOT have "the best security people".
"Whether it was that or something else, I don't know which is worse - that someone made an error that you wouldn't expect to see from a school kid, or that 'Passport Canada' didn't notice..." - Jeremy, commented on The Register Story
"In my experience, a problem of this type suggests those who implemented the site were (possibly grossly) negligent and totally clueless about security. This error should have been caught in basic testing. A penetration test should have caught it. Clearly testing was neglected." - Anonymous Coward, commented on The Register Story
[Comfyllama] Excellent point! If you run a site that acquires, processes, stores, or transmits ANY data that you do NOT want to be PUBLIC data, the you must secure it properly which includes regular vulnerability scanning, penetration testing, code and third-party reviews. Cut corners, lose data. Simple.
Commentary:
This is such a simple security oversight with such large ramifications. Who knows how long the information contained on the site was exposed or how long the vulnerability existed? Anonymous Coward (in the comments above) stated it right, this is negligence and cluelessness.
Me reminiscing again:
In the late 90's to early 2000's I was in charge of security and infrastructure for a site that processed thousands of credit cards transactions and collected thousands of customer records monthly. This was before identity theft and privacy concerns were as prevalent as they are today. We regularly ran our own internal pen testing and security assesments as well as contracted a third-party to do so on a semi-annual basis. It just made good, common, business sense. There was no law requiring us to do it, there was not a VISA CISP requiring us to do it, heck there wasn't a SOX or GLBA either! What happened to companies and organizations that decide to do things because they are the right things to do? I suppose some exist, but many have gone.
Past Breaches:
November, 2007 - Stolen Service Canada laptop affects more than 1,600
Date Reported:12/4/07
Organization:
Government of Canada
Contractor/Consultant/Branch:
Passport Canada*
*"As mandated by the Canadian Passport Order, Passport Canada is responsible for issuing, revoking, withholding, recovering, and providing instructions on the use of Canadian passports."
Victims:
Certain persons applying for Canadian passports online.
Number Affected:
Unknown
Types of Data:
Names, addresses, phone numbers, birth dates, social insurance numbers, driver's license numbers, and other information contained on passport application forms.
Breach Description:
Sometime during the week of November 26th (2007) an Ontario man noticed that by changing a single character in the URL provided by Passport Canada, he could access the passport application information of other people who had used the site. Passport Canada officials confirmed the security flaw and breach on Tuesday, December 4th.
Reference URL:
Reuters Canada News Story
680News.com News Story
The Globe and Mail News Story
The Register News Story (UK - Good commentary)
Report Credit:
Kenyon Wallace, Globe and Mail (CA)
Response:
From the sources cited above:
A security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver's licence numbers - of people applying for new passports.
The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser.
[Comfyllama] This is one of the most simplistic attacks on web sites available. Change a character and see what happens. Heck, this is a piece of cake to automate with a script and grab ALL the available records. Running a site that acquires and stores confidential data which is vulnerable to the simplest of attacks is ludicrous.
That data included social insurance numbers, driver's licence numbers and addresses.
Also available were home and business phone numbers, a federal ID card number and even a firearms licence number.
Mr. Laning, 47, an IT worker at Algonquin Automotive, informed Passport Canada of the breach last week and the passport application site was suspended through yesterday morning.
[Comfyllama] I would assume, in order to fix the problem?!
Passport Canada spokesman Fabien Lengelle acknowledged that a security breach occurred but said that it was repaired on Friday. Yesterday's closing of the website was caused by "problems of a different nature," he said
"We've probed this issue today very thoroughly," Mr. Lengelle said. "This incident is an isolated anomaly. The online passport system is still a very highly secure application."
[Comfyllama] Huh? "Still"? Ever?
But after the website resumed operation yesterday afternoon, a few keystrokes sufficed to reveal some of the personal information of passport applicants, including names, addresses and numbers for references and emergency contacts.
[Comfyllama] But no! The issue was not fixed after bringing the site back online!
Canadian law does not require organizations to disclose when they've suffered security breaches.
[Comfyllama] Canadian law SHOULD require it (and more).
Other Responses:
"I was expecting the site to tell me that I couldn't do that," said Jamie Laning of Huntsville. "I'm just curious about these things so I tried it, and boom, there was somebody else's name and somebody else's data."
"This is exactly how identity theft happens," said Carlisle Adams, an Internet data security expert and professor at the University of Ottawa. "If you want to take out a mortgage, for example, this is the type of information the bank is going to ask for to make sure you're really the person you're claiming to be. Then all of a sudden there's a mortgage in someone else's name."
"If you read the disclaimer on the website, it's supposed to use high-tech security," Mr. Marsden said in an interview. "You'd think it wouldn't be that bloody simple."
[Comfyllama] Mr. Marsden was one of the people that had his application revealed on the site.
"I think it's very clear that a strong, mandatory security-breach law is long overdue in this country and it's cases like these that highlight it," said Michael Geist, a law professor at the University of Ottawa.
"The reality is, even with the resources and the best security people, you're only as good as your weakest link," Prof. Geist said. "One mistake can result in significant security breaches that can put huge amounts of personal information at risk."
[Comfyllama] A person with little information security experience, some common-sense, and a PC would have found this hole if it was their job. It is obvious that Passport Canada does NOT have "the best security people".
"Whether it was that or something else, I don't know which is worse - that someone made an error that you wouldn't expect to see from a school kid, or that 'Passport Canada' didn't notice..." - Jeremy, commented on The Register Story
"In my experience, a problem of this type suggests those who implemented the site were (possibly grossly) negligent and totally clueless about security. This error should have been caught in basic testing. A penetration test should have caught it. Clearly testing was neglected." - Anonymous Coward, commented on The Register Story
[Comfyllama] Excellent point! If you run a site that acquires, processes, stores, or transmits ANY data that you do NOT want to be PUBLIC data, the you must secure it properly which includes regular vulnerability scanning, penetration testing, code and third-party reviews. Cut corners, lose data. Simple.
Commentary:
This is such a simple security oversight with such large ramifications. Who knows how long the information contained on the site was exposed or how long the vulnerability existed? Anonymous Coward (in the comments above) stated it right, this is negligence and cluelessness.
Me reminiscing again:
In the late 90's to early 2000's I was in charge of security and infrastructure for a site that processed thousands of credit cards transactions and collected thousands of customer records monthly. This was before identity theft and privacy concerns were as prevalent as they are today. We regularly ran our own internal pen testing and security assesments as well as contracted a third-party to do so on a semi-annual basis. It just made good, common, business sense. There was no law requiring us to do it, there was not a VISA CISP requiring us to do it, heck there wasn't a SOX or GLBA either! What happened to companies and organizations that decide to do things because they are the right things to do? I suppose some exist, but many have gone.
Past Breaches:
November, 2007 - Stolen Service Canada laptop affects more than 1,600
Posted by Evan Francen at 12/5/2007 11:34 AM 
Categories: Poor Business Practice, Government of Canada
Categories: Poor Business Practice, Government of Canada
Posts Atom 1.0
Comments