I fought the law...
Posted on 12 Jul 2007 at 17:00
Davey Winder reveals how he took on the government and won, and why incident disclosure is so important to your business...
If you're responsible for any web-based service that holds or processes personal information then take note, because this is important. The UK government got itself into all kinds of trouble when a Channel 4 investigation revealed that the NHS Medical Training Application Service (MTAS) database was seriously compromised: all it took to access data about doctors' sexual preferences and career choices was to change numerical identifiers in the URL. Naturally, this was big news, and the whole MTAS system has now been abandoned. Imagine my surprise then when I found an almost identical security breach within a more sensitive web-accessible database, one with national security implications. Here's how I broke the Online Visa Application security story, got the service shut down and an investigation by the Information Commissioner launched. The moral of this tale is that if a body with the budget and organisation of the UK government can make such mistakes, how confident are you of your security?
It started a year before I became involved, when an Indian citizen called Sanjib Mitra applied for a visa to work in the UK. The Foreign & Commonwealth Office (FCO) has outsourced the online collection of applications (not the whole process, just the form-filling) in various countries to VFS Global, a subsidiary of the Kuoni Travel Group. Mitra was using this system when he encountered a blank screen and his browser refused to go back. Wondering if he could salvage his application data by changing one of the numbers at the end of the complex URL to go back a page, he found that data certainly did appear, but it wasn't his!
Mitra had stumbled across the old "change the URL and access database records" security breach. This system is meant to provide "security by obscurity", the theory being that if you don't know the URL you can't get the data - unless, that is, the system is so insecure you can guess it. Not being a terrorist or identity thief, Mitra emailed VFS Global and received no response, so he contacted the British High Commission in India and received an automated "thanks for your concern". A year later, the breach remained open, which is when I got involved.
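The flaw described above is an insecure direct object reference: the record id in the URL is the only thing standing between a visitor and someone else's application. The following is an added illustration, not code from the article or from VFS Global, showing a lookup with that defect beside a hardened version that checks the session's ownership of the record; all records, sessions and passport values are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str           # account that submitted the form
    applicant_name: str
    passport_no: str

# Constructed sample records; sequential ids mirror the guessable URL parameter.
APPLICATIONS = {
    1001: Application(1001, "alice", "Alice Example", "P-CONSTRUCTED-1"),
    1002: Application(1002, "bob", "Bob Example", "P-CONSTRUCTED-2"),
}

# Constructed sessions: session token -> logged-in account.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""

def view_application_vulnerable(session: str, app_id: int) -> Optional[Application]:
    # Vulnerable: the id in the URL is the only "protection". Whoever the
    # session belongs to, editing the number returns another applicant's data.
    return APPLICATIONS.get(app_id)

def view_application_hardened(session: str, app_id: int) -> Application:
    # Hardened: authenticate the session, then authorise the object against
    # the caller. The id can stay sequential; URL secrecy is not the control.
    user = SESSIONS.get(session)
    if user is None:
        raise Forbidden("not logged in")
    record = APPLICATIONS.get(app_id)
    # Same response for "missing" and "not yours", so probing ids does not
    # reveal which records exist.
    if record is None or record.owner != user:
        raise Forbidden("no such application for this account")
    return record

def can_view(session: str, app_id: int) -> bool:
    """True if the hardened handler would serve the record to this session."""
    try:
        view_application_hardened(session, app_id)
        return True
    except Forbidden:
        return False
```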
I steeled myself to contravene the Computer Misuse Act by hacking the application database (don't try this at home folks) to get the required hands-on evidence, and discovered a breach that made the MTAS affair look insignificant by comparison. Thousands of applicants' data was exposed online, which anyone with a browser could view just by changing numbers in a URL. I accessed six people's applications, taking screenshots as I went - which proved to be hugely important later - that revealed not just names and addresses, spouses and children, employment histories, but also passport numbers and even travel plans. Armed with this evidence and my reputation as IT Security Journalist of the Year, I approached VFS Global and the FCO stating my intention to publish the facts, but not before giving them the chance to fix the problem.
As a member of the National Union of Journalists, I've signed a code of ethics that I take very seriously, under which it's quite wrong to publicly disclose a breach of this nature without doing everything possible to secure it first. If more journalists and "security researchers" were to take an ethical approach to disclosure, even at the expense of forfeiting a more sensational story, perhaps the IT industry would be more inclined to work with us over dealing with such problems. To cut a long story short, it took less than 24 hours, and just a handful of emails, to get this serious breach closed and, once I was happy that was the case, I went public with the story on my Inside Edge blog (you can read the original posting at www.daniweb.com/blogs/entry1466.html).