I fought the law...
Posted on 12 Jul 2007 at 17:00
Davey Winder reveals how he took on the government and won, and why incident disclosure is so important to your business...
If you're responsible for any web-based service that holds or processes personal information then take note, because this is important. The UK government got itself into all kinds of trouble when a Channel 4 investigation revealed that the NHS Medical Training Application Service (MTAS) database was seriously compromised: all it took to access data about doctors' sexual preferences and career choices was to change numerical identifiers in the URL. Naturally, this was big news, and the whole MTAS system has now been abandoned. Imagine my surprise then when I found an almost identical security breach within a more sensitive web-accessible database, one with national security implications. Here's how I broke the Online Visa Application security story, got the service shut down and an investigation by the Information Commissioner launched. The moral of this tale is that if a body with the budget and organisation of the UK government can make such mistakes, how confident are you of your security?
It started a year before I became involved, when an Indian citizen called Sanjib Mitra applied for a visa to work in the UK. The Foreign & Commonwealth Office (FCO) has outsourced the online collection of applications (not the whole process, just the form-filling) in various countries to VFS Global, a subsidiary of the Kuoni Travel Group. Mitra was using this system when he encountered a blank screen and his browser refused to go back. Wondering if he could salvage his application data by changing one of the numbers at the end of the complex URL to go back a page, he found that data certainly did appear, but it wasn't his!
Mitra had stumbled across the old "change the URL and access database records" security breach. This system is meant to provide "security by obscurity", the theory being that if you don't know the URL you can't get the data - unless, that is, the system is so insecure you can guess it. Not being a terrorist or identity thief, Mitra emailed VFS Global and received no response, so he contacted the British High Commission in India and received an automated "thanks for your concern". A year later, the breach remained open, which is when I got involved.
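The flaw described above, shown as code so the mechanism is concrete: an added example written for this page, not code from VFS Global, the FCO or the original article. All records, user names, IP addresses and log lines are constructed. The first handler trusts the numeric id in the URL exactly as the article describes; the second refuses anything the logged-in user does not own (and answers an unknown id and a foreign id identically, so the response does not reveal whether a record exists); the last function is the kind of log check that would have flagged a browser walking through sequential ids a year before a journalist did.

```python
"""Added example (not from the original article): the "change the URL and
access database records" flaw beside a hardened handler, plus a log check
for id enumeration. Every record, user and log line here is constructed."""
import re
import secrets
from collections import defaultdict

# Constructed sample store: application_id -> record, owner noted on each.
APPLICATIONS = {
    1001: {"owner": "alice", "name": "Alice Example", "passport": "P0000001"},
    1002: {"owner": "bob", "name": "Bob Example", "passport": "P0000002"},
    1003: {"owner": "carol", "name": "Carol Example", "passport": "P0000003"},
}


class NotFound(Exception):
    """Raised for any id the caller may not see; existence is never revealed."""


def get_application_vulnerable(session_user, app_id):
    """The flaw: the handler looks up whatever id the URL carries and never
    asks whether it belongs to the session user (session_user is ignored)."""
    rec = APPLICATIONS.get(app_id)
    if rec is None:
        raise NotFound(app_id)
    return rec


def get_application_secure(session_user, app_id):
    """Hardened: the record must belong to the logged-in user. A foreign id
    and an unknown id take the same path, so the reply leaks nothing."""
    rec = APPLICATIONS.get(app_id)
    if rec is None or rec["owner"] != session_user:
        raise NotFound(app_id)
    return rec


def new_reference():
    """Unguessable reference for new records: 24 random bytes, URL-safe.
    This removes guessability on top of the ownership check; it is not a
    substitute for that check ("security by obscurity" alone is the flaw)."""
    return secrets.token_urlsafe(24)


# Constructed access-log format: client user=<name> GET /application?id=<n> <status>
LOG_RE = re.compile(
    r"^(?P<ip>\S+) user=(?P<user>\S+) GET /application\?id=(?P<id>\d+) (?P<status>\d{3})$"
)


def enumeration_suspects(log_lines, threshold=5):
    """Return (ip, user) pairs that requested at least `threshold` distinct
    application ids. Failed lookups count too: a run of 404s on neighbouring
    ids is the same browser-only probing the article describes."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:  # lines that do not match the format are skipped
            continue
        seen[(m["ip"], m["user"])].add(int(m["id"]))
    return sorted(k for k, ids in seen.items() if len(ids) >= threshold)


# Constructed log excerpt: one ordinary user, one client walking the id space.
SAMPLE_LOG = [
    "198.51.100.4 user=alice GET /application?id=1001 200",
    "198.51.100.4 user=alice GET /application?id=1001 200",
    "203.0.113.7 user=mallory GET /application?id=1001 200",
    "203.0.113.7 user=mallory GET /application?id=1002 200",
    "203.0.113.7 user=mallory GET /application?id=1003 200",
    "203.0.113.7 user=mallory GET /application?id=1004 404",
    "203.0.113.7 user=mallory GET /application?id=1005 404",
    "this line is not in the log format and is ignored",
]

if __name__ == "__main__":
    print(get_application_vulnerable("alice", 1002))  # another applicant's record
    try:
        get_application_secure("alice", 1002)
    except NotFound:
        print("secure handler refused a foreign id")
    print(enumeration_suspects(SAMPLE_LOG))
```

The ownership check is the fix; the random reference only raises the cost of guessing. The threshold in `enumeration_suspects` is an assumption for the constructed log and would be tuned against real traffic, where a legitimate applicant rarely touches more than their own handful of records.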
I steeled myself to contravene the Computer Misuse Act by hacking the application database (don't try this at home folks) to get the required hands-on evidence, and discovered a breach that made the MTAS affair look insignificant by comparison. Thousands of applicants' data was exposed online, which anyone with a browser could view just by changing numbers in a URL. I accessed six people's applications, taking screenshots as I went - which proved to be hugely important later - that revealed not just names and addresses, spouses and children, employment histories, but also passport numbers and even travel plans. Armed with this evidence and my reputation as IT Security Journalist of the Year, I approached VFS Global and the FCO stating my intention to publish the facts, but not before giving them the chance to fix the problem.
As a member of the National Union of Journalists, I've signed a code of ethics that I take very seriously, under which it's quite wrong to publicly disclose a breach of this nature without doing everything possible to secure it first. If more journalists and "security researchers" were to take an ethical approach to disclosure, even at the expense of forfeiting a more sensational story, perhaps the IT industry would be more inclined to work with us over dealing with such problems. To cut a long story short, it took less than 24 hours, and just a handful of emails, to get this serious breach closed and, once I was happy that was the case, I went public with the story on my Inside Edge blog (you can read the original posting at www.daniweb.com/blogs/entry1466.html).