I fought the law...
Posted on 12 Jul 2007 at 17:00
Davey Winder reveals how he took on the government and won, and why incident disclosure is so important to your business...
If you're responsible for any web-based service that holds or processes personal information then take note, because this is important. The UK government got itself into all kinds of trouble when a Channel 4 investigation revealed that the NHS Medical Training Application Service (MTAS) database was seriously compromised: all it took to access data about doctors' sexual preferences and career choices was to change numerical identifiers in the URL. Naturally, this was big news, and the whole MTAS system has now been abandoned. Imagine my surprise, then, when I found an almost identical security breach within a more sensitive web-accessible database, one with national security implications. Here's how I broke the Online Visa Application security story, got the service shut down and had an investigation launched by the Information Commissioner. The moral of this tale: if a body with the budget and organisation of the UK government can make such mistakes, how confident can you be in your own security?
It started a year before I became involved, when an Indian citizen called Sanjib Mitra applied for a visa to work in the UK. The Foreign & Commonwealth Office (FCO) has outsourced the online collection of applications (not the whole process, just the form-filling) in various countries to VFS Global, a subsidiary of the Kuoni Travel Group. Mitra was using this system when he encountered a blank screen and his browser refused to go back. Wondering if he could salvage his application data by changing one of the numbers at the end of the complex URL to go back a page, he found that data certainly did appear, but it wasn't his!
Mitra had stumbled across the old "change the URL and access database records" security breach. This system is meant to provide "security by obscurity", the theory being that if you don't know the URL you can't get the data - unless, that is, the system is so insecure you can guess it. Not being a terrorist or identity thief, Mitra emailed VFS Global and received no response, so he contacted the British High Commission in India and received an automated "thanks for your concern". A year later, the breach remained open, which is when I got involved.
I steeled myself to contravene the Computer Misuse Act by hacking the application database (don't try this at home folks) to get the required hands-on evidence, and discovered a breach that made the MTAS affair look insignificant by comparison. Thousands of applicants' data was exposed online, which anyone with a browser could view just by changing numbers in a URL. I accessed six people's applications, taking screenshots as I went (which proved to be hugely important later). They revealed not just names and addresses, spouses and children, employment histories, but also passport numbers and even travel plans. Armed with this evidence and my reputation as IT Security Journalist of the Year, I approached VFS Global and the FCO stating my intention to publish the facts, but not before giving them the chance to fix the problem.
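The flaw in both the MTAS and visa systems is the same one: the server hands back whichever record the number in the URL points at, with nothing tying that record to the person asking. The following is an added example, not code from VFS Global, the FCO or this column, showing a constructed in-memory application store with the vulnerable lookup beside a hardened one, plus a simple log check a defender could run to spot someone walking the id space. The store, handler names and log format are all assumptions made for the illustration.

```python
"""Constructed demonstration of the "change the number in the URL" flaw
(an insecure direct object reference) beside a hardened lookup and a
log-based check. Store, handlers and log lines are hypothetical; this is
not code from VFS Global or the FCO."""
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Application:
    app_id: int   # sequential database key: trivially guessable
    owner: str    # account that submitted the application
    ref: str      # unguessable public reference used in URLs
    data: dict


class ApplicationStore:
    """In-memory stand-in for the application database."""

    def __init__(self):
        self._by_id = {}
        self._by_ref = {}

    def create(self, owner, data):
        app = Application(len(self._by_id) + 1, owner,
                          secrets.token_urlsafe(16), data)
        self._by_id[app.app_id] = app
        self._by_ref[app.ref] = app
        return app

    def by_id(self, app_id):
        return self._by_id.get(app_id)

    def by_ref(self, ref):
        return self._by_ref.get(ref)


def view_application_insecure(store, app_id):
    """The flaw: the only 'check' is knowing the number in the URL.
    Nothing ties the record to the person requesting it."""
    app = store.by_id(app_id)
    return app.data if app else None


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def view_application_secure(store, session_user, ref):
    """Hardened: the record must belong to the authenticated user, and the
    URL carries an opaque reference instead of a sequential id. Ownership
    is the real control; the opaque ref merely removes easy guessing."""
    app = store.by_ref(ref)
    if app is None or app.owner != session_user:
        raise Forbidden  # same response for missing and foreign records
    return app.data


# Constructed access-log format for the detection check below.
LOG_RE = re.compile(r"sess=(\S+) GET /application\?id=(\d+)")

SAMPLE_LOG = [  # constructed log lines: b7 walks four consecutive ids
    "2007-05-10T10:00:01 sess=a1 GET /application?id=1042",
    "2007-05-10T10:00:02 sess=a1 GET /application?id=1042",
    "2007-05-10T10:00:05 sess=b7 GET /application?id=2001",
    "2007-05-10T10:00:06 sess=b7 GET /application?id=2002",
    "2007-05-10T10:00:07 sess=b7 GET /application?id=2003",
    "2007-05-10T10:00:08 sess=b7 GET /application?id=2004",
]


def enumerating_sessions(log_lines, threshold=5):
    """Defender-side check: a session that requests many distinct
    application ids is walking the id space. Returns {session: sorted ids}
    for sessions at or above the threshold."""
    ids = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            ids[m.group(1)].add(int(m.group(2)))
    return {s: sorted(v) for s, v in ids.items() if len(v) >= threshold}


def demo():
    """Returns (what the flawed handler leaks, whether the hardened one blocks it)."""
    store = ApplicationStore()
    mine = store.create("applicant_a", {"passport": "CONSTRUCTED-1"})
    other = store.create("applicant_b", {"passport": "CONSTRUCTED-2"})
    leaked = view_application_insecure(store, mine.app_id + 1)  # id + 1
    try:
        view_application_secure(store, "applicant_a", other.ref)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
    print(enumerating_sessions(SAMPLE_LOG, threshold=3))
```

The point of the hardened handler is the ownership check, not the random reference: an opaque id stops casual guessing, but if the check on `app.owner` were dropped the service would again be relying on obscurity. The log check is deliberately crude (distinct ids per session) and in a real deployment would need tuning against legitimate staff workflows that view many records.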
As a member of the National Union of Journalists, I've signed a code of ethics that I take very seriously, under which it's quite wrong to publicly disclose a breach of this nature without doing everything possible to secure it first. If more journalists and "security researchers" were to take an ethical approach to disclosure, even at the expense of forfeiting a more sensational story, perhaps the IT industry would be more inclined to work with us over dealing with such problems. To cut a long story short, it took less than 24 hours, and just a handful of emails, to get this serious breach closed and, once I was happy that was the case, I went public with the story on my Inside Edge blog (you can read the original posting at www.daniweb.com/blogs/entry1466.html).