I fought the law...
Posted on 12 Jul 2007 at 17:00
Davey Winder reveals how he took on the government and won, and why incident disclosure is so important to your business...
If you're responsible for any web-based service that holds or processes personal information then take note, because this is important. The UK government got itself into all kinds of trouble when a Channel 4 investigation revealed that the NHS Medical Training Application Service (MTAS) database was seriously compromised: all it took to access data about doctors' sexual preferences and career choices was to change numerical identifiers in the URL. Naturally, this was big news, and the whole MTAS system has now been abandoned. Imagine my surprise then when I found an almost identical security breach within a more sensitive web-accessible database, one with national security implications. Here's how I broke the Online Visa Application security story, got the service shut down and an investigation by the Information Commissioner launched. The moral of this tale is that if a body with the budget and organisation of the UK government can make such mistakes, how confident are you of your security?
It started a year before I became involved, when an Indian citizen called Sanjib Mitra applied for a visa to work in the UK. The Foreign & Commonwealth Office (FCO) has outsourced the online collection of applications (not the whole process, just the form-filling) in various countries to VFS Global, a subsidiary of the Kuoni Travel Group. Mitra was using this system when he encountered a blank screen and his browser refused to go back. Wondering if he could salvage his application data by changing one of the numbers at the end of the complex URL to go back a page, he found that data certainly did appear, but it wasn't his!
Mitra had stumbled across the old "change the URL and access database records" security breach. This system is meant to provide "security by obscurity", the theory being that if you don't know the URL you can't get the data - unless, that is, the system is so insecure you can guess it. Not being a terrorist or identity thief, Mitra emailed VFS Global and received no response, so he contacted the British High Commission in India and received an automated "thanks for your concern". A year later, the breach remained open, which is when I got involved.
I steeled myself to contravene the Computer Misuse Act by hacking the application database (don't try this at home folks) to get the required hands-on evidence, and discovered a breach that made the MTAS affair look insignificant by comparison. Thousands of applicants' data was exposed online, which anyone with a browser could view just by changing numbers in a URL. I accessed six people's applications, taking screenshots as I went - which proved to be hugely important later - that revealed not just names and addresses, spouses and children, employment histories, but also passport numbers and even travel plans. Armed with this evidence and my reputation as IT Security Journalist of the Year, I approached VFS Global and the FCO stating my intention to publish the facts, but not before giving them the chance to fix the problem.
As a member of the National Union of Journalists, I've signed a code of ethics that I take very seriously, under which it's quite wrong to publicly disclose a breach of this nature without doing everything possible to secure it first. If more journalists and "security researchers" were to take an ethical approach to disclosure, even at the expense of forfeiting a more sensational story, perhaps the IT industry would be more inclined to work with us over dealing with such problems. To cut a long story short, it took less than 24 hours, and just a handful of emails, to get this serious breach closed and, once I was happy that was the case, I went public with the story on my Inside Edge blog (you can read the original posting at www.daniweb.com/blogs/entry1466.html).
- How to sell more ebooks on Amazon
- 10 ways to make your business more secure
- Top five VoIP mistakes
- How to add in-app purchasing to an iPhone, Android or Windows app
- Remote-control ransomware: TeamViewer and software hardball
- Why laptops with serial ports matter to the Internet of Things
- Make your mobile battery last longer
- Small steps into handling Big Data
- Nexus 5: does it really run stock Android?
- How to get broadband to a garden office
- 20 years of PC Pro: our best covers
- Why we've closed the PC Pro forums
- How to turn off Google Location Tracking
- 20 years of PC Pro: our greatest review mistakes
- 20 years of PC Pro: our first A-List
- Wikipedia's "right to be forgotten" protest hits the wrong note
- 3D printing hits the high street for plastic selfies
- 20 years of PC Pro: What amazed us in our first issue
- How Google Glass ruined my lunch hour
- Smartphone battery packs: can a USB power pack beat the festival battery blues?
- Microsoft refuses to hand over customer emails
- Microsoft yanks Windows 8.1 update after crash reports
- Microsoft backtracks on blocking out-of-date Java
- Gartner: time to start planning your Windows 7 upgrade
- Still on IE8? You've got 18 months to upgrade
- Who's buying Chromebooks? American schools
- Microsoft targets Windows in next Patch Tuesday
- Microsoft to block old ActiveX controls in security push
- Samsung and Apple call off all legal disputes, except in the US
- Microsoft ordered to hand over European data