19 October 2011

The law and hacking

Privacy and bad security

Recently a major superannuation fund (pension fund to those of you overseas) in Australia was "hacked" - First State Super complained to the police that Patrick Webster had told them that member accounts were easily accessible by anyone, and proved it to them.

The so-called hack was incredibly embarrassing for First State. It seems that the URL for a member to access their account simply used the member's account number! As quoted in the Sydney Morning Herald by Asher Moses:
Plenty of computer security experts have rounded on First State, not only for the heavy-handed way it treated Webster but also for failing to detect such a glaring and easily exploited security flaw. "Changing a number in a URL bar isn't even hacking ... anyone who configures their systems to work that way is negligent," said Patrick Gray, a specialist security journalist who first broke the First State story on his podcast, Risky.biz.
I think I might have written a web site using a similar technique in the first few weeks I learned to code for .NET. Who knows what First State was thinking in deploying this software if this story is true.

Privacy

The discussion that has arisen around mandatory data breach notification laws is timely. In this case First State only notified people whose account was listed by Mr Webster, but the fact was that the entire web site was flawed and it could have easily been harvested entirely by someone with a few scripting skills. Instead of blaming Mr Webster for accessing the data, First State should have blamed itself for poor security. Instead of threatening him it should have thanked him.

The letter from Minter Ellison (three and a half weeks later) apparently was a typical lawyer's job - I trust Mr Webster obtained some good advice in response. The quotations in the SMH obviously can't give the full picture of what has gone on, but there's a flavour that First State are more interested in having a crack at Mr Webster than looking at their own failings. What First State should be doing is not worrying so much about Mr Webster deleting any data (and goodness, if he was going to misuse it or sell it, it would have been long gone after three weeks) - it should be setting out to prove to its customers that no-one else has done it (a serious criminal isn't going to tell First State they've done it), and offering them free identity theft monitoring.

I'm pleased to see that the NSW Privacy Commissioner is going to take a look at this case - particularly since the limited notification by First State was not acceptable in his opinion.

Is hacking a crime? 

By way of example, the Criminal Code 1995 (Commonwealth) doesn't deal with hacking - it deals with unauthorised access to data. The Crimes Act 1900 (NSW) also deals with unauthorised access to data. Section 308B defines it as
access to... data... is unauthorised if the person is not entitled to cause that access...
It gets interesting when you read s 308H. It says (my paraphrase):
A person who accesses restricted data, and knows the access is unauthorised, and does it intentionally is guilty of an offence. (Max penalty 2 years imprisonment).
But did Webster access restricted data?

Restricted data is defined by s 308H (3) of the Act to be:
data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer.
Is it possible to say that First State had restricted access using an access control system? It's a pretty close call, and strongly arguable that they didn't.

Rather than an access control system, what we probably have is a data access system inherent in software for extracting data from a database and displaying it through a web server. I'll make a few assumptions here:
  • Mr Webster logged in - presumably using his own account;
  • which set a session cookie or other session identifier allowing him to use the web site; 
  • he typed things into the URL box in his browser;
  • that data was parsed by normal operation of the software, put into a SQL query, and the results returned. 
That's not access control - that is just how simple web applications work.
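As an added illustration (not code from the post, and not First State's software), here is a hypothetical statement handler in Python with sqlite3: the flawed version selects the row purely by the account number taken from the URL, the hardened version ties the lookup to the logged-in member; the table, logins, names and balances are constructed sample data.

```python
import sqlite3

# Constructed sample data (not First State's): two members, each with an
# account number that, in the flawed design, also appears in the URL.
MEMBERS = [
    (1001, "webster", "P. Webster", 12000.0),
    (1002, "smith", "A. Smith", 55000.0),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (account_no INTEGER PRIMARY KEY, "
               "login TEXT UNIQUE, name TEXT, balance REAL)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", MEMBERS)
    return db

def statement_vulnerable(db, session_login, url_account_no):
    """Hypothetical handler for /statement?account=N as the post describes it.
    The session only proves the caller is *some* logged-in member; the row is
    selected purely by the number typed into the URL, so changing that number
    returns another member's statement."""
    return db.execute(
        "SELECT name, balance FROM members WHERE account_no = ?",
        (url_account_no,),
    ).fetchone()

def statement_hardened(db, session_login, url_account_no):
    """Same handler with the missing authorisation check: the row must belong
    to the authenticated member. Folding the check into the query means there
    is no code path that fetches a row and forgets to compare owners."""
    row = db.execute(
        "SELECT name, balance FROM members "
        "WHERE account_no = ? AND login = ?",
        (url_account_no, session_login),
    ).fetchone()
    if row is None:
        # Same response whether the account does not exist or belongs to
        # someone else, so the URL cannot be used to enumerate valid numbers.
        return None
    return row

if __name__ == "__main__":
    db = make_db()
    # Logged in as "webster", asking for the neighbouring account number.
    print(statement_vulnerable(db, "webster", 1002))  # ('A. Smith', 55000.0)
    print(statement_hardened(db, "webster", 1002))    # None
    print(statement_hardened(db, "webster", 1001))    # ('P. Webster', 12000.0)
```

In a real deployment the `None` branch should also be logged, since a logged-in session requesting many account numbers it does not own is the harvesting pattern the post warns about.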

So, if Minter Ellison actually told Mr Webster that he had breached various pieces of criminal legislation, they probably want to have a good look at themselves.

An example which borders on access control is someone who gets a new home internet router, such as a D-Link, and turns it on, leaving the well-known admin username and password of admin and password. Is that an access control system? It's a little sturdier than a URL with an account number, but it's still fundamentally flawed.

If First State Super used a master password of "password" would that be an access control system? For a security consultant neither an account number in the URL nor an easily guessed password would be considered an access control system of any commercial value.

Why is all this important?

The law, if misunderstood by ill-informed people, makes it an offence to poke around your bank's or anyone else's web site to see how good their security is. If an account number in a URL is an "access control system" then it becomes a free-for-all for the baddies, because the goodies can't look. Luckily that is probably not the case.

Worse still, if you live in the USA you might run foul of the DMCA, where even the most hopeless access control system has been used to prevent competitors from producing rival compatible products, such as garage door openers.