If you recall, earlier this year there was a big to-do about the MTAS database thingy for junior doctors in the NHS. You may recall it was about as secure as a house with the door open and a doormat saying "ID thieves welcome". Those of us who follow the UK's laughable (sorry, stellar) record in IT procurement - motto "we pay more of your money and you get crap service if you're lucky" - will not be surprised to learn that some very similar errors have shown up elsewhere. One difference: they were first reported to HMG over a year ago. Via the Register there is this description of the problem:
Sanjib Mitra is a man who likes to be responsible and do the right thing. A year ago he discovered, quite by accident, that a little bit of URL tweaking could reveal personal data about people other than himself within a website database. He was completing a complicated application form himself when he was faced with a blank page and a browser back button that did nothing, so he tried changing numerical data at the end of the URL in an effort to salvage some of the information he had spent the previous hour entering. His reward was not time saved and the application retrieved, but rather the applications of pretty much anyone who had ever used the system at any time in the past, and all it took was a different number to be substituted in the URL.
Now this is nothing unusual; poorly designed sites make this kind of security gaffe all the time. Of course when it is a commercial site and it is customer data we are talking about then things take on a rather different perspective than the local bowling club membership database being exposed. Unfortunately, the website that Sanjib was logged on to at the time was VFS India, the British High Commission’s commercial partner in India to which it outsources the operation of visa application centres on behalf of the four visa departments in India. Indian citizens wishing to travel to the UK and requiring visas use this service to make their applications online.
Just to refresh your memory this is what the MTAS system allowed before it was fixed in April 2007:
This has affected first-year junior doctors - hundreds and hundreds of them. Whose sexual orientation, whose mobile telephone numbers, home addresses, etc. have been left wide open for anybody knowing the URL.
Now let us return to our Indian friend and the blog post I quoted above dated May 15 2007:
Given that Sanjib did the right thing, a year ago, and reported the problem to VFS as well as the British High Commission, why am I bothering to write about it now?
Mainly, it has to be said, because after a year that security hole was gaping as wide open as ever. Although I will refrain from posting precise details here, yesterday afternoon I was able to manipulate the data URL simply by changing what appears to be the date on which the application was made along with a sequence number. Doing this, entirely at random, brings up the visa application details of people ranging from someone who applied yesterday through to some who applied a year ago and I have the screenshots to prove it.
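What the quoted post describes is the textbook "insecure direct object reference": the URL's date and sequence number select the record, and nothing checks that the person asking owns it. The following is an added illustration, not code from VFS, UKvisas or the quoted blog; the record store, the field names and the (date, sequence) key are assumptions modelled on the description above. It shows the broken pattern next to the fix (authorisation at the point of access) and a defence-in-depth variant that exposes an unguessable reference instead of a guessable key.

```python
"""Insecure direct object reference on a visa-application lookup.

Added example, not code from VFS, UKvisas or the quoted blog. The store,
the field names and the (date, sequence) key are assumptions modelled on
the post: the real site keyed records by application date plus a sequence
number carried in the URL.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Application:
    owner: str          # login name of the applicant who created the record
    applied_on: str     # assumed YYYYMMDD string, mirrors the URL field
    seq: int            # assumed per-day sequence number
    details: dict = field(default_factory=dict)
    # Unguessable public reference, generated once when the record is created.
    ref: str = field(default_factory=lambda: secrets.token_urlsafe(16))


# Constructed sample data: two applicants, three applications.
STORE = [
    Application("asha", "20070514", 1, {"passport": "[constructed]", "phone": "+91-00000"}),
    Application("asha", "20070515", 2, {"passport": "[constructed]"}),
    Application("sanjib", "20070515", 3, {"passport": "[constructed]"}),
]


def lookup_vulnerable(applied_on: str, seq: int):
    """The pattern the inquiry describes: the URL parameters alone select
    the record and nothing checks who is asking, so anyone can walk through
    every application ever filed by changing the number."""
    for app in STORE:
        if app.applied_on == applied_on and app.seq == seq:
            return app.details
    return None


def lookup_hardened(session_user: str, applied_on: str, seq: int):
    """Authorisation at the point of access: same key, but the record is
    only returned if it belongs to the session user. Returning None for
    both 'missing' and 'not yours' avoids confirming that a key exists."""
    for app in STORE:
        if app.applied_on == applied_on and app.seq == seq:
            return app.details if app.owner == session_user else None
    return None


def lookup_by_ref(session_user: str, ref: str):
    """Defence in depth: expose a random reference instead of the
    date+sequence key so the URL cannot be enumerated, and still enforce
    ownership, because a reference that leaks (screenshot, shared link,
    proxy log) must not become a bearer token."""
    for app in STORE:
        if secrets.compare_digest(app.ref, ref):
            return app.details if app.owner == session_user else None
    return None
```

The ownership check is the fix; the random reference on its own would only have slowed an enumeration down, which is why `lookup_by_ref` still checks the owner.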
Well, after a year of being told about the thing privately and ignoring it, the FCO and its outsourcers did, sort of, fix the issue by closing the website, and an independent inquiry was launched. The investigator's report has now been produced and no punches are pulled. Here are some of the relevant paragraphs:
UKvisas recently obtained an expert assessment of the basic data security provided by the VFS online website. The findings were that the site had many security weaknesses, and that many of these weaknesses were amongst the most understood and documented security concerns in the computing industry. The expert view was that none should be present within a securely designed website.
I note that during the technical investigations, several screenshots provided by VFS highlighted wider security concerns. These screenshots of the management console used to access and configure the firewalls also showed users actively engaged in Skype conversations and logged onto webmail packages. These entities are considered to have poor security when used in isolation. Using them whilst accessing security device management consoles shows that standard acceptable usage policies are either not in place or not followed.
In addition to these technical assessments, I formed my own view that VFS procedures in relation to passwords for its own data users fell far short of even basic good practice. That view has been confirmed by a recent (June 2007) gap analysis report for VFS in relation to its work in a specific visa application centre. VFS staff did not each have a unique user ID and password and there was inadequate advice provided on password confidentiality. Although this issue is not directly related to unauthorised external access to personal data provided to and processed by VFS, I mention it as it demonstrates a very poor level of real understanding of information assurance and data security. There has been, in my view, inadequate protection of data security within VFS itself.
A later report from the hosting company, S, has been examined by IT experts, who consider that the details within the report do not provide all of the information required for a standard vulnerability report, and appear to merely list the state of patching of the server infrastructure. They noted that the report highlighted the existence of a Windows 2003 server that had Service Pack 2 installed, recommending that this equipment should use the earlier Service Pack 1. This was, in the expert’s view, a fundamental mistake that, if implemented, might have resulted in regressing the security of the product because, for example, any new patches or security enhancements delivered through Service Pack 2 would be lost.
My independent IT advisers have provided a helpful and technically detailed report, which I shall, in due course, provide to VFS and UKvisas for their information. From the information available, they noted that authorisation on the website was ineffective for a number of reasons. The application had not, for example, been designed to require authorisation for Mr Mitra to view the information that he accessed accidentally. The application appeared to create, and then allow public access to certain files in publicly viewable directories on the webserver.
My IT advisers also noted that the tester who owed a duty of care to UKvisas was able to view a user’s security question from the database using an SQL injection technique. Structured Query Language (SQL) is a platform independent way of interrogating databases and SQL injection is a well known (in the industry) method that can be used by an attacker to bypass the intended security controls of a website if these security controls are poorly configured.
I note also that VFS were not collecting SQL logs. As part of the normal operation of an SQL database, logs are generated which reflect activity of that database - these are typically configurable, and can include a record of write, modify, deletion of data. The lack of SQL logs means that the probability of being able to detect SQL injection was low. IT experts noted that the log collecting mechanism was of low integrity as logs were left to reside on servers for significant periods of time without specific protection.
I note the expert view that the VFS online system is so poor that it should be completely re-written - one expert described it as an upside down pyramid, where piling more levels of changes and processes on the top only makes it more likely to fall over. I recommend that the VFS online application system should not be re-opened, though I note UKvisas has already reached that decision. I also note that VFS has accepted that it is not an IT company and that it needs to outsource its software writing.
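Two of the report's findings go together: the site could be walked record by record through the URL, and there was no database logging, so "the probability of being able to detect SQL injection was low". Even without database-side logs, the web server's access log records both behaviours, and the following added example (not code from VFS, UKvisas or the inquiry) shows the detection logic a defender would run over it. The log format (Apache combined, with the session cookie in a trailing field), the request paths and the log lines themselves are constructed for the example.

```python
"""Detecting ID enumeration and injection indicators in web access logs.

Added example, not code from VFS, UKvisas or the inquiry. The log format,
the /application/view path and its date/seq parameters are assumptions;
every log line below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "sess=(?P<sess>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# A quote or comment sequence followed by an SQL keyword is a reasonable
# first-pass indicator; it will not catch everything and needs tuning on
# real traffic, but it is far better than the nothing VFS had.
SQLI_RE = re.compile(r"(['\"]|--|/\*)\s*(or|and|union|select|drop)\b", re.I)

# Constructed access log: session A1 walks five application keys in under a
# minute; session B2 views one record and then sends an injection-shaped
# value to the security-question reset page.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2007:14:02:01 +0530] "GET /application/view?date=20070515&seq=41 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "sess=A1"
203.0.113.7 - - [15/May/2007:14:02:09 +0530] "GET /application/view?date=20070515&seq=42 HTTP/1.1" 200 5010 "-" "Mozilla/5.0" "sess=A1"
203.0.113.7 - - [15/May/2007:14:02:15 +0530] "GET /application/view?date=20070515&seq=43 HTTP/1.1" 200 4990 "-" "Mozilla/5.0" "sess=A1"
203.0.113.7 - - [15/May/2007:14:02:22 +0530] "GET /application/view?date=20060601&seq=7 HTTP/1.1" 200 5300 "-" "Mozilla/5.0" "sess=A1"
203.0.113.7 - - [15/May/2007:14:02:30 +0530] "GET /application/view?date=20060601&seq=8 HTTP/1.1" 200 5280 "-" "Mozilla/5.0" "sess=A1"
198.51.100.2 - - [15/May/2007:14:03:00 +0530] "GET /application/view?date=20070515&seq=44 HTTP/1.1" 200 5100 "-" "Mozilla/5.0" "sess=B2"
198.51.100.2 - - [15/May/2007:14:04:10 +0530] "GET /account/forgot?user=asha%27%20OR%201%3D1 HTTP/1.1" 200 800 "-" "Mozilla/5.0" "sess=B2"
"""


def parse(line):
    """One access-log line to a dict; None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    parts = urlsplit(ev["url"])
    ev["path"] = parts.path
    # parse_qs already percent-decodes the values.
    ev["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return ev


def find_enumeration(events, window_seconds=60, threshold=5):
    """Flag sessions that request at least `threshold` distinct application
    keys within `window_seconds`. A genuine applicant views one or two of
    their own records; walking date+sequence pairs looks very different."""
    hits, flagged = [], set()
    recent = defaultdict(deque)  # session -> deque of (timestamp, key)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["path"] != "/application/view":
            continue
        key = (ev["params"].get("date"), ev["params"].get("seq"))
        q = recent[ev["sess"]]
        q.append((ev["ts"], key))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {k for _, k in q}
        if len(distinct) >= threshold and ev["sess"] not in flagged:
            flagged.add(ev["sess"])
            hits.append((ev["sess"], ev["ip"], len(distinct)))
    return hits


def find_sqli_indicators(events):
    """Flag requests whose decoded parameters carry injection-shaped
    fragments. With no database-side query log, the access log is the only
    place this activity leaves a trace."""
    return [(ev["sess"], k, v) for ev in events
            for k, v in ev["params"].items() if SQLI_RE.search(v)]


def analyse(log_text):
    events = [ev for ev in map(parse, log_text.splitlines()) if ev]
    return find_enumeration(events), find_sqli_indicators(events)


if __name__ == "__main__":
    enumeration, sqli = analyse(SAMPLE_LOG)
    print("enumeration:", enumeration)
    print("injection indicators:", sqli)
```

The enumeration detector keys on the session rather than the IP address, because several applicants at one visa centre will share an address while one browsing user keeps one session; the threshold and window are starting points to be tuned against normal traffic.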
I suspect that whatever report has been made into MTAS will come to similar conclusions. The government outsourced the project to the low bidder, who was incompetent, and the government performed no third-party audit or other validation to ensure that the end result was secure. Furthermore, unlike any reputable commercial enterprise, the government and its outsourcers pay little or no attention to security issues that are raised privately. The only way to get their attention is to tell Channel 4 news.
I note all this because, as TimW noted yesterday, the government issued the initial tenders for the ID card scheme. I can't be arsed to read the verbiage, as it will undoubtedly be almost as incomprehensible as the EU "not a constitution honest guv" treaty, but although I sincerely hope that whoever implements it will think about security and do it properly, I fear that the opposite will occur. I also fear that the first whistleblowers to go public with reports of breaches will find themselves arrested and prosecuted for hacking.