Wednesday, June 08, 2005

Morris Tribunal learns pitfalls of security through obscurity

The Sunday Times (free reg. required) has an interesting story illustrating official ignorance of basic information security:
Tribunal hacker 'was in press agency building'
Stephen O’Brien

THE Press Association of Ireland was threatened with heavy fines and jail sentences by Justice Frederick Morris last week after revealing that it had gained access to his report on garda corruption in Co Donegal before the official launch.

The wire service, the Irish arm of the London-based Press Association (PA), was suspected of hacking into the tribunal’s website to obtain the report. Michael McDowell, the justice minister, claimed that more than 350 separate attempts were made to overcome internet security measures guarding a web version of the report, forcing the authorities to release it earlier than planned.

McDowell did not say who was responsible, but The Sunday Times has established that the “hacking” was traced to PA’s building in Harcourt Street, central Dublin.

Morris, a former High Court president, told journalists at the wire service that he would prosecute anyone who published his report before its official release for obstructing or hindering the work of the tribunal, an offence carrying up to €12,700 in fines and up to two years in prison.

The judge wrote personally to PA in an urgently faxed letter on Tuesday, after staff at the agency contacted the tribunal to verify the authenticity of the report they had found on the web. PA, Britain and Ireland’s largest news agency, immediately agreed to observe the embargo on publication.

PA declined to comment this weekend, but a source at the agency confirmed that the Dublin office got a phone call from a source who explained how to get the report from the website.

“Personally, I think it was a bit of a security cock-up by the tribunal,” the PA source said. “The web link was morristribunal.ie/ and then a series of numbers.”

A government source, however, said the computer used to attack the web security around the report was in the same Dublin building as the PA office. Rogue computer software known as spyware was attached to the server used to “air” the Morris tribunal website.

This spyware then uncovered the secret web link to the tribunal’s report when it was being stored in a supposedly secure location before the official government release.

The spyware notified the hacker when the report was put on the web at 10am on Tuesday, the source said. Over the 70 minutes, 350 attempts were made to access it.

The release of the report was brought forward several days by McDowell after discussions with the tribunal over the compromised security. No complaint has been made to gardai by the tribunal, although experts were able to trace the unique identification number of the computer used to hack into the tribunal site.

Strip away the breathless talk of "hacking", "internet security measures", "rogue computer software", "spyware" and "secret web links" and we have the mundane reality that somebody messed up by posting the report on a public web site, hoping that nobody would find it. An equivalent would be a person placing a book on the shelves in a library, but believing that it is "secret" because it does not appear in the library catalogue. The talk of "hacking" is a smokescreen.

So did reading the report amount to an offence? Unlikely. Under Irish law, the relevant offence would be access without lawful excuse. However, material published on the public web carries with it an implied permission to access that material. Where a publisher hasn't taken steps to limit that permission, then it will be difficult if not impossible to show, beyond a reasonable doubt, that (a) the reader acted without permission, and (b) the reader knew (or perhaps should have known) that they were acting without permission.

A similar issue arose three years ago when Reuters accessed an earnings report, posted on the public website of Swedish IT group Intentia, before its official release. Intentia filed a complaint with the Swedish police. The public prosecutor, however, found that no crime had been committed:
The prosecutor Mr Hakan Roswall chose to do nothing with Intentia's complaint. Mr Roswall concludes that it is illegal to access information stored in a computer that the proprietor deems to be secret and the proprietor protects. Mr Roswall states that Intentia did not clearly state that the information should be secret and did not protect the information. On the contrary it was very easy to access the information. Intentia stated that the report would be available at a certain time, and you only had to slightly change the URL (web address) from the report of the previous quarter in order to obtain the current report. Hence, Mr Roswall will not initiate proceedings against Reuters or any of its reporters.

Update: I've just found a post by Feargal McKay at the Sigla Blog which beats me to the punch on this issue.

3 comments:

  1. TJ - thanx for the link. I hadn't seen the Sunset Times piece, this was just a story I knew from the grapevine, but there's some additional info in that Sunset Times piece that amuses me, partic McDowell's allegation that "there were more than 350 separate attempts [...] to overcome internet security measures guarding a web version of the report." What he means is that the report was accessed 350 times. There was no security.

    For those who are curious as to how to "hack" like the Morris Tribunal "hacker", you might like to visit the report's site (www.morristribunal.ie) and go to the download area (left nav, second from bottom). If you have a look in your browser's URL bar, you'll see that the URL contains certain info. The piece of info that interests you is the RecordID. Start changing that RecordID yourself, and you'll pull back the info behind that RecordID. Given the actual URL of the unpublished Morris tribunal report, I imagine that this is how it was found. So be careful, if you find something that isn't yet published, Minister McDowell will send you to sing-sing as a hacker.

    But is this hacking? I firmly believe it is not and think McDowell will have a hard time proving it is. If you asked me for the URL of the Morris tribunal download area, and I typed it rather than cutting and pasting it, but inadvertently made an error when it came to the RecordID part of the URL, would that error qualify me as a hacker? That would mean that every time any of us mistype any URL we are hacking.

    The people who supplied the Morris tribunal software could have avoided this issue by designing their content management system a little bit better. As a web developer, I am conscious of the fact that users will routinely deliberately or accidentally change elements of URLs. It happens. You design against it happening in a way as would cause damage or embarrassment.

    Alternatively, the Morris tribunal staff could have avoided this issue by not being so stupid as to leave their report sitting on a publicly accessible web server so far in advance of its publication date.

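
The post's point (an unpublished report left on a public server, protected only by an unlinked URL) and this comment's call to design against users changing RecordIDs can both be shown in code. The following is an added example, not code from the Morris Tribunal site, its CMS supplier, the Press Association or anyone on this page; the record catalogue, release times, IP addresses and log lines are constructed, and the `/download?RecordID=` URL shape, `fetch_record` and `detect_enumeration` are assumptions made for the illustration. It shows the server-side embargo check that makes URL guessing harmless, and a log scan that would have surfaced 350 sequential requests in 70 minutes as they happened rather than after the fact.

```python
"""Embargo enforcement and RecordID-walk detection for a download area.

Added example (not the tribunal's or the Press Association's code). Two
defensive measures for a CMS that keys documents by a numeric RecordID:

  1. fetch_record: the release time is checked on the server, so a guessed
     or mistyped RecordID cannot bypass an embargo (no security through
     obscurity).
  2. detect_enumeration: an access-log scan that flags a client walking
     consecutive RecordIDs, the pattern behind "350 attempts in 70 minutes".

Every record, timestamp, address and log line below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Record:
    record_id: int
    title: str
    release_at: datetime  # embargo lifts at this instant
    body: str


# Constructed catalogue: two released documents and one still embargoed.
CATALOGUE = {
    101: Record(101, "Opening statement", datetime(2005, 5, 1, 9, 0), "statement text"),
    102: Record(102, "Interim ruling", datetime(2005, 5, 20, 9, 0), "ruling text"),
    103: Record(103, "Final report", datetime(2005, 6, 10, 10, 0), "report text"),
}


def fetch_record(record_id, now):
    """Return (http_status, body) for a download request made at `now`.
    Unknown and not-yet-released IDs both get 404, so the response neither
    serves the document early nor confirms that it exists."""
    rec = CATALOGUE.get(record_id)
    if rec is None or now < rec.release_at:
        return 404, "Not found"
    return 200, rec.body


# Assumed log shape: <ip> [<timestamp>] "GET /download?RecordID=<n> ..." <status>
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET /download\?RecordID=(?P<rid>\d+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_log(lines):
    """Yield (ip, timestamp, record_id) for download requests; skip other lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["rid"])


def detect_enumeration(lines, window=timedelta(minutes=70), min_requests=20,
                       min_distinct=10, min_consecutive=0.8):
    """Return {ip: (requests, lowest_id, highest_id)} for clients whose requests
    inside some `window` show ID walking: many requests, many distinct IDs,
    and mostly +1 steps between the IDs seen. A reader following links fetches
    a handful of unrelated IDs and never trips this."""
    by_ip = defaultdict(list)
    for ip, ts, rid in parse_log(lines):
        by_ip[ip].append((ts, rid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window
                start += 1
            count = end - start + 1
            ids = sorted({rid for _, rid in events[start:end + 1]})
            if count < min_requests or len(ids) < min_distinct:
                continue
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            if steps / max(len(ids) - 1, 1) >= min_consecutive:
                if ip not in flagged or count > flagged[ip][0]:
                    flagged[ip] = (count, ids[0], ids[-1])  # keep the widest window
    return flagged


def constructed_log():
    """Constructed access log: one reader fetching the two released records and
    one client stepping through RecordID 90..129 at ninety-second intervals."""
    t0 = datetime(2005, 6, 7, 10, 0, 0)

    def line(ip, offset, rid, status):
        ts = (t0 + offset).strftime(TS_FMT)
        return f'{ip} [{ts}] "GET /download?RecordID={rid} HTTP/1.1" {status}'

    lines = [line("192.0.2.10", timedelta(minutes=5), 101, 200),
             line("192.0.2.10", timedelta(minutes=6), 102, 200)]
    lines += [line("198.51.100.7", timedelta(seconds=90 * i), 90 + i, 404)
              for i in range(40)]
    return lines


if __name__ == "__main__":
    print(fetch_record(103, datetime(2005, 6, 7, 10, 30)))   # embargoed, 404
    print(fetch_record(103, datetime(2005, 6, 10, 10, 0)))   # released, 200
    print(detect_enumeration(constructed_log()))
```

The two halves make different points. The release check is the real fix: once the server decides by timestamp, it does not matter whether the URL is guessable, because the embargoed record does not exist as far as any client can tell. The log scan is the compensating control for a site that has already published sequential IDs; its thresholds are deliberately generous, since a single mistyped RecordID (the scenario in the comment above) or a handful of curious clicks never reaches twenty consecutive IDs in one window.
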
  2. I would have thought that there was some argument to make that a public website should only be accessed through the interface as provided by the website owner, particularly where there was an AUP that stated such.

  3. Planetpotato - you might well make that argument in a civil context. I don't think it would be successful in a criminal matter. It's unlikely that a court will be prepared to convict a person based on the uncertain parameters of the implied permissions of public sites, particularly when URL guessing is a well established web convention. Granted, an AUP could displace that implied permission, but in that case you'd have to demonstrate that the user read the AUP and realised that access was forbidden.