AOH :: ISNQ4907.HTM

Passport security breach repaired, official says




Passport security breach repaired, official says
Passport security breach repaired, official says



http://www.theglobeandmail.com/servlet/story/RTGAM.20071205.wpassport05/BNStory/National/home 

By Kenyon Wallace
Globe and Mail
December 5, 2007

Passport Canada says that a security breach in its passport application 
website that allowed easy access to the personal information of 
applicants has been repaired.

"We're definitely looking into how this happened, but right now, it's 
fixed," said Fabien Lengelle, a spokesman for Passport Canada. "We are 
very committed to security and we would like to reassure the Canadian 
public that passport online is a secure application."

Mr. Lengelle added that the personal information of applicants is never 
stored online.

However, an Ontario man applying online for a passport last Thursday 
discovered he could access personal information - such as social 
insurance numbers, birthdates and driver's licence numbers - of other 
applicants by altering one character in the Internet address displayed 
by his Web browser.

Passport Canada shut the website down on Friday, but when it was 
reopened on Monday afternoon, the personal information of applicants 
could still be accessed. In November, 29,000 people entered their 
personal data into the website, according to Mr. Lengelle.

During Question Period yesterday, Foreign Affairs Minister Maxime 
Bernier told the House of Commons that he spoke with Passport Canada CEO 
Grard Cossette and was assured that the security problem had been fixed.

"Now the Internet site of Passport Canada is one of the most secure," 
Mr. Bernier said.

The security breach discovery comes in the midst of an audit of Passport 
Canada's handling of personal information. The audit, undertaken by the 
office of the federal Privacy Commissioner in the fall, is examining 
whether the federal agency is meeting its obligations under the Privacy 
Act.

Colin McKay, a spokesman for the Privacy Commissioner, said the audit 
will now include the website security breach.

Mr. McKay said Privacy Commissioner Jennifer Stoddart would not comment 
on the security flaw until she received more information from 
investigators.

The passport application website, launched in January, 2005, uses a 
combination of policy and technology - called Public Key Infrastructure
- that is supposed to provide secure online working environments. To 
apply for a passport online, users must obtain an e-pass that allows 
access to services with enhanced security. The e-pass Canada website 
states that session cookies - small pieces of data specific to an 
applicant's computer that are exchanged with the website - may be 
used.

But cookies are not the best way to ensure security, says Carlisle 
Adams, an Internet data security expert and professor at the University 
of Ottawa.

"People can hijack cookies from other people's sessions or someone could 
log on to somebody else's browser through a virus or by physically using 
their computer," Mr. Adams said. "It's not foolproof security by any 
means."

Identity theft in Canada is on the rise, fuelled in part by advances in 
technology, according to Inspector Barry Baxter, officer in charge of 
counterfeit and identity fraud with the RCMP.

Insp. Baxter said personal information is usually stolen to obtain goods 
and services under someone else's name, or to assume someone else's 
identity.

"You can submit false applications, apply for credit cards, apply for 
health services, and all those kinds of services that require you to 
identify yourself," Insp. Baxter said.

Combatting identity theft is especially difficult because the crime is 
global, he added. "There's a different scam every minute of the day."

The federal government is considering implementing legislation that 
would require private sector organizations to disclose security 
breaches. On Nov. 21, Justice Minister Rob Nicholson introduced 
legislation making it an offence to obtain, possess or traffic identity 
information for the purposes of committing a crime.


Major security breaches

The following are major security breaches in 2007:

January: TJX Cos., parent company of retail outlets Winners and 
HomeSense, told the public that computer hackers may have up to two 
million Canadian credit card numbers.

January: CIBC subsidiary Talvest Mutual Funds lost a computer file with 
account information for 470,000 customers while in transit between 
company offices.

April: A computer disc containing social security numbers, addresses, 
and birthdates of almost three million patients went missing from 
Affiliated Computer Services, a private contractor handling health-care 
claims for the Department of Community Health in Atlanta.

August: Monster.com announced that hackers broke into the U.S. online 
recruitment site's password-protected library and stole the personal 
information of at least 1.3 million job seekers.

September: Contact information for more than 6.3 million customers of 
the Omaha-based online brokerage firm TD Ameritrade Holding Corp. was 
stolen after a company database was hacked.

November: Britain's tax and customs service announced it lost disks 
containing banking and personal data of 25 million people.


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/ 

Site design & layout copyright © 1986-2014 CodeGods