Theft of information… and why KRIPOS fucks it up.

Written by vidarlo on 20070916 in Censorship and english and privacy and rants with 12 comments.

Identity
Recently, quite a lot of information about individuals has been floating around in Norway. The government seems to ignore the problem and instead silences the people who complain about it and uncover it.

Traditionally, identity theft has not been much of a problem in Norway, but this has changed in the last few years, and this incident could pave the road for really large-scale identity theft.

A short time-line of the events so far

Here’s a short time-line, since most foreigners probably aren’t familiar with the background of the case. It is accurate as far as I know.

The last incident is quite interesting. Notable people, like Gisle Hannemyr, maintain that nothing illegal is being done.

What birth numbers mean in Norway

In Norway, each individual is identified by his or her date of birth, written in the form ddmmyy. A 5-digit personnummer (three individual digits followed by two check digits) is tacked on at the end to make the 11-digit number unique. This is not quite the Norwegian version of the American Social Security Number, but it’s the best analogy I can think of.

The purpose of the birth number is to identify an individual. It has historically been treated as a secret, although the law clearly says it is not sensitive or secret information.

For example, one can:

The security hole

The algorithm for generating/checking birth numbers is public. There’s no reason why it shouldn’t be: it would be trivial to reverse engineer, and it is a quite useful tool for (legitimately) checking whether a birth number has been entered correctly.

By starting from a date of birth you’re interested in, you can quickly generate all valid birth numbers for that date using the algorithm. Then you feed the generated numbers into altinn.no, the website for reporting income and the like to the Norwegian government. Altinn has security hole #1: it confirms whether you have a real number assigned to a living person or simply a number not in use, i.e. it acts as an enumeration oracle. Security 101 says that a system should respond in exactly the same way whether the user-name/credentials are correct or not.

Then you take the validated numbers over to a website like Tele2’s and feed them into the order form there. To make it easy, it was enough to enter one’s birth number, and the system fetched your name and address from the central Norwegian Registry Office, which maintains records of all living and dead people. This is security hole #2, and by far the biggest: by assuming that a birth number is enough to authenticate a person, you let everyone with access to other people’s birth numbers authenticate as those people.
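To make the first step concrete, here is an added example (my own code, not the PoC discussed in this post) of the public mod-11 check-digit scheme for Norwegian birth numbers, used both to validate a number and to enumerate every check-digit-valid number for a date. It also shows, from the service side, what such an enumeration looks like in an access log: the log format, the client addresses and the log lines are constructed for the example, and `enumeration_suspects` is a hypothetical detector, not anything Altinn or Tele2 runs. Nothing here talks to altinn.no or Tele2; the point is that the candidate set per date is under a thousand, not 10^5.

```python
"""Norwegian birth number (fødselsnummer) check digits, per-date enumeration,
and a log-side detector for the enumeration pattern.  Added example; the
weight tables are the public mod-11 scheme, everything else is constructed."""
from collections import defaultdict
from datetime import datetime

# Public mod-11 weights for the two check digits k1 and k2.
K1_WEIGHTS = (3, 7, 6, 1, 8, 9, 4, 5, 2)
K2_WEIGHTS = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)


def _check_digit(digits, weights):
    """Mod-11 check digit for `digits`, or None when the remainder would
    require the digit 10 (such numbers are never issued)."""
    r = sum(d * w for d, w in zip(digits, weights)) % 11
    k = 0 if r == 0 else 11 - r
    return None if k == 10 else k


def is_valid(fnr: str) -> bool:
    """True if `fnr` is 11 digits with a plausible ddmmyy date and both check
    digits correct.  This is an integrity check only: it says nothing about
    whether the number is actually assigned to anyone."""
    if len(fnr) != 11 or not fnr.isdigit():
        return False
    d = [int(c) for c in fnr]
    try:
        datetime.strptime(fnr[:6], "%d%m%y")  # ordinary birth numbers only
    except ValueError:
        return False
    k1 = _check_digit(d[:9], K1_WEIGHTS)
    if k1 is None or k1 != d[9]:
        return False
    k2 = _check_digit(d[:10], K2_WEIGHTS)
    return k2 is not None and k2 == d[10]


def generate_for_date(ddmmyy: str, sex: str = "") -> list:
    """Enumerate every check-digit-valid birth number for a date of birth.
    The 9th digit (last digit of the individual number) is odd for men and
    even for women, so passing sex="M" or "F" halves the candidate set."""
    base = [int(c) for c in ddmmyy]
    out = []
    for individual in range(1000):
        i = [individual // 100, individual // 10 % 10, individual % 10]
        if sex == "M" and i[2] % 2 == 0:
            continue
        if sex == "F" and i[2] % 2 == 1:
            continue
        k1 = _check_digit(base + i, K1_WEIGHTS)
        if k1 is None:
            continue
        k2 = _check_digit(base + i + [k1], K2_WEIGHTS)
        if k2 is None:
            continue
        out.append(ddmmyy + "".join(map(str, i)) + f"{k1}{k2}")
    return out


def build_sample_log() -> list:
    """Constructed access log: one client walking the candidates for a single
    date (the enumeration pattern) plus two ordinary single lookups.
    Format (hypothetical): '<timestamp> <client> lookup fnr=<n> result=<r>'."""
    lines = []
    for fnr in generate_for_date("010190")[:12]:
        lines.append(f"2007-09-10T10:00:00 203.0.113.7 lookup fnr={fnr} result=unknown")
    lines.append("2007-09-10T10:01:00 198.51.100.4 lookup fnr=01019012480 result=found")
    lines.append("2007-09-10T10:02:00 198.51.100.9 lookup fnr=31129912345 result=unknown")
    return lines


def enumeration_suspects(log_lines, threshold: int = 5) -> dict:
    """Return {client: {ddmmyy: count}} for clients that looked up more than
    `threshold` distinct birth numbers sharing one date prefix.  Someone
    checking their own number hits one prefix once; an enumerator hits it
    hundreds of times.  Hypothetical detector over the constructed format."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        fields = dict(f.split("=", 1) for f in parts[3:])
        fnr = fields.get("fnr", "")
        if len(fnr) == 11:
            seen[(parts[1], fnr[:6])].add(fnr)
    suspects = defaultdict(dict)
    for (client, prefix), nums in seen.items():
        if len(nums) > threshold:
            suspects[client][prefix] = len(nums)
    return dict(suspects)


if __name__ == "__main__":
    cands = generate_for_date("010190")
    print(len(cands), "check-digit-valid numbers for 01.01.90")
    print(enumeration_suspects(build_sample_log()))
```

Two things worth noticing: the generator never needs to contact anyone, which is exactly why the post says no security measure is bypassed; and on the service side the pattern is trivial to spot, because a legitimate user never submits dozens of different numbers for the same birth date.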

The program is really, really trivial. Any programmer who knows regular expressions, how to make an HTTP request and a tiny bit of HTML can write such code. And again, this program bypasses no security measures!

The core problem is indeed that a birth number is an identifier, not an authenticator. In short: no cracking was done. In reality, the PoC code only automated what you could have done with a normal calculator and a web browser!

The core problem

The really sad part about this story is that the core of the problem gets no attention. You can still steal a person’s identity with just the birth number. Tele2 and the other companies have clearly broken Norwegian law (§13, part 1 of Personopplysningsloven, the law on the handling of information about individuals, for those interested); they have been reported to the police, but the case was dismissed.

In Norway, you need a permit from Datatilsynet to store sensitive information about individuals if you plan to use it in a business- or organisation-related setting. You don’t need any kind of permit to compile a database of individuals for your own private use. However, Kripos doesn’t buy that. Any serious hacker cracking a site(!) must be harmful and must be raided, even if he only got away with maybe a few hundred of the total hundreds of thousands.

Another scary part is that some bloggers who have covered the case and spoken in favour of the people who used the program have been brought in for questioning by the police. They probably want to know their sources, and to harass them.

And again: the funny thing is that the program just automated something you could do with your web browser and a bit of patience… So KRIPOS decides to go after those who have used it and who (according to several people) probably have not broken a single law. However, Tele2 and the other operators, which have clearly broken Personopplysningsloven §13, part 1, have faced no reaction so far. POL §13.1 places the burden of protection on the owner of the database in question.

(Lars, 16, the author of the program, has not yet been caught.)

Oh, and please take care to digg this entry.


12 Responses to “Theft of information… and why KRIPOS fucks it up.”

  1. It’s good that someone sheds some light on the PROBLEM instead of running around blaming scapegoats. KRIPOS really handled this wrong.

  2. About your time-line, regarding September 13: According to this news article ( http://www.dagbladet.no/nyheter/2007/09/15/512195.html ) the number of 52 raids by KRIPOS is probably not correct.

    Other than that I would like to thank you for highlighting this topic, and for seeking attention by writing in English for the audience abroad to see and laugh at our law-enforcing authorities. This is too important to pass without getting fixed!

  3. If no laws were broken by the 52 arrested, it should be pretty easy for them to clear their names and seek damages?

    And can’t any Norse citizen file complaint at KRIPOS against the telecoms?

  4. Willem: They have been reported to the police, but the case was just put away without any investigation.

  5. […] Theft of information… and why KRIPOS fucks it up. Posted by Deezire on Tuesday, September 18, 2007, at 9:15 pm, and filed under Media, Kripos, Security. Follow any responses to this post with its comments RSS feed. You can post a comment or trackback from your blog. […]