Skip to content

Theft of information… and why KRIPOS fucks it up.

Recently, quite a lot of information about individuals have been aloft in Norway. The government seems to ignore the problem, and just silence the people complaining and uncovering the problem.

Traditionally, identity theft has not been much of a problem in Norway, but this has changed the last few years, and this incident could pave the road for really large scale identity theft.

A short time-line of the events so far

Here’s a short time-line, since most foreigners probably ain’t familiar the background of the case. It is accurate as far as I know.

    November 2006
    Norwegian government agency Datatilsynet informs several Norwegian telephone operators of security holes in the operators websites.
    Middle of June, 2007
    Holes still unpatched. First attack against Talkmore takes place. Roughly 20000 names and birth numbers is leaked.
    July 28., 2007
    A proof-of-concept (PoC) code snippet is released to the public. This PoC-code utilises a security hole in Tele2’s web pages. The PoC was written by a 16 year old Norwegian.
    July, 29.
    Major Norwegian newspaper, dagbladet, covers it
    July, 30.
    Tele2 patches hole. Still not patched by at least two other phone operators.
    July, 30-31.
    4500 names are fetched from other operators in Norway.
    August, 3-4.
    63000 names are leaked from GoBergen, a subsidiary of Combitel
    August, 8.
    Tele2 Norway sends letters to 60000 Norwegians, informing about the leak. In this letter, Tele2 claims they were cracked. Tele2 reports the incident to KRIPOS, Norwegian criminal police.
    September, 13.
    KRIPOS, Norwegian criminal police branch, raids 52 persons across Norway. Common denominator for these 52 cases is that they have tried the PoC code, or in some other way fetched data from phone operators

The last incident is quite interesting. Notable persons, like Gisle Hannemyr maintains that nothing illegal is being done.

What birth numbers means in Norway

In Norway, each individual is identified by his birth-date, noted in the form ddmmyy. In addition, 5 digit personnummer is tacked on at the end, to uniquely identify persons. This is not quite the Norwegian version of the American Social Security Numbers, but it’s the best analogy I can think of.

The purpose of the birth number is to identify a individual. It has historically been treated as a secret, although the laws clearly says it is not sensitive or secret information.

For example, one can:

  • Order mail readdressing from Norwegian postal service.
  • Order mobile phone service from operators.
  • Start bank accounts in f.ex. SkandiaBanken.

The security hole

The algorithm for generating/checking birth numbers is public. There’s no reason for why not, since it would be trivial to reverse engineer, and a quite useful tool to (legitimately) check if a birth number is entered correctly.

By starting off with a date of birth you’re interested in, you can quickly generate all valid birth numbers for that date, using the algorithm. Then, you feed the generated numbers into, the website for reporting income and alike to the Norwegian government. Altinn has security hole #1: they confirm whatever you have a real number, assigned to a living person, or simply a number not in use. Security 101 says that a system should respond in exactly the same way whatever the user-name/credentials is incorrect or not.

Then, you take the validated numbers over to a website like Tele2’s, and feed them into the order form there. To make it easy, it was enough to enter ones birth number, and the system fetched your name and address from the central Norwegian Registry Office, maintaining records of all living and dead people. This is security hole #2, and by far the biggest: by assuming that a birth number is enough to authenticate a person, you let everyone with access to other peoples birth numbers authenticate as that person.

The program is really really trivial, as you can see. Any programmer which knows regexp, how to create a http request and some tiny weeny bit of HTML can create such code. Again, as you can see, this program bypasses no security measures!

The core problem is indeed that a birth number is a identificator, not a authenticator. In short: no cracking was done. In reality, the PoC-code only automated what you could have done with a normal calculator and a web browser!

The core problem

The really sad part about this story is that the core of the problem gets no attention. You can still steal one persons identity with just the social security number. Tele2 and the other companies has clearly broken Norwegian law (paragraph §13, part 1 of Personopplysningsloven, law about handling of information on individuals, for those interested), they have been reported to the police but the case got rejected.

In Norway, you need a permit from Datatilsynet to store sensitive information about individuals and plan to use them in a business/organisation-related setting. You don’t need any kind of permit to compose a database over individuals for your own, private use. However, Kripos don’t buy that. Any serious hacker cracking a site(!) must be harmful, and must be raided, even if he only got away with maybe a few hundred of the total hundred thousands.

Another scary part is that some bloggers that have have covered the case, and spoken in favor of the people that have used the program has been brought in for questioning by the police. They probably want to know their sources and to harass them.

And again: The funny thing is that the program just automated something you could do with your web browser and a bit of patience… So KRIPOS decides to go after those who have used it, and probably (according to several people) not broken a single law. However, Tele2 and other operators, which have clearly broken Personopplysningslove, §13, part 1, has got no reaction so far. POL §13.1 places the burden of protection on the owner of the database in question.

(Lars, 16, the author of the program has not yet been caught.)

Oh, and please take care to digg this entry.

Slashdot Slashdot It!

{ 6 } Comments

  1. | 20070916 at 19:21 | Permalink

    It’s good that someone sheds some light on the PROBLEM instead of running around blaming scapegoats. KRIPOS really handled this wrong.

  2. | 20070916 at 19:52 | Permalink

    They didn’t even show up in suits! Meh.

  3. | 20070917 at 01:51 | Permalink

    About your time-line, regarding September 13: According to this news article ( ) the number of 52 raids by KRIPOS is probably not correct.

    Other than that I would like to thank you for highlighting this topic, and for seeking attention by writing in English for the audience abroad to see and laugh of our law-enforcing authorities. This is too important to pass without getting fixed!

  4. | 20070917 at 02:51 | Permalink

    Great article. Give it some kudos to:…_og_KRIPOS_tar_ikke_de_ansvarlige

  5. | 20070917 at 12:27 | Permalink

    If no laws were broken by the 52 arrested, it should be pretty easy for them to clear their names and seek damages?

    And can’t any Norse citizen file complaint at KRIPOS against the telecoms?

  6. | 20070917 at 14:28 | Permalink

    Willem: They have been reported to the police, but the case was just put away without any investigation.

{ 6 } Trackbacks

  1. […] […]

  2. […] Tele2 gÃ¥r til motangrep mot de slemme hackerne som eksponerte den hÃ¥pløst dÃ¥rlige sikkerheten ru…   – Leave yours […]

  3. […] Theft of information… and why KRIPOS fucks it up. Posted by Deezire on Tuesday, September 18, 2007, at 9:15 pm, and filed under Media, Kripos, Security. Follow any responses to this post with its comments RSS feed. You can post a comment or trackback from your blog. […]

  4. […] Ref. Tele2-saken: […]

  5. […] Ref. Tele2-saken: […]

  6. […] […]