Theft of information… and why KRIPOS fucks it up.

Recently, quite a lot of information about individuals have been aloft in Norway. The government seems to ignore the problem, and just silence the people complaining and uncovering the problem.

Traditionally, identity theft has not been much of a problem in Norway, but this has changed the last few years, and this incident could pave the road for really large scale identity theft.

A short time-line of the events so far

Here’s a short time-line, since most foreigners probably ain’t familiar the background of the case. It is accurate as far as I know.

November 2006
Norwegian government agency Datatilsynet informs several Norwegian telephone operators of security holes in the operators websites.
Middle of June, 2007
Holes still unpatched. First attack against Talkmore takes place. Roughly 20000 names and birth numbers is leaked.
July 28., 2007
A proof-of-concept (PoC) code snippet is released to the public. This PoC-code utilises a security hole in Tele2’s web pages. The PoC was written by a 16 year old Norwegian.
July, 29.
Major Norwegian newspaper, dagbladet, covers it
July, 30.
Tele2 patches hole. Still not patched by at least two other phone operators.
July, 30-31.
4500 names are fetched from other operators in Norway.
August, 3-4.
63000 names are leaked from GoBergen, a subsidiary of Combitel
August, 8.
Tele2 Norway sends letters to 60000 Norwegians, informing about the leak. In this letter, Tele2 claims they were cracked. Tele2 reports the incident to KRIPOS, Norwegian criminal police.
September, 13.
KRIPOS, Norwegian criminal police branch, raids 52 persons across Norway. Common denominator for these 52 cases is that they have tried the PoC code, or in some other way fetched data from phone operators

The last incident is quite interesting. Notable persons, like Gisle Hannemyr maintains that nothing illegal is being done.

What birth numbers means in Norway

In Norway, each individual is identified by his birth-date, noted in the form ddmmyy. In addition, 5 digit personnummer is tacked on at the end, to uniquely identify persons. This is not quite the Norwegian version of the American Social Security Numbers, but it’s the best analogy I can think of.

The purpose of the birth number is to identify a individual. It has historically been treated as a secret, although the laws clearly says it is not sensitive or secret information.

For example, one can:

• Order mail readdressing from Norwegian postal service.
• Order mobile phone service from operators.
• Start bank accounts in f.ex. SkandiaBanken.

The security hole

The algorithm for generating/checking birth numbers is public. There’s no reason for why not, since it would be trivial to reverse engineer, and a quite useful tool to (legitimately) check if a birth number is entered correctly.

By starting off with a date of birth you’re interested in, you can quickly generate all valid birth numbers for that date, using the algorithm. Then, you feed the generated numbers into altinn.no, the website for reporting income and alike to the Norwegian government. Altinn has security hole #1: they confirm whatever you have a real number, assigned to a living person, or simply a number not in use. Security 101 says that a system should respond in exactly the same way whatever the user-name/credentials is incorrect or not.

Then, you take the validated numbers over to a website like Tele2’s, and feed them into the order form there. To make it easy, it was enough to enter ones birth number, and the system fetched your name and address from the central Norwegian Registry Office, maintaining records of all living and dead people. This is security hole #2, and by far the biggest: by assuming that a birth number is enough to authenticate a person, you let everyone with access to other peoples birth numbers authenticate as that person.

The program is really really trivial, as you can see. Any programmer which knows regexp, how to create a http request and some tiny weeny bit of HTML can create such code. Again, as you can see, this program bypasses no security measures!

The core problem is indeed that a birth number is a identificator, not a authenticator. In short: no cracking was done. In reality, the PoC-code only automated what you could have done with a normal calculator and a web browser!

The core problem

The really sad part about this story is that the core of the problem gets no attention. You can still steal one persons identity with just the social security number. Tele2 and the other companies has clearly broken Norwegian law (paragraph §13, part 1 of Personopplysningsloven, law about handling of information on individuals, for those interested), they have been reported to the police but the case got rejected.

In Norway, you need a permit from Datatilsynet to store sensitive information about individuals and plan to use them in a business/organisation-related setting. You don’t need any kind of permit to compose a database over individuals for your own, private use. However, Kripos don’t buy that. Any serious hacker cracking a site(!) must be harmful, and must be raided, even if he only got away with maybe a few hundred of the total hundred thousands.

Another scary part is that some bloggers that have have covered the case, and spoken in favor of the people that have used the program has been brought in for questioning by the police. They probably want to know their sources and to harass them.

And again: The funny thing is that the program just automated something you could do with your web browser and a bit of patience… So KRIPOS decides to go after those who have used it, and probably (according to several people) not broken a single law. However, Tele2 and other operators, which have clearly broken Personopplysningslove, §13, part 1, has got no reaction so far. POL §13.1 places the burden of protection on the owner of the database in question.

(Lars, 16, the author of the program has not yet been caught.)

Oh, and please take care to digg this entry.

Slashdot It!