Monday, 17 October 2011

Some facts on the First State Superannuation Issue

Some blogger, has recently written a somewhat uninformed post on the whole Patrick Webster FSS issue. The author seems to be under some misapprehension about how these sorts of things work. Which is cocnerning for someone who claim to be a Web Application Security person, and is taking the pulpit to preach on the issue. Then again, why should we expect anything less from the Internet right?

In his post the author states: " It should go without saying that at this point that he could, just by the actions he had taken up to this point, be in violation of any number of data privacy laws."

Really, goes without saying? Actually it doesn't. Let's take a look. The first statue they claim he is in violation state the following:

308H   Unauthorised access to or modification of restricted data held in computer (summary offence)

(1)  A person:
(a)  who causes any unauthorised access to or modification of restricted data held in a computer, and
(b)  who knows that the access or modification is unauthorised, and
(c)  who intends to cause that access or modification,
      is guilty of an offence.
Maximum penalty: Imprisonment for 2 years.

(2)  An offence against this section is a summary offence.
(3)  In this section:
restricted data means data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer.

Let's look at the other statute that is referenced:

478.1  Unauthorised access to, or modification of, restricted data
             (1)  A person is guilty of an offence if:
                     (a)  the person causes any unauthorised access to, or modification of, restricted data; and
                     (b)  the person intends to cause the access or modification; and
                     (c)  the person knows that the access or modification is unauthorised; and
                     (d)  one or more of the following applies:
                              (i)  the restricted data is held in a Commonwealth computer;
                             (ii)  the restricted data is held on behalf of the Commonwealth;
                            (iii)  the access to, or modification of, the restricted data is caused by means of a carriage service.
Penalty:  2 years imprisonment.
             (2)  Absolute liability applies to paragraph (1)(d).
             (3)  In this section:
restricted data means data:
                     (a)  held in a computer; and
                     (b)  to which access is restricted by an access control system associated with a function of the computer.

Look closely at (3) in both statues. This can only apply if an access control was circumvented. Insecure Direct Object Reference is not bypassing an Access control. It is a complete lack of an Access Control. I may not be a lawyer, but I suspect that this charge would have a VERY hard time standing up in court.

It really is not hard to look up these statues online. I would suggest that people actually read up on the subject matter.  all and all, I would be surprised if this whole matter doesn't blow over. The worst that I suspect will happen is that they make Webster sign that agreement on page 2 of their letter or refuse him any further online access. They could, theoretically, even drop him as a customer I suppose. I doubt any serious legal action will occur, but I could be wrong.

Mr Webster,  I am behind you, and i am sure many others are too. Good luck.


  1. thelightcosine,

    First of all, thank you for reading my post and commenting. I do respect your point of view, although I do not agree with certain points that you make. I should also state that I am no expert in Australian data privacy laws.

    The point that I was attempting to make was that this person, even being a customer of the FSS, was still performing a security test, however basic, without permission from the company, and that during the course of his actions knowingly accessed information he was not authorized to access. In many cases, this fact is enough to be constituted as hacking which is considered illegal. I know for a fact that it would be in the US and in the UK, and probably so in most of the EU.

    With that said, I do agree that as a customer of FSS he had the right to know that his data was sufficiently protected, however my argument is that he went about it the wrong way. A better way to gather this information would have been to simply ask, explaining his concerns to the company.

    Also, Insecure Direct Object Reference IS a bypass of the access control mechanism of an application, no matter how weak the implementation may be. As OWASP clearly states on the page:

    "Many applications expose their internal object references to users. Attackers use parameter tampering to change references and violate the intended but unenforced access control policy."

    The key point there is that the object reference was the intended access control. I do agree that it is weak, but within the context of the law, intent holds a lot of sway. As it can be assumed that he did not have legitimate granted access or links to other people's information, he therefore bypassed the application's access control. In addition, as he also developed a script to further exploit the vulnerability, he 1) caused unauthorized access, 2) knew it was unauthorized, and 3) intended to cause such access. That is all three statements in 308H. The same three apply to 478.1 accept for what appears to be 1d.

  2. Matt,
    i'm sorry but I need to address a couple of your points here.

    First, the US laws are phrased in very similar ways to the statutes in australia. They all revolve around bypassing an access control.

    Direct Object Reference does not in any way count as an Access Control. Authentication , also , does not count as access control. Within Web Application frameworks, Authentication and Authorisation are not always inherently linked, which is a common mistake in web application development.

    You cannot, for example, say that somebody bypassed a lock on the door when somebody left the door propped open. There is no access control in place in that scenario.

    As for his script, it was created for P{illar/FSS to test his finding with, as Patrick already explained. How does his creating that script somehow turn his actions into a crime?

    Your last 3 points may very well be true. You still have the matter of the definition of restricted in reference to these statues. If the data was not actually properly restricted then the statute cannot apply.

    There was quite simply no Access Control in place. Let's look at an example definition of access control:

    At no point did the system try to compare his identification against any access rights system. Authorisation was completely decoupled from authentication. Again, there is no access control here. To imply otherwise is simply a misunderstanding of what an access control is.

  3. On the point of access control, I think we will just have to agree to disagree. I do agree that the implemented solution is VERY weak, but I still think there is an IMPLIED access control mechanism there (it is just completely broken).

    As for the script, I also agree there. His developing a script should not be the deciding factor on whether his actions constitute a crime or not. If it trying to be used that way, the company is, in my opinion, in the wrong.

    In any case I hope you keep reading, and I fully intend to add you to my blog roll, as soon as I get the chance.