Hacker 'Neo' caught in Latvia

A scandal has been brewing in Latvia over the last half year and yesterday the activity spiked shocking the media and some IT people in the country. I'll go back and explain what happened first, what is happening now and why this could have a heavy impact on IT and journalists in Latvia.

At the end of last year, there were rumours that the IT system of Latvia's Internal Revenue System was 'hacked' and millions of documents had been downloaded by multiple organizations. Shortly thereafter more details on the glaring security hole became public (after it was closed).

There is a full electronic interface to give all reports to the IRS electronically (at http://eds.vid.gov.lv) and as part of that system you could also view and export monthly report summaries about your organization into XML and PDF files. After the system checked that you are authorized to access the report, you were redirected to the URL to actually download the report by report ID (as a single param in a GET request). Unfortunately, report IDs were predicable and the script that gave the reports for download did not check if you were authorized to get that report. It did not even check if were logged into the system.

There were suspicions that the authorization was disabled on purpose to allow to leak data on purpose, but apparently it was an error of forgetting to disable debug code in production environment.

The error was discovered only because the firewall administrator noticed an unexplained stable increase of traffic, especially during night hours when typically the traffic fully stopped. Apparently a single hacker (who later identified himself as 'Neo' to the press) discovered the flaw and wrote a script to just try all possible report ids and get as much data out as possible. This had been going on for months, before someone noticed.

After the flaw was discovered and a bit of time passed, Neo made his first move - he published the list of top salaries in a governmental company, that clearly showed that the top leadership of this company failed to cut their salary by 40%, like everyone elses during harsh budget cuts of 2009. He stripped the names and ids of the specific employees, but named the company which made it pretty easy to figure out who was who.

The society was outraged that the top managers in a government owned company failed to comply with the strict pay cut that everyone else in government had to endure. But after a few weeks the outrage subsided and no action followed from the government or law enforcement.

Neo continued to release documents detailing salaries of top managers in different Latvian government companies. And each time after short outrage, nothing happened. Neo gave an interview where he said that he was disappointed in the passivity of the Latvian people in face of such blatant injustices.

After a few month Neo went silent, promising to return before parliamentary elections this fall.

However, this week a new development shocked everyone - in the middle of the night two police SWAT teams went into action: one detained Ilmārs Poikāns, a researcher in artificial intelligence at the University of Latvia's Computer Science department and another raided the home of a Latvian TV journalist Ilze Nagle who interviewed Neo. Poikāns confessed of being Neo the next day and was released (with travel restrictions, pending trial) today.

Politicians reacted immediately - opposition demanded the resignation of the Interior Minister over 'such blatant disregard of freedom of press' and another politician (who is also a famous lawyer) Aleksejs Loskutovs volunteered to defend Neo pro-bono (on Twitter, no less). Almost all Latvian online media have the arrest of Neo and the raid on the home of a journalist as main stories of the day.

As a legal titbit, we also know that Neo is being charged with breaking statutes 145 and and 244p2 of the criminal law. Statute 145 is hard to find applicable in this situation as talks about actions done by 'people authorized (..) to access [private] information'. Statute 244p2 will also be hard to pin down as it mentions 'influencing system resources of (an IT system)' and 'if such action caused severe harm'. It looks like the first part talks about at least a DoS attack (which did not happen in this case) and also there was no measurable harm from these leaks.

Also Neo was careful to strip all personally identifying information (such as names, social security numbers and addresses of the employees in question), so it will be hard to pin him on that. Also no actual breaking or other modification of an IT system occurred. And no 'specialized software' was used beyond a trivial script such as :


for i in range(0,7000000):
wget('https://eds.vid.gov.lv/getRep.aspx?id='+str(i))

A lot of commentators on the Internet likened the situation to walking trough an unlocked door and stealing something. I think that analogy is very incorrect - there was no door, and nothing went missing after the action.

I came up with a different analogy - there was this corridor with a lot of doors in IRS, locked steel doors. You were instructed to go to a room with a specified number and given a key to that room to unlock it and see your secret info. However, that corridor opened out to the street on one end, oh and also the walls of the rooms with all the secrets were transparent. So Neo walked into the corridor, looked at some of the secrets, wrote them down (to remember them better) and then went out and discussed the worst examples abuses of power he saw.

In the end IRS had to learn their lesson - if you have to put naked photos of yourself on the Internet (or something equally embarrassing), then make damn sure you password protect that, but if you don't then don't cry that someone 'hacked' you and 'stole' you pictures.

What other people think:
http://freespeechlatvia.blogspot.com/2010/05/neo-released-under-restrictions.html

We'll see how the story develops soon.