A scandal has been brewing in Latvia over the last half year and yesterday
the activity spiked, shocking the media and some IT people in the country.
I'll go back and explain what happened first, what is happening now and
why this could have a heavy impact on IT and journalists in Latvia.
At the end of last year, there were rumours that the IT system of Latvia's
Internal Revenue System was 'hacked' and millions of documents had been
downloaded by multiple organizations. Shortly thereafter more details on
the glaring security hole became public (after it was closed).
There is a full electronic interface to give all reports to the IRS
electronically (at http://eds.vid.gov.lv) and as part of that system you
could also view and export monthly report summaries about your
organization into XML and PDF files. After the system checked that you were
authorized to access the report, you were redirected to the URL to
actually download the report by report ID (as a single param in a GET
request). Unfortunately, report IDs were predictable and the script that
gave the reports for download did not check if you were authorized to get
that report. It did not even check if you were logged into the system.
There were suspicions that the authorization was disabled on purpose to
allow data to be leaked, but apparently it was an error: someone forgot
to disable debug code in the production environment.
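
The flaw described above, reduced to a small model and shown beside a corrected handler. This is an added example, not code from the system in question; the data, the session store and all function names are made up for illustration.

```python
# Constructed sample data: report id -> (owning organization, report body).
REPORTS = {
    1001: ("org-a", "<summary org='org-a'/>"),
    1002: ("org-b", "<summary org='org-b'/>"),
    1003: ("org-b", "<summary org='org-b' month='2'/>"),
}
# Constructed session store: session token -> organization of the logged-in user.
SESSIONS = {"session-a": "org-a"}


class Denied(Exception):
    """The download request is refused."""


def download_as_described(report_id, session_token=None):
    # The flaw from the post: the download step assumes an earlier page
    # already checked authorization, so it checks neither login nor owner.
    return REPORTS[report_id][1]


def download_checked(report_id, session_token=None):
    # 1. Authenticate on every request, not only on the page that links here.
    org = SESSIONS.get(session_token)
    if org is None:
        raise Denied("not logged in")
    # 2. Authorize against the requested object itself. "Missing" and
    #    "not yours" get the same answer, so ids cannot be probed.
    record = REPORTS.get(report_id)
    if record is None or record[0] != org:
        raise Denied("no such report")
    return record[1]


def reachable_reports(handler, session_token=None):
    """Regression check: which stored reports does this handler hand out?"""
    reachable = []
    for report_id in sorted(REPORTS):
        try:
            handler(report_id, session_token)
            reachable.append(report_id)
        except Denied:
            pass
    return reachable
```

A check like `reachable_reports` belongs in the test suite of the download endpoint, run without a session and with a session of an unrelated organization.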
The error was discovered only because the firewall administrator noticed
an unexplained stable increase of traffic, especially during night hours
when typically the traffic fully stopped. Apparently a single hacker (who
later identified himself as 'Neo' to the press) discovered the flaw and
wrote a script to just try all possible report ids and get as much data
out as possible. This had been going on for months, before someone
noticed.
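
The traffic pattern described above can be caught much earlier from the web server's own access log. The following is an added example, not part of the original post: the log format, the thresholds and the sample lines (documentation IP ranges) are constructed, and only the `getRep.aspx?id=` request shape is taken from this page.

```python
import re
from collections import defaultdict

# Assumed log format (constructed): "<ISO timestamp> <client ip> GET <path>"
LINE = re.compile(
    r"^\d{4}-\d\d-\d\dT(\d\d):\d\d:\d\d (\S+) GET /getRep\.aspx\?id=(\d+)$"
)


def build_sample_log():
    """Constructed sample: one ordinary user and one client walking ids."""
    lines = []
    # Ordinary user: a few of their own reports during office hours.
    for rid, hour in [(5120, 10), (5120, 10), (88231, 14), (5121, 15)]:
        lines.append(f"2010-01-12T{hour:02d}:05:00 192.0.2.10 GET /getRep.aspx?id={rid}")
    # Scripted client: consecutive ids, all requested at night.
    for n in range(200):
        lines.append(
            f"2010-01-13T03:{n % 60:02d}:00 198.51.100.7 GET /getRep.aspx?id={30000 + n}"
        )
    return lines


def find_enumerators(lines, min_distinct=50, min_sequential=0.8):
    """Flag clients that fetch many distinct report ids, mostly in id order."""
    ids = defaultdict(list)
    night = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a report download
        hour, ip, rid = m.groups()
        ids[ip].append(int(rid))
        if int(hour) < 6:
            night[ip] += 1
    flagged = {}
    for ip, seq in ids.items():
        distinct = len(set(seq))
        # Share of requests whose id is exactly the previous id plus one.
        steps = sum(1 for a, b in zip(seq, seq[1:]) if b - a == 1)
        ratio = steps / max(len(seq) - 1, 1)
        if distinct >= min_distinct and ratio >= min_sequential:
            flagged[ip] = {
                "distinct_ids": distinct,
                "sequential_ratio": round(ratio, 2),
                "night_requests": night[ip],
            }
    return flagged
```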
After the flaw was discovered and a bit of time passed, Neo made his first
move - he published the list of top salaries in a governmental company,
that clearly showed that the top leadership of this company failed to cut
their salary by 40%, like everyone else's during harsh budget cuts of 2009.
He stripped the names and ids of the specific employees, but named the
company which made it pretty easy to figure out who was who.
The society was outraged that the top managers in a government owned
company failed to comply with the strict pay cut that everyone else in
government had to endure. But after a few weeks the outrage subsided and
no action followed from the government or law enforcement.
Neo continued to release documents detailing salaries of top managers in
different Latvian government companies. And each time, after a short outrage,
nothing happened. Neo gave an interview where he said that he was
disappointed in the passivity of the Latvian people in the face of such
blatant injustices.
After a few months Neo went silent, promising to return before
parliamentary elections this fall.
However, this week a new development shocked everyone - in the middle of
the night two police SWAT teams went into action: one detained Ilmārs
Poikāns, a researcher in artificial intelligence at the University of
Latvia's Computer Science department and another raided the home of a
Latvian TV journalist Ilze Nagle who interviewed Neo. Poikāns confessed to
being Neo the next day and was released (with travel restrictions, pending
trial) today.
Politicians reacted immediately - opposition demanded the resignation of
the Interior Minister over 'such blatant disregard of freedom of press'
and another politician (who is also a famous lawyer) Aleksejs Loskutovs
volunteered to defend Neo pro-bono (on Twitter, no less). Almost all
Latvian online media have the arrest of Neo and the raid on the home of a
journalist as the main stories of the day.
As a legal titbit, we also know that Neo is being charged with breaking
statutes 145 and 244p2 of the criminal law. Statute 145 is hard to
find applicable in this situation as it talks about actions done by 'people
authorized (..) to access [private] information'. Statute 244p2 will also
be hard to pin down as it mentions 'influencing system resources of (an IT
system)' and 'if such action caused severe harm'. It looks like the first
part talks about at least a DoS attack (which did not happen in this case)
and also there was no measurable harm from these leaks.
Also Neo was careful to strip all personally identifying information (such
as names, social security numbers and addresses of the employees in
question), so it will be hard to pin him on that. Also no actual breaking
or other modification of an IT system occurred. And no 'specialized
software' was used beyond a trivial script such as:

    for i in range(0,7000000):
        wget('https://eds.vid.gov.lv/getRep.aspx?id='+str(i))

A lot of commentators on the Internet likened the situation to walking
through an unlocked door and stealing something. I think that analogy is
very incorrect - there was no door, and nothing went missing after the
action.
I came up with a different analogy - there was this corridor with a lot of
doors in IRS, locked steel doors. You were instructed to go to a room with
a specified number and given a key to that room to unlock it and see your
secret info. However, that corridor opened out to the street on one end,
oh and also the walls of the rooms with all the secrets were transparent.
So Neo walked into the corridor, looked at some of the secrets, wrote them
down (to remember them better) and then went out and discussed the worst
examples of abuses of power he saw.
In the end IRS had to learn their lesson - if you have to put naked photos
of yourself on the Internet (or something equally embarrassing), then make
damn sure you password protect that, but if you don't then don't cry that
someone 'hacked' you and 'stole' your pictures.
What other people think:
http://freespeechlatvia.blogspot.com/2010/05/neo-released-under-restrictions.html
We'll see how the story develops soon.