Archive for October, 2012

Dealing with #WTFMSD

October 15th, 2012

About 24 hours ago (as I write this) journalist Keith Ng dropped a bombshell about lax security from one of our government’s biggest departments.

The Ministry of Social Development, it turns out, had some pretty big IT security issues in house and operated publicly accessible computer kiosks. These two things meant that anyone could literally wander in off the street and start browsing potentially sensitive data with a few mouse clicks.

The details have been widely covered in the media, and Ben Gracewood offered up a great post about the difficulty of doing things right in enterprise IT.

The Source

This evening the story took another interesting turn – after being alerted by inquiries from a journalist that the name of his source had been released (presumably by the MSD) Keith Ng decided to preemptively publish the source’s name and details of his dealings with the MSD.

There are two big bullet points that will gain attention in the media – the first is that the source, Ira Bailey, was one of the Urewera 17. The second is that he’d approached the MSD asking if they had a vulnerability reward program.

The first issue is a distraction – a co-incidence.

The second issue is more complicated. To someone who has no familiarity with IT security it could easily appear that Bailey was attempting to extort the MSD. As Ng describes it, I don’t think that’s the case. Bailey appeared to make a genuine query about such a program. Upon learning there was no such program he did what I think is the next best thing – talked to a good journalist who would strive to properly understand and report the issue (while also giving the MSD reasonable notice to mitigate the risk).

Vulnerability reward programs are not uncommon (they are offered by Google, Facebook, Firefox, Paypal and many, many others). The idea is that they reward people for reporting security issues to the organisation. Generally all they ask in return is a reasonable time period to correct the issue before public disclosure.

It’s an acknowledgment that these security issues will have a value to someone.

Preemptive Exposure

It appears that the MSD has already floated the blackmail idea (scare quotes around reward in a Herald article quoting Paula Bennett for example) – the next step was naming the “hacker” in question. It seems they’d leaked the name to at least one journalist.

Keith Ng’s decision (with Ira Bailey) to disclose all the details preemptively seems like the right one to me. It ensures that journalists writing about the story aren’t only presented with the details as the MSD wish to frame them. Ng and Bailey could have responded after his name was publicly disclosed, but by then the MSD’s framing of the approach would have been presented unchallenged.

Avoiding a Repeat

So what should be done about this issue and how can similar things be prevented?

The answer is to be found within this event: a vulnerability reward program. The government should establish some sort of IT advisory or oversight group that can properly communicate and cooperate with the various government IT departments and contractors, and that group should establish and publicise a vulnerability reward program.

The information in question is far too important to simply hope that a “good citizen” will report any issue they find and that it will be properly addressed without any oversight or accountability.

Ideally this process would be transparent. All vulnerabilities would be publicly reported once they had been addressed, with credit given (if desired) to those who reported them.

Wheedling Their Way Out

October 3rd, 2012

When I first heard about Wheedle I was immediately skeptical for two reasons… Firstly they thought it was a good idea to sink millions into competing with TradeMe. Secondly they felt it necessary to boast about their 40 servers. Both appeared to suggest a fundamental lack of awareness about the market and the technology involved.

Then it all started to unfold – the site was very flaky pre-launch. When it wasn’t offline or timing out it was returning a different user’s session on every page load. But the site wasn’t really live yet.

On Monday, when the site went live, the session issue seemed solved. It was possible to register an account and sign in. In theory you could also add a listing or browse and bid on those that were there. At least for a little while. Within hours the site, all forty servers apparently, was breaking under the load and totally unable to respond to all but the most simplistic requests.

But that wasn’t all – there started to be some pretty serious questions. It was quickly noted that a ‘Forgot My Password’ request resulted in an email being sent to the user with the username and password in it. This was a huge warning sign. Wheedle said they’d address the issue “ASAP”.

The site was up and down on Monday evening and Tuesday morning. And then things got really crazy. It became apparent that a lot of input validation was being done entirely on the client-side and people registered usernames they should not have been able to – the best I saw was 8===>~~~
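The point about client-side validation deserves a concrete illustration. The following Python is an added example, not Wheedle’s code: a registration handler that re-validates the username on the server, so a request that skipped the browser’s checks is rejected rather than stored. The username policy it enforces (3 to 20 characters; letters, digits, dots and underscores) is an assumed one for the example, not anything Wheedle specified, and the request bodies at the bottom are constructed.

```python
import re
from dataclasses import dataclass

# Assumed username policy (not Wheedle's): 3-20 characters, ASCII letters and
# digits, with '.' and '_' permitted between them. Kept deliberately narrow.
USERNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._]{1,18}[A-Za-z0-9])?$")


@dataclass(frozen=True)
class Validation:
    ok: bool
    reason: str = ""


def validate_username(raw):
    """Server-side check. Runs regardless of what the browser did or didn't do."""
    if not isinstance(raw, str):
        return Validation(False, "username must be a string")
    name = raw.strip()
    if not 3 <= len(name) <= 20:
        return Validation(False, "username must be 3-20 characters")
    if not USERNAME_RE.fullmatch(name):
        return Validation(False, "only letters, digits, '.' and '_' are allowed")
    return Validation(True)


def register_trusting_client(form, existing):
    """The pattern the post describes: the server assumes the browser already
    validated the field and stores whatever arrived in the request."""
    name = form["username"]
    existing.add(name)
    return {"status": 201, "username": name}


def register(form, existing):
    """Hardened handler: validate, canonicalise, then check uniqueness."""
    result = validate_username(form.get("username"))
    if not result.ok:
        return {"status": 400, "error": result.reason}
    name = form["username"].strip().lower()  # one canonical form per account
    if name in existing:
        return {"status": 409, "error": "username already taken"}
    existing.add(name)
    return {"status": 201, "username": name}


if __name__ == "__main__":
    taken = set()
    # Constructed requests, as they would arrive if the browser's checks were bypassed.
    for body in ({"username": "Alice_01"}, {"username": "8===>~~~"}, {"username": "alice_01"}):
        print(body["username"], "->", register(body, taken))
```

The canonical (lower-cased, trimmed) form is what goes into the uniqueness check, so two registrations that differ only in case or padding cannot both succeed; the browser-side check, if there is one, is only a convenience for the user.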

Then came the Oh My God moment – Twitter user @ruatara discovered that it was possible for any logged in user to edit the prices (Starting, Reserve and Buy Now) of any auction. See a car you like? Add a Buy Now of $1 and then buy it.
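What @ruatara found is a missing object-level authorization check: the server confirmed the caller was logged in but never checked that the caller owned the auction being edited. The following Python is an added example, not Wheedle’s code, of what that check looks like, using a constructed in-memory auction table. The rules that only the owner may edit, that prices must be consistent, and that prices lock once a bid exists are assumed business rules for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Auction:
    auction_id: int
    owner_id: int
    start_price: float
    reserve_price: float
    buy_now_price: Optional[float] = None
    bid_count: int = 0


def sample_auctions() -> Dict[int, Auction]:
    """Constructed data for the example: seller 1 lists a car, seller 2 a book with one bid."""
    return {
        101: Auction(101, owner_id=1, start_price=1000.0, reserve_price=5000.0, buy_now_price=8000.0),
        102: Auction(102, owner_id=2, start_price=5.0, reserve_price=5.0, bid_count=1),
    }


def update_prices_unchecked(auctions, user_id, auction_id, start, reserve, buy_now):
    """The flaw the post describes: any authenticated user may edit any auction.
    `user_id` arrives from the session but is never compared with the owner."""
    a = auctions[auction_id]
    a.start_price, a.reserve_price, a.buy_now_price = start, reserve, buy_now
    return {"status": 200, "auction": a}


def update_prices(auctions, user_id, auction_id, start, reserve, buy_now,
                  audit: Optional[List[str]] = None):
    """Hardened handler: object-level authorization first, then business rules."""
    a = auctions.get(auction_id)
    if a is None:
        return {"status": 404, "error": "no such auction"}
    # 1. Authorization: being logged in is not enough; the caller must own this object.
    #    A denied attempt is worth logging, since it is a signal rather than normal use.
    if a.owner_id != user_id:
        if audit is not None:
            audit.append(f"DENY price-edit user={user_id} auction={auction_id} owner={a.owner_id}")
        return {"status": 403, "error": "not the owner of this auction"}
    # 2. State rule (assumed): prices are frozen once anyone has bid.
    if a.bid_count > 0:
        return {"status": 409, "error": "prices are locked once bidding has started"}
    # 3. Consistency rule (assumed): 0 < start <= reserve <= buy now (if a buy now is set).
    if not 0 < start <= reserve or (buy_now is not None and buy_now < reserve):
        return {"status": 400, "error": "prices must satisfy 0 < start <= reserve <= buy now"}
    a.start_price, a.reserve_price, a.buy_now_price = start, reserve, buy_now
    return {"status": 200, "auction": a}


if __name__ == "__main__":
    table, log = sample_auctions(), []
    print(update_prices(table, user_id=2, auction_id=101, start=1.0, reserve=1.0, buy_now=1.0, audit=log))
    print(update_prices(table, user_id=1, auction_id=101, start=1200.0, reserve=5000.0, buy_now=9000.0))
    print(log)
```

The ownership comparison is the whole fix; the state and consistency rules are there because a real listing endpoint needs them too, and because a price edit that passes authorization but produces a nonsensical listing is still a bug.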

Clearly this was completely impossible for Wheedle to ignore; it was impossible for anyone to run a reliable auction on the site. They did the only thing they could do and took the site offline. Then they did what, at the time, seemed like exactly the right thing – they announced the site would be down indefinitely while they seriously addressed the problems.

But then this evening I received a Personal Message from Wheedle CEO Carl Rees…

Dear Wheedle Member,

I made a decision yesterday morning to take Wheedle offline.

On Monday night our tech team made some tweaks and changes to the website to improve its performance and speed. These changes were deployed to the website without first passing through our normal test protocols. We quickly discovered that the changes were causing problems with the auction listing prices. There was also some concern raised around password security and retrieval. Please rest assured that your password has been, at all times, strongly encrypted and stored in our database. We are also exploring alternative ways to further increase password security.

In light of these events, we are undertaking a complete review of the website including engaging an independent firm to carry out a full check of the security of the website.

We experienced a very positive interest in Wheedle and we had an astounding member uptake. We will be back soon, better, stronger and safer.

I apologise for any inconvenience this has caused and thank you for your support.

Unfortunately this email is, at best, disingenuous; at worst, an outright lie.

It is simply implausible that the fundamental failures in the security model that allowed any authenticated user to edit the details of any auction were introduced as a result of the site tuning made on Monday night. And to describe this issue as “problems with the auction listing prices” completely fails to acknowledge the nature of the issue.

As for the passwords, this is either a complete lie or the practices employed on the site were incredibly irresponsible. A website should never be able to retrieve your password in any meaningful way. The fact that it was possible to email users their password is a clear indication that either the passwords weren’t encrypted in the database at all, or they were encrypted reversibly (and the software was decrypting them in order to send them to people). Either option is totally unacceptable and flies in the face of established practice in web development.
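To make the point concrete: the following Python is an added example, not Wheedle’s code. It stores only a salted PBKDF2-HMAC-SHA256 record for each password, verifies a login against that record, and handles ‘Forgot My Password’ by issuing a short-lived reset token, because the stored record cannot yield the password even if the application wanted to email it. The iteration count and token lifetime are assumed values, and the user table is constructed.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 600_000       # assumed work factor; tune to your own hardware
RESET_TOKEN_TTL = 15 * 60  # assumed reset-token lifetime, in seconds


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64).
    A fresh random salt per user means identical passwords produce different records."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(candidate, expected)


def start_password_reset(users: dict, username: str, now: float = None):
    """What a 'Forgot My Password' handler can do when passwords are hashed: mint a
    random token, store only its hash plus an expiry, and return the token for the
    e-mail. There is no code path that could put the password itself in that e-mail."""
    user = users.get(username)
    if user is None:
        return None  # the HTTP response should look the same as for a known user
    token = secrets.token_urlsafe(32)
    user["reset_token_hash"] = hashlib.sha256(token.encode("ascii")).hexdigest()
    user["reset_expires"] = (now or time.time()) + RESET_TOKEN_TTL
    return token


def complete_password_reset(users: dict, username: str, token: str, new_password: str,
                            now: float = None) -> bool:
    """Accept the token once, only before expiry, and replace the stored record."""
    user = users.get(username)
    if user is None or "reset_token_hash" not in user:
        return False
    if (now or time.time()) > user["reset_expires"]:
        return False
    presented = hashlib.sha256(token.encode("ascii")).hexdigest()
    if not hmac.compare_digest(presented, user["reset_token_hash"]):
        return False
    user["password"] = hash_password(new_password)
    del user["reset_token_hash"], user["reset_expires"]
    return True


if __name__ == "__main__":
    # Constructed user table for the example.
    users = {"alice": {"password": hash_password("correct horse battery")}}
    print(users["alice"]["password"])           # no trace of the password itself
    print(verify_password("correct horse battery", users["alice"]["password"]))
    token = start_password_reset(users, "alice")
    print(complete_password_reset(users, "alice", token, "a new passphrase"))
```

Storing the token’s hash rather than the token means a copy of the database does not let anyone complete a reset, the same property the password record has; and because the reset path never touches the old password, an email containing it cannot be produced by accident.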

Bear in mind this was a site that was asking you to trust it to handle financial transactions on your behalf, and would soon be asking you for your credit card details.

The fact that Wheedle still seems unable to properly address the nature of their failures suggests either that they still don’t fully understand where they’ve gone wrong, or that they are deliberately trying to wheedle their way out of the situation they’ve found themselves in.

Unfortunately at all stages it has appeared that Wheedle has tried to downplay the nature of the problems, attributing them to things like higher-than-expected traffic and a lack of pre-launch testing. And now the email above. But the evidence suggests the issues were a failure in design from the outset.

While I have no inside information on the development, it would appear from the outside that the developers of the site (an India-based programming team of about a dozen, apparently) were handed a brief that read, approximately, “take a look at TradeMe.co.nz… Now, make a site that does that” and were left to their own devices. Indeed they made a site that, in a basic look-and-functionality sense, duplicated TradeMe, but they lacked the knowledge or guidance to properly develop the underlying architecture to support such a site.

Wheedle will be tainted for me until they can be honest about how they’ve failed and what’s being done to correct the issue. The site’s backers need to admit they’ve embarked on the project without the right expertise and then get some of that expertise on board.