Highlights of this article:
• Provincial government employees who were made aware of the security failure with the Freedom of Information and Protection of Privacy (FOIPOP) website told Halifax police that the site had been “hacked” and that nearly 10,000 files “were taken” — which clearly overstated the nature of the case.
• The 19-year-old who was subsequently arrested for the supposed “data breach” had made a payment to access information on the FOIPOP website before he downloaded the private information that had been mistakenly placed on the public-facing website, which means provincial authorities had his name and address before going to police.
• The security failure was discovered by a Nova Scotia Archives employee who had mistyped the URL for a document he had accessed previously on the FOIPOP site.
• Halifax police assigned to investigate the security failure seem not to have basic knowledge of IT security and simply accepted the province’s IT security experts at their word.
• Police then made an application for a search warrant to a Justice of the Peace who had previously overstepped in a “cyberbullying” case.
Documents obtained by the Halifax Examiner and Cape Breton Spectator detail how provincial employees misled Halifax police in the FOIPOP security failure, and how the police in turn were not prepared to question the province’s narrative or to understand the issues involved.
The Examiner and Spectator went to court this morning to ask Justice Gregory Lenehan to unseal a search warrant Halifax police executed on the house of a 19-year-old Halifax man suspected of illegally downloading information from the FOIPOP website.
During the search, the man was arrested. His family told the CBC that some 15 police officers were involved in the search, and that police seized all the family’s computers. “They [police] rifled through everything. They turned over mattresses, they took drawers and emptied out drawers, they went through personal papers, pictures,” the man’s mother told the CBC. “It was totally devastating and traumatic.”
But while the Examiner and Spectator asked for the documents related to the search of the house, we got a different set of documents entirely — Justice Lenehan unsealed documents related to an order to Eastlink to produce the name of the owner of an IP address that was used to access the FOIPOP site.
Those documents included the production order itself, but more importantly also the “information to obtain” (ITO), which details the police investigation and why police wanted Eastlink to name the IP owner.
We obtained the court documents only after we agreed to allow the city to have the name of the target of the search and the names of the provincial employees who spoke with police redacted — see “How we obtained the search warrant documents.”
The ITO obtained by the Examiner and Spectator had been submitted to Justice of the Peace (JP) Judith Gass. Gass, who is the former president of the Nova Scotia SPCA, is perhaps best known as the JP who signed the cyberbullying order issued against Jonathan Baha’i; that order was subsequently overturned and the cyberbullying legislation was subsequently struck down by the courts.
Updated: read the documents here.
Provincial employees invented a “hack”
The ITO for the production order to Eastlink was written by Constable Steve Millaire, a former military police officer who worked for a short stint as a train conductor for CN before joining the Halifax police department in 2015.
Millaire’s ITO reads, in part:
On 7 April 2018, [redacted] of Corporate Security for the province NS […] contacted Detective/Constable Mike Sanford to make a complaint with regards to the NS Government’s computer system being compromised where nearly 10000 confidential files were taken. I read [redacted] complaint which stated the following:
a. [redacted] stated that on Thursday, 5 April, 2018, an employee of the province discovered that someone had “Hacked” into Province of Nova Scotia confidential files that were being stored off site at the private firm UNISYS.
b. UNISYS was contacted and they looked into the matter and discovered that between 3 March and 5 March, 2018, unauthorized persons made 40,735 access attempts to confidential Province of Nova Scotia files. These persons were successful in accessing 7,675 confidential files for which mostly [sic] related to files that person(s) had FOIPOP’d or could potentially be released in the future.
c. Of those 7,675 confidential files, 2,500 had already been vetted and released to the requesting party but a majority of the files were believed to be files that were releasable in whole or in part.
d. As a result of this, UNISYS immediately shut down access to this server and provided the I.P. address of the “Hacker” to the Province.
Millaire went on to write that a crime analyst at the Real Time Crime Centre (RTCC) used two online I.P. tracking services (Viewdns and IP Tracker Online) to locate the I.P. address of the supposed “hacker” on a single street in Halifax’s north end. (The Examiner and Spectator are withholding information that may identify the young man who was arrested.)
The crime analyst then took the names of the people living on the street — the ITO doesn’t explain how the analyst had those names — and “she [the crime analyst] reviewed each subject’s background via LinkedIn, Facebook and ResearchGate,” wrote Millaire. “Due to the subject having used a software that penetrated the system an extensive number of times, she specifically searched for any background information on subjects that would show knowledge of data Science, Network Penetration, Network Security and/or Machine Learning. During quick search [sic], none of the subjects listed in-house at nearby addresses displayed any knowledge relating to the skills involved in data breaching.”
The terminology used in Millaire’s narrative overstated the case. IT security experts say there was no “hack” — it was clear from the start that the person accessing the files employed a simple and widely used line of code to access documents on a public-facing website. There was no need for extensive training or even a background in IT to access the files on the FOIPOP site — there are plenty of online tutorials and YouTube videos that show how to write the simple code and use software like WGet to run it. Indeed, the editor of the Examiner, who has no formal training in coding, got a self-taught working knowledge of WGet after only a couple of hours. Moreover, one didn’t even need to write code to get the information on the public-facing FOIPOP site — you could simply have typed in sequentially numbered URLs by hand and gotten the same information, although it would have taken longer.
It appears that the provincial employees purposefully overstated the nature of the so-called “security breach.”
“It makes a difference,” said Evan d’Entremont, an information security researcher, in an interview for this article. “They were publicly accessible documents, nothing was breached, compromised, hacked, broken, or otherwise tainted. And they [provincial employees] knew that. Or at least should have. It’s not a stretch to say they’re lying or incompetent.”
Moreover, says d’Entremont, “there’s a whole policy about it. Had they accidentally emailed [the information accessed by the teenager] to someone, the official response is ask them to delete it. They should have contacted the teen and asked him to delete it. By calling it a network penetration they got to bring in the big guns. Literally.”
It also appears that none of the police assigned to investigate the matter had even a rudimentary knowledge of IT security.
“Hacker” made a payment to FOIPOP site
Millaire’s narrative also relates that the manager for Business Support Services at UNISYS told police that the suspected “hacker” had actually made a payment to the FOIPOP website before the supposed “information breach”:
this IP address first appeared onto their [UNISYS] system at 8:21pm, 27 March 2018 where it made a legitimate transaction, including a payment, which last [sic] approximately 6 minutes.
The dates in Millaire’s narrative make no sense. After saying that the IP address “first appeared” on the FOIPOP site on March 27, Millaire then goes on to say that the IP address accessed the site on March 1 and March 3, dates which are obviously before the “first appeared” date. Maybe March 27 was a typo? Perhaps he meant February 27?
In any event, the IP address accessed the FOIPOP site at 11:24pm on March 1, “for approximately seven minutes browsing the website.”
This was followed by three March 3 visits from the same IP address.
The first March 3 visit was at 4:58pm, when the IP address “started making requests which lasted less than one minute.” The second March 3 visit came at 10:56pm, and involved “several unusual requests staying online for approximately 15 minutes.” The ITO doesn’t say if the manager for Business Support Services at UNISYS explained what “unusual requests” meant.
The third March 3 visit was the so-called “data breach”:
Firewall logs revealed that IP address [withheld by the Examiner and Spectator] unlawfully downloaded all of the files between 11:11pm, 3 March 2018 and 9:26am, 5 March 2018.
But besides the date mix-up, this narrative doesn’t make sense in terms of an intrusion attempt. Remember that the presumed “hacker” first made a payment to the site — presumably with a credit card, and so presumably provincial authorities already had his name and credit card information before he accessed the private information that had been mistakenly placed on the publicly accessible part of the site.
What kind of hacker gives the target of the hacking their name and credit card info first?
Moreover, who “unlawfully downloads” material without using a Virtual Private Network (VPN)? VPNs are readily available for free, and could have masked the teenager’s identity.
How the security failure was discovered
The ITO also explains how the security failure on the FOIPOP website was discovered in the first place by an employee at Nova Scotia Archives. Millaire writes that he received a statement from the employee “from which the following information was gleaned”:
a. On 4 April 2018, while employed at NS Archives, [redacted] attempted to review a redacted file which was recently released, however, he could not find the report 2018-05721, therefore he proceeded to his browsing history, retrieved the URL and entered it on a desktop rather than a phone.
b. [redacted] made a mistake keying in the URL and rather than going to the redacted document, he observed an incoming FOIPOP request.
c. Thinking it was a one-off, [redacted] typed in random numbers which led him to believe that he was no longer inside the government system and that the material was unprotected on the internet.
d. [redacted] confirmed his suspicions by turning off his Virtual Private Network (VPN), restarting his computer, and was still able to see the documents on an unsecured device using the URL https://foipop.novascotia.ca/foia/views/_AttachmentDownload.jsp?attachmentRSN=????
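The two passages above describe the same thing from opposite ends: the download URL takes a sequential `attachmentRSN` number, and the files were fetched by walking those numbers in order. That pattern is exactly what an operator's own access logs would show, and it is what the ITO's "40,735 access attempts" versus "7,675 confidential files" figures are counting. The following is an added example written for this article, not code from the Examiner, the province or UNISYS: a small Python detector that reads constructed web-server log lines (hypothetical IPs from the RFC 5737 test ranges, made-up RSN values, invented timestamps) and flags any client whose requests step through consecutive `attachmentRSN` values, reporting how many IDs were tried, how many succeeded (HTTP 200) and how long the run took. The log format and the `Payment.jsp` path are assumptions for the example.

```python
"""Detect sequential attachmentRSN enumeration in web access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Common log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The download endpoint and parameter name quoted in the article.
RSN_RE = re.compile(r"_AttachmentDownload\.jsp\?attachmentRSN=(\d+)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
DOWNLOAD = "/foia/views/_AttachmentDownload.jsp?attachmentRSN="


def build_sample_log() -> List[str]:
    """Constructed sample traffic (not real log data).

    203.0.113.10 reads two unrelated documents and pays a fee: normal use.
    198.51.100.7 walks attachmentRSN 4000..4059 in order, two seconds apart;
    every fifth ID does not exist and returns 404, mirroring the gap between
    'attempts' and 'files accessed' in the ITO."""
    lines = [
        f'203.0.113.10 - - [01/Mar/2018:23:24:05 -0400] "GET {DOWNLOAD}5721 HTTP/1.1" 200 84120',
        f'203.0.113.10 - - [01/Mar/2018:23:26:41 -0400] "GET {DOWNLOAD}5733 HTTP/1.1" 200 9001',
        '203.0.113.10 - - [01/Mar/2018:23:27:00 -0400] "POST /foia/views/Payment.jsp HTTP/1.1" 302 0',
    ]
    for i, rsn in enumerate(range(4000, 4060)):
        sec = i * 2
        status = 404 if i % 5 == 4 else 200
        lines.append(
            f'198.51.100.7 - - [03/Mar/2018:23:{11 + sec // 60:02d}:{sec % 60:02d} -0400] '
            f'"GET {DOWNLOAD}{rsn} HTTP/1.1" {status} 12000'
        )
    return lines


def parse_downloads(lines: List[str]) -> Dict[str, List[Tuple[datetime, int, int]]]:
    """Group document fetches by client IP as (timestamp, rsn, status), time-ordered.
    Requests without an attachmentRSN (payment pages, etc.) are ignored."""
    per_ip: Dict[str, List[Tuple[datetime, int, int]]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        r = RSN_RE.search(m["path"])
        if not r:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        per_ip[m["ip"]].append((ts, int(r.group(1)), int(m["status"])))
    for events in per_ip.values():
        events.sort()
    return per_ip


def longest_sequential_run(rsns: List[int]) -> int:
    """Length of the longest stretch where each RSN is exactly the previous one plus 1."""
    if not rsns:
        return 0
    best = run = 1
    for prev, cur in zip(rsns, rsns[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(lines: List[str], min_run: int = 20, min_distinct: int = 50) -> Dict[str, dict]:
    """Flag IPs that walk consecutive IDs (min_run) or touch many distinct IDs (min_distinct).
    Thresholds are illustrative; tune them to the site's real per-user document volume."""
    findings: Dict[str, dict] = {}
    for ip, events in parse_downloads(lines).items():
        rsns = [rsn for _, rsn, _ in events]
        run = longest_sequential_run(rsns)
        distinct = len(set(rsns))
        if run >= min_run or distinct >= min_distinct:
            findings[ip] = {
                "requests": len(events),
                "successful": sum(1 for _, _, st in events if st == 200),
                "distinct_ids": distinct,
                "longest_sequential_run": run,
                "span_seconds": (events[-1][0] - events[0][0]).total_seconds(),
            }
    return findings


if __name__ == "__main__":
    for ip, report in find_enumerators(build_sample_log()).items():
        print(ip, report)
```

The point of the report fields is the one the article makes: a run of consecutive IDs from one address, with a mix of hits and 404s, is the signature of someone counting through a public URL, not of an intrusion. A site that logs this and reviews it would have seen the pattern on March 3, and an endpoint that checked the requester's entitlement to each RSN before serving it would have returned 403 for every ID the user had not paid for, regardless of how the URL was typed.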
Charges dropped and questions to pursue
Yesterday, Halifax Regional Police announced that they would not be laying charges against the 19-year-old Halifax man, so at least that part of the story is settled.
But many questions remain, including:
• Why did provincial employees mislead police as to the nature of the security failure? Were they attempting to shift attention from their own failure to properly secure private information?
• Are Halifax police properly trained to handle IT security investigations?
• Would the police response — including the heavy-handed search of the Halifax man’s house — have been different had provincial employees more responsibly described the security failure?
• Why did JP Judith Gass sign off on a production order that was supported with an ITO that included an impossible sequence of events?
• Why was the production order sealed in the first place? What about the documents related to the search itself — where are they?
• How many search warrants are sealed, and are they sealed simply as a matter of course and not for justifiable reasons?
• Will anyone apologize to the 19-year-old and his family?
Some of those questions may be addressed by the province’s auditor general, Michael Pickup, who is now investigating the security failure. Others will be the subject for reporters.