From computer security specialists SecuriTeam:
The Canadian Firearms Centre (CFC) is the Canadian Government's department responsible for implementing Gun Control regulations in Canada.
On their On-Line Services site, users may register non-restricted firearms, re-register restricted and prohibited firearms, check the status of their license application, check the status of their firearm registration application, and change their mailing and/or residential address.
Two related security issues allow a malicious user to not only test and extract valid/invalid License Numbers, but also brute-force accounts. However, it is only realistically feasible on accounts that have been secured using a Personal Identification Number (PIN).
The site uses a 2-stage method of requesting a client's License Number. Upon entering a valid License Number, users are presented with either a request for personal information, or a request for a PIN number. Upon entering an invalid License Number, users are presented with a screen stating the "License/FAC number is invalid. Correct format is first 8 digits of License or last 7 digits of FAC number as it appears on your card."
Since there is no protection against brute-forcing, it would be trivial for a malicious user to create an application to sequentially enter License Numbers, and therefore determine, not only what range of numbers are used, but also which precise License Numbers have been issued.
The site designers have included a hidden form field in order to track how many guesses have been made, but at no time is this form field ever modified, therefore invalidating its use. The hidden field looks like this: <input type="hidden" name="logonAttempts" value="1">
Once a malicious user has determined which number sequences match valid License Numbers, they are presented with either a screen requesting personal information, or a screen requesting the client's PIN. The screen requesting personal information is the default, with users able to establish a PIN to allow easier logins.
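As an added example (not part of the SecuriTeam advisory, this post, or the site's own code), the sketch below contrasts a check that trusts the logonAttempts hidden field with an attempt counter kept on the server. The "licence" form key, the per-address throttle key, the limits and the sample License Number are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5       # assumed policy: failures allowed per window
WINDOW_SECONDS = 900   # assumed policy: 15-minute sliding window

# Constructed sample data: the only number that "exists" in this demo.
ISSUED = {"12345678"}


def vulnerable_allow(form):
    """Trusts the client-supplied hidden field, as the advisory describes.
    The page always ships value="1", so the limit is never reached."""
    return int(form.get("logonAttempts", "1")) < MAX_ATTEMPTS


class ServerSideThrottle:
    """Counts failures on the server, keyed by something the client cannot
    reset by editing the form (here the source address, an assumption)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)   # key -> failure timestamps

    def _prune(self, key):
        q = self._failures[key]
        cutoff = self._clock() - WINDOW_SECONDS
        while q and q[0] <= cutoff:           # drop failures outside window
            q.popleft()
        return q

    def allow(self, key):
        return len(self._prune(key)) < MAX_ATTEMPTS

    def record_failure(self, key):
        self._prune(key).append(self._clock())


def hardened_lookup(form, client_addr, throttle):
    """Ignores logonAttempts entirely; returns (http_status, body)."""
    if not throttle.allow(client_addr):
        return 429, "Too many attempts. Try again later."
    if form.get("licence") not in ISSUED:     # "licence" key is hypothetical
        throttle.record_failure(client_addr)
        return 200, "License/FAC number is invalid."
    return 200, "next-step"
```

A per-address counter only slows a single source; the PIN stage would also need a counter keyed on the License Number being guessed, since the client cannot change that value without abandoning the target.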
If you find this too shocking to believe, then believe the man who managed the Canadian Firearms Centre website:
The article is from the current news section of the Ontario Federation of Anglers and Hunters.
John Hicks, an Orillia-area computer consultant, has never owned a gun. However, during his three-year tenure as the webmaster for the Canadian Firearms Centre, he was shocked to discover that anyone with a home computer could have easily accessed names, addresses and detailed shopping lists (including make, model and serial number) of literally millions of registered guns belonging to millions of unsuspecting licensed firearms owners.
"During my tenure as the CFC webmaster I duly informed management that the website that interfaced to the firearms registry was flawed. It took some $15 million to develop and I broke it inside of about 30 minutes," said Mr. Hicks...
So what will the government do to protect the privacy of gun owners' information? I mean, besides the basic obligation of the government to protect all the information it collects from citizens, in this case, the information can lead to some serious and perhaps deadly consequences.
Mr. Hicks said he repeatedly warned CFC management to properly protect gun owners' personal information before he filed an official complaint with the Privacy Commissioner.
"The privacy commissioner actually responded that should anyone complain that they were targeted due to information gleaned from the CFRS database that they would investigate further," said Mr. Hicks.
Great. Our privacy will be protected only when it has been violated (and presumably if we can somehow show that this particular database or that was the actual source of information).
Have there been changes made? Yes, but according to John Hicks, the data is no more secure than before. All the government has done is revamp the login process to make it longer and more tedious.
Of course, tedium is no defence against an automated script designed to try hundreds of thousands of combinations in order to crack legitimate logins.
Ironically, if the tedious login process discourages Canadian gun owners from complying with the law and providing information about their legal firearms, Canadians will be safer. It seems that the less the government knows about law-abiding citizens and their firearms, the safer we will all be.
Fortunately, the new Conservative government seems to understand that in principle, and the plan to obliterate the gun registry is a welcome one.
[Thanks to reader Robert for the tip]