Paul Moreno arrested in Ecuador for demonstrating vulnerabilities in a state website
Paul Moreno has been arrested in Ecuador, by order of the National Public Data Registry (DINARDAP), for publishing an article demonstrating the vulnerabilities of the state website Datoseguro.gob.ec. The charge is “fraudulent access to computer systems and databases”. Moreno demonstrated the flaw by accessing the data of the President of Ecuador, Rafael Correa.
According to information published by the newspaper today, the National Police raided his house, arrested him, confiscated his computer, papers, documents, hard drives and more.
Fraudulent access to computer systems and databases, that is the charge they are bringing against me. The charges will be formally filed at 11am.
— PaulCoyote (@paulcoyote) November 30, 2012
In the article, Moreno explains the method he followed to defeat a system that turned out to be extremely easy to break: by supplying easy-to-find information (date of birth, identity card number) about well-known people (such as Rafael Correa), one can access private and in some cases quite sensitive data, such as:
- Police record
- Travel abroad
- Vehicle registration
- Property registration
Being able to obtain such private data so easily from an official government website is a time bomb: with minimal effort and a little time, anyone could impersonate any person included in the Register of Public Data. Paul Moreno’s actions, far from having destructive purposes, were meant to draw the attention of the Ecuadorian government so that it would take immediate action. Unfortunately the reaction has been the opposite: accusing him of fraudulent access.
No system is perfect and no security is unbreakable. There should be no problem in accepting the flaw, and for the peace of mind of all Ecuadorians DINARDAP should make it known that it is taking all necessary steps to fix the security hole as soon as possible. But the only public action we see from this entity is the criminalization of someone who basically did them a favor.
It is also a public relations fiasco for the Correa government: the only public reaction from DINARDAP on the internet is the following tweet:
Your information is secure once you have registered, confirm your details by telephone, answer the validation questions
— DINARDAP (@DINARDAP) November 30, 2012