CIPC hackers contact MyBroadband to warn the breach is much worse than people are told

The attackers told MyBroadband that they got in using an exploit in a system developed for the CIPC by software development house Sword South Africa.
...
This time, they also downloaded all of Sword South Africa’s source code for the exploited systems.

“The code is full of ridiculous security holes and it’s quite clear that these have never been through a security audit,” they said.


Dodgy looking site:

If they are behind / involved with the code base, never mind any form of testing, sword-sa should fall on themselves
 
Yeh… hacking into cipc then demanding ransom. Amateurs don’t know SA.
Hopefully they just get fobbed off. “We promise to delete your data if you pay” ja right lol.
 
For the biggest part, CIPC data, which includes company ownership information and director information (names, surnames, identity numbers, phone numbers and addresses), is all public information. This information will not form part of the IR's investigation as the information is not covered under POPIA. The fact that they want payment from people to view the information does not make it less public.

The only problem they are facing is the credit card information that was not secured and breached.
 
I have to commend these hackers for not disabling the system, proving that the vulnerability is not new, calling out CIPC for their lazy lies, confirming prior beliefs that incompetence is the cousin of a non meritocracy, exposing the fixable vulnerability of a critical system, and providing proof of all their claims to this publication.
 
The attackers told MyBroadband that they got in using an exploit in a system developed for the CIPC by software development house Sword South Africa.
...
This time, they also downloaded all of Sword South Africa’s source code for the exploited systems.

“The code is full of ridiculous security holes and it’s quite clear that these have never been through a security audit,” they said.


Dodgy looking site:

The exploit also gave them full access to company registrations. They could add or remove directors at will, or alter the records in other ways.

“They tried to cover their tracks when we pointed out the basic security holes. They are reckless with sensitive info,” the group said.

“This incompetence extended to them processing and storing credit cards in the clear.”

Lekker Cadre deployment, Transformation, BEE and AA!
 
We need to protect us from ourselves apparently. No surprises considering the government are barely qualified as candle technicians
 
Their developer studied information security at the University of London, getting a master's in Computer and Information Systems Security.

Who wants to bet such a degree doesn't exist at that university?
It's actually quite a prestigious "Ivy-league" institution, and they actually do have a Master in InfoSec program that is very aggressively marketed, and costs a fortune. I was tempted to follow it over a decade ago, but decided against it due to the cost.

It goes to show that possessing a Master's degree is no guarantee of security and quality output.
 
They actually used the CIPC engagement as a case study:


An excerpt from the case study:

 
What’s next? Someone going to warn MyBB that the cabedocs municipal billing system is vulnerable with a predictable serial number attack… cough.
 
Their developer studied information security at the University of London, getting a master's in Computer and Information Systems Security.

Who wants to bet such a degree doesn't exist at that university?
Full-time computer science studies presented by the University of Liverpool. The part-time course that may be related was mentioned in another post.
 
I wonder how many other government departments are being hacked and we don't know how much they have paid already.
It's really crazy out there, just visit eservices.gov.za to appreciate the kind of damage hackers would do if they ever compromised that system.
 
It's really crazy out there, just visit eservices.gov.za to appreciate the kind of damage hackers would do if they ever compromised that system.

If they ever crack their way into the labor department's servers then God help us all.
 