Spliffcat

Executive Member
Joined
Jun 4, 2013
Messages
5,951
Try and explain this to a bunch of thick-headed, useless government officials who got the job for being a crony.

gregmcc

Honorary Master
Joined
Jun 29, 2006
Messages
24,501
I agree - they are going about it completely the wrong way!

They are just hiding their heads in the sand and not dealing with the problem. Idiots!

j4ck455

Executive Member
Joined
Jan 2, 2006
Messages
7,296
White said that a useful guideline is if a company has a security reporting page with guidelines for submitting vulnerabilities, it is worth at least trying coordinated disclosure first.

If the CoJ and SCAMRAL ever decided to become responsible corporate netizens and respond to reports of vulnerabilities via a reporting mechanism, it would be unwise to trust them with one's identity; rather, take steps to conceal your IP and use a throwaway email addy when contacting companies that have a history of trying to shoot the messenger.

Hedonism

New Member
Joined
Nov 3, 2005
Messages
8
Well the core of that article is garbage really.

> “For example, if you figure out how to unlock a car and tell people, that’s not the same as using the trick to steal cars,” White said.

Well, no it's not. When Moe1 figured out the flaw in the eTolls website, he made it public, he didn't just quietly report it. That's like figuring out how to unlock a car and then telling the whole world before you tell the owner.

> White said that the arguments for coordinated disclosure are that risks are minimised since the public only finds out about the vulnerability after it is fixed.
>
> The arguments against it are that vendors have limited incentives to fix the flaw (or less pressure to). While the vendor takes its time to fix the flaw, others with more malicious intent may have already found it and started abusing it.

Also rubbish. One of the core precepts of information security is that if a flaw is discovered by one person, it can be discovered by anyone. The incentive to fix it remains the same.

Having said all of that, SANRAL's reaction was still immature. Government and parastatals in this country have a lot of growing up to do still.

BGE

Expert Member
Joined
Oct 13, 2009
Messages
1,494
SANRAL are just clueless... every interaction with the public seems to be seen as a full-blown attack on the system. It's clear their back-office processes and systems are in a bit of a shambles.

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
> Well the core of that article is garbage really.
>
> Well, no it's not. When Moe1 figured out the flaw in the eTolls website, he made it public, he didn't just quietly report it. That's like figuring out how to unlock a car and then telling the whole world before you tell the owner.
>
> Also rubbish. One of the core precepts of information security is that if a flaw is discovered by one person, it can be discovered by anyone. The incentive to fix it remains the same.
>
> Having said all of that, SANRAL's reaction was still immature. Government and parastatals in this country have a lot of growing up to do still.

Who is to say that Moe1 did not contact Sanral? You will find that the vulnerability was actually discovered at the beginning of December and the video itself was released towards the end of December. Perhaps we will never know what communication flowed, and I doubt Moe1 will make himself contactable after being alerted about threats from Sanral (and seeing how CoJ reacted).

Take CoJ for example: the flaw was first reported on 13 August 2013 and then again on 20 August 2013. The first report was via email and, although it was acknowledged via an automatic receipt, the original reporter was never contacted. When I contacted CoJ on the 20th, the call centre refused to connect me to a senior manager and eventually slammed the phone down. My subsequent email notification of the same day was responded to on 29 August with the message "Good day value customer, we are aware of that and IT is working on that". What happened afterwards is pretty clear to everyone (including how long it took to rectify the issue).

I doubt that, without public pressure, the CoJ's IT service provider would have made any "fast effort" to rectify the situation (even in "expedited mode" it took more than 4 months to fix what most IT professionals agreed would not take more than a few days). Ekurhuleni had a very similar issue to CoJ and they fixed it quietly, without much of a media circus, within 24 hours. CoJ's security flaw was in their IT infrastructure since the inception of statement viewing, and Google indexed statements as far back as 2012; due to the lack of auditing and access control, one will never know for how long, and how many accounts, were leaked.

Now @Hedonism, do you honestly believe that an entity like CoJ would have (1) acknowledged the issue, (2) made any reasonable attempt to fix it and (3) actually disclosed to their users that there was an issue, if the security issue had not been made public after reasonable attempts to collaborate? Don't you believe that companies and governments, as custodians of your data, have the responsibility and accountability to inform their users about the issue and take security reports seriously? I cannot recall seeing a single notification or apology about the security issue, or any effort to keep users up to date about the progress. That to me is not how IT governance should work, irrespective of whether it is in government, a large corporate or a small online business.

Right now, netizens of this country get intimidated and harassed for trying to provide feedback on government e-services, and yet the ANC has announced, as part of their party manifesto, that it will make the Internet accessible to everyone. What do you think will happen if the government does not learn to trust its citizens and start to collaborate with people raising issues or making suggestions?

With the current attitude you will find that people will remain complacent and just not give a hoot whether there is a security issue or not, and eventually you will find a link to Pastebin with millions of records of rate-payers, all because of the negligence and arrogance of certain IT service providers and government entities.

j4ck455

Executive Member
Joined
Jan 2, 2006
Messages
7,296
> I doubt that, without public pressure, the CoJ's IT service provider would have made any "fast effort" to rectify the situation (even in "expedited mode" it took more than 4 months to fix what most IT professionals agreed would not take more than a few days).

The coordinated/responsible disclosure vulnerability approach would definitely not have worked with the CoJ nor with SCAMRAL.

Knowing what we all know after the fact about the childish and irresponsible attitudes of the CoJ and SCAMRAL towards IT security and the lack of respect they have for people's personal information, I think there should be a hybrid method of disclosure: one submits the details of a vulnerability to an online webservice along with the email addys of the entities responsible for fixing the vulnerability, and a 7-day countdown starts. As soon as the 7 days are up, the details of the vulnerability are automatically released to media outlets. Each day, the entities responsible for effecting the fix would receive follow-up notification emails including the time left on the countdown before full disclosure (of the vulnerability) kicks in. The person that submitted the vulnerability would be advised (by the webservice) to stay anonymous, but could choose to reveal their real name if they really wanted to when automated full disclosure kicks in.

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
> The coordinated/responsible disclosure vulnerability approach would definitely not have worked with the CoJ nor with SCAMRAL.
>
> Knowing what we all know after the fact about the childish and irresponsible attitudes of the CoJ and SCAMRAL towards IT security and the lack of respect they have for people's personal information, I think there should be a hybrid method of disclosure: one submits the details of a vulnerability to an online webservice along with the email addys of the entities responsible for fixing the vulnerability, and a 7-day countdown starts. As soon as the 7 days are up, the details of the vulnerability are automatically released to media outlets. Each day, the entities responsible for effecting the fix would receive follow-up notification emails including the time left on the countdown before full disclosure (of the vulnerability) kicks in. The person that submitted the vulnerability would be advised (by the webservice) to stay anonymous, but could choose to reveal their real name if they really wanted to when automated full disclosure kicks in.

This would fail already due to the lack of knowing who is responsible :wtf: (I doubt anyone wants to be responsible or accountable).

To be honest, large companies and organisations have stringent auditing processes and would have IT risk & governance staff dealing with compliance and security issues. I am sure those people do exist at CoJ/Sanral, but I doubt that they understand their jobs since the whole of IT is outsourced. Subsequent to CoJ, I phoned a number of large companies for my own sanity and asked the general helpdesk who I would speak to with regards to their website security, and guess what? Across all sectors (finance, insurance, transport, mining, retail, agriculture, hospitality, medical, pension) I tried, I got a positive response via the call centre within 10-30 minutes.

I don't think the onus should be on us to ensure that government agencies do their jobs properly. There are sufficient frameworks, regulations and industry standards to govern this properly - one just needs to want to :whistling:

j4ck455

Executive Member
Joined
Jan 2, 2006
Messages
7,296
> This would fail already due to the lack of knowing who is responsible :wtf: (I doubt anyone wants to be responsible or accountable).
>
> To be honest, large companies and organisations have stringent auditing processes and would have IT risk & governance staff dealing with compliance and security issues. I am sure those people do exist at CoJ/Sanral, but I doubt that they understand their jobs since the whole of IT is outsourced. Subsequent to CoJ, I phoned a number of large companies for my own sanity and asked the general helpdesk who I would speak to with regards to their website security, and guess what? Across all sectors (finance, insurance, transport, mining, retail, agriculture, hospitality, medical, pension) I tried, I got a positive response via the call centre within 10-30 minutes.
>
> I don't think the onus should be on us to ensure that government agencies do their jobs properly. There are sufficient frameworks, regulations and industry standards to govern this properly - one just needs to want to :whistling:

The onus should definitely not be on members of the public, but the reality is that there are very irresponsible organisations out there that simply ignore vulnerabilities in their systems.

In the case of the CoJ and SCAMRAL, just doing an IP whois to get the abuse email addy for vulnerability notification purposes (even if that email addy is not monitored) would be sufficient for an automated webservice like I described. There could also be an optional short "public" description, without any details of the vulnerability, that is published and publicly viewable before the 7 days are up, and would soon be picked up by Google. The countdown clock would tick and the details of the vulnerability would automatically be released after 7 days no matter what. Irresponsible companies would soon learn that threatening to take a webservice to court would be futile.
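The countdown service proposed in the two posts above (submission, daily reminders to the vendor's contact address, a public summary from day one, and unconditional release of the details after 7 days) is easy to get subtly wrong around the deadline, so here is a small model of it as an added example. This is not code from the thread or from any real service; the ticket layout, the `vendor.invalid` address and the sample ticket are constructed placeholders, and the clock is passed in explicitly so the schedule can be checked offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Hypothetical countdown service modelled on the proposal in this thread:
# the clock starts at submission and cannot be paused or cancelled by the vendor.
DISCLOSURE_WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class DisclosureTicket:
    submitted_at: datetime               # UTC time the reporter filed the ticket
    vendor_contacts: Tuple[str, ...]     # e.g. the abuse mailbox found via whois
    public_summary: str                  # short, detail-free text published at once
    private_details: str                 # full details, withheld until the deadline
    reporter_name: Optional[str] = None  # None means stay anonymous (the default)

    @property
    def disclosure_at(self) -> datetime:
        return self.submitted_at + DISCLOSURE_WINDOW

    def state(self, now: datetime) -> str:
        return "disclosed" if now >= self.disclosure_at else "counting_down"

    def reminders_due(self, now: datetime) -> List[Tuple[datetime, str, str]]:
        """One reminder per elapsed day, each stating how long is left.
        Returned as (send_at, recipient, subject) so a mailer can dedupe on send_at."""
        out = []
        day = 1
        while True:
            send_at = self.submitted_at + timedelta(days=day)
            # Stop at 'now' (nothing is sent early) and at the deadline itself,
            # where the release, not a reminder, goes out.
            if send_at > now or send_at >= self.disclosure_at:
                break
            days_left = (self.disclosure_at - send_at).days
            subject = f"[disclosure countdown] {days_left} day(s) until public release"
            for contact in self.vendor_contacts:
                out.append((send_at, contact, subject))
            day += 1
        return out

    def public_view(self, now: datetime) -> dict:
        """What the webservice publishes at time 'now'. The summary is visible from
        the start; details and the (optional) reporter name appear only after the deadline."""
        view = {
            "state": self.state(now),
            "summary": self.public_summary,
            "disclosure_at": self.disclosure_at.isoformat(),
        }
        if view["state"] == "disclosed":
            view["details"] = self.private_details
            view["reporter"] = self.reporter_name or "anonymous"
        return view


def day(ticket: DisclosureTicket, offset_days: int) -> datetime:
    """Helper for walking the timeline: midday on the given day after submission."""
    return ticket.submitted_at + timedelta(days=offset_days, hours=12)


# Constructed sample ticket; the address and details are placeholders, not real ones.
SAMPLE = DisclosureTicket(
    submitted_at=datetime(2014, 1, 1, tzinfo=timezone.utc),
    vendor_contacts=("abuse@vendor.invalid",),
    public_summary="Customer statements reachable without authentication (details withheld)",
    private_details="CONSTRUCTED PLACEHOLDER: full reproduction steps would go here",
)

if __name__ == "__main__":
    for offset in (0, 3, 7):
        now = day(SAMPLE, offset)
        print(f"day {offset}: {SAMPLE.state(now)}, "
              f"{len(SAMPLE.reminders_due(now))} reminder(s) sent so far, "
              f"details public: {'details' in SAMPLE.public_view(now)}")
```

The two boundary decisions worth noting are that the deadline comparison is `>=` (release happens exactly at the seven-day mark, not a day later) and that no reminder is generated at the deadline itself, since by then the release has gone out. Anything the vendor says in between changes nothing in the schedule, which is the whole point of the proposal.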

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
Agree with you. I do however think that each and every company should own up to their mistakes and stop pleading ignorance or shifting blame to "hackers" to avoid taking responsibility.

You simply cannot create software that sits out there on the web facing billions of people (yes, billions, since your website is connected to the Internet, anyone can access it) and assume that every one of them will only use it the way you would like them to. That's the whole premise of why we have application security (look at COBIT and ITIL for very well documented processes and policies). People will try to do unkind things with your software - expect it (and be grateful if you get warned).

The one thing CoJ, Sanral and others forget, however, is liability, and there are multiple international precedents where organisations have built shoddy software and then been held liable - legally liable - for some amount of damages as a result. Think Sony and the PSN breach. Think Tesco. Think Snapchat and, as of late, Target (leaking 40 million credit cards and affecting over 70 million customers).

I think as long as companies and government agencies implement "reasonable" measures to protect their data, they should be fine - neither CoJ nor Sanral did this and did not demonstrate reasonable responsibility to protect their data. Shifting the blame to a "hacker" does not absolve them of all responsibility and there is no doubt that their accusations and lack of accountability will backfire.

In all the recent cases it has become very evident that the government agencies and their IT service providers lack complete knowledge and experience in implementing reasonably secure systems. This shows in using cheap SSL certificates (any organisation wanting to be credible would use EV certs), running servers with standard configuration, not hardening infrastructure, implementing simple hashing of data-record identifiers, pushing login information into "hidden" forms, serializing Java objects in Ajax requests, exposing HTTPS transactions over unconventional ports, and hosting critical infrastructure on virtual and shared hosting infrastructure (never mind the complete lack of auditability and change control).

While your initiative is a noble thing to do, it does not solve the core problem, that big IT service providers (we all know who you are and are embarrassed that you implement crappy solutions like this for several thousand Rand per hour in consulting fees) get away with nonsense like this. If you have ever dealt with ISPA (I had several cases in the last few months and I think Paul has a few going), you will find that not even a well-established body such as ISPA is in a position to arbitrate complaints between the complainant and their members in a reasonable time (my quickest turn-around was 49 days).

You would also find that the very same agencies would then attempt to sue/shut down the owners of said website in any case and you would be no further than where we currently are. The simple solution is that those government agencies take ownership and run IT with appropriately skilled staff.
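Two of the weaknesses listed in the post above, "simple hashing of data-record identifiers" and the earlier point that statements were viewable without access control and ended up in Google's index, are the same mistake seen from two sides: an unkeyed hash of a sequential number is not a secret, and a URL token is not an authorisation check. The following is an added example, not CoJ's or Sanral's code; the account numbers, owners and statement text are constructed, and `weak_token`, `strong_token` and the two `fetch_statement_*` functions are hypothetical names for the pattern and its fix.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample data: account number -> (owner, statement). Not real records.
STATEMENTS = {
    1001: ("alice", "Rates statement Jan 2014: R1,250.00"),
    1002: ("bob",   "Rates statement Jan 2014: R980.00"),
    1003: ("carol", "Rates statement Jan 2014: R2,100.00"),
}


# --- The weak pattern named in the thread: a plain hash of a sequential identifier ---

def weak_token(account_no: int) -> str:
    """md5(account number). No secret is involved, so anyone can recompute the
    token for every account number in the plausible range."""
    return hashlib.md5(str(account_no).encode()).hexdigest()


def fetch_statement_insecure(token: str) -> Optional[str]:
    """Token-only lookup: knowing (or guessing) the token is the whole 'access control'."""
    for account_no, (_owner, text) in STATEMENTS.items():
        if weak_token(account_no) == token:
            return text
    return None


def harvest_insecure(lo: int, hi: int) -> List[str]:
    """Attacker side: precompute md5 for the whole ID range offline, then fetch.
    This is what turns 'obscured' URLs into an enumerable, crawlable data set."""
    rainbow: Dict[str, int] = {weak_token(n): n for n in range(lo, hi + 1)}
    leaked = []
    for token in rainbow:
        text = fetch_statement_insecure(token)
        if text is not None:
            leaked.append(text)
    return leaked


# --- Hardened version: keyed token plus an ownership check on every request ---

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to clients


def strong_token(account_no: int) -> str:
    """HMAC-SHA256 under a server secret: without the key the ID range cannot be walked."""
    return hmac.new(SERVER_KEY, str(account_no).encode(), hashlib.sha256).hexdigest()


def fetch_statement_secure(account_no: int, token: str,
                           session_user: Optional[str]) -> Optional[str]:
    """Requires (1) an authenticated session, (2) a valid token for this account and
    (3) that the session user owns the account. A valid token alone is never enough,
    because tokens leak (logs, referers, search-engine indexes)."""
    if session_user is None:
        return None
    if not hmac.compare_digest(strong_token(account_no), token):
        return None
    owner, text = STATEMENTS.get(account_no, (None, None))
    if owner != session_user:
        return None
    return text


if __name__ == "__main__":
    print(f"insecure endpoint leaked {len(harvest_insecure(1000, 1100))} statements")
    print("secure endpoint, wrong user:", fetch_statement_secure(1002, strong_token(1002), "alice"))
    print("secure endpoint, owner:", fetch_statement_secure(1002, strong_token(1002), "bob"))
```

The keyed token on its own only stops enumeration; it is the ownership check tied to an authenticated session that stops a leaked or indexed link from serving someone else's statement. Both are needed, and neither is a substitute for the audit trail the post says was missing.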

j4ck455

Executive Member
Joined
Jan 2, 2006
Messages
7,296
> I think as long as companies and government agencies implement "reasonable" measures to protect their data, they should be fine - neither CoJ nor Sanral did this and did not demonstrate reasonable responsibility to protect their data. Shifting the blame to a "hacker" does not absolve them of all responsibility and there is no doubt that their accusations and lack of accountability will backfire.

The thing is that the CoJ and SCAMRAL are being cavalier with data that does not belong to them, that data is personal information that belongs to actual people like us.

Ask yourself what your motivation was when you tried to inform the CoJ that their eServices portal had no real access control measures in place. The answer I'm sure is that you were concerned about your own personal information being made available to anyone with an Internet connection, that is your data and not something that the CoJ can claim ownership of.

The CoJ was criminally negligent in its complete and utter failure to protect the personal information of rate payers, you were trying to get the CoJ to stop publicly publishing your personal details and those of all other rate payers, and you never encouraged nor contracted anyone to write scripts to scrape the data (that is on them and them alone).

> You would also find that the very same agencies would then attempt to sue/shut down the owners of said website in any case and you would be no further than where we currently are. The simple solution is that those government agencies take ownership and run IT with appropriately skilled staff.

The only way that will happen, is if they are forced to do so as a result of very embarrassing revelations that they were informed of a vulnerability and they completely ignored it: eventually they would have to hire competent people (permanent or contracted out).

Tns

Executive Member
Joined
Sep 7, 2005
Messages
5,608
Well, when someone "hacks" them again, can't they just wipe the whole system, mmm?