Hawks investigate City of Joburg billing website security issue

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
I must honestly say I am glad that it landed up with Commercial Crimes, as I do believe that the people dealing with this are the most equipped to deal with technical and IT-related issues. Meeting legal team in an hour, will then have some decent "me-time" and will feed back once I have more info.

BTW: I am pretty certain that POPI would not have helped in this instance - wrote about it some time ago - http://mybroadband.co.za/vb/showthread.php/556279-Protection-of-Personal-Information-Act-(POPI)-not-applicable-to-all (government seems to be pretty much excluded from POPI)
 

Paul Hjul

Honorary Master
Joined
Aug 31, 2006
Messages
14,902
CoJ negligence is entirely irrelevant. All that is relevant is whether the terms of the statute give rise to an offence. Whoever wants to publicly say that they do puts their own reputation in peril. The law is clear that authorized access is legal - if you invited somebody into your house you cannot allege trespass even if they had malicious intent, unless they deceived you into letting them in. If somebody comes to your front door and says "may we come in to burgle your house" then you should have them arrested for being stupid - a burglar must be trespassing and committing theft (or some other crime), not entering with permission to commit theft (or some other crime). The CoJ system said you have authorized access - beginning and end.

The CoJ filing a false charge - and knowing it to be false - in order to cover up incompetence however is a matter for the Hawks to investigate and if the Hawks pursue a bogus investigation in order to not investigate an actual offence of defeating the ends of justice it is a matter for the IPID to deal with and they certainly do have at least one investigator on computing matters ...
 

Bern

Expert Member
Joined
Apr 29, 2010
Messages
2,675
How do we get CoJ investigated or does someone need to sue them for publishing private info publicly? Surely this would fall under the NPA/Hawks/Public Protector?
 

House

Banned
Joined
Aug 17, 2006
Messages
5,482
How do we get CoJ investigated or does someone need to sue them for publishing private info publicly? Surely this would fall under the NPA/Hawks/Public Protector?
Criminally - Unfortunately not.

At best, and I do not have a lot of experience in this, one can look at civil actions. However, take a look at their terms and conditions for using their website; I do not think the COJ takes any responsibility, and no actions can be instituted against them.

Abroad, they have specific laws, rules and regulations in place that will have a company fined an 'X' amount per record that was breached, which could lead to fines amounting to millions of dollars. However, in SA we do not have any such laws in place, as far as I know.
 

House

Banned
Joined
Aug 17, 2006
Messages
5,482
Just maybe worth mentioning....

I can confirm that the police will not be investigating all individuals that have accessed invoices. Currently, the matter is only against one individual. Information from my sources confirmed that the COJ cannot provide the required evidence (logs) that will link a specific IP address to a specific invoice that was accessed (which is required to institute prosecution).
 

koeksGHT

Dealer
Joined
Aug 5, 2011
Messages
11,801
The Hawks are probably the only investigative unit in the police that can conduct this investigation. Their Computer Fraud investigation team is small, but they all have more than 10 years of Internet / computer crime related investigation experience. They all received training both here and abroad and they have better equipment in their arsenal than any other State department. Since 2003 they have set the most precedents in computer crime related cases and are also the unit with the most successful computer crime convictions. You are underestimating them quite a lot!
Well they admitted what he did was good.... idiots
 

Bern

Expert Member
Joined
Apr 29, 2010
Messages
2,675
Just maybe worth mentioning....

I can confirm that the police will not be investigating all individuals that have accessed invoices. Currently, the matter is only against one individual. Information from my sources confirmed that the COJ cannot provide the required evidence (logs) that will link a specific IP address to a specific invoice that was accessed (which is required to institute prosecution).
A question, if you wanted to open a case against CoJ/company responsible for the website how would you prove the invoices were available if you did not
a) Go to the pages
b) Keep copies of the data they provided without authentication?

I ask as they could fix the problem and claim it never happened.


Nice to know they are not going to be able to waste money and time trying to prosecute anyone who accessed the pages. Can you imagine how many Rands worth of productive time would have been lost just by having so many tech people not able to work for a day or two to go to court! Not to mention all the legal fees etc.
 

Sherbang

Executive Member
Joined
May 14, 2008
Messages
9,874
Just wondering - aren't there two separate issues here?
The first is the guy who initially discovered the lack of security and exposed it. He should not be prosecuted as he actually did them a service.
The second issue is the guys who wrote a script and then ran it overnight, downloading thousands of private records.
I think they could legitimately be prosecuted.

To me it's like this. I have a shop and I don't realise it has a secret back door.
Someone discovers it, walks in, takes something, then goes to the shop owner or authorities, hands what he took back and explains about the secret back door. If I was the shop owner I would thank him, lock the secret back door and be done with it.
However, on the way to inform the authorities, the guy mentions what he found to some friends.
They then use the secret back door to steal a whole bunch of stuff.
They could be prosecuted.
 

House

Banned
Joined
Aug 17, 2006
Messages
5,482
A question, if you wanted to open a case against CoJ/company responsible for the website how would you prove the invoices were available if you did not
a) Go to the pages
b) Keep copies of the data they provided without authentication?

I ask as they could fix the problem and claim it never happened.


Nice to know they are not going to be able to waste money and time trying to prosecute anyone who accessed the pages. Can you imagine how many Rands worth of productive time would have been lost just by having so many tech people not able to work for a day or two to go to court! Not to mention all the legal fees etc.
You will not be able to open a criminal case against the COJ. There are so many aspects that will play a role. Number one being that they never made the documents public. Even though there was no security, they still did not make them publicly available. Number two is proving that your specific invoice was made public and accessed by third parties. Number three is proving intention or the COJ's role in assisting in making the invoices public. A badly coded system does not necessarily amount to intention to commit any crime against anyone. There are just so many more things I can think of that will not work in a criminal matter.

Civilly, you can go see an attorney and then an advocate for advice on this. I know that you do not have to prove the same as what you need to prove in a criminal matter. However, whether a civil case will succeed, I am not so sure.
 

DJ...

Banned
Joined
Jan 24, 2007
Messages
70,288
Nobody stole anything in this case though, so the analogy is not accurate...
 

Paul Hjul

Honorary Master
Joined
Aug 31, 2006
Messages
14,902
By providing authorized access to all and sundry they published the information. If my record was leaked I would have opened a docket under the MFMA set (a whole batch of legislation) already. So if anybody wants to lodge a criminal case against the CoJ you need to use the MFMA stuff http://mfma.treasury.gov.za/Pages/Default.aspx and probably charge the Accounting Officer (Municipal Manager). If you want to go the civil route you can also write to the MM insisting on an undertaking that no further disclosure will be made by the municipality or an interdict will be sought.
 

Paul Hjul

Honorary Master
Joined
Aug 31, 2006
Messages
14,902
Just wondering - aren't there two separate issues here?
The first is the guy who initially discovered the lack of security and exposed it. He should not be prosecuted as he actually did them a service.
The second issue is the guys who wrote a script and then ran it overnight, downloading thousands of private records.
I think they could legitimately be prosecuted.

To me it's like this. I have a shop and I don't realise it has a secret back door.
Someone discovers it, walks in, takes something, then goes to the shop owner or authorities, hands what he took back and explains about the secret back door. If I was the shop owner I would thank him, lock the secret back door and be done with it.
However, on the way to inform the authorities, the guy mentions what he found to some friends.
They then use the secret back door to steal a whole bunch of stuff.
They could be prosecuted.
There are two problems with your analogy both of which explain the law quite well:
(1) This isn't a backdoor that you have to open that has a broken lock or whatever. This is an open front door with a doorman inviting you in. (The webserver is providing authorization to access) If it was a backdoor then the shop could claim that you were trespassing. And the wording of the Act about unauthorized access makes the triviality of security irrelevant - rather the requirement that the access must be unauthorized.

(2) As DJ says, there was no theft. There were other guys using the same permission-granting doorman and the shop looks like an ass - and is probably breaking the law. If there was theft though you wouldn't be able to claim burglary because there was no trespassing; it would be theft plain and simple. Now if POPI was on the books you could have a case against people for intentionally accessing personal information or whatever offences arise under that Act, but it isn't. Moreover, the fact that the access was authorized does not make an otherwise illegal use of the information legal.
 

McT

The Humble Scot!
Joined
May 19, 2009
Messages
35,728
Hawks spokesperson Paul Ramaloko confirmed that they are investigating the City of Joburg case, but said that it is too early to give details on potential outcomes.
If this is a fair and impartial investigation, I suspect that there will be a lot of egg on face in the City of Joburg's IT department.
 

Daruk

Honorary Master
Joined
Jul 18, 2008
Messages
39,427
I hope their investigation leads to the arrest of whoever gave this system the green light in the first place.
It might lead to the exposing of a scapegoat... that's as optimistic as I see it... Hawks.. investigating this? It's hardly a hacking affair - simple vulnerability at best and should be sorted out by now lol. Perhaps they're going to investigate the IPs of everyone who's accessed multiple accounts recently - that could be interesting :)
MyBB members?
 

MickeyD

RIP
Joined
Oct 4, 2010
Messages
139,117
It might lead to the exposing of a scapegoat... that's as optimistic as I see it... Hawks.. investigating this? It's hardly a hacking affair - simple vulnerability at best and should be sorted out by now lol. Perhaps they're going to investigate the IPs of everyone who's accessed multiple accounts recently - that could be interesting :)
MyBB members?
It was stated earlier that CoJ don't have the logs.
 

House

Banned
Joined
Aug 17, 2006
Messages
5,482
It was stated earlier that CoJ don't have the logs.
Correct. Confirmed that the case was only opened against one individual. No logs or evidence were provided on any person(s) who accessed statements. The investigation will stay focused on one individual only.
 

Paul Hjul

Honorary Master
Joined
Aug 31, 2006
Messages
14,902
But without logs how can they allege - let alone prove - UNAUTHORIZED access?

It must be proved beyond a reasonable doubt that the access was unauthorized, which cannot be done without presenting the best admissible evidence, which is the HTTP server's logs. Of course they won't want those logs in question because they prove that the investigation is misguided in fact and law.
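The posts above turn on what the web server's access logs would have to contain to link "a specific IP address to a specific invoice", and on the overnight scripted download Sherbang describes. The following is an added example, not code from the thread, from any poster, or from the City of Joburg system: it parses Apache/nginx "combined" format access log lines, builds the IP-to-invoice and invoice-to-IP linkage from successful fetches, and flags the IPs that pulled many distinct accounts. The log format, the `/billing/statement?acc=<number>` URL shape, the account numbers and every sample line are assumptions constructed for illustration; nothing here reflects the real site's URLs or traffic. It also shows the failure mode the thread hints at: when the query string is not logged, the request cannot be tied to an invoice at all.

```python
"""Correlate invoice fetches in web server access logs (added example).

Assumptions (hypothetical, not from the page): the billing site logs in the
Apache/nginx "combined" format, and an invoice is fetched with a request like
GET /billing/statement?acc=<account number>. Real paths are unknown.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Hypothetical invoice endpoint; the account number travels in the query string.
ACCOUNT_RE = re.compile(r'^/billing/statement\?(?:.*&)?acc=(?P<acc>\d+)')


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    acc = ACCOUNT_RE.match(rec["path"])
    rec["account"] = acc.group("acc") if acc else None
    return rec


def correlate(lines, status_ok=("200",)):
    """Build both directions of the IP <-> invoice link from successful fetches.

    Returns (by_ip, by_account, unlinked): by_ip maps an IP to the set of
    account numbers it retrieved; by_account maps an account number to the
    set of IPs that retrieved it; unlinked counts statement requests whose
    account number cannot be recovered (e.g. the query string was not logged),
    which is exactly the evidence gap that makes attribution impossible.
    """
    by_ip = defaultdict(set)
    by_account = defaultdict(set)
    unlinked = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] not in status_ok:
            continue
        if rec["account"] is None:
            if rec["path"].startswith("/billing/statement"):
                unlinked += 1
            continue
        by_ip[rec["ip"]].add(rec["account"])
        by_account[rec["account"]].add(rec["ip"])
    return dict(by_ip), dict(by_account), unlinked


def bulk_readers(by_ip, threshold=3):
    """IPs that fetched more than `threshold` distinct accounts: the scripted-enumeration pattern."""
    return sorted(ip for ip, accs in by_ip.items() if len(accs) > threshold)


# Constructed sample log lines (not real traffic). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; account numbers are invented.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2013:21:02:11 +0200] "GET /billing/statement?acc=100200301 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [11/Feb/2013:02:10:00 +0200] "GET /billing/statement?acc=100200301 HTTP/1.1" 200 48211 "-" "python-requests/1.1.0"',
    '198.51.100.23 - - [11/Feb/2013:02:10:01 +0200] "GET /billing/statement?acc=100200302 HTTP/1.1" 200 47990 "-" "python-requests/1.1.0"',
    '198.51.100.23 - - [11/Feb/2013:02:10:02 +0200] "GET /billing/statement?acc=100200303 HTTP/1.1" 200 48102 "-" "python-requests/1.1.0"',
    '198.51.100.23 - - [11/Feb/2013:02:10:03 +0200] "GET /billing/statement?acc=100200304 HTTP/1.1" 404 512 "-" "python-requests/1.1.0"',
    '198.51.100.23 - - [11/Feb/2013:02:10:04 +0200] "GET /billing/statement?acc=100200305 HTTP/1.1" 200 48011 "-" "python-requests/1.1.0"',
    '198.51.100.23 - - [11/Feb/2013:02:10:05 +0200] "GET /billing/statement?acc=100200306 HTTP/1.1" 200 48230 "-" "python-requests/1.1.0"',
    # Query string missing from the log: the fetch cannot be tied to an invoice.
    '203.0.113.9 - - [11/Feb/2013:08:15:30 +0200] "GET /billing/statement HTTP/1.1" 200 48011 "-" "Mozilla/5.0"',
    'garbage line that is not a log record',
]

if __name__ == "__main__":
    by_ip, by_account, unlinked = correlate(SAMPLE_LOG)
    for acc, ips in sorted(by_account.items()):
        print(f"account {acc} fetched by {sorted(ips)}")
    print("bulk readers:", bulk_readers(by_ip))
    print("statement fetches that cannot be linked to an invoice:", unlinked)
```

Run stand-alone it prints, per invented account number, every IP that retrieved it, lists 198.51.100.23 as the one bulk reader (five distinct accounts, the 404 excluded), and reports one fetch that cannot be linked because the query string was absent. The point for the thread is the last figure: if the real server logged only the path, or rotated its logs away, the per-invoice attribution House says the COJ could not provide is not recoverable after the fact.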
 

House

Banned
Joined
Aug 17, 2006
Messages
5,482
But without logs how can they allege - let alone prove - UNAUTHORIZED access?

It must be proved beyond a reasonable doubt that the access was unauthorized, which cannot be done without presenting the best admissible evidence, which is the HTTP server's logs. Of course they won't want those logs in question because they prove that the investigation is misguided in fact and law.
Like I stated before, if the COJ presented these logs more people would have been investigated. More would have been charged. They are unable to present this and they only opened a case against Magicdude alone.

In short, they are basing all their evidence on the fact that he identified the problem, reported it to them and also made the whole method public on how the statements can be viewed. In fact, the whole case is based on the post here on MyBB.

Like I said before, there is only one charge they can bring which has the potential of a successful conviction - The ECT Act - Section 86(1) - and that was exactly the case they opened. There still exists the possibility of a successful conviction, irrespective of security on their server, bad coding, or whatever else. The best here would be to try and get the case withdrawn before going to court.
 