Responsible disclosure of DStv security flaw

While giving a live demo on “Google Dorking”, security researcher Bright Gameli Mawudor stumbled upon a treasure trove of MultiChoice credentials on the open Internet. He reported them to MultiChoice and they have since been taken down.

Mawudor was a speaker at the recent MyBroadband CyberSec Conference. He is the head of Cyber Security Services at Internet Solutions in Kenya, and the co-founder of AfricaHackOn.

In an interview with MyBroadband, Mawudor explained how he accidentally uncovered a text file full of MultiChoice credentials on a misconfigured web server in the middle of a live demo.

He was demonstrating a technique known as Google Dorking — where you use Google’s advanced search operators to find information people didn’t think would be searchable on the open Internet.

One example of this is where people put ripped media on Internet-connected servers, which Google inadvertently crawls and indexes.

In this case, Mawudor wanted to demonstrate how easy it was to find credentials for streaming services like Netflix and Hulu with a Google search.

“Then I thought, wait, let me look for DStv.” When Mawudor clicked on the file, he got more than he bargained for.

“Nobody knew what happened,” he said. “I took it off quickly. I didn’t want anybody to see. Later I went to analyse the details.”

Mawudor said that what he found was very concerning. If he was not an ethical hacker, he could have done a tremendous amount of damage with the information in the file.

“I would have been able to use those credentials to log into the monitoring of live [sports] matches that were going on, [or] into the VPN and into the internal network.”

From there, Mawudor said he could have shut down systems, or he could have manipulated live broadcasts if he wanted to.

Prioritising security

When asked what companies can do to try and catch such simple vulnerabilities before an attacker does, Mawudor said that it’s a matter of prioritising security.

“Thing is, security is usually an afterthought,” he said.

When you develop a system, security needs to be considered while you are designing it.

“If you design for security from the outset […], you’ll be able to see the gaps.”

You should also make sure that you have a checklist of “do’s” and “don’ts” with respect to security.

Penetration testing is also useful to determine whether the security of your organisation is up to scratch, but Mawudor said that it’s important to remember that such tests are only a snapshot.

“It’s like a doctor telling you: ‘I’ve checked you. You look like you’re sick here and there.’ That is it,” he said.

Organisations need to go beyond occasional penetration testing and do vulnerability management — frequently assessing all your systems, networks, and appliances to make sure they are always screened for the latest vulnerabilities.

Mawudor said that there are tools available for vulnerability management, and that frequent scans of your environment can be automated.

In short: Build a cyber strategy for the whole year, set a budget of what you’re willing to spend on all of it every quarter, and execute it.
