The Police’s Hawks commercial crimes unit confirmed that it is investigating the City of Joburg website security issue which exposed its ratepayers’ personal information.
This news drew sharp criticism from online commentators, saying taxpayers’ money is wasted trying to cover up incompetence.
The security flaw was first reported online on Tuesday, 20 August 2013. The City of Joburg initially said the information about the discovered flaw was helpful to them, but later began to describe the incident as a malicious hack.
The City of Joburg then decided to open a criminal case against the person who “hacked into its billing system”.
It is debatable whether the incident can be described as hacking. In fact, a security analyst told MyBroadband that the security flaw is a very common mistake made by developers.
He said that the City of Joburg’s security flaw points to a lack of knowledge about online security, sloppy design, and a poor security evaluation of a system.
City of Joburg cover-up, argue online commentators
Many online commentators argued that the City of Joburg’s criminal case is merely an attempt to cover up their poor system design and own incompetence, and try to blame it on a “hacker”.
There are also arguments that, rather than opening a police case, the whistle-blower should have been rewarded for highlighting this security flaw.
The whistle-blower, BidorBuy CTO Gerd Naschenweng, first tried to alert the City of Joburg directly, but they were unable to assist. He then turned to MyBroadband to ensure that the problem was addressed.
Trying to stop people from reporting such security flaws means that systems may remain vulnerable for years. It means that cyber-criminals can exploit these flaws, but concerned citizens may not report them to draw attention to the fact that something must be done.
Gerd Naschenweng responds
Naschenweng said that he currently does not have much information about the case. “My legal team has asked CCU for extra information yesterday, and we are unsure when we will get it,” he said.
“We have no insight into the actual complaint, but do know that I seem to be the only person named in the COJ complaint lodged with SAPS,” said Naschenweng.
In a post on MyBroadband, Naschenweng made the following comments about the issue:
- One should ask the question why COJ has not disclosed any information on how they will prevent the data leak and what corrective actions are taken. Aside from making ratepayers’ information publicly available, there still seems to be no ETA on resolution.
- The COJ is not wasting tax-payer money as much as now keeping expert skills within commercial crimes busy with a case like this (I think there are more important issues to investigate).
- Accountability is shifted and clouded via a laughable criminal case in order to distract from the actual problem (note that nowhere in the media is any investigation done around why data is leaked, who is responsible and what actions are taken).
- Although it is made out as a criminal case, it is really all about politics and lack of governance in their IT and tender process. A court case with expert (technical) witnesses will make this visible for the broader public.
- No entity or political party (DA?) seems to have any knowledge or experience with IT-related legislation. POPI and ECT are poorly drafted and in due course it will be proven that those acts are incapable of standing up in court. Those acts are drafted one-sided, and hardly provide any level of fairness protecting both parties (POPI excludes government, ECT is not very explicit).
“The most surprising realisation I came to is, that anyone like the COJ can go on and open a criminal case resulting in huge inconvenience for the accused (not just financially but also reputationally) and there will be hardly any recourse,” said Naschenweng.
“It is just the nature of how the South African legal system works. Be that as it may – we are at a point where those accusations need to be defended.”
No comment from the City of Joburg
MyBroadband was unsuccessful in getting comment from the City of Joburg about the issue. This is despite numerous phone calls and e-mails.
The City of Joburg also did not provide feedback on what any person who discovers a security flaw with the city’s website should do, or where they should report it.