Thread: Website security flaws in SA: why shoot the messenger?

  1. #1


    Website security flaws in SA: why shoot the messenger?

    The City of Joburg and Sanral have angered tech-savvy consumers with the way they handled exposure of their website security flaws

  2. #2


    It's because the grossly incompetent entities feel that they have to defend themselves in some way in order to deflect some of the rightful criticism coming their way.

  3. #3


    It's government creating opportunity for business: why would you be a good citizen and report it if you can make money off others' misfortune?

  4. #4


    I don't think it's "government vs private business" as much as it has to do with how technically savvy the organisation is. In the case of Vodacom/CellC I suspect they both understand the technicalities, ease and value of the issues that were identified. In the case of most government organisations, they do not understand these things whatsoever; they look at anything that seems out of the ordinary as a possible hack.

    It's the same mentality that one gets when my mother gets a message on a website that says something unexpected, she proceeds to ask me if people are hacking into her computer. The issues are not understood, so the response and assumptions made are extraordinarily extreme as a result.

    These issues should only be ever dealt with by people or a group within an organisation who understand what's going on. That means end to end, from fault identification, to resolution, to response. And please for the love of god, let those people actually be experienced and not just some technical/IT guys you found off the street.

  5. #5
    AfricanTech (Super Grandmaster)

    Nice article.

    A good first step in exposing these incompetent liars!

    Now it needs to get into Business Day and Business Report.

    The Emperor Has No Clothes people, The Emperor Has No Clothes.

    Catch and expose the Big Lie wherever and whenever you can.

  6. #6


    Competent and confident people/organisations welcome criticism, positive or negative.
    Incompetent and insecure people/organisations detest criticism, positive or negative.

  7. #7
    AfricanTech (Super Grandmaster)

    Quote Originally Posted by Tharaxis:
    I don't think it's "government vs private business" as much as it has to do with how technically savvy the organisation is. In the case of Vodacom/CellC I suspect they both understand the technicalities, ease and value of the issues that were identified. In the case of most government organisations, they do not understand these things whatsoever; they look at anything that seems out of the ordinary as a possible hack.

    It's the same mentality that one gets when my mother gets a message on a website that says something unexpected, she proceeds to ask me if people are hacking into her computer. The issues are not understood, so the response and assumptions made are extraordinarily extreme as a result.

    These issues should only be ever dealt with by people or a group within an organisation who understand what's going on. That means end to end, from fault identification, to resolution, to response. And please for the love of god, let those people actually be experienced and not just some technical/IT guys you found off the street.
    I refuse to believe this in these cases - it's a thought out PR/Damage Control strategy - when caught, shout loudly that someone else has wronged you - it's a time-tested propaganda tactic.

  9. #9


    Quote Originally Posted by AfricanTech:
    I refuse to believe this in these cases - it's a thought out PR/Damage Control strategy - when caught, shout loudly that someone else has wronged you - it's a time-tested propaganda tactic.
    I don't know, the CoJ has proved to be dramatically incompetent in all interactions that I have had with them.

  10. #10
    evilstebunny (Super Grandmaster)

    The answer is easy .. two of these are not like the other.

    Noteworthy to read both non-governmental companies had their flaws fixed within 24 hours, while the other two ran to the lawyers and their problem's still not fixed. Shows you the power of the mantra .. 'right person for the job'.

    Edit: Also

    The city also opened a criminal case against “a suspected perpetrator” after a “thorough forensic investigation by the city and its private IT experts"
    They have IT experts to do forensic investigations but not one developer to actually sit down & fix the flaw? Sounds legit.

  11. #11


    It is endemic to government: think about it, CoJ and Sanral both work with high-profile IT service providers in this country (companies which are ISO certified and should have COBIT and ITIL skill sets on board). A security flaw is highlighted and the finger pointing starts. Government has to rely on their outsourced IT service providers, who will not admit to any wrongdoing and point the finger elsewhere. There is simply nothing easier than to shout "cyber attack" instead of implementing e-services based on best practices.

    I for one am grateful that CoJ made such industry-wide news, as many computer-literate people have become more aware of trivial security flaws such as those present in CoJ, CellC, Vodacom and Ekurhuleni, and have started reporting those to the organisations. Many security specialists attempt to find vulnerabilities with the intention of improving systems for the greater good and not to cause malicious damage, as claimed by the likes of Sanral. TBH organisations such as CoJ or Sanral cause themselves more reputational damage by not owning up to the faults in their systems (and any reasonable person would expect a complex system to have faults).

    In all cases those IT service providers will never take accountability for it, and I think the government could not be bothered trying to understand IT - hence gross negligence in the implementation of systems and overpriced tenders (the famous Wordpress blog comes to mind). In most cases those issues will just "disappear" or be dragged out through some wild accusations and lawsuits. Also, government has no real accountability like a business (funding is received from the fiscus, so there is no worry that people will be fired or a department will shut down for inefficiencies - contrary to that, more consultants will be hired to fix the problem).

    BTW: Ekurhuleni had a similar security flaw to CoJ, but it quietly fixed it (even so, their service provider mentioned security audits and due diligence, which were never done as claimed).

    Side note: It is horrendously shocking to read how the new-media reports on cases like this - where has journalism gone to?

  12. #12
    Grandmaster

    Great article. The government just wants to create fear, and control us. They don't need the peoples help, nor are they willing to accept it.

  13. #13


    When you're found wanting, attack is the best form of defence. Throw mud where it sticks.

    Though not personally an IT person, I suspect that some of the government IT "specialists'" only knowledge extends to entering a PIN number on a Kentucky Fried Chicken card machine. Remember, you get three chances at that as well.....

  14. #14


    Organizations that think of themselves as "too big to fail" will fail repeatedly, and when they do fail it has to be somebody else's fault, necessitating a bailout of some form.

    CoJ don't follow the practices, so it must be the fault of a hacker, and the police and NPA have to bail them out.

  15. #15


    Quote Originally Posted by evilstebunny:
    The answer is easy .. two of these are not like the other.

    Noteworthy to read both non-governmental companies had their flaws fixed within 24 hours, while the other two ran to the lawyers and their problem's still not fixed. Shows you the power of the mantra .. 'right person for the job'.

    Edit: Also

    They have IT experts to do forensic investigations but not one developer to actually sit down & fix the flaw? Sounds legit.
    As a web developer I understand what was needed to fix the CoJ vs Vodacom issue:

    * For CoJ it was a simple validation rule, a one line piece of code: Is this invoice id linked to this user? Yes, display : No, do not display

    * For Vodacom it was more complex (and no, it was not a URL hack) yet their turnaround was very impressive especially for this time of the year. I expected them to originally take down the bulk of their service for a couple of days to resolve this issue as this exploit was linked to complex business rules.
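The ownership rule in the post above (is this invoice id linked to this user?) is the standard fix for an insecure direct object reference. Below is an added example, not code from the original post or from any of the organisations discussed; the `invoices` table, the account and invoice ids, and the function names are all assumed for illustration. It shows the lookup-by-id handler beside a version whose query is scoped to the authenticated account, plus a small enumeration loop that counts how many other customers' invoices each handler hands back.

```python
import sqlite3
from typing import Optional, Tuple

Invoice = Tuple[int, int, float]  # (invoice_id, account_id, amount)


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample invoices:
    three invoices belonging to two customer accounts (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        "invoice_id INTEGER PRIMARY KEY, "
        "account_id INTEGER NOT NULL, "
        "amount REAL NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1001, 1, 450.00), (1002, 1, 120.50), (1003, 2, 980.00)],
    )
    conn.commit()
    return conn


def get_invoice_vulnerable(conn: sqlite3.Connection,
                           current_account_id: int,
                           invoice_id: int) -> Optional[Invoice]:
    """Lookup by the client-supplied id only.

    The query is parameterised, so this is not SQL injection; the flaw is
    that the authenticated account is never consulted. Any logged-in user
    who edits the id in the URL receives someone else's invoice.
    """
    return conn.execute(
        "SELECT invoice_id, account_id, amount FROM invoices WHERE invoice_id = ?",
        (invoice_id,),
    ).fetchone()


def get_invoice_fixed(conn: sqlite3.Connection,
                      current_account_id: int,
                      invoice_id: int) -> Optional[Invoice]:
    """Lookup scoped to the caller's account.

    current_account_id must come from the server-side session, never from
    the request. Ownership is part of the WHERE clause rather than a check
    applied after the fetch, so no code path ever holds a foreign row.
    A nonexistent id and a foreign id both return None, which stops the
    endpoint from acting as an oracle for which invoice ids exist.
    """
    return conn.execute(
        "SELECT invoice_id, account_id, amount FROM invoices "
        "WHERE invoice_id = ? AND account_id = ?",
        (invoice_id, current_account_id),
    ).fetchone()


def count_foreign_invoices_readable(conn: sqlite3.Connection, lookup,
                                    attacker_account_id: int,
                                    id_range: range) -> int:
    """Walk a range of invoice ids as the attacker's account and count the
    rows belonging to other accounts that the given handler returns."""
    leaked = 0
    for invoice_id in id_range:
        row = lookup(conn, attacker_account_id, invoice_id)
        if row is not None and row[1] != attacker_account_id:
            leaked += 1
    return leaked


if __name__ == "__main__":
    db = build_db()
    ids = range(1000, 1010)
    for name, handler in (("vulnerable", get_invoice_vulnerable),
                          ("fixed", get_invoice_fixed)):
        n = count_foreign_invoices_readable(db, handler, 1, ids)
        print(f"{name} handler leaks {n} foreign invoice(s) to account 1")
```

Scoping the query by owner is preferable to a post-fetch `if row.account_id != current_account_id` check because the latter still has to choose between a 403 (which confirms the id exists) and a fake 404, and is easy to forget on the next endpoint that reads the same table.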
