Sanral e-toll website security flaws galore

POPI

"personal information" means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
...
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person

6. This Act applies to all public and private bodies.

18. (1) A responsible party must secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent
(a) loss of, damage to or unauthorised destruction of personal information; and
(b) unlawful access to or processing of personal information.
(2) In order to give effect to subsection (1), the responsible party must take reasonable measures to—
(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
(b) establish and maintain appropriate safeguards against the risks identified;
(c) regularly verify that the safeguards are effectively implemented; and
(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
(3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

Then this ...
Notification of security compromises
21. (1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party, or any third party processing personal information under the authority of a responsible party, must notify the—
...
lots of obligations here.

:whistle:
 
The following has to happen before I enter my vehicle registration number, ID number and bank or credit card details on a Scamral site:
  1. A credible organisation must audit the Scamral site's security measures and its recommendations must be implemented and signed off;
  2. I want to have access to a full audit of the GFIP procurement process undertaken by a credible body;
  3. Criminal cases against all political office holders and government officials implicated in forensic audits, Public Protector investigations, etc. must be completed;
  4. All funds illegally or improperly acquired by political office holders must be refunded, with interest, and an audit report finalised by a credible institution be made available;
  5. Jacob Zuma must pay back all funds spent for his personal benefit on his shack at Nkandla; and
  6. Hell must freeze over.
Until all of the above has happened I will not pay my e-toll account.
 

Number 6 will happen first
 
They really should invest in a tool like McAfee's vulnerability scanner - clearly their testers either don't exist or aren't very good.
 
POPI is not in force yet and you could already lay criminal charges against SANRAL in violation of ECTA. TBH no-one really cares, as several government institutions violate ECTA and could not be bothered to rectify it. What makes you think that SANRAL will do anything differently?

I guess the most shocking part about this is that the underlying software is developed by Kapsch (obviously with custom integration developed locally) and whoever is the local IT partner clearly has no idea about the most basic aspects of data security. You can be pretty certain that the whole Sanral database has been dumped by now and is used for all sorts of "activities".
 

+1000
 

+1^∞, never paying you zooma+bandits!!
 
Bunch of noobs

With all these flaws, why has no one managed to delete all the fines from the system?
You see Sasha, it's because they're all a bunch of noobs and script kiddies. (Good question though.)

Besides, a determined attacker would not destroy data, but subtly and progressively corrupt it.
 