A fine line between ‘Accidental Discovery’ and Hacking
Let's set the scene using a local law (the ECT Act of 2002), and use the following definition from the Act when looking at a few cases.
“Access” includes the actions of a person who, after taking note of any data, becomes aware of the fact that he or she is not authorised to access that data and still continues to access that data.
Disclaimer: I do not condone any form of unauthorised access to any system.
I would like to draw attention to two previous newsletters in which we raised, with the relevant contacts, evidence of a website that was hacked many years ago.
- Government example
  - First public notice August 2012; however, evidence of the hack was seen by us on the 9th of May 2011 while reading articles online
  - Follow-up discussion in the January 2014 newsletter
  - And finally today (4th of March 2015), when you visit the site you will still notice the evidence of the document (web page) of the hack
  - The actual hack was done on the 22nd of October 2009 and the evidence link is located at ECLEGISLATURE. If the page no longer exists it may indicate that they have fixed it after more than 5 years. The following video was made more than 1 year ago…
- Semi parastatal (name withheld due to legal requirement)
  - During one of our network audits, evidence was acquired that an Administrator equivalent user
  - The system allowed remote access via WinVNC (a freeware remote access application) to the desktop
  - The system was a database server which contained confidential information, protected by very weak passwords
  - The security officer was emailed the information to ensure that he could address the anomalies and secure their system
  - This was met with aggression and denial
  - A few years later… the specific system is no longer used by the organisation, but the security anomalies still exist
- Private company (in this example, an insurance broker located in Pretoria, which places any security professional in an ethical predicament)
  - I was searching for an IBT (branch code) of a bank and came across a text file on a technical website that normally posts solutions
  - This text file is a MySQL dump of all the data of their insurance clients, with the company's user IDs and passwords in the clear
  - This data includes
    - client data
    - debit order details per client
    - claims submitted by the client
    - policy numbers
    - vehicle details
    - historical data and more…
  - I contacted the owner of the company and he said he would get the 'IT guy' to contact me
  - The 'IT guy' did contact me via phone; he was flying from Cape Town to Johannesburg and would be contacting me as soon as he had landed
  - This was a few years ago: no contact and no follow-up from the owner of the company to check whether the data has been sanitised
  - The data was uploaded during August 2009 (we do not know by whom) and this data is still on the Internet. It is still in the clear today, the 4th of March 2015
- My final example is an FTP (File Transfer Protocol) server hosted by a province in South Africa. This is their official server. This FTP server is accessible by an anonymous user
  - Evidence of cracking/hacking tools to generate Windows 8.1 license keys
  - Full 'write' access to the FTP server, which means the data could be changed illegally… (I do not recommend this of course)
  - Confidential provincial data
  - I have sent emails to a few people in the province with no response…
This places us in a predicament: we are aware of a persistent threat, however the people accountable:
- DO NOT take action, even after being made aware of the risk
- are out of their depth and have no clue what they are doing
- do not get the message to the top of the chain
- and my favourite… there is NO penalty for non-compliance. People just don't care then.
What needs to be done?
- A central CERT (Computer Emergency Response Team) for the government should be created. Some will argue that it already exists, but the evidence shows a different story
- My follow-up on the insurance broker will be lodged with the ombudsman for short-term insurance
- We need to be aware of a disclosure procedure under which we cannot be seen as a 'hacker' in a company's network
- Logical security staff in companies should be well educated and have the experience to deal with incidents
Update 04-March-2015 – email sent to the ‘ombudsperson’ in the ftp server case. Recipient does not exist as defined on the web site for complaints.