
ETC promises to fix security flaws

By Jon Tullett, Editor: News analysis
Johannesburg, 07 Apr 2014
Sanral's security lapses are "shocking, even criminal", says Prof Basie von Solms, director: centre for cyber security, University of Johannesburg.

ETC, the operating company managing Sanral's e-toll project, says it is reviewing its password-handling mechanisms in the wake of ongoing security problems.

In March, Sanral issued a password reset across its user base, after a security flaw on its Web site exposed users' personal information. "There was an issue identified on the Web site and ETC subsequently decided to reset passwords," said Jamie Surkont, CEO of ETC. "This was a precautionary measure."

But the password reset was itself flawed, with new PINs e-mailed in plaintext, revealing deeper security concerns.

"It's generally not a good practice to store and mail out shared secrets in the clear," said security architect Marinus van Aswegen. "If you have to use an insecure channel like e-mail, you need to use something temporal like a one-time password."

"PINs or passwords should never be sent out in plain text," agreed Manuel Corregedor, operations manager at Wolfpack Information Risk. "The correct way to do it would be to establish a password reset process where you validate yourself."

ETC and Sanral's security failures speak to an elementary breakdown of best practice and of the duty of care to protect user information, said professor Basie von Solms, director: centre for cyber security at the University of Johannesburg. "It is shocking, and even criminal. This is at the basis of security management. I cannot believe that such stupid actions can take place by people who are responsible for the security of systems."

Surkont has confirmed ETC will review password handling in the wake of this criticism. "ETC is in the continuous process of evaluating security controls," Surkont said. "The current password notification process is one of the items being evaluated. ETC confirms they will implement additional controls where deficiencies are identified. This has been prioritised for remediation."

'A really bad place to be'

Security lapses may stem from deeper architectural flaws within Sanral and ETC's systems, and fixing them may be extremely difficult now the system is operational and processing millions of transactions.

"Many organisations get caught out because their approach to securing a product or service is to throw security at it at the last possible moment and hope it sticks. Security is not treated as a feature, but rather some kind of bolt-on. Playing whack-a-mole is a good indicator that it's a bolt-on," Van Aswegen said.

"This is a really bad place to be, since any intervention to counter a security issue could have unintended consequences leading to more issues. You can't quickly mock up the security architecture, after you've built the product. It's also very expensive to make any foundation changes since they would inevitably need to be regression tested to ensure you didn't break something else."

"In my opinion, the first mistake made by Sanral was the decision to use four-digit PINs in the first place," Corregedor added. "The problem with using a four-digit PIN is that it is a lot easier to brute-force guess as opposed to a longer password that has alphanumeric characters with special symbols. When users registered accounts, Sanral also e-mailed the user their PIN after registration, which further increases the chances of the user's PIN being discovered or intercepted. It is entirely possible that some users may have entered the same PIN they use for their bank cards!"
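The two points the experts make above, a reset process built on a short-lived one-time token rather than a mailed plaintext PIN, and the small guess space of a four-digit PIN, illustrated in an added example that is not ETC's or Sanral's code. The in-memory stores, field names and the 15-minute token lifetime are assumptions.

```python
import hashlib
import math
import secrets
import time

# Constructed in-memory stores standing in for a user database; the field
# names are assumptions, not any real e-toll system's schema.
USERS = {"user@example.com": {"password_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> {"user", "expires", "used"}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime: a reset token is temporal, not a standing secret


def issue_reset_token(email, now=None):
    """Create a single-use, time-limited reset token for an account.

    Only a hash of the token is stored server-side, so a leaked table does not
    yield usable tokens; the raw token is what goes out over e-mail, once.
    """
    if email not in USERS:
        return None  # the caller should still answer identically, to avoid account enumeration
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # ~256 bits of randomness, unlike a guessable 4-digit PIN
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = {"user": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def redeem_reset_token(token, new_password, now=None):
    """Validate the token (known, unexpired, unused), then set the new password."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = RESET_TOKENS.get(digest)
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True  # burn it: replaying the token from an old e-mail fails
    salt = secrets.token_bytes(16)
    # Store a salted, slow hash of the password; the PIN itself is never kept or mailed.
    USERS[record["user"]]["password_hash"] = (
        salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
    return True


def guess_space_bits(alphabet_size, length):
    """Upper bound on the entropy of a secret drawn uniformly from alphabet^length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(f"4-digit PIN: {guess_space_bits(10, 4):.1f} bits; "
          f"8 printable chars: {guess_space_bits(94, 8):.1f} bits")
```

Comparing `guess_space_bits(10, 4)` with an eight-character password drawn from the 94 printable ASCII characters shows the gap Corregedor describes: roughly 13 bits against roughly 52.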

Whack-a-mole

Faced with deep-rooted flaws, a major overhaul may be required, and until then more security flaws are likely. "If such stupid steps have been taken, I seriously doubt the security of the rest of the system and am, therefore, not surprised that the Web site has had security problems," Von Solms said.

Many organisations face the problem of moving forward from such a difficult position after security flaws are discovered in Web services, and doing so needs careful handling, Van Aswegen said.

"They need to establish a security architecture, determine the gaps and work towards remediating them. During this time, push up monitoring so that they can pick up any anomalies and feed this back into their design. All controls need to be tested to ensure they work as designed. They can also make use of some specialist third-party services to try and weed out obvious bugs. Security engineering is hard, even when you are doing it right!"

"A large amount of effort would be required to test the system thoroughly to ensure that a change that was made to fix one flaw didn't create another flaw elsewhere in the system," added Corregedor.

Best practice

"Sanral are taking a reactive approach to dealing with the security flaws on their Web site," Corregedor said. "After the first flaw was discovered, Sanral should have re-evaluated the entire system thoroughly. It is also evident that when the system was designed and developed that no secure coding practices were taken into consideration: security was an afterthought. This can be seen from one of the first flaws where the PIN was embedded in a Web page.

"It is important to remember that secure coding practices are a critical component of the larger secure software development life cycle as they provide developers with guidelines to securely code applications; i.e., security needs to be integrated into the software development life cycle at each phase from the design to putting it into operation and even the maintenance.

"Sanral would be wise to refer to secure coding practices, such as the OWASP Secure Coding Practices and the Microsoft Secure coding guidelines that have been around for many years. In particular, they should at a minimum look at the OWASP Top 10, which represents a broad consensus about what the most critical Web application security flaws are."

Calls for oversight

Organisations like Sanral should not be allowed to operate without independent oversight of their security when handling personal data, said Von Solms.

"This whole matter supports my view, as stated twice before Parliamentary portfolio committees that we need a Parliamentary Cyber Security Oversight Committee to oversee such security risks.

"Such a committee should hold hearings where evidence can be given about precisely the type of cases above, and call relevant parties in to explain and be held accountable for such bad design. We get more and more government and commercial systems being hacked and nobody takes responsibility. If a bridge collapses there are always consequences, but never in IT systems!"
