Sanral unapologetic about security flaws

Bonnie Tubbs
By Bonnie Tubbs, ITWeb telecoms editor.
Johannesburg, 09 Jan 2014
Sanral needs to take responsibility for the flaws in the system it developed, says an information security professional.
Sanral needs to take responsibility for the flaws in the system it developed, says an information security professional.

While the SA National Roads Agency (Sanral) has secured tagged users' online PINs following the uproar around a security flaw on its Web site, it has yet to take consolatory steps to assuage the fears of its self-proclaimed near-million tagged users - all of whom are at risk of having had highly-sensitive personal information tapped into.

ITWeb yesterday reported on the latest security flaw, which allowed would-be thieves or others with malicious intent to access personal data like car registrations, phone numbers, physical addresses and more. This about a month after ITWeb revealed a similar hole in the agency's Web site that allowed snoops to track motorists' movements with just a vehicle licence number in hand.

In both instances, Sanral moved to sever the functionality that yielded opportunity for exposure, after being alerted by external entities, but has not apologised to or advised users on steps to take in either case.

Yesterday, the state-owned entity condemned the researcher who uncovered the flaw, dubbing his actions "an attack on law-abiding citizens" - and suggesting vindictiveness towards people who purchase e-tags as the motive.

With regard to the latest - more serious - revelation, ITWeb asked Sanral if it planned to inform motorists whose information had been accessed by third parties - so that they could take the necessary precautions - to which spokesperson Vusi Mona responded: "Sanral is currently investigating the impact. Our first priority was to secure the login details."

Although the flaw has been patched, this will be scant consolation to anyone whose personal details have been stolen. Sanral could easily identify potential victims by analysing its site logs to find accounts subjected to the PIN identification process, and accounts that have been accessed from multiple IP addresses, in order to notify them of a possible breach.

The agency has also not yet disclosed whether it intends on advising e-tag holders to change their PINS as a precautionary measure.

Blame game

Asked to clarify Sanral's reference to its own Web site flaw as a "cyber attack", Mona presented a definition of the term: "A cyber attack is deliberate exploitation of computer systems, technology-dependent enterprises and networks" - and said this is what the researcher ("moe1") did "by posting a video on a public platform to explain to the public how to access other people's personal information".

Mona says if moe1 was concerned about the individuals whose information was exposed, he would have contacted Sanral to inform it of the flaw. "If they wanted to inform the public, they would have done so without explaining to the public how to access personal information."

Sanral yesterday said it would take legal action in the wake of the recent event, which it deems a cyber attack - but did not explain who or what party it would seek recourse from. "Sanral is currently investigating options available to it."

Meanwhile, Sanral has been criticised by anti-toll factions - and on social media - for not picking up on the said flaw sooner. Opposition to Urban Tolling Alliance chairperson Wayne Duvenage describes the agency as "unapologetic" and says it is far too easy for Sanral to fob issues it faces and has passed off as mere teething problems - "especially after claiming to be prepared following the testing of their systems for the past two years".

Duvenage questions why the vulnerability was not picked up by Sanral's technology experts earlier. "Clearly, Sanral hasn't been ready for two years."

Take responsibility

Winston Hayden, ISACA president and IT advisory consultant specialising in the field of information security, says while Sanral may have a case to take legal action against the researcher on ethical grounds, public shaming has become commonplace.

"The 'ethical' thing for the researcher to do would have been to inform Sanral immediately. But publicly shaming institutions for their transgressions has become quite common in today's society. It's a behaviour that has manifested due to institutions not taking responsibility for their failures, and not responding to them promptly.

"Governments and companies need to understand that this form of public shaming is intended to 'keep them honest' and hold them accountable."

Ultimately, says Hayden, accountability for the recent security issue rests on Sanral's shoulders. "Sanral needs to take responsibility for the security issue; it is their system and they developed it, flaws and all."

He says the highest levels of security measures need to be applied when dealing with personally identifiable information. "[While] a penetration test may have been performed on the system, penetration tests alone may not have detected the vulnerability - code reviews of the application should also be performed. But even if penetration tests and code reviews are performed, it depends on how well they were performed."