SITA to hack back

Bonnie Tubbs
By Bonnie Tubbs, ITWeb telecoms editor.
Johannesburg, 27 May 2013
Government Web sites are vulnerable and require added security measures, say experts.
Government Web sites are vulnerable and require added security measures, say experts.

Government's IT agency is expected to launch a full-blown initiative to protect the state's sensitive online information after an incident last week that saw thousands of lives endangered through the hacking of the South African Police Service (SAPS) Web site.

The State Information Technology Agency (SITA), which hosts government Web sites (including, informed the police last Tuesday that the personal information of some 16 000 whistle-blowers had been unlawfully obtained and published on a bullet-proof site. SITA conceded the breach was due to an oversight on its part.

SITA this morning confirmed it has launched an initiative to address the security of government sites, which security experts have long said to be precarious. While the agency declined to provide further details at this stage - due to an address set to be given on the issue at the third Government CIO Summit in the Western Cape tomorrow - the initiative is believed to involve a team of ethical hackers.

Security mechanisms will be reviewed and processes put into place to plug existing security holes. Craig Rosewarne, director of Wolfpack Information Risk, says government Web sites are in need of extra security in light of the passionate nature of hackers likely to target them.

While industry experts have said the breach last week boils down to inadequate cyber security measures on the SAPS Web site and could have been avoided, the police have downplayed its severity.

SITA says, however, that it has acted and all will be revealed by the agency's chairperson Jerry Vilakazi during his keynote at the CIO summit tomorrow.

Ethical hacking

Philip Csaplar, a qualified ethical hacker, says ethical hacking generally involves teams or individuals that are requested by companies to identify security holes in their systems.

The company recruits the hacker - or team of hackers - to try and penetrate networks and/or computer systems, using the same methods as a hacker, for the purpose of finding and fixing computer security vulnerabilities.

Penetration testing and vulnerability scans, which SITA will institute via its own "hackers", is legal and will help the agency beef up its cyber security where it is needed most.

Csaplar says there are a number of processes ethical hackers go through before identifying and fixing security vulnerabilities. "First there is the reconnaissance phase, where you gather information about a particular company. This can involve the company giving you the information you require, or a 'black hat' attack (breaking into secure networks and DNS servers).

"Then you scan the system, which will give you information about the server, and allow you to check for vulnerabilities."

Csaplar notes there are various online tools freely available for the purpose of ethical hacking, including Google's own computer hacking technique and Metasploit (penetration testing software).