Sanral sabotage and e-toll hacks
Are unnamed spokesmen misleading the transport minister?
As if the South African National Roads Agency (Sanral) didn't have enough problems, now "unnamed media houses" are hacking it, disrupting its operations, and sabotaging its workings. Business Day reports that transport minister Dipuo Peters made the claim while answering Parliamentary questions about Sanral's poor performance record, particularly with billing and records management.
"Some of the cyber attacks were deliberately perpetrated by... some media houses," minister Peters said. "These incidents have been reported to the law enforcement authorities."
Well, I should hope so. It's high time someone was arrested over this debacle.
Let's just get it out there and name ITWeb as the "unnamed media house" in question. We have been a thorn in the side of Sanral since it first started leaking customer information in a series of attacks starting last year, which demonstrated just how clueless the operators were, leaving credentials embedded in Webpage source code and other beginner mistakes.
It seems a bit late to be reporting it to the police, since the incident in question happened nine months ago, and ITWeb took pains to work openly and honestly with Sanral when handling sensitive issues. And this is a surprising U-turn, since Sanral did, in the interim, claim it had not been hacked at all. Which is it, minister?
From the outset, ITWeb's intent has been to ensure the public is informed about risks, and to help Sanral, no matter how unpopular it may be, to protect its customers. For example, when customer data was leaked last December, ITWeb confirmed the vulnerability, and did indeed access customer data. We then took immediate steps to inform those e-toll users that their data had leaked. Sanral, nine months on, has yet to inform its users of the breach. It did enforce a mandatory password reset, but that won't unleak the data.
Yes, we hacked your system, if verifying a publically-disclosed vulnerability counts as 'hacking'. Get over it.
In the meantime, ITWeb met with Sanral executives to discuss its vulnerabilities and to encourage it to adopt basic best practices in security and communication.
That its practices were deficient was no secret. Sanral's executives admitted they had no idea how many accounts had been violated, had no plan in place to communicate with them, and had been incorrectly advised about how long the site was being actively exploited.
That continues to rankle. Users should have been informed immediately, so they could be alerted to identity theft, spear-phishing, bank fraud, and physical crime. Sanral's failure to act responsibly would be a crime under the Protection of Personal Information Act, but luckily for the department that particular legislation is not yet in force.
Our information may be out of date; Sanral isn't talking to us any more. Back in March, spokesman Vusi Mona issued a terse statement: "In light of your publication admitting to hacking into our system, Sanral will no longer co-operate with ITWeb as you are dealing with us in bad faith." Yes, Vusi, we hacked your system, if verifying a publically-disclosed vulnerability counts as "hacking". Get over it.
Minister Peters, ITWeb is not some shadowy hacking collective. We are not "unnamed". We wear our name with pride, and we will continue to serve the public by revealing security breaches, data mishandling and incompetence, wherever it may occur. Attempting to blame us for the security incompetence at Sanral is like blaming the Mail & Guardian for government's overspending at Nkandla.