SAPS hack spells negligence
The hacking of the SA Police Service's (SAPS's) Web site, which has put thousands of lives in jeopardy, spells gross negligence and raises questions around the police's IT systems and security.
This is according to security experts, following an attack on the SAPS's Web site by hackers yesterday, which saw the names and personal details of some 16 000 whistle-blowers and victims of crime being mined from www.saps.gov.za, and made publicly available via a bulletproof site.
Names, telephone numbers, e-mail addresses and identity numbers of the individuals, who reported criminal activity and provided the police with tip-offs on the premise that they were doing so completely anonymously, are now freely available online.
The hackers (@DomainerAnon) - believed to be associated with hacktivist group Anonymous - posted a tweet yesterday alerting the public to the fact that the group had breached police security. "A message to SAP: You are responsible for the data you hold.... we have merely shown that you do not live up to your own Code of Conduct!" (sic)
According to Craig Rosewarne, director of Wolfpack Information Risk, the secure sites set up with the whistle-blowers' information are hosted in other countries, which means SA has no jurisdiction over them and cannot take them down. "[Hackers] usually dump the credentials and paste them into bullet-proof sites like WikiLeaks."
One of the sites bears a message from the hackers that reads: "South African Police Service Web site hacked saps.gov.za database and e-mails leaked. The reason for this action is to serve as a reminder to the government regarding the murders of 34 protesting miners outside the Marikana platinum mine by police. To date no officers have been brought to justice... This situation will NOT be tolerated. #OpMarikanaMiners @domaineranon." (sic)
According to the site, the SAPS Web site was hacked last week, with details being posted on Friday.
Justin Lee, country manager at Blue Coat Systems, says the breach in police security boils down to pure carelessness on the part of the SAPS.
"It is crazy to have Web sites defaced and hacked in this day and age. It is ridiculous [considering] we have all the tools and means to protect Web sites nowadays. There are app-based firewalls, intrusion prevention systems and data leak protection mechanisms that are there to prevent this kind of thing from happening."
With all the necessary intelligent technology at companies' fingertips, says Lee, a breach of this nature comes down to complacency and laziness. "The SAPS simply do not have enough measures in place and this could have been avoided."
Lee says the repercussions of the SAPS breach are vast and "scary" and that SA should not downplay the seriousness of the situation.
While neither the full truth nor the true intentions of the hackers are known as yet, Lee believes "this goes a lot deeper".
The police will most likely launch a careful internal investigation, he says, adding that the entity that is supposed to protect the public "in every way, not just physically" may have a mass lawsuit on its hands.
"There are serious implications. It is phenomenal what you can do with the information [that has been made public]."
Lee says the fact that whistle-blowers are asked to provide their identity number when reporting a crime or providing a tip-off 'de-anonymises' the whole system.
Rosewarne believes the breach was carried out by hacktivists with a serious political agenda. "Hacktivism is dangerous, because, when there is a political or religious motive involved, there is a lot of passion."
He says Wolfpack is seeing a growing trend of hacktivist attacks, with about 60% of hacker attacks over the past six months being attributed to politically-motivated factions.
He says he was recently contacted by a hacktivist group, which said it was disappointed at the level of security of South African Web sites. "He [the hacker] gave us a list of sites that are open to compromise and we are looking into it."
While hacktivism is a global phenomenon, Rosewarne says SA's security systems are lacking. "We still don't have a centralised incident response team or centre - these are still being designed and built. One of our country's weaknesses is that we are still fragmented when it comes to cyber threats."
Government departments, he says, are particularly vulnerable. "As we have seen with the other sites, if something goes wrong or someone has a grudge against a government entity, they will go out of their way to attack and embarrass [the offending party]."
SAPS spokesperson Lindela Mashigo had not responded to requests for comment by the time of publication, but the police are expected to make a public statement later today.