It’s been a while since my last post but recent events in SA around security have prompted me to write this post.
It starts with an open website containing what is now believed to be upwards of 70 million entries of names, ID numbers, income, addresses and other information on South African citizens/residents, including possibly around 12 million children. This data leak was originally exposed by Troy Hunt of HAVEIBEENPWNED fame, and came in the form of a website from (now believed to be) Jigsaw Holdings, an apparent IT partner of ERA, the property group. It took the service provider almost 3 days to plug the leak.
The data was also available as a database file seeded through torrents, which means there was widespread access to it. The fallout from this leak is likely to be big and long lasting, and identity theft is a primary consequence of leaked data such as this. Everyone needs to be extra vigilant about their personal data in the coming years.
Ster Kinekor is also on HAVEIBEENPWNED’s list and unfortunately SK have not come forward with details or advised their customers of this breach. I’ve contacted them on 3 occasions in an attempt to get details on the breach but so far they have remained mum. #sterkinekor #securityfail …
Just found out about @sterkinekor's security breach last year – wondering if they think that little of me not to tell me. #securityfail
— aslowhutter/xz-in-a-nutshell (@robbypedrica) October 18, 2017
#computicket also remains stubbornly out of touch with web security and the safety of their customers: their public website has offered non-SSL (plain HTTP) access to their site/booking system forever, and after contacting them 3 times over the last 2 months to advise them of this, nothing has been done. This is a simple matter of putting in a web redirect from HTTP to HTTPS, which should take a seasoned admin all of 30 seconds.
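The fix described above is a redirect, and the complementary step is to verify it actually landed. Below is an added example (my own check, not code from this post or from Computicket) that inspects a plain-HTTP response and reports whether it is a permanent redirect to HTTPS on the same host, and whether the HTTPS response carries an HSTS header so browsers stop trying plain HTTP at all. The sample responses are constructed, and the host name `www.example.com` is a placeholder; the optional `fetch_plain_http` helper is the only part that touches the network and is meant for running against a site you administer.

```python
"""Offline check for an HTTP->HTTPS redirect and an HSTS header.

Added example; the responses below are constructed, not captured from any real site.
"""
import http.client
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed: a login page served straight over plain HTTP (the weak setup).
INSECURE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<form method='post' action='/login'>...</form>"
)

# Constructed: the corrected setup, a permanent redirect to the HTTPS site.
SECURE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.com/login\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed: what the HTTPS side should answer once the redirect is in place.
HTTPS_RESPONSE_WITH_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
    "<html>...</html>"
)

REDIRECT_STATUSES = (301, 302, 307, 308)
PERMANENT_STATUSES = (301, 308)


@dataclass
class Verdict:
    ok: bool
    reason: str


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, lowercase-header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_http_redirect(raw: str, expected_host: str) -> Verdict:
    """Does the plain-HTTP answer send the client to https:// on the same host?"""
    status, headers, _ = parse_response(raw)
    if status not in REDIRECT_STATUSES:
        return Verdict(False, f"plain HTTP answered {status} instead of redirecting")
    location = headers.get("location")
    if not location:
        return Verdict(False, "redirect without a Location header")
    target = urlparse(location)
    if target.scheme != "https":
        return Verdict(False, f"redirects to {target.scheme}:// rather than https://")
    if target.hostname != expected_host.lower():
        return Verdict(False, f"redirects off-site to {target.hostname}")
    if status not in PERMANENT_STATUSES:
        return Verdict(True, f"redirects to HTTPS with temporary status {status}; prefer 301/308")
    return Verdict(True, "permanent redirect to HTTPS on same host")


def check_hsts(raw: str, min_age: int = 15552000) -> Verdict:
    """Is Strict-Transport-Security present with a max-age of at least min_age (180 days)?"""
    _, headers, _ = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return Verdict(False, "no Strict-Transport-Security header")
    directives = [d.strip().lower() for d in value.split(";")]
    max_age = next((int(d.split("=", 1)[1]) for d in directives if d.startswith("max-age=")), None)
    if max_age is None:
        return Verdict(False, "HSTS header has no max-age directive")
    if max_age < min_age:
        return Verdict(False, f"HSTS max-age {max_age} is below {min_age}")
    return Verdict(True, f"HSTS max-age {max_age}")


def fetch_plain_http(host: str, path: str = "/") -> str:
    """Network helper: fetch over port 80 and rebuild the response in raw form."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    body = resp.read(2048).decode("utf-8", "replace")
    conn.close()
    return head + "\r\n" + body


if __name__ == "__main__":
    for label, raw in (("insecure", INSECURE_RESPONSE), ("secure", SECURE_RESPONSE)):
        print(label, check_http_redirect(raw, "www.example.com"))
    print("hsts", check_hsts(HTTPS_RESPONSE_WITH_HSTS))
```

Running the module prints a failing verdict for the plain-HTTP login page and passing verdicts for the redirect and the HSTS header. The off-site and temporary-redirect branches matter in practice: a 302 to HTTPS still leaves every first visit on plain HTTP, and a redirect to a different host is a sign of a misconfigured virtual host rather than a fix.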
Their front-end staff responses to my calls show their utter ignorance on the matter:
After notifying @Computicket their website allows un-encrypted logins a month ago, they still have not fixed this … #dontcareaboutsecurity
— aslowhutter/xz-in-a-nutshell (@robbypedrica) October 13, 2017
Be rest assured, all transactional pages are currently secured and additional security measures are currently underway.
— Computicket (@Computicket) October 13, 2017
Apparently the main login to their site, which is used by all customers, is not a transactional page …
I do believe we use a secure site. Would you like me to book something for you Robby?
— Computicket (@Computicket) October 28, 2017
So let’s take a look at the site as of last week:
Yip, no padlock, no security …
There are many examples of this kind of incompetence all around the web/world and also here in SA. There are a lot of people without the necessary skills, putting up websites and publicly accessible systems and not securing them properly.
The best advice I can offer on these types of shenanigans is to use a password database (like KeePass) and a unique password for each site. If one of the sites you use is compromised, at least that data can’t be used to access your other sites.
Stay safe!