Thursday, July 05, 2007 8:58 AM
codingsanity
eNaTIS Security
Well, well, well, it appears that we will need a separate topic for this. My eNaTIS Performance post was very popular, with a lot of people expressing their dissatisfaction with the system. As before, I'd like to try and keep this to facts and figures, however in this case that may be difficult. There have been numerous rumblings about the security on this high-tech boondoggle, starting with [from my previous post]:
The Beeld has a report about the security issues with eNaTIS system. Very worrying was that one did "not need a password to log on as an ... administrator", that the "documents ... are not secured", and "can be circulated [without any protection]".
The eNaTIS website for a while had its administration area unprotected, and now the site itself has been hacked. Apparently this was during the course of Wednesday. By the evening of that day, according to News24, the entire site had been defaced. The eNaTIS website downplays this incident, claiming:
This was apparently due to someone leaving a comment on a page of a section of the eNaTIS public web site (this site).
Ummm, correct me if I'm wrong, but wouldn't that be the tried and true cross-site scripting attack? You know, the one that nobody gets hit by anymore because it's so well known and so easily protected against? Sorta like buffer overruns, such an attack is largely a blast from the past, encountered only by those with very little understanding of security.
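To show what "so easily protected against" means in practice, here is an added illustration (my own example, not code from the eNaTIS site or from Tasima) of the comment-rendering bug the post is describing, alongside the fix. The comment data and the `render_unsafe` / `render_safe` functions are constructed for this example; the point is that a comment body pasted into the page as raw markup lets a visitor's text become part of the page, while escaping every user-controlled field at output time keeps it as plain text.

```python
import html
from typing import Callable, Dict, List

# Constructed sample comments (not real data from any site). The second one
# carries markup in its body, which is exactly what a comment form must expect.
SAMPLE_COMMENTS: List[Dict[str, str]] = [
    {"author": "alice", "body": "Renewed my licence today, took three hours."},
    {"author": "mallory", "body": "Nice site <script>document.title='defaced'</script>"},
]


def render_unsafe(comment: Dict[str, str]) -> str:
    """Vulnerable rendering: user-supplied text is concatenated straight into
    the page, so any tags in the comment body become live page markup
    (stored cross-site scripting)."""
    return f"<div class='comment'><b>{comment['author']}</b>: {comment['body']}</div>"


def render_safe(comment: Dict[str, str]) -> str:
    """Hardened rendering: every user-controlled field is HTML-escaped at
    output time, so '<', '>', '&' and quotes reach the browser as literal
    characters and are displayed rather than executed."""
    author = html.escape(comment["author"], quote=True)
    body = html.escape(comment["body"], quote=True)
    return f"<div class='comment'><b>{author}</b>: {body}</div>"


def contains_script_tag(rendered: str) -> bool:
    """Crude detection check: is there a live <script> tag in the output HTML?
    Escaped text shows up as '&lt;script&gt;' and does not match."""
    return "<script" in rendered.lower()


def render_page(comments: List[Dict[str, str]],
                renderer: Callable[[Dict[str, str]], str]) -> str:
    """Render a whole comment thread with the given renderer."""
    return "\n".join(renderer(c) for c in comments)


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = render_page(SAMPLE_COMMENTS, renderer)
        print(f"--- {name} ---")
        print(page)
        print("live script tag present:", contains_script_tag(page))
```

The fix is entirely on the output side: the comment is stored as typed, and the escaping happens each time it is written into HTML. Most templating engines do this by default, which is why the post calls the attack a blast from the past; it only survives where someone builds pages by string concatenation as `render_unsafe` does.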
The eNaTIS system and database is still secure and cannot be accessed via this web site
Good, good. Of course, the whole idea of eNaTIS was to have it available to the public via a website. So what they effectively appear to be saying here is "we're really happy we haven't got around to implementing the web access part of eNaTIS yet". It's not a proud day for security when only your project delays are the reason your core database wasn't exposed.
From Fin24: "It's nothing to write home about," said Transport Department spokesperson Collin Msibi when told that part of the eNatis website had been hacked. Let's see some other prescient/accurate quotes by this man:
Yeah, not a high strike rate. I'll tell you exactly why it's something to write home about. The ease with which the website was hacked indicates a possible profound lack of security knowledge on the part of the administrators. This suggests that perhaps the auditor-general was right when eNaTIS was castigated for a lack of security. As a matter of interest, that criticism concerned the system itself, not the website. So, what we're seeing here is a possible pattern of insecurity, which is quite worrying. The information coming out of the DoT and Tasima seems to be optimistic in the extreme given the numerous documented failings of this system.
This system is a debacle, recognised as such by all and sundry, except the DoT and Tasima. Exorbitantly expensive, late, unreliable, slow, and insecure, it seems to be a poster child for poor development practices. To cap it all off, we taxpayers, who have already paid for this system once, must continue to fund Tasima's efforts to keep it stable through a R30 surcharge on our transactions.
Filed under: Security, Politics, South Africa