Thursday, July 05, 2007

eNaTIS response to hackers is really sad

Yesterday the eNaTIS web site was hacked twice. This morning a defiant message was posted on the eNaTIS web site. Unfortunately the message is not in the least bit reassuring, and is clearly on the defensive. It reads:
eNaTIS "Hackers" on wrong track
Some media hype has suggested that the eNaTIS system was hacked recently [most of the reports specified the web site]. This was apparently due to someone leaving a comment on a page of a section of the eNaTIS public web site (this site) [So that's how they did it]. The suggestion that eNaTIS was hacked is actually laughable. The eNaTIS public web site is in no way connected at all to the eNaTIS system. [Not yet, but on-line transactions will be possible "later this year"] This choice was a deliberate design choice.
The eNaTIS system and database is still secure and cannot be accessed via this web site.
The truth is that the eNaTIS web site is running on a public hosting area on a public hosting service. The hosting service is not inside the eNaTIS data centre at all. There is also no connection of any kind between this web site and the eNaTIS system. [Not yet] The Department of Transport deliberately decided to host the web site on a completely different server than the eNaTIS system servers to ensure that any hacking attempts would be fruitless.
Any attempt to hack this web site (www.enatis.com) is totally fruitless in respect of the eNaTIS system. The eNaTIS system can only be accessed by work stations that are authorised to access the system and all communication with the eNaTIS system is encrypted. In addition, a pre-defined user name and password is needed to connect to the eNaTIS system. [I wonder how often these passwords are changed?] An eNaTIS user will only be given access to the system after signing a confidentiality agreement regulating the security of passwords. The South African public can rest assured that the eNaTIS system is not open to the public and hackers of the web site will not get one millimeter closer to the eNaTIS database by doing this.
Now for the hard truth about eNaTIS: the web site was hacked twice because the people responsible for the web site are incompetent.
It is reassuring that the eNaTIS database cannot yet be reached via the web site, but the same web site promises that on-line transactions will be available "later this year".
Hopefully this will be taken as the security wake-up call it is, but the tone of the posted statement suggests they have completely missed the point: the security of the web site matters as much as the security of the rest of the system. Judging by the reports in Beeld, the rest of the system is not secure either.
