Thursday, May 31, 2007

eNatis

It is pretty rare for the general public to know about the I.T. workings of a government department. For example - when you go to pay your water and lights account or get your passport all you want is the transaction to go through - you don't care if they are using "PTS.4" or "QUSI-XGT" to process the transaction.

You only really are aware of it when something goes wrong. Which it did at the Department of Transport who are the guys who register new cars, licenses etc. They ripped out the old "Natis" system and to great fanfare implemented the "eNatis" system. Which has been in the papers (Google News turns up 295 articles) because it didn't work.

The staff had no idea how to get it working. The capacity was overwhelming and the IT guys ran around trying to plug the holes and put up new servers to make sure everything worked. This , after it was live, with no way to go back to the old system.

It even led to the Minister flying down from the clouds above and doing something never done in the history of the ANC... apologizing. He hasn't admitted he is wrong - but he apologized none the less, which is a start. In fact, in typical government style the problem remains unsolved but there is a task team in place to investigate whose fault the mess is.

There are many lessons to be learned from this whole ordeal on how not to perform an upgrade including having a backout plan, educating users, having a test case, testing with worst case load expectations (not best case), doing proper governance before hiring IT developers, etc.

But now, a public newspaper has received an audit report of the system that was published before it went live and the have won a court case to be able to publish details in their paper. Apparently the system has no security controls in it which means that any person who uses the system has "root" access.

The government has tried to block the newspaper publishing the details in an effort to have "security through obscurity".

A TV show recently showed that there is little to no physical access control in the Department of Transport's public interfacing offices which means that for a bit of cash one can get access to the terminals.

I'm just relating what I've read. I don't know the extent of the security on the terminals or exactly how the eNatis system works but I am interested in this saga and will publish more when it becomes available to me.

Friday, May 18, 2007

Only in Africa.... phishing is done on the street.

Today I had to do some (personal) work with the Government.

What I did is personal (so don't ask) and probably not offered in all countries but you can think of it as being similar to renewing a driver's license or getting health benefits, etc. Dealing with the Government.

The department I had to visit has moved and not done a very good job of Informing The Public. Also, unlike the Department of Home Affairs it is not a place you'd visit very often. Some people need never go there.

So... while I was in their waiting room I read a newspaper article they had stuck up on the wall about how they were being targeted by fraudsters. These are people who wait on the pavement just outside or near to the building. They can then spot people who are obviously lost and looking for the building and "help" them out.

They take the people to other buildings somewhere in the vicinity in which a little look-alike office has been set up and charge them about $20 to $100 to lodge an application.

The Government charges nothing (its covered by tax).

Even for me that amount is a lot of money but for the poor who would be most likely to use the service it can be almost half their monthly salary. They also leave in the (falsely) secure knowledge that their application has been processed and I'm not even sure if it does make its way to the Government.

And, of course, these guys also have personal details about the person and probably a photographed copy of their ID book and signature. Maybe even a copy of their last bank statement. These are all things needed to get credit.

Only 1% of Africans have access to the Internet and in the largest city built not near a major river or dam or coast phishing is done on the street.

Tuesday, May 8, 2007

The Plastic Swimming Pool Theory of Security


This is one of my theories of Security and why it is such a battle.

I'm not sure if I made it up or heard it somewhere but I stand by it.

"When one person pisses in a swimming pool it affects everyone"

This is why patching is so important but ignored. When a PC on the Internet is compromised by a worm the person who is running the PC may be affected a bit. Their link may slow down slightly but when 100,000 of them are used in a bot-net to attack companies it affects the companies, not the person who owns the PC.

It is the same with TJX etc, personal information stolen from their databases leads to identity theft and hence false purchases all over from many different stores. Everyone is affected.

So, just don't piss in the pool, please. And patch!