Thursday, July 5, 2007

eNatis: Nothing to see here, move along.


For those who read my column and are not from South Africa: eNatis is a new system that the Department of Transport (DOT) has implemented. It has a website portal and is the system used for registering cars, licenses, paying fines, etc. It has a lot of personal information. The website was hacked and the papers jumped on the story, though most called it (correctly) a non-event.

Web hacks are (apparently) easy to do.

This is part of the reason why any company worth its salt (and some not even worth that) recommends that the webserver not contain important information. That should be stored in a database, and if the webserver needs to read the data, it should make a connection through a firewall. And the database should be closed up as tight as possible.

In fact, it is almost expected that the webserver will be hacked and the company (or government department) should have an incident response in place to deal with this minor breach.

I liken this hack to the real-life-equivalent of a criminal trying to break into an office of the D.O.T, not succeeding and spraying graffiti on their gate.

The media has jumped on this hack because of the issues eNatis has had in the past, but it's the equivalent of reporting on a graffiti incident: the result of the attack is very embarrassing because everyone can see it, but no real loss occurred, and once the mess is cleaned up there will be no further issue.

So, what sort of hack is newsworthy? One that will not make it all the way into the papers! A newsworthy hack would be one where a criminal (or hacker, whatever terminology you choose) gets into the eNatis database and manages to manipulate the data for self gain or steal personal information from the database.

This will not get into the paper because:
  1. The criminal will not make it public that he has done anything wrong; it would make it easier for him to get caught.
  2. The D.O.T may not even know it has happened. Stealing information is not like other crimes where, if someone steals your stuff, you have no stuff left. Information can be stolen but a copy could be left in place.
  3. If the D.O.T finds that a hack has taken place in their database, the last thing they will do is inform the press. (My guess.)
  4. If information is stolen from the D.O.T, it may be used for identity theft purposes (i.e. pretending to be someone so you can get credit in their name or get access to their personal assets), and the investigation (if it gets that far) may not know the true source of the information used in identity theft.

That is not to say that I know of an instance where eNatis has had its database hacked, nor am I saying that it has been hacked or ever will be in the future. I'm saying that, if it were hacked in a way that was newsworthy, we probably would not be reading about it in the newspaper.
