What should have happened in the Master Deeds leak

It is great to see that the DPCI (Department of Priority Crimes Investigation) and the South African CCU (Commercial Crimes Unit) have started investigating the leak of over 60m South African identities as reported by Troy Hunt and published by a number of local media outlets.

It was not a hack or breach – the Server Admins screwed up

The South African media reported the incident as a “hack” or “breach”. It was never that. It was a “leak” or “dump”, where an entity placed a MySQL database dump file (a human-readable text file containing the schema of the database as well as all of its data) on a publicly available server. The information could have been indexed by any search engine and the file could be downloaded by ANYONE using a browser URL – i.e. http://ip-address:443/masterdeeds.sql. Although it is commonly known as a “leak”, the media insists on calling it a “breach”, despite nothing being breached.
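A hosting admin can catch exactly this kind of exposure with a periodic scan of the web root for database dumps, matching both by file extension and by mysqldump-style content so a dump renamed to .txt is still found. This is an added example, not code from the post or from the hosting company; the directory, file names and contents created by build_sample_root() are constructed for the demonstration.

```python
"""Scan a web document root for database dumps that anyone could fetch by
URL. Added example, not code from the page; the root, file names and
contents in build_sample_root() are constructed for the demonstration."""
import os
import re
import tempfile

# Extensions that have no business sitting in a public web root.
DUMP_EXTENSIONS = (".sql", ".sql.gz", ".dump", ".bak")
# mysqldump writes a banner; CREATE/INSERT lines betray renamed dumps.
DUMP_SIGNATURES = (
    re.compile(rb"^-- MySQL dump", re.M),
    re.compile(rb"^CREATE TABLE `?\w+`? \(", re.M),
    re.compile(rb"^INSERT INTO `?\w+`? ", re.M),
)

def looks_like_dump(path: str, sniff_bytes: int = 4096) -> bool:
    """True if the file name or its first bytes mark it as a SQL dump."""
    if path.lower().endswith(DUMP_EXTENSIONS):
        return True
    try:
        with open(path, "rb") as fh:
            head = fh.read(sniff_bytes)
    except OSError:
        return False
    return any(sig.search(head) for sig in DUMP_SIGNATURES)

def scan_document_root(root: str) -> list:
    """Relative paths of every file under root that looks like a dump."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if looks_like_dump(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)

def build_sample_root() -> str:
    """Constructed web root: one page, one dump, one dump hidden as .txt."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "aida.co.za"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>constructed page</body></html>\n")
    with open(os.path.join(root, "masterdeeds.sql"), "w") as fh:
        fh.write("-- MySQL dump 10.13\nCREATE TABLE `persons` (`id` int);\n")
    with open(os.path.join(root, "aida.co.za", "data.txt"), "w") as fh:
        fh.write("INSERT INTO `persons` VALUES (1,'constructed');\n")
    return root
```

Run it against the real document root from cron and alert on any finding; a hit means the file is one URL guess away from the public, regardless of whether a link to it exists.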

The server was not secured at all and anyone could browse all its content, as has been posted on Twitter:


The files have been publicly available since at least March 2017 (that is when the files were submitted to security researcher Troy Hunt for assistance) and carry file dates from 2015. It is unclear whether the files were accessible from 2015, but when you look at Tefo’s screenshot of the server directory you can see files called “select”, “show” and “use”, which are common MySQL commands, and it could very well be that the server was compromised on 24th February 2017.

The server administrator should at least have noticed something wrong when creating the “aida.co.za” folder on 8th March 2017 and should have seen the SQL dumps as well as the strange file “^CCtrl-C”. It is interesting to note that “CTRL+C” is typically a cancel/break command executed on the command line. And since all those files have the same time-stamps, it could very well be that in February 2017 some other form of intrusion happened.

It is also important to note that the file-date of 2015-04-08 of the masterdeeds.sql is not necessarily when the file was created. It is very easy to set the file-date back to “blend” files in with the rest of the server – i.e. an admin would think “Hmmm, those are old files” whereas new files could possibly raise suspicion.
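A forensic reviewer does not have to take a file date at face value. On Linux the inode change time (ctime) cannot be set from user space, so a file whose modification time was pushed back will still show a recent ctime. The check below walks a directory and flags files whose mtime lags ctime by more than a threshold. This is an added example, not code from the post, and it assumes a Unix-style filesystem; the files created by build_sample() are constructed in a temporary directory.

```python
"""Flag files whose modification time was set back to blend in with older
files. On Linux the inode change time (ctime) cannot be set from user space,
so a backdated mtime lags far behind ctime. Added example, not the page's
own code; the files in build_sample() are constructed in a temp directory."""
import os
import tempfile
import time

# Hypothetical threshold: ordinary edits leave mtime and ctime within minutes.
SLACK_SECONDS = 3600

def find_backdated(root: str, slack: int = SLACK_SECONDS) -> list:
    """(relative path, mtime, ctime) for files whose mtime is older than
    ctime by more than `slack` seconds, i.e. candidates for backdating."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            if st.st_ctime - st.st_mtime > slack:
                hits.append((os.path.relpath(full, root), st.st_mtime, st.st_ctime))
    return sorted(hits)

def build_sample() -> str:
    """Constructed directory: a fresh file plus one whose mtime is pushed
    back to 2015-04-08, the file date the leaked dump carried."""
    root = tempfile.mkdtemp(prefix="evidence_")
    fresh = os.path.join(root, "index.html")
    backdated = os.path.join(root, "masterdeeds.sql")
    for path in (fresh, backdated):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    old = time.mktime((2015, 4, 8, 0, 0, 0, 0, 0, -1))
    os.utime(backdated, (old, old))  # rewrites atime/mtime; ctime becomes now
    return root
```

Copies made with preserved timestamps (cp -p, rsync -a, tar extraction) show the same gap, so treat a hit as a lead to correlate with server and access logs rather than as proof of tampering.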

The leak was first found by a security researcher who tweeted about it in March 2017:

Without understanding the commercial agreements with the hosting company it is unclear whether the responsibility for securing the server resides with the ISP (in this case Hetzner) or whether this was managed by in-house staff (i.e. employees of the company running those websites). Either way, no competent server admin would make such basic mistakes. Customer data would never be placed on a public webserver without authentication and strict access control. Highly privileged/sensitive information such as this file would never be sent over the network (at best only via VPN, or at worst via physical media).

The overzealous reporting possibly destroyed evidence

Considering that the data had been available since at least March 2017, there was no need to rush a story rather than wait and follow proper process. I can only attribute what happened next to inexperience in the InfoSec field, which ultimately resulted in files being removed, servers being shut down and evidence possibly destroyed.

The standard protocol of any leak or breach or security incident is to isolate the affected server from the rest of the network. In this case the most basic option would have been to turn the server off.

While most companies do not have security policies in place, an ISP and any hosting company must have them, as many of their clients host confidential information and ISPs are generally a target for large-scale attacks. It would therefore be completely expected that an ISP informed of a leak or intrusion would follow its playbook for a security violation:

  • Isolate the server affected
  • Secure all past backups for historic evidence
  • Make a forensic image of the storage affected (required for law-enforcement as it is tamper-proof)
  • Secure any logs/reports (such as firewall, caching servers, access details and web-server logs)
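The “tamper-proof” quality of a forensic image comes from hashing the data as it is acquired and recording the digest in a manifest that any later party can recompute. The code below images a source file while hashing it, writes the manifest, and exposes a verify step that fails if a single byte of the image changes. This is an added example of the playbook step, not the ISP’s procedure; the “device” created by build_sample_device() is a constructed temporary file standing in for the affected disk.

```python
"""Acquire a forensic image while hashing it and record a manifest, so a
later check proves the copy is untampered. Added example, not the ISP's
procedure; the 'device' is a constructed temporary file."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for disk-sized sources

def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def image_and_hash(source: str, image: str) -> dict:
    """Copy source to image byte for byte, hashing the stream as it is read."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    manifest = {
        "image": image,
        "sha256": src_hash.hexdigest(),
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(image + ".manifest.json", "w") as fh:
        json.dump(manifest, fh, indent=2)
    if not verify_image(image):  # what landed on disk must match what was read
        raise RuntimeError("image digest differs from source; acquisition failed")
    return manifest

def verify_image(image: str) -> bool:
    """Recompute the image digest and compare it with the manifest."""
    with open(image + ".manifest.json") as fh:
        manifest = json.load(fh)
    return sha256_of(image) == manifest["sha256"]

def build_sample_device() -> str:
    """Constructed stand-in for the affected disk: 3 MiB of patterned bytes."""
    fd, path = tempfile.mkstemp(prefix="sda_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(bytes(range(256)) * (3 * 4096))
    return path
```

In practice the source is the block device (or a snapshot of the VM disk) and the manifest is signed and kept with the chain-of-custody record, but the hash-then-verify logic is the same.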

It is unclear if any of the above happened. The only thing I have seen is that the files in question have been deleted. I do hope that the people dealing with the leak have followed at least the majority of the steps above to ensure that evidence is retained for law enforcement.

Journalists and IT publications need to understand protocol in dealing with security issues

It has become a known fact that BRICS countries will become a target for concentrated cyber-attacks. While the South African Citizen ID leak is the biggest known leak, there have been a number of equally sensitive leaks and breaches which have been handled without full disclosure by state agencies and local financial institutions.

As such it is soul-crushing to see how media outlets incorrectly report on such incidents and lack any understanding of what needs to happen. In the case of the Master Deeds leak, the following should have been done (by the person who found the data or by the reporters receiving the tip-off):

  • Identify the ISP via IP or website (= Hetzner)
  • Reach out to the ISP and inform them about the leak
  • Reach out to the company owning the domain
  • Inform the DPCI (Department of Priority Crimes Investigation) and CCU (Commercial Crimes Unit)
  • Lodge an immediate ISPA take-down request and phone them about the urgency of the request logged
  • Reach out to the communication and state-security minister (yes, it is after all a national security issue too) via GCIS and DOC
  • Reach out to PASA (Payments Association of South Africa), FSB (Financial Services Board) and SARS (South African Revenue Service) to inform them about the leak
  • Contact the South African Information Regulator who is in charge of POPIA (note: the regulator has been established, but POPIA is not effective law yet)
  • Once the forensic evidence has been secured (i.e. the ISP would have taken a forensic image of the server and also secured all auxiliary access details) the leak can be publicly disclosed via an article

Yes, the above is “cumbersome” and not as exciting as running headline news / breaking a story, but it would have avoided the scenario where the file was made available to other parties who only learned about its existence once the news outlets started reporting on it (and it then took almost 24 hours to have the files removed).

Post leak – your data is on the internet! Now what?

You can assume that the leak has been accessed since at least March 2017 and could have been leaking since its file creation, dating back to 2015. Since the file contains sensitive information such as ID numbers, employer details, address information, gender, date of birth and salary information, the content lends itself to identity theft, which allows criminals to take out loans or contracts in your name or simply to use it for targeted criminal activities such as house robberies (after all, they have your address and know how much you earn).

Phishing attacks will also be easy, as a perpetrator can now completely target you with information only you would know. Clicking on the wrong link could grant access to your banking details or any other financial records. It is very likely that your financial information will be targeted first (no banking details were in the leak).

The following actions should be taken:

Determine what was leaked

We know the content of the data. What is not known is which details about each person are in the leaked files, which makes it difficult to protect ourselves. Troy Hunt has said that he will not allow lookups via South African ID numbers. I am unsure who will assist citizens in determining how they are affected, as Troy’s website only allows the lookup of the 2.1m email addresses contained in the leak (out of 60m records).

The South African ID number is comparable to a social security number and is used for credit-vetting and identification purposes. This information alone is already problematic – especially since the records contain names and address details. With the ID number and your name, anyone can impersonate you.

Change affected passwords

Troy Hunt’s website allows you to look up details via email address – in my case an email address I stopped using in 2008 was part of the Master Deeds leak:

My suggestion is that you visit the above website and look up any of the email addresses (both private and work) you use at the moment. If any of the addresses is affected, change passwords on every website where you use the email address IMMEDIATELY. Also see if you can enable two-factor authentication (Apple, Google) – this adds an extra layer of security to your online services.

Do not reuse passwords; choose a unique password for each and every account. If you are as forgetful as I am, I suggest 1Password as a password manager and to generate strong passwords. With a password manager, you’ll need to remember only one password; the software will take care of the rest. The downside is that if the “master password” is compromised, all your accounts will be as well – this is manageable as it is controlled via TouchID (Apple) or other biometric mechanisms.


How to Prevent Identity Theft in 5 Simple Steps

Contact relevant financial institutions

Although payment information has not been stolen/compromised, it would be diligent to inform your financial institutions (insurance, bank, credit card company). Explain that your account is at risk of fraud and ask your financial institutions / card issuer to alert you if they detect suspicious activity on your account. There is no point in cancelling cards or closing bank accounts – just make sure that access to those is controlled.

Contact the credit-reporting bureaus

Contact the major consumer credit-reporting bureaus and ask each to place a fraud alert on your name. This way, if anyone tries to steal your financial identity — for example, by trying to open a credit-card account in your name — you’ll know. (You’ll also learn when anyone tries to look up your credit.)

The South African Fraud Prevention Service provides a certain level of protection and alerting. As it stands currently, SAFPS requires a report to the South African Police Service before lodging a request for Protective Registration:

You can also request from local credit bureaus a “credit freeze” which will not allow anyone to run a credit report on you and this prevents opening accounts in your name without explicit authorisation. It is my understanding that South African credit bureaus do not provide a “credit freeze” option.

A credit freeze won’t allow anyone with whom you don’t already do business to run a credit report on you, or open an account in your name, without your explicit authorization, so it’s pretty solid protection. But it may cause unforeseen complications when you apply for new credit cards or a mortgage, or even switch cellular carriers or cable-TV companies. Each agency will give you a PIN with which you can temporarily unlock your file in such instances.

Sign up for a credit- or identity-monitoring service

I am not aware of a free service in South Africa other than SAFPS mentioned above. Identity Guard is a paid service, and ideally the entity that caused the leak of your information should foot the bill for monitoring your identity for fraud.

Contact law enforcement

In case of a leak or identity theft, open a case of identity theft at your local police station. In most cases the police will not be helpful as they are unfamiliar with this type of crime. Ask a supervisor to assist or contact CCU / DPCI mentioned above.