The state says its computer systems are secure. We looked. They’re not
SITA’s internet services have more than 5,000 security flaws
State public-facing internet services are riddled with vulnerabilities. Illustration: Lisa Nelson
The State Information Technology Agency (SITA) is responsible for much of the state’s computer systems including websites. On 24 May SITA published a statement denying social media claims that “SITA and government infrastructure” had been hit by a “cyberattack or unauthorised access”.
“Our Systems Remain Secure,” said the statement.
We used a standard industry tool to examine the government’s internet services. These are hosted mostly, but not only, on the gov.za domain.
We looked at the section of the internet for which SITA is responsible separately from other government sites. In this article we show the results of the SITA network only.
We found that the government’s systems are insecure.
The details are technical, so we have divided this article into two parts. The first part is a simplified non-technical description of the problem. The second part, for those who are interested, is a technical description.
Simple explanation
We investigated SITA’s internet space using Shodan, a search engine for internet-connected devices. Our analysis shows that SITA has hundreds of public-facing services that use outdated technologies and have numerous known software vulnerabilities. Some of the insecure services include those of the Deeds Office, the Limpopo health department and the Western Cape government, but there are many, many more.
In response to our questions, SITA told us that it is only responsible for about 37% of government services. We’re not sure what on the SITA network SITA itself is directly responsible for. When we asked, SITA told us this information is confidential.
SITA said it “performs regular security assessments and vulnerability analyses on all systems under its direct management”. But its own site is vulnerable. (Read SITA’s responses to our first set of questions and second set of questions.)
When cybersecurity people identify vulnerabilities in commonly used software, they eventually publish these in a public database so that IT workers can be aware of them and take appropriate action. These vulnerabilities are called CVEs (for Common Vulnerabilities and Exposures).
CVEs get a score from 0 to 10. The higher the score, the more severe the issue is.
The SITA network has over 900 unique CVEs. Of these, 126 are critical. These CVEs are repeated across the SITA network, with just over 5,000 vulnerabilities in total.
Much of the software on the SITA network is outdated. The SITA website itself, https://www.sita.co.za, has outdated, insecure software.
It is hard to overstate how serious this is. For example, when the GroundUp site has only one serious outstanding CVE, we rush to sort it out, as any responsible maintainer of a critical system does.
This is despite SITA’s claim that their “security operations teams operate on a continuous, 24/7 basis and are equipped with monitoring and threat-detection capabilities”.
The oldest security flaw on SITA’s network was revealed in 2006 (see here, here and here, for example) when Thabo Mbeki was president. It is still there, repeated over and over across the network.
This graphic shows the HTTP response header that deeds.gov.za sends back to every browser, scanner, and attacker that connects to it. Each highlighted version has passed its vendor end-of-life date. The Deeds Office encryption mechanism also has a severe vulnerability, according to SSL Labs. Although the Deeds Office sits on the SITA network, the Deeds Office spokesperson told us that they use a company called DLRRD Deeds ICT to manage their IT systems. So it’s not clear to us who is responsible for preventing and fixing problems like this.

This graph shows the number of vulnerabilities (CVEs) and their severity (CVSS) for deeds.gov.za. The Deeds Office address is merely an example. There are many other gov.za addresses that are plagued with vulnerabilities.

Sucuri shows that SITA has been using an old version of Drupal (retired over a year ago), which is a high security risk. This is despite SITA telling us “There is a monthly vulnerability scanning process for all the SITA-hosted websites” and as part of a “risk management process forgotten, unused, or legacy internet-facing services are removed following approval from owner departments / entities”.
10/10 vulnerabilities
Many of the CVEs have known exploits (ways to get into the system), including seven of the most critical CVEs. In other words, people with ill intentions can take advantage of the vulnerabilities on the SITA network. Some relate to Microsoft Exchange Server, which hosts some government email services.
In 2021, a group of state-sponsored attackers exploited a vulnerability (dubbed ProxyLogon) that is also present on the SITA network to break into Microsoft Exchange Server sites belonging to organisations around the world. This allowed them to access the mail of all users. The vulnerabilities were fixed at the time by Microsoft, but some SITA assets still appear vulnerable.
Some of the CVEs relate to Microsoft’s file-sharing protocols. These carry the maximum possible severity rating of 10 out of 10. They have been used by attackers to break into servers and deploy ransomware and other malware.
These are not flaws that require highly sophisticated skills and tools to exploit. There are ready-made tools that have been publicly circulating for years that do it for you.
Technical details
We ran our Shodan analysis of the SITA ASN (AS37130) on 24 May, and re-ran it on 2 June.
Shodan identified 2,150 exposed services across 1,112 unique internet-facing hosts. Of those, 152 hosts were identified as having at least one known vulnerability - one in seven. The dataset spanned more than 30 identifiable government departments that have IT services managed by SITA.

There were over 900 unique CVEs. Of these, 125 are critical (9.0 - 10.0). In total (with duplication), there were 5,014 CVEs across the network.
Some Shodan vulnerability matches are based on detected software versions, and will be false positives. Nevertheless, it is clear that many systems on the SITA ASN are old, exposed, and insufficiently maintained.
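The counts above (services, hosts, hosts with at least one CVE, unique and critical CVEs, total findings) can be reproduced from an exported scan of your own address space. The script below is an added example, not GroundUp's code; it assumes one JSON banner per line with `ip_str`, `port` and a `vulns` map carrying `cvss` and `verified`, counts duplicates per service, and runs on constructed sample data with placeholder CVE ids.

```python
import json
from collections import Counter

# Constructed sample in the shape of Shodan banner records (one JSON object
# per service). IPs are documentation addresses and CVE ids are placeholders.
SAMPLE_BANNERS = """\
{"ip_str": "192.0.2.10", "port": 443, "vulns": {"CVE-0000-0001": {"cvss": 9.8, "verified": false}, "CVE-0000-0002": {"cvss": 5.3, "verified": false}}}
{"ip_str": "192.0.2.10", "port": 80, "vulns": {"CVE-0000-0001": {"cvss": 9.8, "verified": false}}}
{"ip_str": "192.0.2.11", "port": 445, "vulns": {"CVE-0000-0003": {"cvss": 10.0, "verified": true}}}
{"ip_str": "192.0.2.12", "port": 22}
{"ip_str": "192.0.2.13", "port": 25, "vulns": {"CVE-0000-0002": {"cvss": null, "verified": false}}}
"""

def summarise(jsonl_text, critical_floor=9.0):
    """Aggregate per-service banners into network-level counts."""
    services = 0
    hosts, vulnerable_hosts = set(), set()
    occurrences = Counter()   # CVE id -> number of services reporting it
    best_score = {}           # CVE id -> highest CVSS score seen
    verified = set()          # CVE ids confirmed rather than version-inferred
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        banner = json.loads(line)
        services += 1
        hosts.add(banner["ip_str"])
        for cve, info in (banner.get("vulns") or {}).items():
            vulnerable_hosts.add(banner["ip_str"])
            occurrences[cve] += 1
            score = info.get("cvss")
            if score is not None:  # some records carry no score
                best_score[cve] = max(best_score.get(cve, 0.0), float(score))
            if info.get("verified"):
                verified.add(cve)
    critical = {c for c, s in best_score.items() if s >= critical_floor}
    return {
        "services": services,
        "hosts": len(hosts),
        "vulnerable_hosts": len(vulnerable_hosts),
        "unique_cves": len(occurrences),
        "critical_cves": len(critical),
        "total_findings": sum(occurrences.values()),
        "verified_cves": len(verified),
        "version_inferred_cves": len(set(occurrences) - verified),
    }

if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_BANNERS), indent=2))
```

The `version_inferred_cves` figure is the set most likely to contain false positives, so it is the one to confirm against actual patch levels before reporting or prioritising fixes.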
© 2026 GroundUp. This article is published under the GroundUp Republication Licence Version 1.0. Email [email protected] to request permission to republish.

