What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks/computer systems, where I simulate an organized professional attack against your organization, after which a detailed report summarizes the weaknesses and exploited vectors. This will help you gain control over your infrastructure's security and maximize your protection.

Sunday, March 06, 2011

KenyaPolice Website Vulnerabilities

So, a new post showed up on the Security list about how to let the relevant personnel know about the vulnerabilities that the KP website would be having. http://lists.my.co.ke/pipermail/security/2011-March/001725.html

If you check for obvious vulnerabilities with your browser, e.g. cross-site scripting, SQL injection, hidden directories, it's much easier with the lack of a WAF (Web Application Firewall) and bad coding tactics.

With such obvious flaws, we can actually get a sense of how Government infrastructure is, and how vulnerable the applications running confidential information are, e.g. civil servant information, NSSF information, Health Organization, ongoing corruption investigations etc. With such information sitting in susceptible, vulnerable infrastructure, in case of a cyber attack it would be easy to overwhelm and bypass the Government's integrity and confidentiality.

Back to the KP website: pages like report_a_crime.asp, lost.asp, site_search.asp, crime_reports_processor.asp, contactus.asp and several others are vulnerable to serious security flaws, especially the OWASP Top Ten risks. This is due to non-sanitized pages with page variables like category, details, name, email_address, telephone, txtAnswer etc.

Security assessments for Kenyan Government infrastructure should be enforced, and the use of Information Security Policies should be introduced. MOD or any other law enforcement organization should at least have a Task Force that does tests once in a while by assuming cyber attacks, and such common vulnerabilities on the KP webserver should no longer exist (very embarrassing flaws).

NB: I have not disclosed to anyone how to inject or exploit these vulnerabilities. KP has not been informed yet, so the site is still vulnerable. Please also note that any information I have shown here should NOT be misused; if so, use at your own risk.
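As an added example (not code from the original post or from the site it discusses), this Python sketch shows the server-side handling a form with the field names listed above would need: allow-list validation, bound SQL parameters and output encoding. The table name, patterns and length limits are assumptions made for illustration.

```python
import html
import re
import sqlite3

# Field names are the ones the post lists; patterns and limits are assumptions.
RULES = {
    "category": re.compile(r"[A-Za-z ]{1,40}"),
    "name": re.compile(r"[^\x00-\x1f]{1,80}"),
    "email_address": re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}"),
    "telephone": re.compile(r"\+?[0-9 ]{7,20}"),
    "details": re.compile(r"[^\x00-\x08\x0b\x0c\x0e-\x1f]{1,2000}"),
}

def validate(form):
    """Return (clean, errors); missing, malformed or unknown fields are errors."""
    clean, errors = {}, []
    for field, pattern in RULES.items():
        value = form.get(field, "").strip()
        if pattern.fullmatch(value):
            clean[field] = value
        else:
            errors.append(field)
    errors += sorted(set(form) - set(RULES))
    return clean, errors

def store(conn, clean):
    """Insert with bound parameters; values are never concatenated into SQL."""
    cur = conn.execute(
        "INSERT INTO reports (category, name, email_address, telephone, details)"
        " VALUES (:category, :name, :email_address, :telephone, :details)", clean)
    return cur.lastrowid

def render_confirmation(conn, report_id):
    """Encode stored values at output time so markup is displayed as text."""
    name, details = conn.execute(
        "SELECT name, details FROM reports WHERE id = ?", (report_id,)).fetchone()
    return "<p>{}: {}</p>".format(html.escape(name), html.escape(details))

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, category TEXT,"
                 " name TEXT, email_address TEXT, telephone TEXT, details TEXT)")
    # Constructed sample input: an apostrophe and angle brackets are ordinary text.
    form = {"category": "Lost item", "name": "N. O'Brien",
            "email_address": "n.obrien@example.org", "telephone": "+254 700 000000",
            "details": "Lost a bag <blue> near the bus stop"}
    clean, errors = validate(form)
    return errors, render_confirmation(conn, store(conn, clean))
```

Validation decides what is accepted, but it is the bound parameters and the encoding at output that keep accepted text from being interpreted as SQL or HTML.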

Posted by Chucks

2 comments:

kisakye said...

Nice Disclaimer there!

Happiness said...

Great way to educate them. Please offer them training on security.