IGF cybersecurity fail: website leaks personal data with aid of participants
by Alex Comninos, 25 October 2013
When you registered for the IGF online, you may very well have exposed your personal data, including your full name and ID/passport number, to criminals, spies, intelligence agencies and dragnet surveillance programmes. That data may have been readable by anyone on the network from which you connected, and at any point on the internet through which your confirmation-of-registration email passed.
After registering for the IGF online, you received an email entitled “Confirmation of your registering to the 8th IGF meeting in Indonesia”. The email looked something like the one below.
In the picture above you can see that the confirmation email contained a link, which you clicked. The link looked something like this:
This link contained both your email address and your passport number. Anyone snooping on your mail would have seen this link. Anyone snooping on the websites you visit would also have seen it, because the site was served over plain http:// rather than https://. The link pointed to a PDF that contained, amongst other information, your full name, date of birth, ID/passport number and its expiry date, and your residential address.
If your email was not encrypted in transit, the mail, and the link in it, would have been readable by anyone eavesdropping at any point on the internet through which the email passed. Even if your email was encrypted, making it unreadable to email snoopers, the moment you clicked the link the request went out over unencrypted HTTP: the link, and the PDF it returned, could be read by anyone on the same network connection as you running a freely available packet sniffer such as Wireshark. The link did not expire after the PDF was downloaded; it could be downloaded any number of times, from any location. What is more, all participants' confirmation PDFs remained on the IGF web server, meaning that if the website was compromised by a hacker, they would have been able to download ALL the participants' confirmation-of-registration forms.
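As an added illustration (this is not code from the original post and not the IGF's own software; the hostname, paths and parameter names are constructed, not the IGF's actual link format), the following Python contrasts the failure mode described above with the usual fix. The weak link carries the participant's email address and passport number in the URL, so anyone who can read the email or the HTTP request learns them and can fetch the PDF indefinitely. The hardened link carries only a random, unguessable token: the server stores a hash of it together with an expiry, hands out the registration once, and rejects replays and expired tokens, so a sniffed or logged URL is worthless shortly after use.

```python
"""Added example: PII in a download URL versus an opaque, expiring, single-use token.

Everything here is constructed for illustration. The hostname, paths and
query-parameter names are hypothetical and are NOT the IGF's real link format.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

SENSITIVE_PARAMS = ("email", "passport")


def weak_confirmation_link(email: str, passport: str) -> str:
    """The anti-pattern: identifying data travels inside the URL itself.

    Whoever reads the email in transit, sniffs the plain-HTTP request on the
    local network, or reads the web/proxy access logs obtains both values and
    can fetch the PDF again for as long as it stays on the server.
    """
    query = urlencode({"email": email, "passport": passport})
    return f"http://conference.example/registration/confirm.pdf?{query}"


def pii_visible_in_url(url: str) -> Dict[str, str]:
    """What an eavesdropper learns from the link alone (empty dict if nothing)."""
    params = parse_qs(urlparse(url).query)
    return {k: params[k][0] for k in SENSITIVE_PARAMS if k in params}


@dataclass
class Grant:
    registration_id: str
    expires_at: float
    used: bool = False


class TokenStore:
    """Server-side state for opaque download tokens.

    Only the SHA-256 digest of each token is stored, so a dump of this table
    does not yield usable links; the plaintext token exists only in the URL
    that was mailed to the participant.
    """

    def __init__(self) -> None:
        self._grants: Dict[str, Grant] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, registration_id: str, ttl_seconds: int,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable
        self._grants[self._digest(token)] = Grant(registration_id, now + ttl_seconds)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the registration id once, within the TTL; None otherwise."""
        now = time.time() if now is None else now
        grant = self._grants.get(self._digest(token))
        if grant is None or grant.used or now > grant.expires_at:
            return None
        grant.used = True  # single use: a replayed link from a sniffed request fails
        return grant.registration_id


def hardened_confirmation_link(store: TokenStore, registration_id: str,
                               ttl_seconds: int = 3600,
                               now: Optional[float] = None) -> str:
    """Mail a link that carries nothing but a random capability, over TLS."""
    token = store.issue(registration_id, ttl_seconds, now)
    return f"https://conference.example/registration/download?{urlencode({'t': token})}"


def token_from_link(url: str) -> str:
    """Extract the capability token from a hardened link (what the server reads)."""
    return parse_qs(urlparse(url).query)["t"][0]


if __name__ == "__main__":
    weak = weak_confirmation_link("alice@example.org", "X1234567")  # constructed values
    print("weak link leaks:", pii_visible_in_url(weak))
    store = TokenStore()
    link = hardened_confirmation_link(store, "reg-42", ttl_seconds=600)
    print("hardened link leaks:", pii_visible_in_url(link))
    print("first download:", store.redeem(token_from_link(link)))
    print("replayed download:", store.redeem(token_from_link(link)))
```

The token endpoint should serve the PDF directly from the registration record and never write the generated files to a web-readable directory; the single-use token fixes the link, but the copies sitting on the server still have to be removed, as was eventually done here.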
What is really funny is that I attended the IGF primarily to hear a multitude of “experts” and stakeholders talk about cybersecurity. I am assuming that most of these panelists registered online and clicked and downloaded that link.
In general at IGFs a good rule of thumb is that if you want to attend a workshop in which the panelists don't know what they are talking about yet all speak vociferously, then attend a cybersecurity session.
So, you cybersecurity “experts”, I did not believe a word you said. They say that cybersecurity starts at home. Before you lecture us about cybersecurity and scare me with nonsense about cyber terrorism, cyber warfare, Stuxnet and attacks on critical infrastructures, secure yourself. Secure your phone and your computer, and understand the processes and issues involved. A good place to start would be Tactical Tech's “security in a box” website, or the Cryptoparty Manual. Once you have secured yourself, then talk to me about cybersecurity.
The IGF website is running a very old version of the Joomla content management system, with many security vulnerabilities. Until the 24th of October our personal data was sitting on the IGF website in a directory called http://www.intgovforum.org/cms/wks2013/registration/, and was very vulnerable to data breaches by ill-intentioned hackers.
I approached Chengetai Masango, who was very receptive to my concerns, and together we deleted the personal information from the website. Our data, if not already leaked, is now safe.
The IGF has struggled, with very limited resources, to make an easy-to-access website with a wealth of historical information spanning 8 years of IGFs. The site, however, has no budget and only has Chengetai Masango and two skilled content managers from UNON Nairobi updating content and maintaining it. Let's use this opportunity to thank them for their hard work: all the information needed is there, and remote participation works well. It does, however, need an upgrade to its security. I hope that we can do our best, financially or by donating skills, to make a more secure IGF website and a more secure IGF.