When security researcher Bright Gameli Mawudor stumbled upon a treasure trove of MultiChoice credentials on the open Internet, his attempts to disclose it responsibly were met with legal threats.
Mawudor was a speaker at the recent MyBroadband CyberSec Conference. He is the head of Cyber Security Services at Internet Solutions in Kenya, and the co-founder of AfricaHackOn.
In an interview with MyBroadband, Mawudor explained how he accidentally uncovered a text file full of MultiChoice credentials on a misconfigured web server in the middle of a live demo.
He was demonstrating a technique known as Google Dorking — where you use Google’s advanced search operators to find information people didn’t think would be searchable on the open Internet.
One example of this is where people put ripped media on Internet-connected servers, which Google inadvertently crawls and indexes.
In this case, Mawudor wanted to demonstrate how easy it was to find credentials for streaming services like Netflix and Hulu with a Google search.
“Then I thought, wait, let me look for DStv.” When Mawudor clicked on the file, he got more than he bargained for.
“Nobody knew what happened,” he said. “I took it off quickly. I didn’t want anybody to see. Later I went to analyse the details.”
Hacking SuperSport and DStv
Mawudor said he couldn’t find a current contact on the MultiChoice website for security researchers to make responsible disclosures, nor does MultiChoice appear to have a bug bounty programme.
He first tried to contact MultiChoice over Twitter. When he didn’t get a response in two weeks, a lawyer friend put him in contact with a person at MultiChoice Kenya’s legal department. The MultiChoice employee was quick to inform Mawudor that what he had done was illegal and would land him in trouble.
Mawudor’s lawyer friend stood up for him and explained to her contact at MultiChoice that he could have done a tremendous amount of damage if he wanted to, rather than provide free security consulting to MultiChoice.
Eventually, Mawudor called a friend in South Africa who works in the information security industry. This friend put him in contact with people at MultiChoice’s head office, who finally locked down the exposed web server.
It took almost a month for MultiChoice to address the issue.
“If I was a bad person, I would have done a lot more with that,” said Mawudor.
“I would have been able to use those credentials to log into the monitoring of live [sports] matches that were going on, [or] into the VPN and into the internal network.”
From there, Mawudor said he could have shut down systems, or he could have manipulated live broadcasts if he wanted to.
When asked what companies can do to catch such simple vulnerabilities before an attacker does, Mawudor said that it’s a matter of prioritising security.
“Thing is, security is usually an afterthought,” he said.
When you develop a system, security needs to be considered while you are designing it.
“If you design for security from the outset […], you’ll be able to see the gaps.”
You should also make sure that you have a checklist of “do’s” and “don’ts” with respect to security.
Penetration testing is also useful to determine whether the security of your organisation is up to scratch, but Mawudor said that it’s important to remember that such tests are only a snapshot.
“It’s like a doctor telling you: ‘I’ve checked you. You look like you’re sick here and there.’ That is it,” he said.
Organisations need to go beyond occasional penetration testing and do vulnerability management — frequently assessing all your systems, networks, and appliances to make sure they are always screened for the latest vulnerabilities.
Mawudor said that there are tools available for vulnerability management, and that frequent scans of your environment can be automated.
In short: build a cyber strategy for the whole year, set a budget for what you’re willing to spend on all of it every quarter, and execute it.