The Zimbabwe Stock Exchange website hacking

We just got more information about the Zimbabwe Stock Exchange website hacking that happened 3 days ago. A source close to the issue says it has so far been established that the hacking happened at the application level of the website architecture. The nature of the hacking itself is not clear, as the website has been shut down and the URL (www.zse.co.zw) is redirecting to the hosting company’s website.

On Thursday, the Zimbabwe Broadcasting Corporation reported that the ZSE website had been hacked. According to ZBC, a crisis meeting was held yesterday between the ZSE officials and the company’s consultants to find a solution to the problem.

The ZSE website was developed by a local company called Adept Solutions. The company provides training on Microsoft products, Kaspersky Antivirus implementation, web hosting, email hosting and other IT-related services. A problem at the application level of the website means there were vulnerabilities in the current implementation of the ZSE website.

The website itself is hosted by Webdev, one of Zimbabwe’s largest web development firms.

18 Comments

  1. Macd says:

    Kabweza please, give us some technical soup. There is nothing in this story which I have not seen in other daily publications. I'm very disappointed. I was waiting for this story to pop up on this site so that I could at least get the technical side of events, and this is what I get?

    This site is on the rise and surely it will be there together with high techs like theregister.co.uk, but a lot of groundwork needs to be done.

    I had questions which I hoped were going to be answered here, like:

    How did it happen, was it spear phishing?
    Was it social engineering?
    Who are the perpetrators, what are the trace logs showing, an outside IP?
    What is the security setup like?
    Do they have their own internal specialist or are they outsourcing?
    Who is going to take the blame, the ZSE or their hosting company?
    What OS are they using, is it customised or is it the standard?
    What was accessed and how much was taken?

    And more…

  2. Art (The Idea Factory) says:

    @Macd, that may be releasing more sensitive operational-type information, in my opinion. My hope would be: we hope the ZSE has security processes that ensure the site is secure, and that penetration tests are done periodically to ensure vulnerabilities are not inherent in the codebase. We are reminded that we have to consider security as one of, if not the, integral parts of any software we develop.

  3. Anonymous says:

    @Macd – as far as I know, they were using a custom PHP application. I
    know this because I did a proof-of-concept a while back on scraping
    share prices from the ZSE site. Hopefully they’ll include an API when
    they redevelop the website, and join other stock exchanges in the 21st
    century (one can hope).

  4. Macd says:

    @230385e3239bbfa9803f3a39b2294757:disqus the questions I have can be answered without revealing the technical details. Hiding behind a blanket of secrecy will not help. This site is to provide information.

  5. Lon says:

    Yet another slop in basic security principles. @ea25193fe8b994b12d8d7ce0e892a1b6:disqus and others, the screen is clear here: ZSE hired a third party to develop their apps, and no security architecture and design concepts were adopted, resulting in substandard solutions being marshalled into the mainline network.
    Also note that some of the questions you are asking may not be answered, because the guys who broke into the site are professionals and there is no way they would leave their traces. More so, ZSE does not have any dynamic logging and monitoring capabilities such as Web Application Firewalls, Security Information Events Monitoring or IPS, so where do you think they will be able to scrounge the logs?

    @Macd, I am certain there was no form of social engineering or spear phishing used here. Such tactics are only used if the targeted site is difficult to break. If there is so much security in place, hackers resort to social engineering. This was not the case for ZSE. There is/was no basic security; an enterprise-wide web app clogged with loopholes and vulnerabilities was in place, and it was just like walking into a public toilet, a doors-open-for-everyone type of scenario.

    From a security governance point of view, the ZSE senior management are responsible, and not Adept. They should put in place policies and procedures to ensure that service providers don’t bring such insecure crap into their environment.

    The rise of Advanced Persistent Threats (APTs) should change the culture of the big companies, and they should start investing in real security, not the mumbling jumbling rhetoric stuff they always say…

  6. Anonymous says:

    LOOOL WEBDEV!!!! Has anyone even looked at their site? How often do you feel like puking when you look at such a messy website? Well, I love it when people recognise the vulnerabilities of such old-age implemented sites. Any script kiddy can take such a website down. In as much as I can't say much, be assured more sites are coming down.

  7. ngth says:

    I agree with Macd, it would be nice (if anyone is willing to give out any info) to know how the attack was done. Was it cross-site scripting, SQL injection, a phishing scam, etc.?

    Obviously exact details or logs should not be given to the public, but it would be very interesting to know the method employed. It would also help other developers to learn about such loopholes.

  8. Munhu says:

    kabweza – more like : BlackBerry blog hacked with riot-related threats
    We know where you live, says hacking crew.

    check – http://www.theregister.co.uk/2011/08/09/blackberry_blog_riot_hack/

  9. macd says:

    This should be a wake-up call to those at ZSE. We live in a world of IT where secrecy can easily worsen your company's or organization's social and financial standing.

  10. Lon says:

    @Macd and @504f6ea59b3d6ced7f3dc71b1d759565:disqus, every country is governed by disclosure laws. Take for example the USA and other bigger economies: there are laws which stipulate that if a company is breached or hacked, it should disclose the impact of the breach and some further details (governance laws). However, we don’t have anything like that in Zim and hence ZSE are not obliged to say anything. I am not saying they should, but as for me, I am more clear of what happened and the extent of the breach, so whether they say it or not I understand what happened.
    Having said that, we need either some bodies or the powers that be within the business circles, maybe the treasuries commission, to put such disclosure laws in place. South Africa has something in their King 3 laws, so why not Zim?

    I read that Zim is in the top 10 of the future hubs for IT in Africa. In as much as I am happy for that, I am a bit saddened by the culture of security, which is lagging behind as other components of IT are slowly growing in Zim.
    It should be security first and the rest follows, otherwise such hacks will always occur, and sooner or later the big companies will be ashamed for not investing in security.

    Finally, the attack did not use any form of social engineering or phishing. It was a straight-up bang on weakly coupled and poorly developed applications running on insecure backends and disoriented databases with open services and a lot of defaults enabled, on top of unpatched OS, DBs and apps…
    Also, there are no logs to be shown to you guys because the ZSE does not do any logging and monitoring.

  11. Anonymous says:

    When I first came across Techzim, started a while back, I sniffed around to see what was open, and I have done it again today. I would like to say there has been a great improvement on the security side of this site!

    Have I revealed anything? NO. That's what we want in Zim: a way of improving IT security without hiding or fear of the unknown.

  12. Farai says:

    And it’s still down as we speak…
