Zimbabwe finance ministry website taken down after hacking

According to Consumerizim, a local consumer e-activism website, the Zimbabwe ministry of finance website www.zimtreasury.org was hacked yesterday. The website was apparently hacked by a group of hackers calling themselves Abs0lution. The site has since been taken down.

Here’s a screenshot Consumerizim took of the defaced website:

The site has been taken down and currently shows the following:

Finance Ministry Zimbabwe

The finance ministry website (like all other government websites) is only used to publish (already public) reports and make announcements. It doesn’t have any actual connection to any of the ministry’s databases or data that’s not already public, so, save for embarrassment, such hacking has no impact on the ministry’s operations.

This is the second time the Finance ministry’s website has been hacked. As diplomatic cables from Wikileaks dominated the news in December 2010, a hacker group reportedly working in solidarity with Wikileaks defaced the website, resulting in it being taken down for several weeks.

This is also the second high-profile hacking of a government website in Africa this year. Just last month, more than 100 Kenyan government websites were hacked by an Indonesian hacker.

42 Comments

  1. There is need to improve the security of websites in Africa particularly and generally around the world. Like the play @ words with Consumerizim (didn’t know they existed). There is a critical need to aggregate Zimbabwean websites, so that we know where to get what info on Zimbabwean issues.

  2. Joe Black says:

    Funny you should bring that up … I’m working on a comprehensive directory as we speak.

    As for the hacking … it happens. I’ve started noticing a bit more focused hacker attention on local web sites and servers.

    Is it possible some of these guys use us Africans as “soft targets” to practise their skills?

  3. Harrison Ford, Air Force One says:

    I bet it’s a Joomla site like all Zimbabwean sites hacked
    e.g. ZSE, Herald, NewsDay etc. And most of these seem to be made by one big web
    designing company. You really wonder if they are learning anything at all about
    security. Poor website security is also why I am not on sha yet, if ever. I don’t
    feel they can provide as much security as Facebook does. I expect criticism for
    mentioning sha but I dare them to convince me that they have serious security
    measures to protect user information like emails and messages etc. After all
    the same company behind it built many prominent sites that were hacked.

    1. Dave says:

      waiting for the reply also

    2. Anonymous says:

      Please Webdev reply! I also want to know what you have to say in response to these allegations

      1. Anonymous says:

         U think they even know anything about that when they just copied and pasted a plug in.

        My answer on their behalf: We will look to get the best plugin for that.

    3. ngth says:

      I think it is worth pointing out that Webdev host but did not develop the ZSE, Herald or NewsDay sites (they have developed the new Herald site but did not do the old one). I am not saying their security is top notch and they can’t be hacked, just that I do not know of any of their sites that have been hacked, e.g. classifieds etc.

      Their hosting also seems secure, it is that the sites they are hosting are not and hence get defaced. Seems unfair to label them with any blame when other developers are responsible. Hosting is about providing electricity and bandwidth, it is the developer’s responsibility to secure the site.

      High profile sites should have a maintenance contract with their developers to keep the site upgraded and patched; this “pay once and it must last forever” plan most people use for sites here leaves them open to attack.

      1. ngth says:

        Just worth pointing out I do not work for Webdev so take my comments with a pinch of salt, I do know some people who do though, so hopefully they will come on here with the correct info.

        1. Harrison Ford, Air Force One says:

          The Herald website http://www.herald.co.zw clearly says “site and hosting by WebDev” and it has been hacked a number of times.

          THEY MUST COME AND TELL US. I LOST ALL CONFIDENCE IN THEM WHEN I FOUND A POORLY DONE “COPY AND PASTE” JOB OF THEIR TERMS & CONDITIONS ON THE SHA SITE. AND I THINK SOMEONE EVEN HIGHLIGHTED IT ON TECHZIM.

          Even other sites aside, how safe and secure is sha because right now i can tell you it isn’t.

          DO YOU HEAR THAT WEBDEV, I WILL NEVER USE SHA BECAUSE IT IS NOT SAFE FOR ME. IF IT IS SAFE I DARE YOU TO SAY HOW SAFE IT IS BELOW.

          WEBDEV, YOU CAN POST YOUR REPLY BELOW.

          I USE FACEBOOK BECAUSE I KNOW HOW IT PROTECTS MY DATA, AS FOR SHA…. AND BECAUSE MORE STRINGENT U.S. LAWS POLICE EVERYTHING FACEBOOK DOES WITH MY DATA.

          I KNOW YOUR EMPLOYEES READ THIS BLOG BECAUSE I SAW THEIR COMMENTS/POSTS WHEN SHA LAUNCHED.

          I could tell you a lot about sha right now but then again i would just go on and on and on.

          I am not there for a reason. it’s just not safe for a social network.

          I dare them to say what security measures there are in place. i am not asking them to tell us what plugins they use, but simply just how safe it is to use sha.co.zw, as a member – even using the scale: “safe”, “moderately safe” and “very safe”.

          1. slackie says:

            webdev reply here. 
            Webdev did not develop or host the ministry of finance website. ZSE was not developed by us, and although hosted by us the hacking took place at the code level. NewsDay was not developed by us, and although hosted by us the hacking took place at the code level. Herald has not been hacked since we took it over. We developed and host it. SHA has not been hacked. To answer your question I would put it in the ‘safe’ category. We may not be as secure as Facebook, but we do have a good track record considering how high traffic sites we develop and host. We have daily hacking attempts on our sites and I would say we know more about internet security than most in Zimbabwe. You seem to have something personal against Webdev Harrison as this article had nothing to do with us, and your comments mostly attack webdev with incorrect information.

            1. Harrison Ford, Air Force One says:

              Dear Slackie, if this is what WebDev does, that when a concern is raised about its products, it then goes on to say:

              “You seem to have something personal against Webdev Harrison as this
              article had nothing to do with us, and your comments mostly attack
              webdev with incorrect information.”

              Then it is rather sad because you imply people who raise serious concerns about a WebDev product have something against Webdev and accuse them of all sorts of things like “using incorrect information”

              if people raise concerns about Facebook security, Facebook does not go out there saying those who say so have something against Facebook. facebook proves to people how safe it is and tells us what it does to secure that data.

              I am not going to bother and believe your word regarding which sites you did and when as the gospel. My point has been proven already. Sha IS, as you say, “SAFE”, not “moderately safe” or “very safe”.

              Thank you for that because should it be hacked i would not want my email address or other details and communications disclosed WikiLeaks style.

              The concept of a Zimbabwean social network is good, but with great power comes great responsibility.

              The article talks about the finance ministry website but it also highlights security issues of zimbabwean websites and Sha deserves special attention and focus because of its “personal” nature. Did you want me to wait until Sha which is “safe” has been hacked to say something?

              Now what you should do is make Sha even more safe rather than stop concerned fine Zimbabweans such as myself raising safety concerns about Sha.

              Some of us scrutinize products before buying them or using them.

              At this point, i will also disclose some of my findings of my scrutiny of Sha to techzim right now. it is not that i have something against Sha, i just expect high professionalism when user data is concerned.

              Oh yes, dont panic, it is nothing that will scare your users. But if it is necessary i can post it below, if Techzim says/decides so. I am not doing this as an attack, but it’s just that i have serious data security and privacy, and professional concerns.

              Hopefully my actions will lead to a far much more improved and vastly superior and “very safe” Sha.

          2. slackie says:

            if you do have any security observations or bugs etc … on http://www.sha.co.zw we actually often give $$ to people raising those with us as you can see on the ‘winner$’ tab so we are happy to entertain those. please email admin at sha dot co dot zw with that.

            1. Harrison Ford, Air Force One says:

              Tell  me that the $ reward will be definite and how much you are prepared to pay me and i will tell you my observations and even suggest security enhancement.

              I am not asking for much, or even hundreds.

              Then i will tell you all my observations.

              For me to suggest anything it has to be definite.

              Already, the stuff i see wrong is enough to have all your sites including the herald, classifieds, newsdays etc. shut down and this can negatively affect all your future business.

              Your servers are located in USA which has serious data security and integrity laws that can have your sites shut down. This also means you must also comply with US laws, on top of Zimbabwean laws. I know some of the critical ones, and i can suggest ways you can comply.

              As it is, you are in violation of a number of US laws and one of the simplest ones which you can easily fix, carries a fine of US$250 000 and/ imprisonment, plus damages, and in the US there is no limit to damages unlike in Zimbabwe.

              By the way, if your membership, say, now exceeds 10 000, you are looking at a minimum total compensation, excluding the above, of at least $1 000 000.

              If i was out to get Webdev, by now all your sites would have been offline, shut down by US law enforcement, and those behind Webdev would face arrest if they ever set foot on US soil/territory, including means of transport.

              Online business is not just creating the site, there are compliance issues as well.

              I will email you so you can tell me your offer. I am sure you now appreciate that i am actually one of the good guys. I will tell you half, then you pay me, then i will tell you the rest of my observations. just covering my back.

            2. slackie says:

              for that to happen we need a formal proposal, quote and cv from you before we consider it.

            3. Harrison Ford, Air Force One says:

              I am not certified in IT and do not have a degree in it, but i know what i know. Bill Gates started Microsoft without certificates, and Zuckerberg did same thing.

              If you want a CV to consider obvious security and compliance issues, and issues that are critical to your staying in business, then well you can see for yourself when maybe a hacking has happened.

              if i were you i would just look at the technical security details rather than what cut of cloth i am wearing.

              And from evidence worldwide, many hackers are not professors or degreed programmers.

              If you want a degree garai makadaro.

              I just won’t use sha and will tell my friends and family to stick with FB. And always remember that your other businesses are threatened by what happens on sha.

              I am sure you saw the comment i posted and was deleted by the moderator. There is just a hell lot more. i submitted only very little issues to Techzim because i suspected they might have a webDev employee on board.

              Of course i won’t bother to mention Sha issues publicly on my own blog where i will be free to do so because i have nothing against sha. I am sure when something finally happens to the site or the law takes its course you will do something.

              After all it is not my business.

              I think i rest my case. When someone who has the same knowledge as i do puts you pa tight, i will come back to say i told you so. At least i have good intentions.

              far better to just get the information than to bother me asking for my CV. What for? Already your site is not sufficiently protecting and securing member data.

              Hopefully you will not provoke me to prove to the whole world how unsafe your site is, despite my lack of IT certification.

              Anyway and like i said, i will not go further with this dialogue. Time may be on your side.

            4. kthaker says:

              sniff sniff….. hmmm harry, your posts smell very much like slander. be careful dude.

            5. Harrison Ford, Air Force One says:

              I WOULD NOT SAY SOMETHING I AM NOT SURE OF, NEVER. I UNDERSTAND CORPORATE LAW VERY VERY WELL, AND I GOT DISTINCTIONS IN ALL MY LAW SUBJECTS AT DEGREE LEVEL.

              THERE IS NO SLANDER IF YOU ARE TELLING THE TRUTH AND YOU CAN PROVE IT.

              IT OUGHT NOT TO GET TO A LEVEL WHERE I GO PUBLIC, WHETHER IN A COURT OF LAW OR NOT, TO PROVE THAT THE SITE HAS SECURITY ISSUES.

              I LIKE WHAT WEBDEV IS DOING AS IT SPARKS IMAGINATION AND CHALLENGES THE WHOLE SECTOR TO BE BETTER. IF I HAD SOMETHING AGAINST THEM I WOULD SIMPLY HAVE POSTED SOMETHING ON MY BLOG, BUT I DID NOT, AND HAVE NOT.

              INSTEAD OF JUST TELLING ME TO SEND THE INFO, I AM NOW ASKED TO SEND A CV, HECK, IF I GO OUT IN PUBLIC AND JUST SHOW PEOPLE WHAT I MEAN, PEOPLE WILL LISTEN AND WON’T CARE THAT I HAVE NO I.T. DEGREE, AND I WILL EVEN BACK MYSELF UP WITH PLENTY OF EXPERT OPINION, EVEN FROM ALL OVER THE WORLD IF NECESSARY. AND WHAT DO YOU THINK THEIR CLIENTS WILL SAY WHEN THAT HAPPENS.

              I GAVE THEM THE CHANCE TO GIVE THEM THE INFO, THEN THEY SAID I MUST QUALIFY MYSELF WITH A CV. WELL, THAT’S TOO BAD FOR THEM, I WILL NOT DO THAT.

              THERE IS NO CV I WILL SEND, I WILL WAIT UNTIL SOMETHING HAS HAPPENED, THAT WILL BE MY PROOF.

              I HOPE THEY WILL FIGURE OUT EVERYTHING THEMSELVES.

              I AM NOT GOING TO RESPOND ANY FURTHER TO THIS. I STICK TO MY WORDS AND WHAT I HAVE SAID AND I STAND BY THEM. I AM TELLING YOU THE TRUTH. IF THEY DO NOT WANT TO KNOW I DON’T CARE, IT IS NOT MY BUSINESS AT STAKE. SOMEONE ELSE CAN FIND OUT THE SAME THINGS I DID. AND THEY BETTER PRAY HE HAS GOOD INTENTIONS.

              LASTLY, I AM NOT ON SHA.

              THANKS.

    4. Benedict says:

       I doubt it’s the websites that they built. I suspect it’s the servers that were hacked. I wonder how many other websites are down.

  4. Rue says:

    Did you know that the Ministry has another website – http://www.zimtreasury.gov.zw done by GISP?

    1. Thank you for the contribution.

    2. Joe Black says:

      Wonderful! Just the favicon tells me it’s another Joomla build … I wonder how secure THIS one is. Shhhhhhhh you’ll alert the hackers LOL.

      1. Tapiwa ✔ says:

         Joomla is not inherently insecure (some of its plugins have vulnerabilities), but saying “It’s a Joomla site therefore it’s insecure” is blatant misinformation.

        I’ll hazard to say Joomla is likely to be more secure than most “local-content” CMSes. Perfect security is a myth.

        1. Joe Black says:

          Read my comment again, then think about your response.

          Did I say “It’s a Joomla site therefore it’s insecure”?

          1. Tapiwa ✔ says:

            You might not have said it outright, but you certainly insinuated it.

            The ellipsis is used to indicate continuation: you continued your observation that it’s a Joomla build by wondering how secure “this one” is.

            Also, I wasn’t just replying to you only, but to the thread at large; the anti-CMS sentiment seems popular around these parts by people who’ve never heard of the debilitating “Not Invented Here” syndrome.

            1. Joe Black says:

              Seems you’re hearing what you want to hear. By saying “this one” it was a continuation on the story (and running theme, both here in web hosting in Zim) of Joomla sites being hacked.

              Don’t tell me what I’m insinuating 🙂 Read, understand, don’t read between the lines.

              Sigh.

  5. Prosper Chikomo says:

    A few websites of big Zimbabwean companies I know with combined
    user accounts of over 1 million do not have any security at all. I have not
    told them that because if you highlight such things and then something happens,
    you will be treated as a suspect.

    It’s like one banking multinational bank, Standard &
    Chartered Bank, I had the misfortune of dealing with about 2 years ago when I applied for a Visa.

    They said my card would be out in 5 days. After 7 days I went back and I was
    told my card has not even been submitted to HQ. I was furious because I had
    things I wanted to pay for with that card.

    The manager then said come after 14
    days. (Making 21 days in total.) I went there 14 days later and there was still
    nothing. All that time going there, because of their stupid
    mistakes, I now already knew the names of all employees  in that bank Stanchart branch because i would be told go and see [put name here] and [put name here] would tell me to go and see [put name here 3].

    In the middle of the whole bad customer experience I wanted
    to tell the bank manager there that this is lax security if a customer can know
    bank employees by name but I decided not to because of the bad customer service
    they had rendered me. Why help them?

    Since they gave me bad service, I demanded, and got all my money back
    including bank charges and I left. I never bothered to tell them about the lax
    security

    Then what happened.

    A few months, if not a year later, I was to read in the
    papers that that very same Standard & Chartered bank branch was robbed of US$300 000 by some employees working in
    cahoots with an acting branch manager.

    I just said to myself I knew it, and served them right!

    VAKAKAURA!!!

    As for the hacking, I see these kinds of things everywhere.
    99% of Zimbabwean websites are just not safe and secure.

    Like I said, I know companies with websites and systems that
    are not secured, even as from a user point of view and not as an inside man,
    and I am being conservative when I say customers of these Zimbabwean companies number over 1 million in total.

    Should I tell them?

    Why the hell should i?

    In typical Zimbabwean fashion they will want to see you wearing
    a suit and they will ask you what your qualifications are (I have no IT
    certificates but I know what I am talking about), your company name, where your
    company is located, and even dare to ask me for CR14s

    Oh yeah, they will also ask you if you have at least 3 years
    in business.

    Sometimes you do not need to be a genius to know something,
    or to have 3 years’ experience to know something.

    And if you tell them, and then they get hacked and lose millions, you will be treated as the prime suspect simply because you showed them a loophole you suggested they cover.

    Many of the hacked sites were built by businesses that have
    survived 3 years but there are some start-ups and even unemployed graduates that
    can build more secure sites, and even many IT uncertified/undegreed people who can tell when
    a system is full of holes or not.

    So just like with the Standard & Chartered bank branch, I
    will keep my mouth shut.

    If one day a company website is hacked and customer
    data is stolen and more, they would have learnt their lesson. Why should I care?
    Why should I say anything, and for what? I just don’t do business with them,
    those who do will regret it one day.

    If I try to say something I will even be
    told to go to Harare, using my own personal funds, to protect a multimillion-dollar
    business? Hell no! They will see for themselves.

    By the way, I can also be arrested if I suggest which
    companies to you, or even to mention that they have security loopholes everywhere
    even if it is obvious.

    I would be happy to assist anyone who thinks his multi-million
    dollar business could be one of them, but you pay for travel expenses and advice
    beforehand, especially if you are in Harare and run a countrywide business. My advice is as is.

    1. Developer says:

       
      “A few websites of big Zimbabwean companies I know with combined user accounts of over 1 million do not have any security at all”

      I don’t think there is a site with more than 50,000 users in Zim, let alone a million, even if you combine them!!!

      1. Prosper Chikomo says:

        Well, if you add up the total users of the companies i talk about their total users are over 1 million. Do not underestimate users of Zimbabwean websites or services. After all, all the mobile networks, as an example, have millions of users. I am not saying it is websites of mobile companies. I am not going to discuss that fact any further as i believe i have made my point very clear.

  6. Anonymous says:

    Are we short of companies that can develop a website complete with its own inhouse CMS?

    1. ngth says:

      I do not think using an in house CMS is the answer, you’re better off getting the power of a tested product with lots of developers.

      However it is a case of keeping the CMS up to date with patches and implementing the correct development policies when building addons.

  7. Get your $50 site here says:

    The problem is, that zimbabweans are in it for the cheapest possible deal…
    (get your $50 website and emails set up here!!!!!!)

    If you want security, get a proper local developer to set your site up, not some spotty 17 year old kid, sitting at an internet cafe downloading free templates. And if you are one of these developers try adding some of these mods/components, they might help!

    http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection/8384

    http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection/14087

    1. Harrison Ford, Air Force One says:

      You made me laugh. That is the problem there. Joomla sites, being easy to create, someone will just install the site and forget about the security. Uninformed buyers of websites who are unaware about security issues will love the design and kiss the guy who created the site for just US$50 when more could be at stake.

  8. Madziva says:

    How many Zimbabwe joomla sites do we have hosted internationally  and
    how many have been hacked? How many joomla sites do we have hosted
    locally and how many have been hacked? BY THE WAY how many website CMSs
    do we have on the market. Among Joomla, WordPress, Drupal (all open
    source), how much market share does each one have, which one is the
    leading CMS?

    Webdev, design@7 et…al used to work with Cold fusion, but things are changing, we need those components, the extras and we need easy iteration. Design has nothing to do with hacking. Price has nothing to do with hacking. Technology prices are getting cheaper and cheaper and I have taught 10-17 year olds how to create their websites with Joomla, WordPress and Drupal etc.

    We arguing the wrong matterz here mazimba. Look at the websites which are being hacked: GOVERNMENT websites, ZIm, Kenya et..al and some Anonymous groups acknowledging that they have done IT.
    WE ARE BLAMING JOOMLA BECAUSE IT IS THE MAJOR CMS RIGHT NOW.

    1. Harrison Ford, Air Force One says:

      Personally, i do not blame joomla nor any CMS. Even the huffington Post uses Drupal. However, i refuse the assertion that only government sites are hacked. Even the smallest site ought to be very safe and secure. you can’t have an insecure and not safe site just because only gvt sites are hacked. even your small one can be hacked too. some sites are even hacked and do not know it. If a site is defaced, there is evidence, but there are many that are not defaced that are hacked and there is no visible evidence. i do not blame the tool, i blame how it is used by those who use it.

      remember the wikileaks cables, the evidence of the hacking wasn’t visible. only when the cables were released was it discovered there had been a security breach. i know people will criticise my wikileaks example but the moral is the same.

  9. Munhu says:

    nothing wrong with joomla…ebay uses joomla, UK gvt, Orange, European Union all use joomla.

    Do your homework if u are a joomla user and improve your skills…nxaa

    1. Anonymous says:

       No no no no wait there. UK GVT and White house use Drupal not Joomla

  10. kthaker says:

    wow! for a discussion of web and security experts.. no one actually realised that the site is actually developed in cold fusion. well done guys! 

    hint:

    http://www.zimtreasury.org/sitedown.cfm?CFID=8146175&CFTOKEN=84887091

    1. Joe Black says:

      KT the discussion quickly evolved from being about the Ministry’s site, to one about hacking, and then about CMSs being used shoddily.

      Keep up, bro.

      1. kthaker says:

        and now it’s moving on to what the original site in question was developed in….which wasn’t php or joomla as people so gracefully assumed. hackers don’t discriminate 🙂
        ^5

  11. Shaba says:

    Okay this was not a hack! LMAO… Bunch of Amateurs!
