On Friday, March 27, at 5 in the afternoon, I received a direct message on Twitter. The sender was Jorge Villalobos, a software programmer, a Mexican living in the United States who has never worked in government. He wrote: “The data for Sinave's health map are published a few hours before the conference (on coronavirus). It is not very difficult to take them out if one knows something about software programming”.
In the following days, Villalobos sent similar messages, with the case numbers that would be announced later. Each night, they matched. In a long interview, he said that he was not hacking the page, but that it had a “bad practice” in its settings, that it “was very poorly made” and that a visible version had been posted on the system before the hour of the official announcement, one that “any programmer” could easily find.
He insisted: “You can access it without a problem, but I think that those who made the page do not know”. We then decided: we would make the data public on my Twitter account, and we would see whether there was a “patch” on the system. It didn’t happen, and the figures were confirmed again. Many people criticized that the data was published first by a journalist, arguing that there was a press conference. And of course, they were right. Inside the Secretariat of Health, they sought to find out who the “reliable source” behind the leak was, but the system remained intact.
The next day, Villalobos recorded a video explaining how he got it. Digital security experts Luis Fernando Garcia, of the organization R3D, and Rafael Bucio, director of the company TPX Security, analyzed it and agreed: what their colleague did is legal, and it was just bad design of the page. But the three discovered a more worrying vulnerability.
The map is hosted on a page of the National System for Epidemiology (Sinave), created in 2006, that works over HTTP, an Internet protocol that is not encrypted. In addition to the coronavirus figures, data on other diseases, such as cholera, influenza, diabetes and tuberculosis, are also housed there. Garcia, of R3D, said: “The domain is not encrypted, exposing public servants with access to the system to the theft of their credentials (username and password) and to unauthorized access to the information. It is not possible to measure the severity of the potential harm of unrestricted access, but it would be very important to correct it”.
Bucio analyzed Sinave through Shodan, a public risk-analysis platform. He found that the site has at least eight vulnerabilities detected on this platform. “That website could be compromised in three or four hours of work by a cybercriminal,” he said.
On April 2, the Directorate General of Epidemiology of the Secretariat of Health responded to this column that the site is monitored 24 hours a day by a Technology Infrastructure Data Center with security protocols against attacks. Shortly before the response was sent, the map showing the figures was removed from the system, and the data are no longer accessible before the nightly conference. When this was done, the Sinave site stopped working for a few minutes. “They took down the entire page when I went to correct. This is another test: the one who is working is not professional, look fellows,” said Villalobos. Later, Health said that they had removed the map “so as not to create misunderstandings (sic)”.
The Secretariat also responded that they do have encryption certificates, and that they “will be implemented in the next few days; however, it is important to mention that the information has never been exposed to any type of attack (sic)”.
For the experts, the fact that the map could be seen early is not ideal, but it is not too serious an error. They considered it more important to monitor how the system is operating. Garcia, of R3D, said: “Although one cannot generalize from these errors that all the information handled by the government in response to this epidemic is at risk, it is indeed desirable that more sensitive information, for example, that which is intended to be shared through the app announced by the government, be protected with much greater care.”