Exclusive: Top-secret police codes up for sale
Cyber crime experts warn this could expose critical cop systems to hackers
Secret codes that make critical police databases vulnerable to hackers are being peddled to private companies, a forensic probe has revealed.IT investigator Trish Richardson made this discovery while looking into the alleged theft of computer systems and intellectual property belonging to a company contracted by the police.
Richardson stumbled across an offer to procure software source codes for firearm management systems – identical to those used by the police. The source codes are a set of instructions that are used for computer programming.
“Giving the source code to someone is the same as giving a criminal the master key to a safe. If the source code relates to the police firearm system you would also know where every single police firearm in the country is all the time,” a police cyber crimes source told Times Select.These codes are the blueprints to potentially critical police databases and systems, and include those used to track SAPS firearms across the country.
The codes do not contain the actual information inside databases, but they can provide information on the database’s layout and where the information is stored.
Police cyber crime officers and firearm legislation experts say hackers can use these codes to gain access to the data. They warn that, once inside secure police systems, other systems can also potentially be accessed, including the Central Firearms Registry, which contains details on every single gun owner in the country.
Richardson says she discovered the codes were for sale while conducting an investigation for IT solutions company FACTT, which sold the police various computer systems.The person who offered access to the codes was Jerenique Bayard, a director of the Centurion IT solutions company, Intsika-IT. Bayard was involved in another company, Unisys Africa, which won a computer software supply tender with the SA Police Service in the early 2000s. Unisys Africa was the head of a consortium that included FACTT and IT solutions company Forensic Data Analysis (FDA).
Bayard last month offered the source codes to Richardson in an e-mail, which Times Select has seen. This was at the same time that FDA was shutting down several of the police’s computer systems over a pay dispute.Bayard told Times Select he had the necessary permission to provide the source code to a third party.
“I was procuring the solution from the owner and authorised distributor. The commercial agreements are confidential.”
But Richardson said Bayard did not have permission to sell the source code. She warned the potential threat posed to national security was huge, “especially as the police still use the same system”.
“With source codes you can install malware (harmful software) onto systems without the customer ever knowing.”Times Select has learnt that, on Monday, Richardson met with IPID’s investigations head, Matthew Sesoko, and senior Hawks cyber crimes officers over Bayard’s source codes offer. Both IPID and the police declined to comment.
Bayard insisted the source codes were programming codes and did not contain any client data or “classified documents”.
“It is inaccurate to say I have offered to sell source code that is key to sensitive police databases. The SAPS data is secured by SAPS and SITA [South African Information Technology Agency].”
Bayard said to date he had not sold the source code to anyone and had not quoted anyone a price.SITA chief executive Sethumo Mohapi said while orginal source codes did not contain data, “it gave you the information on how to manipulate the data”.
He said with a source code, hackers could then create “object codes” which would then allow one access to the data.
In 2013, hackers stole the names and personal details of nearly 16,000 whistle-blowers and crime victims from the police website.
Attorney Martin Hood, who represents South Africa’s firearm industry, said once you have access to one police system, you potentially gain access to all their systems, as you are behind their IT security firewalls.
Bytes Technology, which took over Unisys Africa, distanced itself from the leaked source codes, saying Bayard had never been employed by Bytes.