When a security researcher contacted MyBroadband with information about scams and online fraud being conducted from domains registered and hosted in South Africa, we tried to report the matter to the National Cybersecurity Hub.
According to the Cybersecurity Hub website, we should have received a confirmation email with a reference number for our report, but this has not happened.
Sadly, this lack of response is actually an improvement from several months ago when we conducted a similar test and found that the Cybersecurity Hub was unable to receive email at all due to a misconfigured email server.
Since email is the only channel through which security incidents may be submitted, this means there is currently no reliable way to send such reports to South Africa’s National Cybersecurity Hub.
The National Cybersecurity Hub of South Africa was officially established nearly five years ago to be a central point for collaboration between industry, government, and civil society on all cybersecurity-related incidents in the country.
It was unveiled by the former Minister of Telecommunications and Postal Services, Siyabonga Cwele, on 30 October 2015.
One of the features of the hub announced by Cwele is that it is meant to receive reports of cybersecurity incidents from stakeholders and have clear incident management processes in place to help handle issues that are reported.
Cwele also specifically highlighted the need to fight back against scams and online fraud at the lunch of the Cybersecurity Hub.
“Cyber attacks are real. No single individual or company may afford to singlehandedly defend him or herself against hackers and havoc-wreakers,” Cwele said at the launch of the Cybersecurity Hub.
“If people discover that they have experienced theft they usually just [cut] their losses and try and defend themselves from repeat incidences. We learn daily of incidences of internet fraud where the poor are lured to buy products which appear cheap but are required to deposit funds only to find it was fake.”
Reporting attack sites
MyBroadband received information from Artists Against 419, an organisation that tracks online scammers and provides a database of websites used to conduct online fraud.
Several months ago it tried to report an attack site which was hosted in South Africa to the Cybersecurity Hub, because it was struggling to get the hosting provider to take it down.
At the time, the published email address for reporting incidents to the hub was [email protected].
However, e-mails to that address were all bounced back with an error message indicating that the Cybersecurity Hub’s mail server was not configured correctly.
The full error message was: “550 5.4.1 [[email protected]]: Recipient address rejected: Access denied [AM5EUR03FT016.eop-EUR03.prod.protection.outlook.com]”.
MyBroadband contacted the relevant parties at the CSIR and the Department of Communications and Digital Technologies about the issue, but received no feedback.
Several months later the Cybersecurity Hub changed its reporting address to [email protected], and MyBroadband tried reporting a new incident — this time regarding a domain used to facilitate all manner of scams, including fraudulent tenders.
This time the mail server did not immediately respond with an error message, but we also received no answer from the Cybersecurity Hub.
Cybersecurity Hub incident management process
According to the Cybersecurity Hub website, its incident management process works as follows:
- An incident is submitted through the website or email.
- You will receive a reference number via email.
- The Cybersecurity Hub will route your incident to the appropriate authority.
- The identified authority will respond to the Cybersecurity Hub with a reference number of its own. This reference number is then captured as part of your cybersecurity incident. Once this step is complete, the identified authority is responsible for the resolution of the incident.
- The identified authority will correspond with you directly. The Cybersecurity Hub has no control over the incident investigation and resolution process.
- You will receive confirmation on closure of the incident.
While the first step of the process claims that it should be possible to submit an incident through the website, currently it is only possible to do so via email.
The Cybersecurity Hub website also states: “If you have not received feedback after 5 working days, please contact the Cybersecurity Hub through an email, quoting your reference number. The Cybersecurity Hub will then contact the identified authority for feedback.”
Since no reference numbers are issued, this means that the Cybersecurity Hub’s incident management process completely fails at the second step.