“It all started with Trevor and Tekla Fernando.”
Suchetha Wijenayake, long-term Linux guru, FOSS advocate and founding member of FOSS.lk, has been working with the web for a long time – and in his work as a system administrator, trainer and web coder, he’s seen his fair share of web security flaws and exploits. Recently, while running a simple Google search for two popular names from the request shows of the Sri Lankan Broadcast Corporation’s English Service from the 1990s, he happened upon some odd results:
One of the links on Google led directly to a set of Microsoft Excel files containing over 100,000 names, ID and passport numbers, dated July to September 2013. Tracing back the URL led to an unprotected directory on the website of the Sri Lanka Bureau of Foreign Employment (SLBFE). The next day, he called the SLBFE to alert them to this flaw.
Unfortunately, things went downhill from there. After going through multiple secretaries, Suchetha was directed to an IT consultant who promptly accused him of hacking and later called him to tell him that they would be coming for him (Suchetha) very soon. Calls to Amal Senalankadhikara, Chairman of the SLBFE, proved to be useless.
“Many of my friends were asking why I didn’t report it to the National Center for Cyber Security, others why I was getting so bothered by something that was being proven to be not my problem, and something the SLBFE was unconcerned about. I had two reporter friends asking for the story, and a bunch of people asking for the URL (which I wasn’t ready to release).
I was upset about all this because I am not sure how much mischief you can get up to with someone’s name, passport number, and ID number, but I imagine it’s quite a bit. I have spent too much time fighting security breaches that I feel bad for the poor sysadmin who is at the firing line. I also like to think that I am a good guy. That I do the right thing. This may be a delusion, but we all have them,” explains Suchetha in the public blog post he made after days of trying to get in touch.
Unfortunately for Sri Lanka (and unfortunately for people like Suchetha), it appears competency is no longer the watchword of the day. As of the time of writing, the directory in question is still open, though files later than 2011 seem to have been moved elsewhere.