Gov't urged to strengthen checks as second Jamcovid security lapse reported
Tuesday, February 23, 2021
BY JASON CROSS
On the heels of the discovery of another security vulnerability on the Jamcovid website, data security and web hosting expert Trevor Forrest has urged the Government to strengthen checks and balances when contracting companies for sensitive data technologies.
“Things need to be done as it relates to these kinds of assessments, ensuring that the systems are in compliance with security standards, and global data protection privacy standards, and so on, and to ensure that Government is on the leading edge of what it needs to do to deliver the services it needs to, and to move into a digital society,” Forrest told the Jamaica Observer yesterday.
Just days after the Government assured users of the Jamcovid application that their personal data was safe, following the revelation that travellers' personal information had been left unprotected, technology magazine TechCrunch yesterday reported another discrepancy in the system.
According to TechCrunch, a second security lapse had exposed private keys and passwords linked to the Government app and the website.
A security researcher, who asked not to be named, due to fears of legal action from the Government of Jamaica, told TechCrunch on Sunday that the Amber Group, which created and implemented the system, allegedly left a file unprotected. The file reportedly contained passwords that would have given access to back-end systems, storage and databases running the site and app.
The file was said to have been left unprotected as a result of a mistake.
It was discovered in an open directory on the Jamcovid website.
“The exposed file contained secret credentials for Amazon Web Services databases and storage servers for Jamcovid. The file contained a username and password to the SMS gateway used by Jamcovid to send text messages and credentials for its e-mail-sending server,” according to the TechCrunch story entitled 'Jamaica's Amber Group fixes second Jamcovid security lapse'.
The Observer attempted to contact the group's Chief Executive Officer Dushyant Savadia for comment on the latest revelations, but calls to his phone went unanswered. Attempts were also made to get comments from the national security ministry on the matter, but the newspaper was unsuccessful.
TechCrunch reported that it had made Savadia aware of the second breach.
The magazine also said that the Ministry of National Security had not responded to its queries as to whether the Government would continue its contract or relationship with the Amber Group, and what security requirements were agreed on by both Amber and the Government for establishing the app and website.