{"id":7983,"date":"2026-06-18T20:30:09","date_gmt":"2026-06-18T20:30:09","guid":{"rendered":"https:\/\/www.fintechpulse8.com\/?p=7983"},"modified":"2026-06-18T20:30:09","modified_gmt":"2026-06-18T20:30:09","slug":"wild-goats-open-gates-government-websites-are-asking-to-be-hacked","status":"publish","type":"post","link":"https:\/\/www.fintechpulse8.com\/?p=7983","title":{"rendered":"Wild goats, open gates: Government websites are asking to be hacked"},"content":{"rendered":"

<\/p>\n

\n

Government websites are insecure and a mess. The Constitution says that officials must provide us, the public, with \u201ctimely, accessible and accurate information\u201d. The way that is done in the modern world is through websites.<\/p>\n

But the gov.za websites are highly insecure. They are vulnerable to viruses and ransomware. There have been many reports of hackers penetrating the state\u2019s systems.<\/p>\n

Read:\u00a0Government says its computer systems are secure: We looked and they\u2019re not<\/p>\n

We previously reported that the State Information Technology Agency (Sita), the body responsible for much of the state\u2019s computer systems, including websites, has more than 5 000 known security flaws across its public-facing network on the internet.<\/p>\n

We have now examined government websites and services outside Sita\u2019s network using the same industry tool. These internet services are scattered across Telkom, Vodacom, MTN, Microsoft Azure, municipal servers, private hosting companies, and more. Some appear to be managed by government departments themselves. Some appear to have been built years ago by whoever was cheapest (or most expensive) at the time, and not meaningfully touched since.<\/p>\n

\n

It is not just Sita\u2019s network that is plagued with vulnerabilities; it is the entire government network.<\/p>\n<\/blockquote>\n

Sita\u2019s network has about 1 100 public-facing systems, of which one in seven carries a known security vulnerability. The non-Sita government internet, which is smaller (516 systems), has one in five hosts vulnerable. The network is less than half the size, yet has nearly as many critical security flaws.<\/p>\n

\n
\n

ADVERTISEMENT<\/p>\n

CONTINUE READING BELOW<\/p>\n<\/div>\n<\/div>\n

Read:\u00a0Sita denies Nigerian \u2018hactivists\u2019 gained access to SA government systems<\/p>\n

When we reported that Sita\u2019s oldest unfixed security flaw dates back to 2006, we expected that to be a low point. But we have found that the non-Sita government internet has about 36 systems with vulnerabilities first documented in 2007: the year the iPhone launched, and South Africa won the Rugby World Cup in Paris, and apparently, the last year anyone updated these systems. All 36 systems carry exactly the same 15 severe vulnerabilities (some with more).<\/p>\n

One of the worst examples comes from the Amathole District Municipality in the Eastern Cape. One of its servers, hosted in a Microsoft data centre, carries over 353 known security vulnerabilities, of which 94 are rated \u201ccritical\u201d. (Just to be clear: it is absolutely NOT Microsoft\u2019s responsibility to fix this; it is the municipality\u2019s responsibility.)<\/p>\n

Listen: Government cyber vulnerabilities date back to 2007<\/p>\n

To give you a sense of how bad this is, Sita\u2019s entire network of more than a thousand systems has 125 unique critical flaws in total. This municipality has managed to accumulate 75% of that on a single server. In a strange way, it is quite impressive.<\/p>\n

Witzenberg Municipality in the Western Cape matches that almost exactly: 347 vulnerabilities, 94 of which are critical, on one website. It runs the same software as Amathole \u2013 Apache 2.4.7 on Ubuntu 14.04. Ubuntu is an operating system, akin to Windows. Ubuntu names each new version after an animal, and version 14 was called \u201cTrusty Tahr\u201d. A tahr is a type of wild goat (you can see them on Table Mountain). This version has not been trustworthy since April 2019*<\/sup>, when support for it ended. The operating system has been accumulating unaddressed security flaws for over seven years.<\/p>\n

Who is in charge?<\/span><\/h2>\n

Sita\u2019s network, for all its flaws, has a network space with predefined addresses, and one body at least partially responsible for it. But the non-Sita government internet has no equivalent. It is distributed across more than 15 distinct hosting providers, and there is no single entity with the mandate (or inclination) to coordinate security across all of them.<\/p>\n

What happens when something needs fixing? Well, it depends on who built the system, when they were last paid, and whether they are still in business.<\/p>\n

\n
\n

ADVERTISEMENT:<\/p>\n

CONTINUE READING BELOW<\/p>\n<\/div>\n<\/div>\n

The agriculture department has a server with 152 known vulnerabilities, 37 of which are critical. The server is not hosted on the Sita network but by Dimension Data (one of SA\u2019s largest and most reputable IT companies). That does not mean that it is Dimension Data\u2019s responsibility to keep the server secure.<\/p>\n

One of the worst finds, similar to our findings with Sita\u2019s network, is a server belonging to the Integrated Justice System (IJS). The IJS connects courts, the National Prosecuting Authority (NPA), and correctional services. It handles criminal case records, prosecution tracking, and offender data for South Africa. Apologies for getting a bit technical. This server has its Remote Desktop Protocol (RDP) port \u2013 the technology used to control a computer remotely \u2013 exposed directly to the internet, and it also has a confirmed vulnerability called SMBGhost. America\u2019s Cyber Defence Agency warned about this vulnerability in 2020, as did many other cybersecurity institutions globally.<\/p>\n

Then there is Ekurhuleni. The municipality has its own network. On it sits incidentmanagement.ekurhuleni.gov.za, the municipality\u2019s incident management system, which carries many known vulnerabilities. The municipality needs an incident management system for its incident management system.<\/p>\n

\n

Who\u2019s in charge for fixing this mess? Who\u2019s taking responsibility? Given the age and severity of many of the vulnerabilities, the answer seems to be: no-one.<\/p>\n<\/blockquote>\n

In May, Ekurhuleni\u2019s acting city manager explained to parliament how the municipality got hacked: \u201cYou could drive to our licence station in Bedfordview, where we have Wi-Fi, and just park outside, and if you are a hacker, you can get access to our virtual private network (VPN) and do these things\u201d.<\/p>\n

There are two realistic ways to get into its VPN. Either the hackers used compromised credentials (i.e., passwords they obtained) or they exploited a vulnerability in an outdated system.<\/p>\n

\n
\n

ADVERTISEMENT:<\/p>\n

CONTINUE READING BELOW<\/p>\n<\/p><\/div>\n<\/div>\n

The Ekurhuleni VPN may have been using an obsolete Microsoft-developed protocol from the 1990s called PPTP. Microsoft has ended support for it because it is so vulnerable. It can be cracked in minutes if you are on the same Wi-Fi network.<\/p>\n

\n

Using PPTP is as good as leaving the front door open.<\/p>\n<\/blockquote>\n

There are seven of these insecure VPNs on Sita\u2019s network, and 10 of them off Sita\u2019s network. There should be zero. PPTP was fully cracked in 2012. There are newer, more secure protocols that serve the purpose better. Those using the insecure protocol include Joe Gqabi Municipality, Bojanala Platinum District Municipality, the KZN Nerve Centre, and some unnamed hosts and routers on Sita\u2019s network.<\/p>\n

Technical details<\/span><\/h2>\n

We ran our Shodan analysis on gov.za hostnames hosted outside Sita\u2019s AS37130 in late May, and again on 8 June 2026. Shodan identified 1 089 exposed service records across 516 unique internet-facing hosts. Of those, 106 hosts (one in five) carried at least one known vulnerability, compared to Sita\u2019s one in seven. The dataset spans government entities hosted by more than 15 different providers, with no centralised oversight.<\/p>\n

\n\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n\n
Sita network<\/strong><\/td>\nNon-Sita .gov.za<\/strong><\/td>\n<\/tr>\n
Total records<\/td>\n2 150<\/td>\n1 089<\/td>\n<\/tr>\n
Unique IP addresses<\/td>\n1 112<\/td>\n516<\/td>\n<\/tr>\n
Hosts with vulnerabilities<\/td>\n152 (1 in 7)<\/td>\n106 (1 in 5)<\/td>\n<\/tr>\n
Unique Common Vulnerabilities and Exposures (CVEs)<\/td>\n904<\/td>\n725<\/td>\n<\/tr>\n
Unique Critical CVEs (>= 9.0)<\/td>\n125<\/td>\n133<\/td>\n<\/tr>\n
Total CVE count<\/td>\n5 014<\/td>\n4 466<\/td>\n<\/tr>\n
Total Critical CVE count<\/td>\n575<\/td>\n726<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
\n

\u00a0<\/p>\n\n\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n\n
Some of the worst hosts<\/th>\nTotal CVEs<\/th>\nCritical<\/th>\nOperator<\/th>\n<\/tr>\n<\/thead>\n
admcitizen.amathole.gov.za<\/td>\n353<\/td>\n94<\/td>\nAmathole District Municipality (Azure)<\/td>\n<\/tr>\n
witzenberg.gov.za<\/td>\n347<\/td>\n94<\/td>\nWitzenberg Municipality<\/td>\n<\/tr>\n
mail.tclm.gov.za<\/td>\n268<\/td>\n60<\/td>\nThaba Chweu<\/p>\n

Local Municipality<\/p>\n<\/td>\n<\/tr>\n

dalrrd.gov.za<\/td>\n152<\/td>\n37<\/td>\nDALRRD \/ Agric. Res. Council<\/td>\n<\/tr>\n
nda.gov.za<\/td>\n153<\/td>\n23<\/td>\nNational Development Agency<\/td>\n<\/tr>\n
midvaal.gov.za<\/td>\n151<\/td>\n19<\/td>\nMidvaal Municipality (Vodacom)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
    \n
  • Canonical, the makers of Ubuntu, offers a paid service to continue addressing security flaws, but it is extremely unlikely that the government is using it, even if it pays the subscription fees.<\/em><\/li>\n<\/ul>\n<\/div>\n

    #Wild #goats #open #gates #Government #websites #hacked<\/p>\n","protected":false},"excerpt":{"rendered":"

    Government websites are insecure and a mess. The Constitution says that officials must provide us, the public, with \u201ctimely, accessible and accurate information\u201d. The way that is done in the… <\/p>\n","protected":false},"author":1,"featured_media":7984,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[4149,10204,1329,10206,181,10205,2675],"class_list":["post-7983","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-investing","tag-gates","tag-goats","tag-government","tag-hacked","tag-open","tag-websites","tag-wild"],"_links":{"self":[{"href":"https:\/\/www.fintechpulse8.com\/index.php?rest_route=\/wp\/v2\/posts\/7983","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.fintechpulse8.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fintechpulse8.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fintechpulse8.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fintechpulse8.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7983"}],"version-history":[{"count":0,"href":"https:\/\/www.fintechpulse8.com\/index.php?rest_route=\/wp\/v2\/posts\/7983\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fintechpulse8.com\/index.php?rest_route=\/wp\/v2\/media\/7984"}],"wp:attachment":[{"href":"https:\/\/www.fintechpulse8.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fintechpulse8.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7983"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fintechpulse8.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}