Job board website vulnerable to hacking, data interception

Pierre Chauvin Monday February 13, 2017

The YuWin.ca job board website is vulnerable to hacking due to its lack of Secure Sockets Layer (SSL), says Martin Lehner, a local IT specialist.

A popular Yukon job board website is vulnerable to hacking because its managers have not put common security measures in place.

YuWin.ca doesn’t use Secure Sockets Layer (SSL), the protocol (long since superseded by its successor, TLS, though the old name is still in everyday use) that encrypts all the data exchanged between a user’s browser and the internet server hosting yuwin.ca. In practical terms, the site is served over plain http:// rather than https://.

“It’s rare to see (no SSL) these days,” said Martin Lehner, an IT specialist and co-owner of Tangerine Technology in Whitehorse.

“It’s quite surprising they wouldn’t encrypt,” Lehner said. “They’ve had executive directors who have been from the IT industry.”

SSL is becoming ubiquitous as even Google now encrypts all searches by default.

“At some point the entire internet will be SSL (encrypted) anyways,” Lehner said.

Because the data exchanged is not encrypted, anyone able to observe the traffic between a user and the site could read that user’s login information as it is submitted.

While YuWin doesn’t hold information, such as social insurance numbers, that could be used for fraud or identity theft, hackers could still make use of the passwords used for YuWin accounts.

That’s because people often reuse the same password for different services, Lehner said.

“I would say anybody who has an account on the job board … should know their internet password is viewable at a minimum by the YuWin staff or anybody who has access to the backend,” he said.

And an attacker wouldn’t even need to be on the same internet network to intercept passwords, Lehner said.

All he or she would need is a vantage point somewhere on the path between users and Yuwin.ca’s server: a shared Wi-Fi network, a compromised router, or a network provider in between.

“Eventually if you wait long enough, you can pull traffic out,” Lehner said.

The lack of SSL also means nothing authenticates the server to the browser. An attacker who can redirect or intercept traffic could serve a copy of the website, the browser would show no warning, and people would be tricked into entering their login information into the impostor.

It doesn’t matter that YuWin is a Yukon-based website, Lehner said, because hackers will scan the entire internet looking for vulnerable services.

Implementing SSL is neither expensive nor difficult, Lehner said.
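
The interception described above and the check that the fix has actually landed, as an added example in Python (written for this page; not code from the article, from YuWin or from Tangerine). The captured request and the server responses are constructed for illustration; the host jobboard.example, the /login path, the form field names and the HSTS value are assumptions, not anything observed on yuwin.ca.

```python
"""Added example, written for this page; not code from the article, YuWin
or Tangerine.  Two things the article describes, on constructed data:
  1. what a passive observer on the path recovers from a login sent over
     plain HTTP;
  2. a check that the fix has landed: plain HTTP redirects to https:// and
     the HTTPS response sets HSTS.
Host, path, field names and header values are assumptions, not yuwin.ca's."""
from urllib.parse import parse_qs, urlsplit

CREDENTIAL_FIELDS = ("password", "passwd", "pass", "pwd")
USER_FIELDS = ("username", "user", "email", "login")

# Constructed capture: the bytes an on-path observer sees when a login form
# is submitted over plain HTTP.  Nothing in it is encrypted.
CAPTURED_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: jobboard.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 47\r\n"
    b"\r\n"
    b"username=jdoe&password=Winter2017%21&remember=1"
)
# Constructed responses to "GET /" before the fix (plain HTTP only) and
# after it (plain HTTP redirects; HTTPS serves the site with HSTS).
LOGIN_FORM = b'<form method="post"><input type="password" name="password"></form>'
BEFORE_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + LOGIN_FORM
AFTER_HTTP = (b"HTTP/1.1 301 Moved Permanently\r\n"
              b"Location: https://jobboard.example/\r\nContent-Length: 0\r\n\r\n")
AFTER_HTTPS = (b"HTTP/1.1 200 OK\r\n"
               b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
               b"Content-Type: text/html\r\n\r\n" + LOGIN_FORM)


def parse_http_message(raw):
    """Split an HTTP/1.x request or response into (start_line, headers, body).
    Header names are lower-cased; the body is cut at Content-Length if present."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return lines[0], headers, body[:length]


def extract_credentials(raw_request):
    """Return {'username', 'password'} from a form-encoded POST, else None.
    This is the whole 'attack' on a plaintext login: read the bytes."""
    start_line, headers, body = parse_http_message(raw_request)
    if not start_line.startswith("POST "):
        return None
    if not headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        return None
    form = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    password = next((form[f][0] for f in CREDENTIAL_FIELDS if f in form), None)
    if password is None:
        return None
    user = next((form[f][0] for f in USER_FIELDS if f in form), None)
    return {"username": user, "password": password}


def transport_findings(http_response, https_response, min_hsts_age=15552000):
    """Check a site's responses to plain-HTTP and HTTPS "GET /" requests.
    Returns a list of problems; an empty list means the basics are in place.
    https_response=None models an HTTPS connection that is refused."""
    findings = []
    start_line, headers, body = parse_http_message(http_response)
    status = int(start_line.split(" ", 2)[1])
    if status in (301, 302, 307, 308):
        if urlsplit(headers.get("location", "")).scheme != "https":
            findings.append("plain-HTTP redirect does not point at https://")
    else:
        findings.append("plain HTTP answered with %d instead of a redirect to https://" % status)
        if b'type="password"' in body:
            findings.append("login form served over plain HTTP")
    if https_response is None:
        findings.append("no HTTPS service answered")
        return findings
    _, headers, _ = parse_http_message(https_response)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HTTPS response lacks Strict-Transport-Security")
        return findings
    directives = dict(d.strip().partition("=")[::2] for d in hsts.split(";"))
    max_age = int(directives.get("max-age", "0") or 0)
    if max_age < min_hsts_age:
        findings.append("HSTS max-age %d is below %d" % (max_age, min_hsts_age))
    return findings


if __name__ == "__main__":
    print("observer recovers:", extract_credentials(CAPTURED_LOGIN))
    print("before fix:", transport_findings(BEFORE_HTTP, None))
    print("after fix:", transport_findings(AFTER_HTTP, AFTER_HTTPS))
```

Against a live site the same two checks can be fed the raw output of a plain-HTTP and an HTTPS request (for example from curl -i), and the three things worth confirming are the ones the function looks for: the plaintext port only redirects, the redirect goes to https://, and the HTTPS response carries a Strict-Transport-Security header with a max-age of months rather than minutes. The 180-day minimum used here is the example’s own policy choice. Note that the check says nothing about the certificate chain or the TLS versions and ciphers offered; a separate TLS scanner covers those.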

“I would suspect that with the government who funds them, they probably expect the data is kept reasonably secure.”

YuWin chair Debbie Parent told the News the board was aware of the situation and working on it.

Parent asked the News to withhold publication of this story in exchange for first crack at a news release to be issued Tuesday. The News declined.

Common Sense wrote:
3:33pm Saturday February 25, 2017

I find the lack of knowledge and information in this article troubling. Most major websites now use TLS, more specifically TLSv1.2, with TLSv1.3 on the horizon. No website should be supporting SSLv3.0 or lower, but last I recall somewhere around 15-20% of all websites are still supporting SSLv3.0. All major browsers now support TLSv1.2, but many common OSes have not yet reached end of life, for example Vista (April 2017) and Server 2008 (2020); as they do not support TLSv1.1 and TLSv1.2 out of the box, you require a 3rd-party browser. Not all websites require such security, but it should be provided/enforced whenever there is input of information. It should be noted this only relates to transport, not backend storage.

It is unfortunately common to speak of website security only as “SSL”. However, proper expertise should provide clarification with ease and may also suggest that the PCI Compliance Council, a global group for security standards related to account data protection, decided that as of June 30, 2017 (later revised to June 2018), SSL and TLSv1.0 can no longer be used for PCI DSS compliance. Nevertheless, while the PCI (Payment Card Industry) group is more specific to that industry, it is far better to provide a more secure standard/platform than someone broadly stating “Use SSL”.

The morality of reporting vs. security is troubling. In most major security circles the proper approach is to inform, assist if possible and provide a reasonable reporting date (if not resolved). From this read, fearmongering seems to be the approach taken, with a security expert who lacks the expertise portion in my opinion (something’s fishy on top of it all). Security should not be rushed, as most often mistakes are made during that process (implementation/testing), and now you’ve already told the masses “hey, look at this…” while also inviting the less moral section of society to poke around.

Brent wrote:
1:38pm Thursday February 23, 2017

Groucho, yes there is. Go to https://www.yuwin.ca. It’s encrypted now.

Groucho d'North wrote:
5:40pm Wednesday February 22, 2017

So as a result there is now not a Yuwin job board to look for jobs on. Great work everyone!

Thomas Brewer wrote:
12:45pm Monday February 20, 2017

You really need to learn the difference between “breaking the law” and violating the terms of service for an online tool. VASTLY different things.

unlawful wrote:
2:33pm Saturday February 18, 2017

@Internet Security, a) Tangerine’s site isn’t purported to be SSL and it doesn’t collect user accounts of the general public. b) unless you asked Mr. Lehner, you actually broke the law. “Restrictions
You are allowed to:
(i) use the API only to inspect only sites and servers whose owners have given you permission to do so”

free ad wrote:
1:06pm Saturday February 18, 2017

OMG Yukon News, can we all call Pierre Chauvin for free marketing… have I got a story for you - this is the poorest journalism we have ever seen. Why don’t you just give Lehner a bunch of free advertising space for his marketing and leave YuWin out of it.

Internet Security wrote:
6:06pm Friday February 17, 2017

You can visit this website to see a security report on Tangerine Technology’s website. Very informative.


Hogwash wrote:
10:05am Friday February 17, 2017

This is nothing but scare tactics and bad press, targeted at people who know little about how SSL works and how easy it is to fix. Shame on you, Tangerine and Yukon News, BOTH!


Go pick on someone your own size… or maybe that’s what you’re doing. YuWin is a non-profit organization that does the utmost for everyone in the Yukon and asks nothing in return. If you really cared about the security of people’s YuWin logins, you would fix it! Go back and crawl under whatever bridge you call home and stop trying to cause drama for your own gain.

yukon_wind wrote:
10:19pm Thursday February 16, 2017

hahahaha, look at all the people complaining about them getting caught. Whine whine whine. How about you go fix your website and then move on????? I just looked and the website still hasn’t been fixed???? Really????? Come on!

Business1 wrote:
6:49pm Thursday February 16, 2017

I read some of these comments and can’t help but wonder if they are somehow attached to Yuwin. I am also a business owner that has used the Yuwin job board for years to get staff. Just like Martin has. Did I miss the part where Martin said he hates Yuwin? I don’t hate Yuwin either. I do hate knowing that Yuwin didn’t take my right to privacy and security into consideration when storing my information. I think it’s hard to believe that anyone out there would be happy about this problem and unconcerned. The comments here demonstrate deflection at its finest. Maybe we should call this fake news too?

Brad Dubbe wrote:
6:09pm Thursday February 16, 2017

There seems to be a lot of anger and resentment towards Lehner but is it misdirected? It is not Lehner’s fault that Yuwin is not securing their website properly. Whether he is making comment on it or not doesn’t change that. If I used the site, I know I would be grateful if I was made aware that my password was not being kept securely. Being a whistleblower can be tough. Look at all this negativity. Imagine what someone like Edward Snowden feels like.

Busness as usual wrote:
12:21pm Thursday February 16, 2017

I have been a part of the business community for over thirty-five years, and I am shocked and appalled by Mr. Lehner’s attack on YuWIN. For years, my company has posted all our vacant positions on this site, at no charge. My company has saved thousands of dollars every year, and we don’t mind shouting out a huge thank you to YuWIN.
Mr. Lehner, I’ve noticed you regularly use the FREE YuWIN service to post your company’s vacant jobs. I understand, as do most businesses utilizing YuWIN’s services, that they are a non-profit group whose work supports the advancement and growth of our local businesses, and did I mention they do it for FREE! You have shown your appreciation and support for this organization by filing a complaint with YuWIN’s funder and, to show further appreciation, you took this ridiculous story to the Yukon News.
As part of the community, my company and many, many others show their appreciation for the work of the non-profit sector through financial contributions and/or in-kind support. Your public attack on YuWIN has shown the whole Yukon community (businesses and others) that you will take full advantage of a non-profit’s services, and then show your appreciation by publicly attacking them. To say the least, this behavior is bizarre.
Mr. Lehner, instead of filing a complaint against YuWIN to their funder and following that up by starting a smear campaign (in an attempt to tear down a site that you yourself obviously find very useful), perhaps your time might be better spent searching for your corporate soul. Maybe in doing so, you will find a better way of supporting and giving back to our great community.
Finally, I am in total disbelief that the Yukon News would publish Mr. Chauvin’s article. Mr. Chauvin is clearly an inexperienced reporter and unaware of his duty as a “journalist” to properly investigate a story by speaking to other sources before running something this ridiculous. Fantastic journalism, Yukon News!!

plywood wrote:
10:28am Thursday February 16, 2017

So-and-so left their house’s door unlocked! People could steal things!

Instead of telling them and fixing the problem — ie: writing a letter — let’s publish it in the newspaper to let everybody know.

And so what if people on Yuwin can see the password? The staff at Employment Central are trusted with people’s resumes and even SINs all the time.

I don’t get it.

Paul wrote:
10:27am Thursday February 16, 2017

It would take minutes to remediate Yuwin, with the exception of the time waiting for the SSL provider to do their processing.

It would also be easy enough to exploit DNS to redirect http://www.tangerinetechnology.is to a cloned site filled with misinformation, because there’s no cert to prove they are who they say they are.

http://www.yukon-news.com isn’t secure either.

Get off your high horses. Fix your junk.

Bob Gray wrote:
8:50am Thursday February 16, 2017

All YuWIN staff need to do is install an SSL certificate and be done with it, story over. All of this small town drama with name-calling, blaming, conspiracy theories and put-downs helps no one. Grow up, people.

Do the right thing wrote:
6:17pm Wednesday February 15, 2017

@ Agenda. Yuwin has been providing an essential service to Yukoners for years. There are literally hundreds of success stories behind this organization. I can’t believe anyone would defend the former government’s stance, which was purely driven by financial reasons.

Speaking of success stories, why doesn’t Tangerine do the responsible and ethical thing and provide the ‘cheap, easy’ fix for this non-profit rather than placing them in a place more vulnerable than they were before? It’s called damage control out in the real world, you know, the place where territorial dollars don’t exist to prop up private-sector companies like Tangerine.

anonymous wrote:
6:02pm Wednesday February 15, 2017

Banks do have access to your online banking password. I closed my account at one bank as they tried to use my password as a means to identify me (telephone banking) and when I told them I was not giving it to them they told me I failed the validation. I spoke to a supervisor who said it was a common way to identify people. It was the only bank to ever ask me that so I closed all my accounts there. My point is that they must have known my online banking password to try to verify me with it.

Agenda wrote:
5:00pm Wednesday February 15, 2017

The government is trying to get rid of Yuwin. The timing of this article is utterly convenient!

Professional IT wrote:
12:08pm Wednesday February 15, 2017

Announcing this in the press before it is fixed is irresponsible on the parts of both the Yukon News and Tangerine. You are inviting hackers to the site and putting a LOT of Yukoners at risk - not doing a public service. The professional protocol is to contact the site’s owner and help them fix it. This should happen before anything is made public (if ever). A cheap publicity stunt and poor reporting to boot - both of you should be ashamed!

Victor Rogers wrote:
9:51am Wednesday February 15, 2017

A couple of things strike me as odd with this story.

First, Martin’s own site is insecure.

Second, any supporting ‘testimonials’, either in the comments on this article or on Tangerine’s site, are not attributed to any actual people/businesses, and that makes me think they are company shills.

Third, rather than spending money advertising in a traditional format, every few months a ‘news article’ is manufactured praising this company’s technical prowess.

Finally, why is an ‘established’ company randomly changing their name?

Are You Kidding Me??? wrote:
11:53pm Tuesday February 14, 2017

I have read this article several times and nowhere do I see anything that states Mr. Lehner approached the media about this. @ Sandbox bullies and the rest: where is your proof that this in fact occurred? Or are you all just flying on assumptions? Perhaps it would be prudent for the News to clarify how this story came to be and what Mr. Lehner’s role was. I would suggest you all stop tarring and feathering someone who actually may not be the “culprit”. The fact is, perhaps there are some security concerns that have come up and perhaps it is in the best interest of those who use the service to know about it. How is that harmful? Grasping at straws in an attempt to compare the website of a business that is for information only to a website that collects and stores information is at the same level of deflection occurring in the lower 48, on par with Kellyanne Conway and Spicer; it becomes ridiculous. This article is not about Mr. Lehner’s business nor his intent.
@ Antigone; just out of curiosity, how did you reach your conclusion as to what the problem really is? Your statement is unfounded. Please do share your obvious privileged knowledge about this so called “creating a website that costs a lot of public moneys.” WE the public should know ...not?
Clearly a whole lot of assuming and deflection happening here, and that serves no purpose.

ConnieAnnKellway wrote:
10:01pm Tuesday February 14, 2017

We need to consider the alternative facts here. Yuwin has the best security out there. No way they could ever lose sensitive information that people thought was secure. This is FAKE NEWS that’s being reported. No one has better security than Yuwin, believe me. Everyone knows that Yuwin security is the best.

FrozenYukoner wrote:
5:32pm Tuesday February 14, 2017

I’ve known Martin personally for almost a decade. He has strong ethics and does not shy away when asked real questions even if it may make him unpopular. Antigone and some other commenters are wondering why this is even a news article? I’m not sure. I guess people’s passwords being vulnerable isn’t enough? I’m wondering how long the Yuwin site has been like this for??? Is this new or has it been this way for years??? This all sounds so dubious and people are just covering for themselves. I wish more people in our world would stand up and speak out. It is something that isn’t done enough anymore!

Sandbox friend wrote:
5:12pm Tuesday February 14, 2017

It is funny that people who won’t put their real name to their posts are chastising Martin for commenting on a real problem that probably affects a lot of people. It probably has more to do with embarrassment and saving face than anything else. I hope yuwin learns from this.

Rob H wrote:
4:34pm Tuesday February 14, 2017

http://www.tangerinetechnology.is/index.html isn’t even a secure site. It looks like it was built by a Grade 10 Comp Sci student.

Yukoner wrote:
3:41pm Tuesday February 14, 2017

@bobsam The reason Martin should secure his site is because he has contact information on there, so without a certificate someone could impersonate his site and give different contact information, and then someone might contact the invalid number and give out information to someone who they expected to be Martin’s company, maybe their credit card info… If Martin is gonna say it’s a problem with the Yuwin site then he should acknowledge it for his own.

YukonDoug wrote:
3:37pm Tuesday February 14, 2017

Martin is very skilled at what he does. He found a hole in our computer network that someone used to hack us, even though our IT support at the time said everything was fine. I’ll attest to his competency all day long.

JoeS wrote:
3:33pm Tuesday February 14, 2017

We are also contractors of Orange. They offer phenomenal service compared to all the other computer service companies in town. Everyone who works there is very friendly and always willing to help us, even with the dumb questions we have. We have always appreciated their candor and we appreciate their input on the missing security of a highly used website. Thank you Martin & Martin.

JameB wrote:
1:00pm Tuesday February 14, 2017

Who cares about Martin anyways? This is about a Yukon website not protecting private information, not about Martin and his comments.

Customer wrote:
12:17pm Tuesday February 14, 2017

I’m a customer of Tangerine and I’m very happy with how proactive they are with my organization’s security. They give a great service and I’m thankful that they watch for these kinds of security flaws. Thank you for bringing it to everyone’s attention. Shame on everyone getting mad at Martin and company. It’s not his fault that a local job board is lacking security.

Mick Foley wrote:
11:54am Tuesday February 14, 2017

Yukon IT wrote: Finally there is this glaring error in this story: SSL is broken. At some point the Internet will be using TLS. You would think that such an “expert” in the field as Lehner would understand the difference.

I wouldn’t hire Orange to mow my lawn let alone do a security audit.

Employer1 wrote:
10:36am Tuesday February 14, 2017

I am an employer that uses this job board and I say THANK YOU!!!!!!!!! To Martin Lehner and the Yukon News for making this problem public. I would have never found out and now I need to go change all my passwords because of this.

R@anger1 wrote:
10:09am Tuesday February 14, 2017

wow, look at all the anonymous trolling! I must have missed all of you trolling the Canada Revenue Agency when they disclosed that a CD of taxpayer information was lost. This is the same thing. It’s a public service announcement for people whose passwords may have been exposed. Bravo to Martin for having the guts and being willing to speak up.

bobsam wrote:
10:04am Tuesday February 14, 2017

Why would Martin secure his own website if he isn’t collecting user names and passwords? Sounds like some people are pretty ego hurt that their job board of choice got caught exposing sensitive information. I say time for Yuwin to go and get replaced by the Canada Job Board.

Antigone wrote:
9:52am Tuesday February 14, 2017

why the f…is there an article in the Yukon News about this!
Use your little brains people! if the intention would have been to benefit the site and its users, they would have contacted people responsible for Yuwin ( E.D et board). Haha I am left wondering what the benefit of such an article is: have you been promised some funding? do you have a membership card at the Liberal party! LOL! Really, Yuwin has done excellent work and is one of the most visited website from and about the Yukon. People from all over the world use Yuwin ! it is THE webiste that has the more visits in the Yukon. May be that is the problem. Instead of creating websites that cost a lot of public moneys the gouvernement should support Yuwin and give more funding so it can increase its capacity and its security. The informations presented on this website is public information!

Anonymous3 wrote:
8:35am Tuesday February 14, 2017

I’m sure I have seen many job postings on Yuwin for positions at Orange Technology. Maybe time for Orange Technology to advertise job postings elsewhere.

Sandbox bullies wrote:
6:32am Tuesday February 14, 2017

Yeah, this doesn’t sound fair. Give Yuwin a chance to rectify if there is an issue, instead of going directly to the media about it. Respect and professionalism. Likely this guy just wants us all to know they have changed their name from Orange Tech to Tangerine? Same goes to you, Pierre Chauvin.

Yukoner wrote:
11:50pm Monday February 13, 2017

Did you know, Martin, that if I navigate to your company’s website, my web browser says my connection is not secure? “It’s rare to see (no SSL) these days” eh? Why don’t you take a piece of your own advice.

Yukon IT wrote:
11:00pm Monday February 13, 2017

I can understand the Yukon News’ lack of IT security knowledge. And I understand that they would need to lean on an expert. But come on, no other interviews from people in the industry to corroborate the story?

There was no need to pick on an organization to discuss this topic. Nowhere in this article was it mentioned how a business or organization could obtain a TLS certificate. Did you know that you can get a free TLS certificate from letsencrypt dot org? Ask your hosting provider if they will set this up for you. It’s not that difficult.

Finally, there is this glaring error in this story: SSL is broken. At some point the Internet will be using TLS. You would think that such an “expert” in the field as Lehner would understand the difference.

ralph wrote:
9:22pm Monday February 13, 2017

martin sure does a lot of public service. everyone remember the whole northwestel debacle? it is refreshing when someone is willing to stick their neck out for others. now everyone knows their passwords might be leaked so they can change them. we need more martins around. maybe he should run for politics? no, that’s an easy way to get corrupted.

Karl wrote:
9:05pm Monday February 13, 2017

Not sure why this made the news either. There is no indication of a data or privacy breach occurring here, just a website like hundreds of thousands of others that doesn’t have a certificate installed. Lehner sure likes to play armchair security specialist and get his name in the paper. The Yukon News and Whitehorse Star websites don’t have SSL installed and both take encrypted user input field data. Why doesn’t Martin pick on them?

northernlights wrote:
8:00pm Monday February 13, 2017

Why the hate on for Martin? I think this is a public service announcement warning employers of a flawed system and maybe leaked passwords. Good on Martin for letting everyone know it’s an issue!

Fred@North wrote:
7:06pm Monday February 13, 2017

haha it sounds like some “anonymous” people are jealous that someone else knows what they’re talking about.

mlehner wrote:
7:03pm Monday February 13, 2017

@anonymous: No, actually, a bank doesn’t have access to your online banking password. The entire idea of encryption (as a generality) is to keep this information from anyone’s hands. The back-end of a database does not need to have things like passwords in plain text (and maybe this one doesn’t, I actually don’t know; I simply said that one needs to presume it is until proven otherwise). Take for example LM / NTLM hashes for logging into a Windows domain network. User account passwords are not kept in plain text format - that’s the whole idea. I’m confused by your comment about “fishing for public money”? Nowhere does it state that I personally benefit at all from this. As for under-qualification, I’d be happy to discuss my paper credentials, real world experience and my role as a security professional. Feel free to stop by the office anytime.

@Anonymous2: I was asked for a professional opinion, so I gave one. I’m regularly asked by media for opinions on technical things because that’s my specialty and what I’ve been doing for a decade now.

* EYE ROLL* wrote:
6:16pm Monday February 13, 2017

I’d really appreciate it if local media stopped letting this guy try to promote his business through articles like this one. Don’t forget that Northwestel rightly went after him for false and defamatory statements!

Yukoner wrote:
5:37pm Monday February 13, 2017

Hmm, tangerine doesn’t use SSL either (https://www.tangerinetechnology.is). So anything Martin says about Yuwin is true of his own site too.. and he runs a tech company.

Anonymous2 wrote:
5:08pm Monday February 13, 2017

He sure likes to find ways to keep his name in the news (no pun intended), doesn’t he? He easily could have contacted YuWin with this issue without going to local media.

That says a lot about a person.

Anonymous wrote:
4:44pm Monday February 13, 2017

> “I would say anybody who has an account on the job board … should know their internet password is viewable at a minimum by the YuWin staff or anybody who has access to the backend,” he said.

No Martin, that’s inherent to literally every service on the internet. If you have access to how the information is stored, you have access to the information. That’s like saying your bank knows your PIN and your accounts. No duh.

If you can interfere with someone’s connection at that level, intercepting traffic becomes nearly trivial anyway. Please go read about sslstrip.

SSL doesn’t protect against phishing attacks. Anyone could send an email that looks like it’s from yuwin and direct them to an insecure site with a login password. This is how literally every other phishing scam on the internet works.

Finally, just because the website transit isn’t encrypted doesn’t mean the password is stored in an unencrypted way or that the information on the website is stored insecurely. Please go read about password hashes. Please learn anything about how security works.

Take your alarmist bullcrap somewhere else, and stop fishing for public money as an under-qualified security consultant.
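
The distinction several commenters draw above, between encrypting the connection and how the password is stored once it arrives, as an added example in Python (written for this page; not code from the article, from YuWin or from Tangerine). It shows the storage half: a salted, iterated password hash with PBKDF2-HMAC-SHA256 from the standard library, verification in constant time, and a check for records made under an older, weaker policy. The record format and the iteration count are this example’s own choices and say nothing about what yuwin.ca actually does.

```python
"""Added example, written for this page; not code from the article, YuWin
or Tangerine.  Password *storage* with PBKDF2-HMAC-SHA256: the server keeps
a salted, slow hash, never the password itself, so database access alone
(staff, backups, an intruder) does not reveal user passwords.  The record
format and the iteration policy below are this example's own choices."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
# Current policy.  600,000 is the figure the OWASP Password Storage Cheat
# Sheet gives for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh 16-byte random salt per record means two users with the same
    password get different hashes and precomputed tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the digest with the stored salt and parameters and compare
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:          # malformed or legacy record: refuse
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record, iterations=ITERATIONS):
    """True if the record was made under a weaker policy than the current one.
    Check this right after a successful login and re-hash with the password
    the user just supplied; that is the only moment the plaintext is available."""
    algorithm, stored_iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(stored_iterations) < iterations


if __name__ == "__main__":
    record = hash_password("Winter2017!")
    print(record)
    print(verify_password("Winter2017!", record), verify_password("winter2017!", record))
```

Two caveats go with it. Hashing at rest does nothing for the transport problem the article is about: a password read off the wire during a plain-HTTP login is captured in the clear no matter how carefully the server stores it afterwards, so the two controls are complementary, not alternatives. And a site that has no HTTPS gives outsiders no way to tell which of the two it has implemented, which is why the sensible assumption for users is the one the article recommends: treat the password as exposed and stop reusing it elsewhere.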

