Job board website vulnerable to hacking, data interception

A popular Yukon job board website is vulnerable to hacking because its managers have not put common security measures in place.

YuWin.ca doesn’t use Secure Sockets Layer (SSL), which allows encryption of all the data exchanged between a client computer and the internet server hosting the website yuwin.ca.

“It’s rare to see (no SSL) these days,” said Martin Lehner, an IT specialist and co-owner of Tangerine Technology in Whitehorse.

“It’s quite surprising they wouldn’t encrypt,” Lehner said. “They’ve had executive directors who have been from the IT industry.”

SSL is becoming ubiquitous as even Google now encrypts all searches by default.

“At some point the entire internet will be SSL (encrypted) anyways,” Lehner said.

Because the data exchanged is not encrypted, an attacker could intercept a user’s login information.

While YuWin doesn’t hold information, such as social insurance numbers, that could be used for fraud or identity theft, hackers could still make use of the passwords used for YuWin accounts.

That’s because people often reuse the same password for different services, Lehner said.

“I would say anybody who has an account on the job board … should know their internet password is viewable at a minimum by the YuWin staff or anybody who has access to the backend,” he said.

And an attacker wouldn’t even need to be on the same internet network to intercept passwords, Lehner said.

All he or she would need to do is capture data flowing between YuWin.ca’s server and other internet routers.

“Eventually if you wait long enough, you can pull traffic out,” Lehner said.

The lack of SSL also means an attacker could impersonate the website, and trick people into entering their login information.

It doesn’t matter that YuWin is a Yukon-based website, Lehner said, because hackers will scan the entire internet looking for vulnerable services.

Implementing SSL is neither expensive nor difficult, Lehner said.

“I would suspect that with the government who funds them, they probably expect the data is kept reasonably secure.”

YuWin chair Debbie Parent told the News the board was aware of the situation and working on it.

Parent asked the News to withhold publication of this story in exchange for first crack at a news release to be issued Tuesday. The News declined.

Contact Pierre Chauvin at pierre.chauvin@yukon-news.com
