Job board website vulnerable to hacking, data interception

A popular Yukon job board website is vulnerable to hacking because its managers have not put common security measures in place.

YuWin.ca doesn’t use Secure Sockets Layer (SSL), which encrypts all the data exchanged between a client computer and the internet server hosting the website yuwin.ca.

“It’s rare to see (no SSL) these days,” said Martin Lehner, an IT specialist and co-owner of Tangerine Technology in Whitehorse.

“It’s quite surprising they wouldn’t encrypt,” Lehner said. “They’ve had executive directors who have been from the IT industry.”

SSL is becoming ubiquitous as even Google now encrypts all searches by default.

“At some point the entire internet will be SSL (encrypted) anyways,” Lehner said.

Because the data exchanged is not encrypted, an attacker could intercept a user’s login information.

While YuWin doesn’t hold information, such as social insurance numbers, that could be used for fraud or identity theft, hackers could still make use of the passwords used for YuWin accounts.

That’s because people often reuse the same password for different services, Lehner said.

“I would say anybody who has an account on the job board … should know their internet password is viewable at a minimum by the YuWin staff or anybody who has access to the backend,” he said.

And an attacker wouldn’t even need to be on the same internet network to intercept passwords, Lehner said.

All he or she would need to do is capture data flowing between YuWin.ca’s server and other internet routers.

“Eventually if you wait long enough, you can pull traffic out,” Lehner said.

The lack of SSL also means an attacker could impersonate the website, and trick people into entering their login information.

It doesn’t matter that YuWin is a Yukon-based website, Lehner said, because hackers will scan the entire internet looking for vulnerable services.

Implementing SSL is neither expensive nor difficult, Lehner said.

“I would suspect that with the government who funds them, they probably expect the data is kept reasonably secure.”

YuWin chair Debbie Parent told the News the board was aware of the situation and working on it.

Parent asked the News to withhold publication of this story in exchange for first crack at a news release to be issued Tuesday. The News declined.

Contact Pierre Chauvin at pierre.chauvin@yukon-news.com
