Job board website vulnerable to hacking, data interception

A popular Yukon job board website is vulnerable to hacking because its managers have not put common security measures in place.

YuWin.ca doesn’t use Secure Sockets Layer (SSL), which encrypts all the data exchanged between a client computer and the internet server hosting the website yuwin.ca.

“It’s rare to see (no SSL) these days,” said Martin Lehner, an IT specialist and co-owner of Tangerine Technology in Whitehorse.

“It’s quite surprising they wouldn’t encrypt,” Lehner said. “They’ve had executive directors who have been from the IT industry.”

SSL is becoming ubiquitous as even Google now encrypts all searches by default.

“At some point the entire internet will be SSL (encrypted) anyways,” Lehner said.

Because the data exchanged is not encrypted, an attacker could intercept a user’s login information.

While YuWin doesn’t hold information, such as social insurance numbers, that could be used for fraud or identity theft, hackers could still make use of the passwords used for YuWin accounts.

That’s because people often reuse the same password for different services, Lehner said.

“I would say anybody who has an account on the job board … should know their internet password is viewable at a minimum by the YuWin staff or anybody who has access to the backend,” he said.

And an attacker wouldn’t even need to be on the same internet network to intercept passwords, Lehner said.

All he or she would need to do is capture data flowing between YuWin.ca’s server and other internet routers.

“Eventually if you wait long enough, you can pull traffic out,” Lehner said.

The lack of SSL also means an attacker could impersonate the website, and trick people into entering their login information.

It doesn’t matter that YuWin is a Yukon-based website, Lehner said, because hackers will scan the entire internet looking for vulnerable services.

Implementing SSL is neither expensive nor difficult, Lehner said.

“I would suspect that with the government who funds them, they probably expect the data is kept reasonably secure.”

YuWin chair Debbie Parent told the News the board was aware of the situation and working on it.

Parent asked the News to withhold publication of this story in exchange for first crack at a news release to be issued Tuesday. The News declined.

Contact Pierre Chauvin at pierre.chauvin@yukon-news.com
