Buca Bay - Always nice

Dua tiko noqu toa loaloa, na yacana ko… laga mai…

Moce toka Viti

February 1

Moce toka Viti. Nomu lasa e rui divi.

Week two in Florida. Florida is a lot like Fiji, tropical weather and multicultural. Though it would be winter, the mornings and evenings are cool, and the days almost hot. The beaches are extremely wide and smoothened by bulldozers each morning before the city wakes. Though the manicured beaches, tall buildings and bright lights keep you on a permanent high, it also reminds me of the unsustainability of our destruction of this planet.

My brother flew down the day I got here. I hadn’t seen him in a few years. It has been great seeing him again but we haven’t had much time to enjoy Florida due to a tight work schedule. Every Sunday we go down to the beach and play some volleyball and watch the waves. At times it almost feels like Fiji.

I can’t wait for Vara and Joana to get here. I know they will love Florida.


Kama - Fiji Without You

October 16


Tsunami warning for Fiji, Twitter vs Local Radio vs Google

October 8

I was woken up this morning by Vara, yelling into my ear. “There is a Tsunami warning for Fiji, wake up. Do you think it’s gonna come this far?”

We’re about a mile from the beach, but also at an elevation of about 50m or so. I replied, “No, not gonna come this far”. I was up all night on a project so this was not in the slightest bit interesting to me right now.

In my half asleep state however, each passing car started to sound like an approaching wave, crashing through the coconut trees and quickly tearing its way up the hill towards us. I decided it was time to wake up.

I started making my tea, listening to the radio. It was going on about the Tsunami warning and evacuations etc. There was a report that the sea was retreating in the Yasawas. OK, sounds like this is a real disaster.

The first thing that came to mind was to see if I could get more up to date information online. I typed in http://twitter.com/ and did a search for “tsunami fiji”.

There were 2-3 updates every minute, and most of them stating the Tsunami warnings were already withdrawn. However, the radio was still going on with the warning. I didn’t really want to trust twitter solely, since most of it was just word of mouth.

I tried google, which would not have been useful in this situation a week ago. However, early this month they had implemented “search options” which allowed you to filter search results by date, showing the most recent results first.

Google proved to be up to date, with trusted information. Twitter had been just as up to date, or maybe a few minutes ahead, but it took weeding through a few posts to finally get a trusted source.

It didn’t take long for Fiji Times to post an update on the cancelled Tsunami warning for Fiji. Which was immediately picked up by google, as well as twitter.

A few months ago I had the need to search for some very up to date information. Twitter provided the best source, in which google was quite useless. Now google seems to have noticed that they needed to provide realtime results. Twitter however still has the edge, with human interaction in near real-time and a wider range of resources. For example, if the Tsunami had actually hit, you could have watched it from around the world via Fiji Webcam link posted on twitter.

Now looking at this, I’m amazed at how close up to date information, especially those of large human interest such as disasters, is on the web now, mostly attributed to Twitter. Forget the radio, I’m doing a twitter search.


WordPress and Fiji Time

October 11

I noticed that the dates on blog posts were off by a day, since the default timezone on a WordPress install is about a day behind Fiji Time. So I reset the timezone to UTC +12. Unfortunately that doesn’t change the creation date of old posts.

So for that:

    UPDATE wp_posts
    SET post_date = post_date_gmt + INTERVAL 12 HOUR,
        post_modified = post_modified_gmt + INTERVAL 12 HOUR;

Fortunately the WordPress developers are pretty savvy. They included the GMT dates which can be used as an absolute on which to get the timezone relative dates as above. Way to go WordPress.

In reality, all dates are relative, so the above would depend on the timezone setting of your database, and hopefully it is set correctly. It is most likely correct however. It may also be dependent on the PHP timezone, if PHP is used to calculate the GMT times - I haven’t looked at the actual SQL inserts in WordPress so it could be either or.
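
A more cautious way to run the same fix, as an added example that is not part of the original post. It assumes MySQL and the default wp_ table prefix, and wp_posts_dates_backup is a hypothetical table name. It previews the affected rows, keeps a copy of the old values, and skips rows whose GMT column is still the zero date (as WordPress leaves it for unpublished drafts), since those have no GMT time to shift.

```sql
-- Added example, not from the original post. Assumes MySQL and the wp_ prefix.

-- 1. Preview: posts whose local date is not exactly 12 hours (720 minutes)
--    ahead of the stored GMT date. Rows with a zero GMT date are excluded by
--    comparing against the lowest valid DATETIME instead of the zero literal,
--    which strict SQL modes can reject.
SELECT ID, post_status, post_date, post_date_gmt,
       TIMESTAMPDIFF(MINUTE, post_date_gmt, post_date) AS offset_minutes
FROM wp_posts
WHERE post_date_gmt >= '1000-01-01 00:00:00'
  AND TIMESTAMPDIFF(MINUTE, post_date_gmt, post_date) <> 720;

-- 2. Keep the current values so the change can be undone.
--    wp_posts_dates_backup is a hypothetical name chosen for this example.
CREATE TABLE wp_posts_dates_backup AS
SELECT ID, post_date, post_modified
FROM wp_posts;

-- 3. Rewrite the local dates from the GMT columns, one column at a time,
--    touching only rows that actually have a GMT value.
UPDATE wp_posts
SET post_date = post_date_gmt + INTERVAL 12 HOUR
WHERE post_date_gmt >= '1000-01-01 00:00:00';

UPDATE wp_posts
SET post_modified = post_modified_gmt + INTERVAL 12 HOUR
WHERE post_modified_gmt >= '1000-01-01 00:00:00';

-- 4. Re-run the preview query from step 1; it should now return no rows.
```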

It was Fiji Day?

October 11

I didn’t even realize it was Fiji Day, I didn’t know it was a public holiday for that matter.

Fiji Day isn’t a huge affair in Fiji like it is in the US. You’d know it was Fiji day if you were a Fijian in the US. Biggest get together of the year. Fijians flying around the country to get to a Fiji Day Celebration. There are so many different celebrations going on now though you don’t know which one to go to. Kind of dilutes the whole notion of Fiji Day, would be nice if every Fijian were able to meet in one location.

Good thing we didn’t go out last night. Had a cold and that would have been worse if mixed with Fiji Bitter.

Wow, it has been 2 weeks since I last updated this blog - baahm - there you go, updated!


Security of Fiji’s Major Company Websites

September 25

Taking a look at the largest websites on the com.fj domain (Fiji domains) I was surprised that 8 out of the 11 websites I looked at had security flaws that can be detected in about 10 seconds (literally) with just a browser.

These websites were Vodafone, Connect, Fiji White Pages, AFL, Fiji Sun, Air Fiji, Fiji TV, Fiji Times among others.

Those that don’t have apparent security flaws:
Airports Fiji Limited
Air Fiji
Fiji Times


Those that have apparent security flaws:

Telecom Fiji Limited
Vulnerability: XSS, XSRF
Severity: Low
Note: No user accounts to exploit

Vodafone
Vulnerability: XSS, XSRF
Severity: Critical
Note: User accounts are affected. An attacker can log in as another user with their privileges

Connect
Vulnerability: XSS, XSRF
Severity: Critical
Note: User accounts are affected. An attacker can log in as another user with their privileges

Fiji White Pages
Vulnerability: XSS
Severity: Low
Note: There are no user accounts so users are not affected

Fiji Yellow Pages
Vulnerability: XSS, Blind SQL Injection
Severity: Medium
Note: There are no user accounts so users are not affected. However, the whole database is vulnerable to reading.

Fiji Sun
Vulnerability: XSS
Severity: Low
Note: There are no user accounts so users are not affected. Attack requires social engineering.

Fiji TV
Vulnerability: XSS, XSRF, SQL Injection
Severity: Critical
Note: User accounts are affected. An attacker can log in as another user with their privileges. Direct SQL injection can retrieve all user details and possibly administrative access to the website.

South Pacific Stock Exchange
Vulnerability: Blind SQL Injection
Severity: Critical
Note: Blind SQL injection can blind read the database, and possibly gain administrative privileges.

Now this is quite disturbing. I only tested two basic exploits, XSS and SQL Injection. The XSRF vulnerabilities are implied when XSS is present and user accounts are present on the same domain.

No need to panic, estimates claim that around 70% of the websites on the internet are vulnerable to XSS. What amazes me however, is that these are large corporate websites, their web developers should know better.

Disclaimer: I am not disclosing any details on the vulnerabilities found on the mentioned websites except the fact that they exist. You’ll have to take my word on it.

Update: As requested by JJ, here’s a look at the FVB website:

FVB
Vulnerability: XSS, Blind SQL Injection
Severity: Critical
Note: XSS can be used to log in as another user, possibly gaining administrative privileges. Blind SQL injection can blind read the database, and possibly gain administrative privileges.
