Camer seriously needs to step it up!

How it all started

If you are in a hurry just jump to the next section “Look and Feel” ;-)

Startups and tech companies pop up every day and it is almost impossible to keep up with new names on techcrunch.com, but you seldom see names from Cameroon, where I come from, or Africa for that matter. Once I came across a piece from theguardian.com unveiling a talented youngster from my home country. It was titled “‘I couldn’t even pay for the internet’: the Cameroonian who built jobs site in his bedroom” and depicted Churchill Njanje’s early struggle and perseverance in building a successful business from nothing. Such success stories boost my motivation and give me hope that there must be more similar talents just waiting to be uncovered.

Well, I’m a software developer myself and I have always been thinking of connecting with Cameroonian developers and entrepreneurs and getting fun and useful projects rolling, but it is not that simple, unfortunately. Finding and getting in touch with local talent is tough, and such a challenge, fortunately or unfortunately, shows there is still some great potential in this area.

So I tried the very old-fashioned way of Googling public institutions and ministries, thinking they must have some clues. After browsing a few sites my attention drifted away and I ended up doing an ‘IT audit’, which is precisely the aim of this post. Most sites look outdated, with inconsistent design. A few contained malware, some were down for a few days and a handful were painfully slow. I thought of doing an in-depth investigation, but when I started seeing more and more sites being hacked, I abruptly decided to share a few of my findings. The full list of sites I looked into is given at the end of this post.

Initially, I thought of emailing each webmaster and hoping they would respond and get their sites cleaned up. But knowing that “Le Cameroun c’est le Cameroun”, I do not think much would happen, at least not anytime soon. Also, some of these sites did not have an obvious email contact.

Cutting to the chase, this is what I found.

Look and feel

The first impression, often visual, is very decisive and indicates to a great extent how long one stays on a particular site. I got surprised, not at first but later on, by the inconsistency across sites. Several themes emerged, from blue-ish on a white background to soaking green or red backgrounds. Overall, I thought MINSANTE (Ministry of Public Health) had a very modern and refreshing design. I thought MINRESI (Ministry of Scientific Research and Innovation) had a pretty light and enjoyable design as well, but it took time to load pictures, and I noticed the reason was that the thumbnails used the original full-size pictures. Why would anyone use a 4608x3456-pixel picture for a 270x202 thumbnail? That is plain and simple laziness but unfortunately very common, even on the PRC (Presidency of the Republic of Cameroon) site.

Copyrights

Most sites showed outdated copyright notices and I wondered how to interpret that. Sloppiness, indifference, or just that these sites have been forgotten and are not being actively maintained? Below are just a few copyright examples:

MINEPIA (Ministry of Livestock, Fisheries and Animal Industries): “Copyright Minepia 2012”

MINEP (Ministry of Environment, Natural Protection and Sustainability): “MINEP Copyright ©2009”

MINHDU (Ministry of Housing and Urban Development): “2010valid xhtml valid css”

MINPOSTEL (Ministry of Post and Telecommunication): “Copyright © 2012 Minpostel.- Tous droits reservés.”

And the list goes on and on.

Dominance of Joomla and Wordpress

I have nothing against popular CMS and blog frameworks, especially for those of us whose sole intention is to get some content out, and fast. I would expect governmental websites, on the contrary, to spend a little more time building their sites and putting in some serious content and structure. You would expect to see very customized services… I was surprised that almost 52% (14 in total) of the sites were built on Joomla, three were based on WordPress, two on CMS Made Simple and a few others on SPIP, Drupal…

Figure: CMS framework usage distribution

Connection Speed

When it comes to loading speed, a few sites were quite fast, most were quite slow and MINFOPRA (Ministry of Public Service and Administrative Reform) was painfully slow. It took a few seconds just to load an almost empty homepage. I have to admit I should have done more thorough speed tests, but it would have taken too much time. I am leaving this for a follow-up session or other enthusiastic readers. Besides packet speed, one of the common mistakes, already mentioned, is loading massive pictures instead of thumbnails.

Responsiveness

Responsiveness might not mean much in Cameroon given that mobile broadband connectivity is not pervasive, but it’s still extremely important given the current rapid growth in mobile penetration. I’m thinking, if you have a poor connection on your mobile device you actually need better responsiveness to keep your data quota down… think about that for a second ;-)

Only 6 out of 28 were responsive so there is some ‘bootstrapping’ work to be done here.

Security and Vulnerabilities

Man-in-the-middle attack and https

Using secure HTTP (https) does not automatically make your site secure, but it is certainly the minimum, and most recommended, way to avoid man-in-the-middle attacks (further reading: “95% of HTTPS servers vulnerable to trivial MITM attacks”). I believe having static content over http is probably fine, but as soon as a login or the exchange of sensitive information (credentials, user info…) is involved, http is very weak and vulnerable.

Of the 28 sites I checked, only 3 were using https (PRC, eRegulations and MINPOSTEL) and the others (around 90%) were not (even though most of them had admin pages and email services).
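The https check above can be made repeatable. Below is an added example (not code from the original post) that classifies a site’s HTTPS posture from two probes: plain http:// (does it redirect to https?) and https:// (does it answer, and does it send Strict-Transport-Security?). The posture names and the Probe record are my own; the hosts in the main block come from the post’s site list.

```python
"""Added example (not from the original post): classify a site's HTTPS posture
from two probes: plain http:// (does it redirect to https?) and https://
(does it answer, and does it send Strict-Transport-Security?)."""
import http.client
import ssl
from dataclasses import dataclass
from typing import Optional

@dataclass
class Probe:
    https_ok: bool                # TLS handshake and HTTP answer on port 443
    http_status: Optional[int]    # status of the plain-http request, None if unreachable
    http_location: Optional[str]  # Location header of that plain-http answer
    hsts: bool                    # Strict-Transport-Security seen on the https answer

def classify(host: str, p: Probe) -> str:
    """Pure function over captured probes, so it also runs on constructed data.
    Returns https-enforced, https-redirect, https-optional, http-only or unreachable."""
    if not p.https_ok:
        return "unreachable" if p.http_status is None else "http-only"
    target = (p.http_location or "").lower()
    redirected = (p.http_status in (301, 302, 307, 308)
                  and target.startswith("https://" + host.lower()))
    if redirected:
        return "https-enforced" if p.hsts else "https-redirect"
    return "https-optional"  # https works, but http still serves the pages unprotected

def probe(host: str, timeout: float = 5.0) -> Probe:
    """Live probe of one host (standard library only); not used by the offline test."""
    https_ok, hsts = False, False
    try:
        c = http.client.HTTPSConnection(host, timeout=timeout,
                                        context=ssl.create_default_context())
        c.request("HEAD", "/")
        r = c.getresponse()
        https_ok, hsts = True, r.getheader("Strict-Transport-Security") is not None
    except (OSError, http.client.HTTPException):
        pass
    status, location = None, None
    try:
        c = http.client.HTTPConnection(host, timeout=timeout)
        c.request("HEAD", "/")
        r = c.getresponse()
        status, location = r.status, r.getheader("Location")
    except (OSError, http.client.HTTPException):
        pass
    return Probe(https_ok, status, location, hsts)

if __name__ == "__main__":  # hosts taken from the post's own list
    for h in ("www.prc.cm", "www.minpostel.gov.cm"):
        print(h, classify(h, probe(h)))
```

A site that answers on https but never redirects from http still leaves its login and admin pages exposed to the man-in-the-middle described above, which is why “https-optional” is reported separately from “https-enforced”.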

Compromised

It is heartbreaking to find state-owned websites abandoned and basically left to (low-level) hackers to play with. At the time of writing this post, impm-cm.org was hacked, and even Chrome would show the “site ahead contains malware” warning (referring to cpm.36obuy.org…); from the HTML source it appears some JavaScript file was even replaced, making your browser ping 36obuy.org non-stop.

DIPLOCAM (Ministry of External Relations) got me thinking… who the hell is maintaining this site? It is our “Ministry of External Relations” and the homepage has meta tags (keywords and description) full of “fake Rolex”, “replica watches”… Every page has a footer showing “Ministère des Repliques Extérieures” (very ironic indeed) and pointing to an obviously shady website.

I thought I’d seen it all, but MINESUP (Ministry of Higher Education) was something else. Even though it wasn’t visually noticeable, it was all clear from the source HTML. There was completely offensive and out-of-place content (which I won’t cite here)… pointing to another very dodgy site. I believe it’s been pwned too.
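The three compromises above share a pattern that is easy to check for in page source: spam terms in meta tags, a script loaded from a host that is not the ministry’s own, and footer links to an unrelated domain. The scanner below is an added example (not from the original post) that reports those indicators; SAMPLE_HTML and the .invalid hosts are constructed for the example, and SPAM_TERMS is a tiny starter list, not a complete one.

```python
"""Added example (not from the original post): flag the kinds of injected content
the audit found -- spam terms in meta tags, scripts loaded from foreign hosts and
footer links to unrelated domains -- in a page's HTML.  SAMPLE_HTML and the
.invalid hosts are constructed for this example; SPAM_TERMS is a tiny starter list."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SPAM_TERMS = ("replica", "rolex", "fake", "cheap")

class IndicatorParser(HTMLParser):
    def __init__(self, own_host: str):
        super().__init__()
        self.own_host = own_host.lower()
        self.external_scripts, self.external_links, self.spam_meta = [], [], []

    def _foreign(self, url: str) -> bool:
        """True for absolute URLs whose host is neither own_host nor a subdomain of it."""
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.own_host and not host.endswith("." + self.own_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and self._foreign(a.get("src", "")):
            self.external_scripts.append(a["src"])      # e.g. a replaced JS file phoning home
        elif tag == "a" and self._foreign(a.get("href", "")):
            self.external_links.append(a["href"])       # e.g. an injected footer link
        elif tag == "meta" and a.get("name", "").lower() in ("keywords", "description"):
            hits = [t for t in SPAM_TERMS if t in a.get("content", "").lower()]
            if hits:
                self.spam_meta.append((a["name"].lower(), hits))

def scan(html: str, own_host: str) -> dict:
    """Run the parser over one page and return the three indicator lists."""
    p = IndicatorParser(own_host)
    p.feed(html)
    p.close()
    return {"external_scripts": p.external_scripts,
            "external_links": p.external_links,
            "spam_meta": p.spam_meta}

SAMPLE_HTML = """<html><head>
<meta name="keywords" content="ministère, relations extérieures, replica watches, fake rolex">
<script src="/media/system/js/core.js"></script>
<script src="https://cdn.example-spam.invalid/track.js"></script>
</head><body>
<a href="/en/contact">Contact</a>
<footer>Ministère des Repliques Extérieures - <a href="http://watches.example-spam.invalid/">link</a></footer>
</body></html>"""

if __name__ == "__main__":
    print(scan(SAMPLE_HTML, "diplocam.cm"))
```

Legitimate sites do load scripts from CDNs, so the external-script list is a review queue rather than a verdict; a webmaster who knows the site’s intended dependencies can spot a replaced file in seconds.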

Joomla honeypots

Again, I have nothing against Joomla or WordPress… but their ease of use ultimately comes with some sacrifices and potential vulnerabilities webmasters must be aware of. Generally speaking, most vulnerabilities come from outdated software and/or plugins. A quick way of detecting such vulnerabilities is to use well-known scanning tools targeting the respective frameworks, e.g. Joomlascan for Joomla-based sites.

Checking the Joomla-based sites from our list revealed some gruesome truths and confirmed our initial findings. The tool detected 35 vulnerabilities on the MINESUP site alone, many other sites had around 5 vulnerabilities, and the only one without any vulnerability was MINPOSTEL (which used https… remember?).

Content and Misc

Mediocre Search

I’m a search enthusiast and have used Solr for years and ElasticSearch more recently (and more frequently). I therefore usually start auditing by checking the quality of search results. Most of the sites I checked had an “OK” search functionality, most likely built into their respective frameworks. However, most didn’t provide full-text search of the (scanned) PDF documents offered for download. Usually only their metadata was indexed (e.g. title…).

For example, MINCOMMERCE (Ministry of Trade) clearly had the terms “subsistence” and “stakeholders” in one of its documents, but searching for those terms (together) yielded no result. Searching for “métrologie scientifique” yielded no result even though both terms exist on this page.

MINCOMMERCE, just like most other Joomla-based sites I checked, had similar issues and also had a restriction of 3 to 20 letters in the search window (ref: Increasing the Search Limit in Joomla to More than 20 Characters).

Not to be biased towards Joomla, I checked a few other sites, including PRC, where I searched for “Agenda 2030 pour le développement durable”, which appears on this page, but got no hit. Searching for “MACKY SAM Auguste Francis” on MINSANTE (Ministry of Public Health, a Drupal-based site) yielded no result, while this name appeared in a nomination paper from the same site. The list goes on…

Misc

DNS and IP

One expected consistency observed across sites was the use of the “.cm” domain. MINCULTURE (Ministry of Arts and Culture) was the only site that used a .com domain name and a foreign IP address (registered in the US). The other exceptions were eRegulations and CBF (Cameroon Business Forum) with .gov, which I believe is all fine?

Maintainers

I mean, who is in charge of maintaining all these websites, right? One doesn’t just dump a server out in the great wild cloud and hope for the best. System and security patches have to be installed. Vulnerable plugins have to be updated… Such work would be easier and more efficient if done by a common set of people. You would, naively, think the Cameroonian government hires the same firm(s) for building and maintaining its sites… wrong!

Many sites didn’t even have contact information (e.g. MINT, Ministry of Transport). Some had an in-house team, like MINESEC (Ministry of Secondary Education) or MINHDU, and others hired third parties, like MINCOMMERCE. These guys just don’t talk to each other.

Dead links

HTTP 404 errors become frequent as you start clicking deeper and deeper through the sites. Also, “Page under construction” is quite common and is almost a surrogate for totally empty sites. See for example the page “Camerounais a l’etranger” from DIPLOCAM, which is under construction.

Choosing the English version of the MINT site gave “Forbidden You don’t have permission to access /En/index.php on this server.” (http://www.mint.gov.cm/En/index.php). Some other site, I don’t remember which, gave me “Database connection error (2): Could not connect to MySQL.” for a few days. Let’s call that a temporary failure.

MINESEC basically vomited a poor error message when clicking on the forum link: “The file ‘config.php’ doesn’t exist or is corrupt. Please run install.php to install PunBB first”.

These are not isolated cases but rather common, and they make you quickly lose trust and confidence in a website: “Should I keep reading or come back next month or next year? Can I rely on whatever information I find on this site?”

Summary

Despite the overall mediocre landscape, a few sites performed quite well. PRC used https, had a pretty solid design, and was quite fast and responsive. eRegulations was pretty slick, fast and responsive. MINSANTE and ASSNAT were quite fast and had an above-average look. The lack of responsiveness, however, took them slightly down. A few other sites like MINRESI or MINPROFF had some outstanding features, but some critical elements (such as security vulnerabilities and speed) kept them from rising above the pack.

Recommendations

A very cheap and easy recommendation would be to have one office overseeing the design of all governmental sites, or at least to have some design guidelines (themes, basic security requirements…). A more practical one would be to hire the services of one, preferably, or just a few web design firms for designing, testing and maintaining everything.

Auditing should obviously be done on a regular basis.

That’s plenty of jobs and internships to give local startups and students!

Just to put things in perspective, go ahead and randomly check a few sites from the French government and you will see a consistent theme across them. They have a fairly unified style. Even Gabon’s governmental sites have an extremely consistent design, even at the HTML/JavaScript code level.

PS

Just for knowledge sharing and reproducibility purposes, below is a list of the tools I used to conduct this investigation, including the sites I checked. Note that not all are government sites; I have deliberately included a couple from academia like INC (National Institute of Cartography of Cameroon)…

Here is a Google-Doc of the data I gathered and compiled.

Tools:

Chrome with Developer mode (F12), source code (Ctrl+U), Incognito mode …

Ping.eu for DNS check, ping tests …

Joomlascan for detecting vulnerabilities in Joomla sites

Wappalyzer can be used to detect which framework and technologies are used by a site

Sites I looked into

MINTOUR — Ministry of Tourism — http://www.mintour.gov.cm

PRC — Presidency of the Republic of Cameroon — https://www.prc.cm

SPM — Prime Minister’s Office — http://www.spm.gov.cm

DIPLOCAM — Ministry of External Relations — http://www.diplocam.cm

MINEPAT — Ministry of Economy, Planning and Regional Development — http://www.minepat.gov.cm

MIN-CULTURE — Ministry of Arts and Culture — http://www.minculture-cameroun-gov.com

MINESUP — Ministry of Higher Education — http://www.minesup.gov.cm

MINFOPRA — Ministry of Public Service and Administrative Reform — http://www.minfopra.gov.cm

MINEFOP — Ministry of Employment and Vocational Training — http://www.minefop.gov.cm

MINFOF — Ministry of Forestry and Wildlife — http://www.minfof.cm

MINPOSTEL — Ministry of Post and Telecommunication — http://www.minpostel.gov.cm

CBFCAMEROUN — Cameroon Business Forum — http://www.cbfcameroun.org

MINCOMMERCE — Ministry of Trade — http://www.mincommerce.gov.cm

MINHDU — Ministry of Housing and Urban Development — http://www.minhdu.gov.cm

MINEP — Ministry of Environment, Natural Protection and Sustainability — http://www.minep.gov.cm

MINEPIA — Ministry of Livestock, Fisheries and Animal Industries — http://www.minepia.cm

MINPROFF — Ministry of Women’s Empowerment and the Family — http://www.minproff.cm

MINRESI — Ministry of Scientific Research and Innovation — http://www.minresi.cm

MINSANTE — Ministry of Public Health — http://www.minsante.gov.cm

MINESEC — Ministry of Secondary Education — http://www.minesec.cm

ASSNAT — National Assembly — http://www.assnat.cm

MINT — Ministry of Transportation — http://www.mint.gov.cm

IMPOTS — Directorate General of Taxation — http://www.impots.cm

INC — National Institute of Cartography of Cameroon — http://www.inc-cameroun.cm

EREGULATIONS — enterprise and investment procedures — https://cameroun.eregulations.org

ANRP — National RadioProtection Agency — http://www.anrp.cm

IMPM — Institute of Medical Research and Plant Study? — http://www.impm-cm.org, this link contains malware, click on it at your own risk. I also found the following link, which could be a more recent version of the site: http://impm-cameroun.org (?)

MIPROMALO — Mission de la Promotion des Matériaux Locaux — http://www.mipromalo.cm

MINATD — Ministry of Territorial Administration and Decentralization — http://minatd.cm