
That’s why the hacked federal government software vendor continues to be criticized

After the hacker attack on the previously little-known software company Xplain, sensitive federal data ended up on the dark web. As it turns out, the federal contracts were not only lucrative, but also dangerous.
Ann-Kathrin Amstutz and Florence Vuichard / ch media

The test is for nerds, for tech-savvy people like Jorgo Ananiadis. And so the Pirate Party chairman and IT expert sat down on Wednesday and used a simple standard procedure to analyze the Xplain website, the access portal of the software company that is partly responsible for the fact that mountains of federal data have now ended up on the darknet.

The result was sobering, the grade F clearly unsatisfactory. The testing tool’s well-meaning advice: “Ouch, you need to work on your security situation right away.”

Discovered more flaws

Of course, an insecure website is not evidence of insecure data management. But it is an indication, points out Swiss security expert and consultant Christian Folini. Because the effort needed to bring one's own homepage from an F to the highest grade, A, is manageable. “So it shows a deep sense of security if you don’t.”

But Folini wanted to know more and, based on Ananiadis’s test result, took a closer look at the Xplain universe. In doing so, he encountered several shortcomings: a server Xplain had installed for the Federal Bureau of Police (Fedpol) had not been updated for three years, and the server’s login page made it all too easy for an attacker to obtain the passwords of federal employees.

An unsafe website is an alarm signal for Pirate Party chairman Ananiadis, a call to caution: “After all, I’m not taking my money to a bank with broken windows and a broken door.”

Which orders worth millions were involved?

The federal government, some cantons and the SBB were slightly less selective. They clearly didn’t mind that Xplain is not certified to an information security standard (ISO 27001).

According to the public procurement information platform (Simap), they have issued a total of 20 orders to Xplain for a total amount of more than 30 million francs – with an option for another 21 million.

The main client with five projects is Federal Customs, now called the Federal Office of Customs and Border Security (BASG). The federal police service Fedpol and the Ministry of Defense each have three assignments.

Then there are the orders that are not even on Simap. The BASG placed its first order with Xplain in 2009, worth almost CHF 1.3 million. Because it was not covered by the procurement law, there was no public publication, the customs office says today.

It is unclear whether Fedpol also issued orders without public publication. The police left the relevant questions unanswered.

In 11 of the 20 publicly listed orders, the contracts were awarded privately, i.e. without a prior public tender. According to Simap, Xplain was usually awarded the contract because the software company from Interlaken, Bern, made the “economically most favorable offer” or because it involved “follow-up orders”. It is clear that Xplain supplied or developed the original software here and consequently received the standing order, as the software is their “intellectual property”.

What went wrong

However, the fact that there is intensive cooperation between the federal government and Xplain does not explain how sensitive data such as the addresses of members of the Federal Council can end up on the servers of the IT company.

This question is currently being investigated by the federal government. Due to ongoing proceedings, Xplain is not allowed to comment, as director Andreas Löwinger tells “Switzerland at the weekend”.

Löwinger founded the company Xplain in 2000 together with two business partners, who still form the three-member board of directors with him today. Because of the founders’ past activities and education, it was decided to focus on “homeland security,” he says.

The federal government was a natural clientele. The company applied for federal contracts in public tenders. “We work in a relatively small niche,” explains Löwinger. Nevertheless, in Switzerland there is a double-digit number of companies offering software solutions and services in the “Homeland Security” market.

Xplain is located in a belle époque building in Interlaken, directly on the Aare. In addition to three other locations in Switzerland – in Aarau, Zurich and Lausanne – the company has two more branches in Spain and one in Germany. In total, about 80 people work there.

What Xplain actually offers – and what it doesn’t

Löwinger makes it clear to “Switzerland at the weekend”: “We are not a cybersecurity company.” Although Xplain provides data processing software, it does not provide hosting services. “As a software company, it is our job to develop and offer various specialist applications.”

In other words, Xplain offers “security” and “solutions for the entire field of internal and civil security”, as can be seen on its website. But the company is not a cybersecurity specialist, despite its promise of “end-to-end digitization solutions”. And that is why the company is not certified according to any information security standard, explains Löwinger.

The “Play” hacker group, responsible for the Xplain cyberattack, is not known for targeted attacks. As cybersecurity specialist Tobias Ellenberger recently told CH Media, the group launches large-scale attacks to reach as many victims as possible. The focus is mainly on small to medium-sized companies that do not have a comprehensive security system.

In the meantime, Xplain has improved the security of its homepage, as Ananiadis discovered. Instead of the grade F there is now an A, and you can see that it is being worked on continuously. So the good will seems to be there.

Notification
At the end of March, publisher CH Media, to which this news portal belongs, was also hit by an attack by the cybercriminal group “Play”. Customer data was also stolen from CH Media and published on the dark web. The range of functions of the IT infrastructure has now been largely restored.

Source: Watson

Published by
Ella
