Unsecure server exposed student and exam data of high schools

Jamie McKane · Dec 15, 2020

Unsecure server exposed student and exam data of high schools

A file server hosted by the State Information Technology Agency (SITA) exposed potentially sensitive data relating to high school and higher education exams in South Africa.

MyBroadband was informed about the security problem by a forum member who spotted the details of the server in a Facebook post.

ConfusedR · Dec 15, 2020

This is what you get when you force "30 percenters" into BBBEE jobs...............

Vorastra · Dec 15, 2020

Lo and behold, the sun rises in the East, water is wet, the ANC is corrupt, and a government institution doesn't know what they're doing.

All are constants in the universe.

now05ster · Dec 15, 2020

Well done SITA. You absolute legend.

A non-sarcastic well done to the forumite for the scoop.

NeoAcheron · Dec 15, 2020

"SITA said that the file server’s web interface does not have a Transport Layer Security (TLS) certificate because the whole system would soon be redundant, and a certificate would have incurred an additional cost."

LoL root trusted TLS certificates are free... letsencrypt.org and even if you wanted to, a self signed certificate could have been provided, and shared among the people using it. An untrusted certificate is not ideal, but it's still better than not having one at all. Sensitive information lives on those servers. Plain text passwords are stored... My god they are breaking almost every basic software development rule about security in the proverbial book...

Just shows you how little these morons know about security and tech overall.

Thor · Dec 15, 2020

Clearly not.

“The level of security that protects internal information on the database is adequate,” SITA stated.

Totempole · Dec 15, 2020

Some brute-force software on those .rar archives, and you'll no doubt have the passwords in under 24 hours.

Sapphiron · Dec 15, 2020

Totempole said:
Some brute-force software on those .rar archives, and you'll no doubt have the passwords in under 24 hours.

Yeah, GPU brute force password cracking is scary fast.

Also consider the password used for the intranet, I doubt it will take 24 hours

Herr der Verboten · Dec 15, 2020

Jamie McKane said:
Unsecure server exposed student and exam data of high schools

A file server hosted by the State Information Technology Agency (SITA) exposed potentially sensitive data relating to high school and higher education exams in South Africa.

MyBroadband was informed about the security problem by a forum member who spotted the details of the server in a Facebook post.

When ever I see "SITA" I cringe. God knows how it is to deal with them and their clients.

Totempole · Dec 15, 2020

Sapphiron said:
Yeah, GPU brute force password cracking is scary fast.

Also consider the password used for the intranet, I doubt it will take 24 hours

Yeah, I was being conservative with the 24 hour timeline.

mercurial · Dec 15, 2020

Nemoneiros said:
When ever I see "SITA" I cringe. God knows how it is to deal with them and their clients.

You don't wanna know.

j4ck455 · Dec 15, 2020

I have only one thing to say: there is a silent H in SITA.

RonSwanson · Dec 16, 2020

Breaches are bad, sure, but what a cringe-worthy response from SITA to the questions posed.

Petec · Dec 16, 2020

And wh

NeoAcheron said:
"SITA said that the file server’s web interface does not have a Transport Layer Security (TLS) certificate because the whole system would soon be redundant, and a certificate would have incurred an additional cost."

LoL root trusted TLS certificates are free... letsencrypt.org and even if you wanted to, a self signed certificate could have been provided, and shared among the people using it. An untrusted certificate is not ideal, but it's still better than not having one at all. Sensitive information lives on those servers. Plain text passwords are stored... My god they are breaking almost every basic software development rule about security in the proverbial book...

Just shows you how little these morons know about security and tech ove

NeoAcheron said:
"SITA said that the file server’s web interface does not have a Transport Layer Security (TLS) certificate because the whole system would soon be redundant, and a certificate would have incurred an additional cost."

LoL root trusted TLS certificates are free... letsencrypt.org and even if you wanted to, a self signed certificate could have been provided, and shared among the people using it. An untrusted certificate is not ideal, but it's still better than not having one at all. Sensitive information lives on those servers. Plain text passwords are stored... My god they are breaking almost every basic software development rule about security in the proverbial book...

Just shows you how little these morons know about security and tech overall.

And what is even more frightening is that these muppets probably know more about tech than the communications dept, that is busy roughshodding laws that will let them control the SA internet and squish internet freedom.

mercurial · Dec 16, 2020

RonSwanson said:
Breaches are bad, sure, but what a cringe-worthy response from SITA to the questions posed.

Apparently beaches are also bad.

elf_lord_ZC5 · Dec 17, 2020

Just another day in Africa ...

DailyTech · Dec 20, 2020

will it help though

DailyTech · Dec 20, 2020

Unsecure server exposed student and exam data of high schools

Jamie McKane

MyBroadband Journalist

ConfusedR

Expert Member

Vorastra

Honorary Master

now05ster

Expert Member

NeoAcheron

Well-Known Member

Thor

Honorary Master

Totempole

Expert Member

Sapphiron

Expert Member

Herr der Verboten

Honorary Master

Totempole

Expert Member

mercurial

MyBB Legend

j4ck455

Executive Member

RonSwanson

Honorary Master

Petec

Expert Member

mercurial

MyBB Legend

elf_lord_ZC5

Honorary Master

DailyTech

Senior Member

DailyTech

Senior Member