A file server hosted by the State Information Technology Agency (SITA) exposed potentially sensitive data relating to high school and higher education exams in South Africa.
MyBroadband was informed about the security problem by a forum member who spotted the details of the server in a Facebook post.
The Facebook post was informing school administrators and educators about a new version of the Education Management Information Systems (EMIS) software.
EMIS is a function and unit in the Department of Basic Education (DBE).
According to MyBroadband’s source, the Facebook post provided a link to the SITA file server’s web interface, along with login credentials. The username and password were simply “intranet”.
The web interface showed a list of files available for download even without being logged in.
Visiting the website revealed that the server contained many potentially sensitive files relating to the National Senior Certificate and Community Education and Training exams.
These files included software apparently used for capturing marks and other records, files that included the personal information of students, and database backups.
The server also housed various manuals, including ones with information on how the DBE’s systems for re-marking exams work.
According to the source, at least some of the database backups found on the server contained passwords that were stored in plain text.
At the time of publication, the server was no longer accessible from the Internet.
MyBroadband asked the DBE and SITA for comment on the file server.
Is this site meant to be available from the public Internet?
SITA said that the purpose of the server was to provide a file-sharing platform for provincial education departments.
“The site is generally used to share large files,” SITA explained.
“The site was made accessible on the open network, for this data access.”
While the server was initially intended for internal government use, SITA said that it was made available on the Internet to host files or documents for external use outside of the department.
“A new and separate username and password were created that allowed limited access to view the files, for external use,” SITA stated.
The username and password were shared with users who required this functionality.
“Please note that a second level of security for data privacy protects and secures internal files. It includes a twofold password protection system, whilst additional data protection measures are added at file level to each internal file,” said SITA.
“The database backups are encrypted.”
It should be noted that MyBroadband’s source stated they were able to restore at least one of the database backups on the SITA file server and found that it contained passwords stored in plain text.
Some of the backups on the server were password-protected. It is not known how difficult it might be to guess the passwords of these database backups.
Why does the site not have a TLS certificate?
SITA said that the file server’s web interface does not have a Transport Layer Security (TLS) certificate because the whole system would soon be redundant, and a certificate would have incurred an additional cost.
“The level of security that protects internal information on the database is adequate,” SITA stated.
TLS encrypts traffic flowing between your web browser and the server, and the server's TLS certificate is what lets the browser verify that it is talking to the genuine site. A valid certificate is shown as a lock icon in your browser's URL bar; without one, credentials such as the shared intranet password travel over the network in the clear.
SITA said that this specific insecure server would have soon been decommissioned anyway, as it had developed a new file-sharing solution that was being put in place.
An interim file-sharing system has been developed for the DBE and is currently being implemented in the national and provincial education departments, SITA stated.
Why does this site use such a weak username/password combination?
SITA explained that the reason the server used such weak login credentials was to make it as accessible as possible to the users who needed to use it.
“Only the files intended for external use were accessible using the simple password,” SITA said.
It reiterated that the intranet/intranet username and password only allowed access to specific files cleared for external use.
Was this site perhaps a vector used by the individual(s) who leaked the matric maths exam this year?
“This is in no way linked to examination question papers,” SITA told MyBroadband.
The agency said that it does not have access to the server that deals with matric examination question papers.