PETALING JAYA: The Education Ministry's online school examination analysis system, Sistem Analisis Peperiksaan Sekolah (SAPS), sapsnkra.moe.gov.my/ibubapa2/index.php), has been taken down.

The Star received an anonymous e-mail claiming that the site, introduced in July 2011 to centralise examination results from all states, is vulnerable to an attack called SQL Injection.

This technique, according to the tip-off, allows an attacker to retrieve student data stored on the site, covering approximately 10,000 national primary schools and secondary schools.

The e-mail alleged that 4.9 million student details, along with their parents' MyKad numbers, could be compromised. The e-mail also carried a large attachment containing multiple text files with what looked like student records.

The anonymous sender claimed to have reached out to the ministry.

Cyber security responsive services senior vice president for CyberSecurity Malaysia, Dr Aswami Ariffin, said this exploit is simple to take advantage of since the connection to the site is unsecure.

"So to mitigate, the system owner must reconfigure the system with a secure connection. This setup is compulsory especially when it involves database at the backend," he said.

However, he said, while CyberSecurity Malaysia is a trusted government agency that would be able to assist in securing government websites, it is up to the system owner to engage its services.

"It is advisable for the system owner to conduct a web penetration test so that the security weaknesses could be uncovered and reconfigured," he said.

The e-mail also claimed that the site suffered from other problems, including passwords being stored in plain text, adding that most users used simple passwords such as 1234567.

"Any website today should go through vulnerability assessment prior to launch. No new website will be vulnerable to SQL injection attack if vulnerability assessment and fixes are done properly," said IT security services company LGMS founder CF Fong.

He claimed that government websites are prone to attacks because the necessary security measures are usually not taken.

"Common issues we had in the previous administration was that security assessments were not done, or were outsourced to unqualified vendors," said Fong.

The SAPS aims to measure students' academic performance and enable better administration.

Teachers are required to key in students' examination and test results into this database, allowing parents to have real-time access to their children's academic results.

https://www.thestar.com.my/news/nation/2018...nalysis-system/

pakar it mali explain sql injection

cikai website maintained by cikai admin

satu lagi projek kerajaan barisan nasional


SAY IT PROUDLY

This post has been edited by DValentine: Jun 9 2018, 04:36 PM

Hire amateurs to set up websites sure use simple passwords or settings.

Wawasan 2020

Berapa Kali Kali Kali subcon sampai budak rempit jaga site

Hidup BN

tl;dr getting database records without the need of proper access by inserting commands into unsecured/unprotected text fields or address bar.

This post has been edited by ZerOne01: Jun 9 2018, 04:46 PM

username: admin
password: admin

die lah breach here breach there no more secret liao. soon we will find out how sadsoul really look like

Too hard. It's actually....

username: BN
password: 123

WTF something as basic as SQL injection also not covered ah....

Like can build a house but tak pasang pintu.

hope lowyat got breach so we know whose dupe belong to who.

This is bad.

LOL not even simple encryption for password

thats what happen when money kene songlap kerja bagi intern buat

Why don't have server side validation and encryption of password. No strong password enforcement when user register? Who actually got the contract? Is this open tender?

SCREAM IT

SATU LAGI PROJEK KERAJAAN BARISAN NASIONAL

repeat 3 times

Songlap!
Jgn x songlap!
Dulu, kini and..... Oh wait!.

lol u know they subcon like crazy and the work is being done by freshie right?

They're not even doing this secretly.

So will be responsible when rich fag kids kena kidnap because of all the information?

im surprised nobody sue any of them using PDPA... quick cash yo