PETALING JAYA: The Education Ministry's online school examination analysis system, Sistem Analisis Peperiksaan Sekolah (SAPS), sapsnkra.moe.gov.my/ibubapa2/index.php), has been taken down.

The Star received an anonymous e-mail claiming that the site, introduced in July 2011 to centralise examination results from all states, is vulnerable to an attack called SQL Injection.

This technique, according to the tip-off, allows an attacker to retrieve student data stored on the site, covering approximately 10,000 national primary schools and secondary schools.

The e-mail alleged that 4.9 million student details, along with their parents' MyKad numbers, could be compromised. The e-mail also carried a large attachment containing multiple text files with what looked like student records.

The anonymous sender claimed to have reached out to the ministry.

Cyber security responsive services senior vice president for CyberSecurity Malaysia, Dr Aswami Ariffin, said this exploit is simple to take advantage of since the connection to the site is unsecure.

"So to mitigate, the system owner must reconfigure the system with a secure connection. This setup is compulsory especially when it involves database at the backend," he said.

However, he said, while CyberSecurity Malaysia is a trusted government agency that would be able to assist in securing government websites, it is up to the system owner to engage its services.

"It is advisable for the system owner to conduct a web penetration test so that the security weaknesses could be uncovered and reconfigured," he said.

The e-mail also claimed that the site suffered from other problems, including passwords being stored in plain text, adding that most users used simple passwords such as 1234567.

"Any website today should go through vulnerability assessment prior to launch. No new website will be vulnerable to SQL injection attack if vulnerability assessment and fixes are done properly," said IT security services company LGMS founder CF Fong.

He claimed that government websites are prone to attacks because the necessary security measures are usually not taken.

"Common issues we had in the previous administration was that security assessments were not done, or were outsourced to unqualified vendors," said Fong.

The SAPS aims to measure students' academic performance and enable better administration.

Teachers are required to key in students' examination and test results into this database, allowing parents to have real-time access to their children's academic results.

https://www.thestar.com.my/news/nation/2018...nalysis-system/

pakar it mali explain sql injection

cikai website maintained by cikai admin

satu lagi projek kerajaan barisan nasional


SAY IT PROUDLY

This post has been edited by DValentine: Jun 9 2018, 04:36 PM

Hire amateurs to set up websites sure use simple passwords or settings.

Wawasan 2020

Berapa Kali Kali Kali subcon sampai budak rempit jaga site

Hidup BN

tl;dr getting database records without the need of proper access by inserting commands into unsecured/unprotected text fields or address bar.

This post has been edited by ZerOne01: Jun 9 2018, 04:46 PM

username: admin
password: admin

die lah breach here breach there no more secret liao. soon we will find out how sadsoul really look like

Too hard. It's actually....

username: BN
password: 123

WTF something as basic as SQL injection also not covered ah....

Like can build a house but tak pasang pintu.

hope lowyat got breach so we know whose dupe belong to who.

This is bad.

LOL not even simple encryption for password

thats what happen when money kene songlap kerja bagi intern buat

Why don't have server side validation and encryption of password. No strong password enforcement when user register? Who actually got the contract? Is this open tender?

SCREAM IT

SATU LAGI PROJEK KERAJAAN BARISAN NASIONAL

repeat 3 times

Songlap!
Jgn x songlap!
Dulu, kini and..... Oh wait!.

lol u know they subcon like crazy and the work is being done by freshie right?

They're not even doing this secretly.

So will be responsible when rich fag kids kena kidnap because of all the information?

im surprised nobody sue any of them using PDPA... quick cash yo

Hmmm...


Attached thumbnail(s)

So many cyber breach yet still got dumbass thinks entry/exit keeping people's fingerprint is a good idea.
This is not murica. Confirm no win.
Or else govt already take action

Salah maszlee?

telco, and then astro, now this. malaysia boleh!

Habisla, my data andy kids data sudah kena. Bodo punya it contractor

sub-sub-subcon to intern. Nuf said.

More HT and scams too.

This post has been edited by Kedekut: Jun 9 2018, 05:55 PM

what dafark
SQL Injection????
bruh

there goes my tax money

Lol still got SQL injection ka nowadays?

Must be .net programmers.

Edited: oh php programmers

This post has been edited by billylks: Jun 9 2018, 06:18 PM

Freshie like me know there is existing libraries to encrypt the password on the server side.
LOL.
So many existing libraries to prevent such things from happening.

cyber security malaysia.. fail something as basic as sql injection. I wouldn't surprise if telco data breached happen to be same cause.

The commoner no need to know the details. It is enough to know that a hacker can manipulate student marks due to this vulnerability. Full stop.

In dot net if use entity framework should prevent against sql injections. I bet the php code is running on and old version pre mysqli and pdo, or tge coder only knows how to use insecure mysql functions

lol its okay just bunch not yet fb legal kids information leaked

SQL injection got nothing to do with username lar.

This xkcd comic explains it perfectly:

Isnt most of gomen websites horrendous with security?

Nothing shocking, even loliyat harum site is safer lol

This post has been edited by olman: Jun 9 2018, 08:00 PM

Kerajaan PH ambil alih terus ada data breach

#BringBackBN

Ok fine, let's blame the Jews. Lol!

This is why, schools should never be allowed to use any online system. You only need a chalk, a pen, a blackboard and books.

DELETE FROM student_loans where STATUS=1












This post has been edited by mafioso: Jun 10 2018, 01:31 AM

dont even have secure connection meh

inb4 sudah bayar berbillion develop website wey

nothing to see

This post has been edited by xperiaVuser: Jun 10 2018, 02:51 AM

i have to put this out here.

my company was involved in a huge exercise in implementing SIEM (google that) in sensitive government agency to circumvent hacks, breeches, compromising third party apps/system/, etc etc. problem was, after dah built the war room and everything - sure can start seeing where were the holes was, mana network components yang tak hardened, the govt it self has no SOP or how-to to fix these holes. the easiest was to tutup the server yg compromised but nobody knows how to fix server without formatting the whole damn thing. itu senang, kalau network yg dah kena hack, jadi watering hole, they damn blur dont know what to do. so every night we can see la, like a bunch of data sampai 1GB keluar from the network to god knows where to god knows who. ada report but they themselves damn blur dont know what to do.

the new govt lagi champion, they suruh take down the SIEM. habis.

belum lagi targeted spoofing attack. but thats a story for another day.

This post has been edited by tareh: Feb 7 2019, 10:47 AM

takpalah

saya rasa ini salah opposition

What SIEM u use? QRadar? Archsight?

don't expect uproar because nobody gives af... that time Malaysian telco user data breached, almost whole population kena... name, IC, address, phone number, all leaked

nobody cared. in developed country, the whole nation will sue the telcos kaw kaw.