Wapad - 3 September 2015


News


Your password is traceable by using your student number

eFundi passwords are not secure

EUGENIE GREGAN

Your eFundi password, and with it a lot of your personal details, can easily be retrieved by attackers who know only your student number. A white hat hacker (a hacker who probes systems to find a flaw and report it) recently exploited a serious security weakness in the NWU student login portal which allows anyone with the right knowledge to gain access to your eFundi password and personal online workspace. The exploit consists of a dictionary attack against any known student number, enabling an attacker to retrieve the password linked to that account.

Justin Weldon, a fourth-year BSc Information and Computer Science student with system security as an honours subject, discovered the weakness when he first noticed how quickly eFundi responds to both valid and invalid passwords. “While pages like Gmail and Facebook will also block you from logging in temporarily after a certain number of invalid attempts, eFundi will allow you to try to log in an unlimited number of times,” Weldon explained.

Upon further investigation, Weldon found that, using penetration testing software within an operating system called Kali Linux, a user can build a brute-force attack from a custom dictionary of over five billion password combinations, which can then be used to attempt to crack the password linked to a student number. “Basically, you can load a bunch of dictionaries onto your system. The software then runs through the dictionary, matching each word and word combination to the student number until the correct match has been found,” Weldon further explained. This is commonly referred to as a trial-and-error method, since the attack keeps running until the correct combination of username and password is identified. The operation can also be repeated, and it runs at an alarming rate of words per minute.

What also makes students’ passwords vulnerable is that the security policy changed earlier this year and now allows passwords to remain set for several months, whereas passwords previously expired monthly. This gives an attacker more time to find a password and infiltrate an account. “People in general don’t like to think out difficult passwords. If your name is Peter, you’re likely to choose something like Peter7. This is a very easy password to crack, because if I have your student number and know your name starts with a P, I’ll programme the application to first run through all the words in the dictionary starting with P,” Weldon said.

When the attack is successful a lot of damage can be done and the attacker can perform various exploits. The attacker can, for instance, log into a student’s account and steal or delete work the student submitted via eFundi. Furthermore, an attacker can log into a lecturer’s email if the lecturer’s username and password are found, as lecturers still make use of GroupWise. This is especially easy because lecturers’ email addresses usually include their usernames. Logging into a lecturer’s eFundi also gives an attacker the ability to alter assignments (e.g. change the submission date), see all submitted assignments and even delete pages. Another concern is that many campus activities are conducted using a student number and password, for instance the recent SRC voting process.

According to Weldon there are a few possible prevention methods available for both students and the NWU (see boxes). Weldon made his findings and information available to NWU-Puk management. “I just feel that if someone with worse intentions comes along, harm could be done rather than good,” he said. Wapad approached Instapdienste with this issue, who referred us to Dawie van der Berg, an employee at the NWU-Puk operations and infrastructure department. At the time of print Van der Berg had not responded to enquiries. eFundi was implemented in 2006 and, according to the official NWU website, has around 8000 users. The system is also used on the Vaaldriehoek and Mafikeng campuses.
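The control the article contrasts eFundi with (Gmail and Facebook stop accepting guesses after a number of failures) is short to implement. The following is an added example, not code from the article, from Weldon or from eFundi: a small login service that stores salted PBKDF2 hashes, answers unknown student numbers and wrong passwords the same way, locks an account for a fixed period after five consecutive failures, and writes an audit line for every decision so the lockouts can be monitored. The limits, the sample student number and passwords, and the injectable clock are assumptions made for this illustration.

```python
"""Added example (not from the Wapad article, Weldon or eFundi): a login
service with per-account lockout, the control the article says eFundi lacked.
Limits, sample student numbers and passwords are assumptions for this demo."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # assumed policy: consecutive failures tolerated before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed policy: lockout duration
PBKDF2_ROUNDS = 100_000     # deliberately slow hash so offline guessing is costly
DUMMY_SALT = b"\x00" * 16   # unknown accounts cost the same time as real ones


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failed attempts since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginService:
    """Accounts are held in memory; `clock` is injectable so lockout expiry can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}   # student number -> Account
        self.audit = []      # one line per decision, what a monitoring team would collect

    def register(self, student_number: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[student_number] = Account(salt, hash_password(password, salt))

    def _log(self, event: str, student_number: str, **fields) -> None:
        extra = " ".join(f"{k}={v}" for k, v in fields.items())
        self.audit.append(f"{self.clock():.0f} {event} user={student_number} {extra}".rstrip())

    def login(self, student_number: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Unknown users and wrong passwords
        both return 'denied', so the response does not confirm which student
        numbers exist."""
        now = self.clock()
        acct = self.accounts.get(student_number)
        if acct is None:
            hash_password(password, DUMMY_SALT)  # keep response time uniform
            self._log("DENIED", student_number, reason="unknown")
            return "denied"
        if now < acct.locked_until:
            self._log("LOCKED", student_number, until=int(acct.locked_until))
            return "locked"
        candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.pw_hash):   # constant-time compare
            acct.failures = 0
            self._log("OK", student_number)
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            self._log("LOCKOUT", student_number, seconds=LOCKOUT_SECONDS)
            return "locked"
        self._log("DENIED", student_number, failures=acct.failures)
        return "denied"


def attempts_until_locked(service: LoginService, student_number: str, guesses) -> int:
    """Count how many guesses the service evaluates before it locks the account.
    For a portal with no lockout, as the article describes, this would be unbounded."""
    evaluated = 0
    for guess in guesses:
        evaluated += 1
        if service.login(student_number, guess) == "locked":
            break
    return evaluated


if __name__ == "__main__":
    svc = LoginService()
    svc.register("12345678", "correct horse battery staple")   # constructed sample account
    wordlist = [f"Peter{i}" for i in range(20)]                # constructed guess list
    print(attempts_until_locked(svc, "12345678", wordlist), "attempts before lockout")
    print("\n".join(svc.audit))
```

The audit lines are the detection side of the same control: a burst of `DENIED` lines followed by `LOCKOUT` for one student number, or `LOCKED` lines continuing after the lockout, is exactly the pattern a monitoring rule should alert on.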

‘Scissor attacker’ shouts at prosecutor in court

RAYNIQUE MEYER

It was a blue Monday for Lerato (Mpati) Phoofolo when he made his voice heard in the Potchefstroom Magistrate’s Court. “Get to the point, there is no justice here, what do you want from me?” Phoofolo shouted. He pointed a finger at Eileen du Preez, the state prosecutor, as he stood up in the dock and shouted this. Family members attending the court proceedings tried to quieten Phoofolo. Du Preez was cross-examining Phoofolo’s sister, Kegomoditswe Paula (Mokatsane) Mthembu. The NWU-Puk student was due to appear in court last Thursday, but owing to a mix-up at the Department of Correctional Services he could only appear again on Monday afternoon. Du Preez charged Phoofolo on behalf of the state with assault with intent to do grievous bodily harm, as well as trespassing and intimidation and failure to comply with his bail conditions. She applied to magistrate Tebogo Mokgatle to refer Phoofolo to a psychiatric hospital for psychological observation, Netwerk24 reports. On the strength of two witnesses’ statements the state argued that he has a behavioural problem.

Jochemus Taljaard of Protection Services, and Rooies Andrianatos, his residence father, confirmed that Phoofolo’s behaviour varies from friendly to uncontrollably aggressive. Taljaard confirmed that Phoofolo still showed this behaviour after he was arrested a second time, Netwerk24 reports. When Taljaard stopped him, for example, after Protection Services had been informed that he was on his way, Phoofolo initially greeted him in a friendly manner by shaking his hand and giving him a hug. He then disappeared and tried to jump over a fence to fetch his belongings from his residence. When he was taken into custody again, however, he was aggressive. The court adjourned briefly and Mokgatle granted the state’s application. Du Preez said their request to send Phoofolo to a psychiatric institution was not meant to punish him but to offer support, because his behaviour had shown marked changes recently. Hendri van Dyk, a fourth-year BCom financial accounting student, was stabbed by Phoofolo last month with a pair of scissors in the upper arm, shoulder blade and hip. Both Phoofolo and Van Dyk are residents of Over-de-Voor men’s residence, where the incident took place. Van Dyk will also testify. Phoofolo will appear in court again on 30 September.

Possible exploits

• Stealing or deleting submitted work.

• Logging into a lecturer’s email, as lecturers still make use of eFundi, so that all communication can be analysed and inspected.

• Causing trouble, such as sending threatening messages, in a way that avoids being traced back to the culprits.

Prevention: Students

• Never create a password related to your identity or personal surroundings. Passwords based on your phone number will be easy to guess, as will passwords beginning with your own name or the names of family members.

• Include non-dictionary words in your passwords; this makes a dictionary attack much harder.

• Include uppercase, lowercase, symbols and numbers combined with the above to create a strong password.

• Despite the longer interval between password changes, users should still change their passwords regularly. This will shut attackers out if they have already compromised your account.

• Never share your password with any site, let alone your eFundi page. Social engineering can be used to determine your eFundi login just from the patterns you use in your passwords (e.g. names, cellphone number).

Prevention: NWU

• Locking accounts for a period of time after a certain number of incorrect login attempts.

• The use of a CAPTCHA.

• Limiting all authentication to the server side, avoiding locally encrypted cookie files and thus eliminating the possible attack of approximately 1400 words per attempt.

• Encrypting server responses, adding an extra layer of prevention.

Screenshot caption: Testing the student number against more than 94000 different combinations of words, as shown by the value “94565”, the number of words currently in the text file.
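The first two points in the students’ box (no passwords built from your name or number, no plain dictionary words) can be enforced when a password is set rather than left to advice. The following is an added example, not code from the article or from eFundi, of such a check: it rejects short passwords, passwords with too few character classes, and passwords that contain the user’s name or student number or consist of a dictionary word padded with a few digits or symbols, which is exactly the “Peter7” case Weldon describes. The minimum length and class count, the tiny word list and the sample users are constructed for the illustration; a real deployment would load a full word list such as the 94565-word file in the screenshot.

```python
"""Added example (not from the Wapad article or eFundi): a password-policy
check for the 'Peter7' weakness, i.e. a name, student number or dictionary
word padded with a few digits or symbols. The word list, limits and sample
users are constructed for the demonstration."""
import re

# Constructed stand-in for a cracking dictionary; a real deployment would load a
# large word list (the article's screenshot shows one of 94565 words).
COMMON_WORDS = {"password", "welcome", "student", "potch", "letmein", "peter", "pukke"}

MIN_LENGTH = 12        # assumed policy
MIN_CLASSES = 3        # assumed policy: of lower, upper, digit, symbol
PAD = r"[\W\d_]{0,6}"  # up to six leading/trailing digits or symbols count as padding


def _normalise(text: str) -> str:
    """Lowercase and keep only letters and digits, so 'Pe-ter' still matches 'peter'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _core(password: str) -> str:
    """Strip the padding people add to a word: 'Peter7!' -> 'peter', '2015welcome' -> 'welcome'."""
    return re.sub(rf"^{PAD}|{PAD}$", "", password.lower())


def weaknesses(password: str, *, names=(), student_number: str = "") -> list:
    """Return the reasons a password is weak for this user; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    norm = _normalise(password)
    for name in names:
        n = _normalise(name)
        if len(n) >= 3 and n in norm:
            problems.append(f"contains personal name '{name}'")
    sn = _normalise(student_number)
    if len(sn) >= 4 and sn in norm:
        problems.append("contains student number")
    core = _core(password)
    if core in COMMON_WORDS:
        problems.append(f"dictionary word '{core}' padded with digits/symbols")
    return problems


def is_acceptable(password: str, **identity) -> bool:
    """Convenience wrapper for a change-password form: True only if no weakness is found."""
    return not weaknesses(password, **identity)


if __name__ == "__main__":
    # Constructed sample user: first name Peter, surname Smith, student number 12345678
    for candidate in ("Peter7", "Smith12345678!", "welcome2015!", "Tr0ub4dor&Bicycle!"):
        print(candidate, "->", weaknesses(candidate, names=["Peter", "Smith"], student_number="12345678") or "ok")
```

The name and student-number checks work on a normalised form of the password, so inserting hyphens or changing case does not get a personal detail past the check; the padding strip is what catches the word-plus-digits habit the article quotes.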

