GCIS Data Breach

GCIS Logo

Introduction

The GCIS is the Government Communication and Information System. It’s not entirely clear from its name what that means.

From their website,

To provide professional services, to set and influence adherence to standards for an effective government communication system, drive coherent government messaging and to proactively communicate with the public about government policies, plans programmes and achievements.

Whatever their mission, one of the roadblocks along the way was being hacked into, apparently as a part of #OpAfrica, one of the newer efforts by those rascals, Anonymous.

Anonymous Logo

Operation Africa is an ongoing effort by several activists within anonymous who have begun collaborating. The focus of the operation is a disassembly of corporations and governments that enable and perpetuate corruption on the African continent. This consists of organizations responsible for child abuse/labour as well as internet censorship within the continent and globally. We are fighting alongside other operations such as OpNigeria and AnonymousSA to help free the continent from the plague of exploitation that has been occurring for centuries.

It had been in the news recently that South African government sites would be targetted, but I doubt anyone actually expected anything this early. I doubt anything would have changed if they did though. A couple of sites hosted by WebAfrica were taken out, but they weren’t associated with the government at all. So that’s not really helpful guys. Neither was the job website really.

Anyways…

#OpAfrica managed to connect to the GCIS database and released a dump of a table containing information such as phone numbers, first names, last names, email addresses, password hashes and a couple of passwords that they’d cracked for the ease of the reader too. They appear to have had access to a couple of other tables, but presumably they weren’t particularly interesting.

How this helped I’m not entirely sure, but it does give us some insight into how one of our government departments manages their IT security. Spoiler: not well.

The dump also include some information on the systems they were running:

Web application technology: Servlet 2.4, JSP, Tomcat 4.2.3., Apache back-end

DBMS: Oracle

The actual passwords were hashed, no salt, with MD5 which is not recommended due to the ease (obviously from the below) of cracking these passwords on modern systems.

Some statistics

Examining just the data that was provided, we find that we already have passwords for 42.7% of the users – that’s 628 passwords. Of these 628 passwords, 27.1% of them contained the word “password”, in one way or another. 2.7% of these passwords were accompanied by an email address, which opens up more potentially compromised systems. All of them have accompanying usernames in any case.

A couple of the passwords contained or were equal to the user’s first name, last name or user name. At this point, the dump is missing 843 passwords, but the existence of passwords containing names implied that we could probably increase that number, so I MD5-hashed the names belonging to the unknown passwords and checked them.

This dropped the number of unknown passwords from 843 to 532, being a total of 939 passwords altogether or 63.8% of the database. 25.2% of the users ended up having passwords that were identical to a first or last name.

We were still missing 532 passwords though, so the remaining ones were put through a hashing database to see what could be pulled out. This brought out another 177 passwords, being 75.9% of the entire database.

Interesting Pieces

All in all, in the collection of 1116 passwords, there were only 549 unique passwords. This included 9 passwords which were only one letter long, and 53.1% of the passwords failed a standard, very basic test (contains at least one number, and a minimum length of 6). 29.8% of the passwords contained the word ‘password’.

The top 10 passwords were:

  1. password1
  2. password01
  3. password02
  4. password2
  5. password123
  6. Admin#11
  7. Education2015
  8. Password123
  9. password03
  10. Password

Not too imaginative, but strangely satisfyingly stereotypical as far as poor passwords go.

Interesting looking usernames from the dump include:

  • Councillor (and Councillor1 and Councillor2)
  • cc_admin
  • ppAdmin
  • Administrator
  • usertest
  • mmAdmin
  • Several @presidency.gov.za and @parliament.gov.za addresses

All in all, not a good day for the department I’d say. Perhaps a nice haveibeenpwned subscription?

To see my write-up on the VReport hack, check here.

Tagged with: , , , ,
Posted in Security
6 comments on “GCIS Data Breach
  1. This is what I posted in “Real World” lulz, Face Book…(I thank you in advance for your publicity)
    **We Are Legion…
    We Do Not Forget and as the relevant Hacktivists start fleXing their muscles and “testing the water” thank goodness the media is only paying lip service (In their own UNeducated way)
    Lulz, he calls Anon Activists “RASCALS” love it, love them (especially the purple ones)…..DUH, the sweets …
    And, lets get real, have a look at the .gov passwords, what a joke, it speeds thingZ up tho, I must admit *insert winking smiley face here*
    ‪#‎sumink‬ that did bug me, but then I chuckled (split second change from bug to chuckle) was Knowles said ” A couple of sites hosted by WebAfrica were taken out, but they weren’t associated with the government at all. So that’s not really helpful guys. Neither was the job website really.”….yoo hoo, hunters “track” their prey, and the .gov “Jobs Site” (apart from corruption) takes advantage of, and manipulates our suffering people (It also educated and will assist) hacktivists as ‪#‎OpAfrica‬ rolls on, as for “WebAfrica” well, private servers are where the juicy stuff is…ask Hillary (BIG lulzzzz)
    Anyway, after months of research and prep, Anon SA is kicking off 2016 (election year) with some eXciting moves and frankly (Mr Shankly, lulz)..sorry…frankly Mr Knowles knows not a lot on how we “kick-IT” and more importantly he does not understand the why…does he really know why specifiX were leaked?
    I think NOT…
    ‪#‎DarkDwellers‬ ‪#‎Saturation‬ ‪#‎Choices‬ ‪#‎WAL‬
    ‪#‎FUCKTHESYSTEM‬
    ‪#‎ANC‬ ‪#‎ANCthieves‬ ‪#‎Zuma‬
    ‪#‎Oapn‬ There are reasons why we do “certain” things, like release data or get publicity is cos (legionnaires live “All over the world…” (ELO tuneZ)) besides, what a lovely way to safely SHARE our say and assist other Anons with key keystrokes and thus eXpose our corrupt and devious ANC led puppet government (with their ‪#‎Corporations‬ and ‪#‎Elitists‬) we warned them to…eXpect us…
    Stay on target, watch your 6
    This is how we will ‪#‎unFUCKtheSYSTEM‬…**…end/
    I am sure you will hear about/from thoZe pesky “Rascals” again soon.
    Thanks………Granville (real world names suck, but they call me ****)

  2. Tycoon says:

    This proves that we either not doing enough as a nation to educate and make people aware of such things or that we are just too ignorant to consider such things. Most people still think that hackers are a myth, and having this mindset will put our country on a miserable state in the next few coming years. I for one believe that a lot still needs to be done. How on Earth do you use such passwords (password1)… I believe there is more coming, Cyber crime is real and its here to prove a point, we need to educate our nation, make them aware and put means of mitigating such from happening.

  3. Ockert says:

    I wonder how the identified passwords could compare to a random sample of passwords for comparable employees world wide? My guess is not too much, unless where data originates with individuals in organisations with a sound password policy that is implemented and enforced.

  4. Tycoon says:

    @Ockert my biggest concern is how on earth do you allow an organization to have such passwords, as far as I am concerned as a Security Admin you need to set a proper password policy for your org ie: Password minimum length of 8 characters, must have special characters and etc.

    A friend of mine used to say “your network is as strong as your weakest link”

Leave a Reply to Granville Mckenzie Cancel reply