Introduction

The GCIS is the Government Communication and Information System. It’s not entirely clear from its name what that means.

From their website,

To provide professional services, to set and influence adherence to standards for an effective government communication system, drive coherent government messaging and to proactively communicate with the public about government policies, plans, programmes and achievements.

Whatever their mission, one of the roadblocks along the way was being hacked into, apparently as a part of #OpAfrica, one of the newer efforts by those rascals, Anonymous.

Operation Africa is an ongoing effort by several activists within Anonymous who have begun collaborating. The focus of the operation is a disassembly of corporations and governments that enable and perpetuate corruption on the African continent. This consists of organizations responsible for child abuse/labour as well as internet censorship within the continent and globally. We are fighting alongside other operations such as OpNigeria and AnonymousSA to help free the continent from the plague of exploitation that has been occurring for centuries.

It had been in the news recently that South African government sites would be targeted, but I doubt anyone actually expected anything this early. I doubt anything would have changed if they had, though. A couple of sites hosted by WebAfrica were taken out, but they weren’t associated with the government at all. So that’s not really helpful, guys. Neither was the job website, really.

Anyways…

#OpAfrica managed to connect to the GCIS database and released a dump of a table containing phone numbers, first names, last names, email addresses, password hashes and a handful of passwords that they’d already cracked, for the reader’s convenience. They appear to have had access to a couple of other tables, but presumably those weren’t particularly interesting.

How this helped I’m not entirely sure, but it does give us some insight into how one of our government departments manages their IT security. Spoiler: not well.

The dump also included some information on the systems they were running:

Web application technology: Servlet 2.4, JSP, Tomcat 4.2.3., Apache
back-end DBMS: Oracle

The passwords themselves were hashed with unsalted MD5, which is not recommended because of how easily such hashes can be cracked on modern systems (as the results below make obvious).
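To make the problem concrete, here is an added example (my own code, not anything from the dump or from GCIS) that shows the two properties of unsalted MD5 that the rest of this post exploits: identical passwords give identical digests, so reuse is visible before any cracking happens, and one precomputed digest-to-plaintext table recovers every user at once. For contrast it also stores the same password with a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count is an assumed value, not a recommendation tied to this site). The usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: two different users who happen to have chosen the same password.
USERS = [("jsmith", "password1"), ("mnaidoo", "password1")]

def md5_hex(password):
    """Unsalted MD5, the scheme the dump shows. Same input always gives the same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def unsalted_collisions(users):
    """Group users by their unsalted digest. Any group larger than one tells whoever
    reads the table that those users share a password, with no cracking needed."""
    groups = {}
    for name, pw in users:
        groups.setdefault(md5_hex(pw), []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}

def lookup_table(wordlist):
    """A precomputed digest -> plaintext table. With no salt, one table built from a
    wordlist can be applied to every row of the dump at once."""
    return {md5_hex(w): w for w in wordlist}

# Assumed iteration count for the example; tune it to the hardware you deploy on.
PBKDF2_ROUNDS = 200_000

def salted_hash(password, salt=None):
    """Salted, iterated hash. A fresh random salt per user means identical passwords
    produce different digests and defeat precomputed tables; the iteration count slows
    down guessing. Returns (salt, digest); both are stored alongside the user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    print("shared digests:", unsalted_collisions(USERS))
    table = lookup_table(["password", "password1", "Password123"])
    for name, pw in USERS:
        print(name, "->", table.get(md5_hex(pw)))
    salt, digest = salted_hash("password1")
    print("salted digests differ per user:", salted_hash("password1")[1] != digest)
    print("verify:", verify_salted("password1", salt, digest))
```

Run it and the two `password1` users collapse into one digest group and are both recovered by a three-word table, while the salted version yields a different digest on every call and still verifies correctly.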

Some statistics

Examining just the data that was provided, we find that we already have passwords for 42.7% of the users – that’s 628 passwords. Of these 628 passwords, 27.1% contained the word “password” in one form or another. 2.7% of these passwords were accompanied by an email address, which opens up more potentially compromised systems if the same credentials were reused. All of them have accompanying usernames in any case.

A couple of the passwords contained, or were identical to, the user’s first name, last name or username. At this point the dump was still missing 843 passwords, but the presence of name-based passwords suggested that more could be recovered, so I MD5-hashed the names belonging to the users with unknown passwords and compared the results against their hashes.

This dropped the number of unknown passwords from 843 to 532, bringing the total known to 939 passwords, or 63.8% of the database. 25.2% of the users ended up having passwords identical to a first or last name.

We were still missing 532 passwords though, so the remaining hashes were put through a hash lookup database to see what could be pulled out. This recovered another 177 passwords, bringing the total to 1116, or 75.9% of the entire database.
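The two recovery steps above (hashing each user’s own names and username, then consulting a lookup table) are easy to reproduce as an audit you can run against your own user table before someone else does. The following is an added example of my own, not code from the post or from GCIS: the rows are a constructed miniature of the dump (plaintexts are listed only so the example can build the hash column), the name-candidate rules are my own assumption about what “contained or were equal to” covers, and a small local reverse table built from the post’s top-ten list stands in for the online hash lookup database.

```python
import hashlib

def md5_hex(s):
    """Unsalted MD5 hex digest, matching the dump's storage format."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()

# Constructed sample dump. The audit functions below only ever see the hash column.
_SAMPLE = [
    # username,   first,     last,      plaintext (used only to build the hash)
    ("tmokoena",  "Thabo",   "Mokoena", "Thabo"),
    ("lvanwyk",   "Lindiwe", "Van Wyk", "vanwyk"),
    ("cc_admin",  "",        "",        "password1"),
    ("sdlamini",  "Sipho",   "Dlamini", "Dlamini2015"),
    ("usertest",  "Test",    "User",    "usertest"),
]
DUMP = [(u, f, l, md5_hex(p)) for u, f, l, p in _SAMPLE]

# Stand-in wordlist: the ten most common passwords reported in the post.
TOP10 = ["password1", "password01", "password02", "password2", "password123",
         "Admin#11", "Education2015", "Password123", "password03", "Password"]

def name_candidates(username, first, last):
    """Guesses derived from the user's own record: names, username, case variants,
    and the surname with spaces removed. Assumed rules, not the post's exact method."""
    base = {username, first, last, last.replace(" ", "")}
    base.discard("")
    out = set()
    for b in base:
        out.update({b, b.lower(), b.capitalize(), b.upper()})
    return out

def recover_from_names(dump):
    """Step 1 of the post: hash each user's own names and compare to the stored hash."""
    found = {}
    for username, first, last, h in dump:
        for cand in name_candidates(username, first, last):
            if md5_hex(cand) == h:
                found[username] = cand
                break
    return found

def recover_from_table(dump, wordlist, already):
    """Step 2 of the post: look the remaining hashes up in a precomputed table.
    Here the table is built locally from a wordlist instead of an online service."""
    table = {md5_hex(w): w for w in wordlist}
    found = {}
    for username, _, _, h in dump:
        if username not in already and h in table:
            found[username] = table[h]
    return found

def audit(dump, wordlist):
    """Run both steps and report what fraction of the table was recovered."""
    by_name = recover_from_names(dump)
    by_table = recover_from_table(dump, wordlist, by_name)
    recovered = len(by_name) + len(by_table)
    return {
        "by_name": by_name,
        "by_table": by_table,
        "unknown": [u for u, _, _, _ in dump if u not in by_name and u not in by_table],
        "recovered_pct": round(100 * recovered / len(dump), 1),
    }

if __name__ == "__main__":
    result = audit(DUMP, TOP10)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample, three of five users fall to their own names or username, one more to the top-ten table, and only the user who appended a year to a surname survives both passes. The same two functions run unchanged over a real table of `(username, first, last, hash)` rows.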

Interesting Pieces

All in all, of the 1116 recovered passwords, only 549 were unique. These included 9 passwords that were a single character long, and 53.1% of the passwords failed a standard, very basic test (contains at least one digit and is at least 6 characters long). 29.8% of the passwords contained the word ‘password’.
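The figures in that paragraph come from a handful of simple checks over the recovered plaintexts. As an added example (my own code, not the post’s), here is the same analysis written out so it can be run over any list of plaintexts, for instance the output of a password audit before the results are reported back to a department. The list of passwords is constructed for the example and is not the real data; the basic test is exactly the one the post describes (at least one digit, minimum length 6).

```python
from collections import Counter

# Constructed plaintexts, not the real dump.
PASSWORDS = ["password1", "password1", "Password123", "a", "Thabo",
             "Admin#11", "Education2015", "x", "q", "summer"]

def passes_basic_test(pw):
    """The post's minimal bar: at least 6 characters and at least one digit."""
    return len(pw) >= 6 and any(c.isdigit() for c in pw)

def contains_word(pw, word="password"):
    """Case-insensitive substring check, so 'Password123' counts as containing 'password'."""
    return word in pw.lower()

def password_stats(passwords, top_n=10):
    """Summarise a list of plaintexts the way the post does."""
    n = len(passwords)
    counts = Counter(passwords)
    failing = sum(1 for p in passwords if not passes_basic_test(p))
    with_word = sum(1 for p in passwords if contains_word(p))
    return {
        "total": n,
        "unique": len(counts),
        "one_char": sum(1 for p in passwords if len(p) == 1),
        "fail_basic_pct": round(100 * failing / n, 1),
        "contains_password_pct": round(100 * with_word / n, 1),
        "top": counts.most_common(top_n),
    }

if __name__ == "__main__":
    for key, value in password_stats(PASSWORDS).items():
        print(f"{key}: {value}")
```

Counting duplicates is only possible because the original storage was unsalted: with a per-user salt, this whole section would have required cracking each hash individually rather than matching digests.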

The top 10 passwords were:

password1

password01

password02

password2

password123

Admin#11

Education2015

Password123

password03

Password

Not too imaginative, but strangely satisfyingly stereotypical as far as poor passwords go.

Interesting looking usernames from the dump include:

Councillor (and Councillor1 and Councillor2)

cc_admin

ppAdmin

Administrator

usertest

mmAdmin

Several @presidency.gov.za and @parliament.gov.za addresses

All in all, not a good day for the department I’d say. Perhaps a nice haveibeenpwned subscription?

To see my write-up on the VReport hack, check here.