PETALING JAYA: The Education Ministry's online school examination analysis system, Sistem Analisis Peperiksaan Sekolah (SAPS), (sapsnkra.moe.gov.my/ibubapa2/index.php), has been taken down.
The Star received an anonymous e-mail claiming that the site, introduced in July 2011 to centralise examination results from all states, is vulnerable to an attack called SQL Injection.
This technique, according to the tip-off, allows an attacker to retrieve student data stored on the site, covering approximately 10,000 national primary schools and secondary schools.
The e-mail alleged that 4.9 million student details, along with their parents' MyKad numbers, could be compromised. The e-mail also carried a large attachment containing multiple text files with what looked like student records.
The anonymous sender claimed to have reached out to the ministry.
Cyber security responsive services senior vice president for CyberSecurity Malaysia, Dr Aswami Ariffin, said this exploit is simple to take advantage of since the connection to the site is unsecure.
"So to mitigate, the system owner must reconfigure the system with a secure connection. This setup is compulsory especially when it involves database at the backend," he said.
However, he said, while CyberSecurity Malaysia is a trusted government agency that would be able to assist in securing government websites, it is up to the system owner to engage its services.
"It is advisable for the system owner to conduct a web penetration test so that the security weaknesses could be uncovered and reconfigured," he said.
The e-mail also claimed that the site suffered from other problems, including passwords being stored in plain text, adding that most users used simple passwords such as 1234567.
"Any website today should go through vulnerability assessment prior to launch. No new website will be vulnerable to SQL injection attack if vulnerability assessment and fixes are done properly," said IT security services company LGMS founder CF Fong.
He claimed that government websites are prone to attacks because the necessary security measures are usually not taken.
"Common issues we had in the previous administration was that security assessments were not done, or were outsourced to unqualified vendors," said Fong.
The SAPS aims to measure students' academic performance and enable better administration.
Teachers are required to key in students' examination and test results into this database, allowing parents to have real-time access to their children's academic results.
Did you find this article insightful?