The Nigerian education sector embraced online solutions to cater for an improved record management system, e-result checker, and eLearning platform. However, this has led to increased vulnerabilities in portals of universities and other higher institutions of learning.
According to Nelson, Silex secure investigators have revealed that the education sector is among the most vulnerable industries in Nigeria because it lags behind in addressing known problems. They warn that intruders could exploit known gaps to alter student records, increase incidences of identity theft, and leverage these vulnerabilities to launch massive attacks that could compromise data and even shut down portals of higher institutions.
The major beneficiaries of such exploit are the students. Some of these students will do all it takes to discover vulnerabilities so they can alter records to suite their personal interests. This is according to Nelson.
According to Nelson, some big questions were raised by students at an undisclosed educational institution. The students approached Nelson with the following question, which he provided answers to.
Can a cyber criminal hack into a University to change my score?
As a cyber investigator who trains computer science student on cyber security in Nigeria, I find it difficult to answer these question: Can you hack into a University to change my score? I keep wondering why every student should be more interested in hacking their school database, rather than researching on how to protect the school portal, but on the second note they deserve to ask same question. Until recently a student phoned me to seek for skill in a certain exploit, when I asked him why do you keep asking the same question every time you call, he said to me he had a bet with the lecturer, he is going to hack in to the university portal.
According to Nelson this is possible; however, the real question is can you do it without being discovered?
Hacking is not a problem if you want to. Changing of score is probably also doable, but it would depend on the procedure of the individual teacher. If you stand the risk of having your teachers scores on a piece of paper, that will be hard to hack. The fact is cheating with scores is just as serious as cheating with your research. If discovered, you are done in that world, you get expelled.
Compared with government, corporate and military portal, relatively few hacks have been directed at university portals. But recently, we expressed growing fear that education sectors are inviting target to activist hackers, criminals. These vulnerabilities may result in possible risks to student records and theft or loss of student information, Nelson commented.
Silex investigators are studying systematic kinds of methods, flaws that earlier opened the way for hackers to penetrate co-operate services networks, government systems and university computers.
In January 2015, Silex investigators disclosed that via a specialised strategy they discovered vulnerabilities in web portals of a number of higher institutions in Nigeria. The allayed fears that students records could easily be compromised by hackers.
There are critical vulnerabilities we identified. And I fear that sooner or later, hackers are going to start exploiting them. It is a looming disaster and I wish all concerned can work towards forestalling attacks on educational portals, Nelson stated.
Cerrt Nigeria launched a cyber security incident response and coordination center to defend against cyber crime in Nigeria. No one knows exactly how many intrusions have occurred, but anecdotes are mounting.
Nelson, declined to name the institutions that these vulnerability studied are subjected to. According to Nelson, it would violate the current research and place the institutions at risk. According to Nelson, web applications are the biggest exposure layer for this vulnerability. However, this can manifest itself via several other services as noted above.
Whats the damage that can be done?
The above just demonstrates creating a file, but an attacker can literally run any command that's conceivable on a bash shell. This could mean modifying the contents of the web server itself, change the website code, deface the website, steal user data from the databases, change permissions on the website, installing back doors etc.
Remember that it will be run in the context of user running the web server. This is generally the http user. Note that there is no elevation of privilege solely with this vulnerability, but it can be used in conjunction with another local vulnerability to escalate privileges to root user. It is not uncommon for attackers to cascade different exploits to gain entry into a system/network.