Guy hacks UZ and allocates accommodation to students, netting US$3000 in the process

Leonard Sengere Avatar

It’s fitting that on the day we are celebrating Computer Security Day we talk about the hacking of UZ. It is reported that one Martin Magomana (36) unlawfully gained access to the University of Zimbabwe (UZ) computer network recently. We are not sure how much access he had and so cannot know the full extent of his activities.

Martin himself is a Zimbabwe National Geospatial and Space Agent and you will remember that they are located there at the UZ premises.

Before proceeding we should note that in Zimbabwe we believe in ‘innocent until proven guilty.’ So Mr Magomana is innocent as of right now. He was arraigned before a magistrate but is out on bail. Cases like this are the ones the Cyber Bill seeks to address as it outlines; appeals process, offences and penalties and regulations.

What happened?

UZ has an online platform where students can apply for accommodation. What the State is alleging is that Martin gained access to the UZ’s computer network and could edit information on that accommodation platform. 

Once he had that access he proceeded to approach students who were seeking accommodation and charged them between US$40 and $60 to secure it. He is said to have done this between October and November 2021. All in all, he allegedly pocketed over US$3000 from the 64 students he offered the service.

How did he gain access?

It was a simple case of ‘human hacking.’ We don’t know yet exactly how he did it but we know that he somehow got the sign in credentials of a UZ employee who had access to that accommodation platform. 

This is the bane of all systems administrators worldwide. You can secure a system as best you can but all that can be undone by the humans you have to trust with sign in credentials.

WhatsApp may be end to end encrypted and all that, but if a user leaves a phone unlocked and I gain access to their messages, it doesn’t matter what 64-bit encryption protocol they use. A chain is only as strong as its weakest link as they say.

So, the best thing to do to secure your systems might actually be to educate your employees. Stuff like; do not write your passwords down, remember to log out when you’re done, make sure no one can see you what you’re typing when you input your password etc.

How did Martin get caught?

One student he had allocated a room to went to the Accommodations Officer to get confirmation that he had indeed been allocated the room. The admissions crew investigated the matter and found that he had been fraudulently allocated the room. That’s when they saw that 63 other students had been allocated accommodation by the same actor.

When applications are received, a panel decides on who gets accommodation and updates the register accordingly, then the system is updated. So they have a record of who they have chosen that is apart from the computer system and so double checking is not that hard. 

It may just be because the account Martin used did not have authority to allocate accommodation that they found this out. Either way, he was caught. We don’t know but Martin probably felt like, ‘mfana ane dzungu’ as the student seeking confirmation exposed the whole deal.

The messages he exchanged with students, soliciting money were then brought to light and he was promptly located and charged. My man had a good paper trail into his whole operation. So it shouldn’t be hard for the prosecution to get the conviction.

In closing

What happened to the UZ could happen to any organisation. Human hacking (social engineering) is much easier than system hacking and so criminals may choose this route more and more. That one employee who still clicks on links telling them they won US$10000 online should be the priority of the IT department. Education, education, education.

For the victims in this story, the lesson is to just stick to official channels when procuring anything. If it can be helped of course. The guy outside a manufacturer’s door selling the same goods inside at a discount, you should be suspicious of.

You can read more on security:

,

20 comments

  1. Hugh Jarse

    Sounds like this individual would feel at home in parliament! His only problem? Someone didn’t get their cut, or what they thought their cut should be!

    1. Leonard Sengere

      He should consider a career in politics. He seems capable. If guilty of course.

  2. Imi Vanhu Musadaro

    You don’t know how he did it, but proceed to say he used social engineering. He could simply just be in cahoots with an accommodations officer. Maybe, he assisted in the development or troubleshooting of the system, there are many possibilities.

    1. Player 456

      I agree

    2. Leonard Sengere

      He wasn’t involved in development/troubleshooting. He also did not collude with the accommodations officer, who was therefore not charged with anything. However, there are many possibilities as you say but they all involve getting the officer’s credentials somehow. How he exactly did this is the mystery.

      1. Imi Vanhu Musadaro

        You can’t be certain they didn’t collude with the officer. A person not being charged is not an indication of innocence, in as much as a person being charged is not a indication of guilt.

        You’ll also be amazed how many unauthorised people get access to system source code and databases when some poor programmer is facing challenges. Given that he may dabble in code, it’s very possible.

        1. Leonard Sengere

          Hahahaha, dude at the end of his wits will approach anyone to help him just so he can keep his job. Doesn’t care who gets access to what as long as he can finish the job. That’s a good point.

          And yes, collusion is always one of those things hard to guard against. If people collude, even the strongest of security can be breached. In this case, while possible it’s unlikely. The ‘hacker’ just straight up logged in using some guy’s credentials. Would the UZ staff member agree to the hacker using his credentials knowing that if it went south he would be implicated? Possible, he may have prepared some defense beforehand but the probability of him risking this is low in my opinion.

  3. Sagitarr

    How many times have you come across people shouting out their passwords or PIN to colleagues. It could be as simple as that, gaining access to Admin profile with full read/write privileges is enough to cause havoc. IMHO the security around this software lacks merit. For one to breach a system and proceed to make 64 additions/amendments without being caught by the system suggests Grade 2 level security for a University-level product.

    1. Leonard Sengere

      You’re right there. Zimbos really don’t get how passwords/PINs should be secret. In terms of the software lacking appropriate security for a Uni product, it’s also hard to argue with that. On this evidence at least, it doesn’t look good.

  4. Captain Jack Sparrow

    Do you still remember the time an Apple employee went into a bar with the prototype for the iphone 4 and lost it , hear in Zimbabwe you just have to wait till a person drinks a few beers he will start telling you all about his life his workplace and if there are a few ladies in the vicinity he will show you a few tricks or two 🤪🤪🤪 Social engineering 101

    1. Anonymous

      😃😃😃

    2. Leonard Sengere

      Hahahaha, you don’t even have to try in Zimbabwe. They socially engineer themselves. Drinks + ladies = company secrets divulged.

      1. Genius Mubvumbi

        😂😂😂😂😂🤣🤣🤣🤣

  5. Obey Mthunzie

    🤪🤪🤪

  6. Godwin

    ……It may just be because the account Martin used did not have authority to allocate accommodation that they found this out…

    if so this means he hacked into a superuser account and granted permissions to another admin account before doing his thing. He might as well have just used the superuser account(which has all priviledges) to do his shenanigans

    1. Leonard Sengere

      The suspense is killing me. I can’t wait to hear him tell how he actually did it. As a Mr Robot fan, I’m hoping for a juicy hacker story but it’s probably as simple as that he found an admin account not logged out from a library computer.

  7. User

    The university stated that there is no accommodation yet there were 64 empty beds and the children were desperate but they did not even consider that. So does that mean 64 empty rooms were reserved for bribery? If not why didn’t they offer accommodation at the first place? Does that mean Martin got the deal alone and left others in the dark which made them to be frustrated and felt like they should have shared the money because it’s obvious he does not work together and he wouldn’t take the risk alone. Does sending the children back home helps? What about the 37 400 they paid ,will they reverse it or they will accommodate other students and get double the amount .So who is better now Martin or the university

    1. User405

      This is how the accommodation allocation works at the UZ, when you get a room, they’ll give you a certain period of time to confirm it by paying and checking in as well. When it passes your room is revoked. This guy ran his operation between October and November when people were still getting accommodation, so it could be full, but there were people who couldn’t confirm the rooms or got evicted from residents halls for certain reasons. No they will not pay back money because the university did not offer them anything and they get blacklisted meaning they will never be able to apply for accommodation. It’s sad but a very good lesson to us atudents that we should always do things the right way.

  8. Miara

    The students don’t deserve such inhumane treatment why are they removing them from the residents…they have nowhere to go ..at least refund their money because the money 37 400 went straight to the University’s account not to Martin .#Justiceforthe1.1students

  9. Raven

    If I was Martin the possibility of hacking into the system are plenty.
    1)Zero day exploit against the university computer system
    2) exploit a computer on the university network with a vulnerability that hasn’t been patched. The simply do lateral movement from the exploited machine to the domain controller
    3) social engineering, simply clone the website and allow the admii to log in on my fake page while I capture the details
    4) SQL injection attack on the website. With main sub domain owned by the University a single instance of SQL vulnerability on any of their sites could allow me have full access to the database giving me credentials, and myb access to updating the accommodation tables.

    Hacking a system is easy

Join Waitlist We will inform you when the product arrives in stock. Please leave your valid email address below.