Hackers Breach 53 Universities and Dump Thousands of Personal Records Online
bits.blogs.nytimes.com

I looked at the Nottingham University leak on Tuesday. The leak actually just contained the database schema and not the contents of the database. But it also contained the URL which could be abused to do an SQL injection. I tried adding an apostrophe to one of the parameters in the URL and an SQL error was returned. That page appears to be down now. One of the tables looked like this:
| courseCode | varchar(25) |
| dob | date |
| email_address | varchar(50) |
| first_name | varchar(25) |
| ID | int(11) |
| last_name | varchar(25) |
| lastupdated | date |
| orgnameID | int(11) |
| orgnameother | varchar(50) |
| student_id | varchar(25) |
Probably not massively useful data. Unless you want to perform a spear phishing attack, pretending that you're the University. Then it would be very useful.

EDIT: This was the Student Union database. I'm not sure how many students it would contain. Maybe a small number? Maybe all of them?
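The apostrophe probe described in the comment above only produces an SQL error when the URL parameter is spliced into the query text. The following is an added example, not code from the leak or from the university: it builds an in-memory SQLite table from the column list quoted above (the rows are constructed), and puts the string-concatenation pattern next to a parameterized query so the two behaviours can be compared on the same input. Table and column names follow the post; the sample rows and the function names are assumptions.

```python
import sqlite3

# Constructed schema, using the column names and types quoted in the comment.
# The rows below are made up for the example.
SCHEMA = """
CREATE TABLE students (
    ID            INTEGER PRIMARY KEY,
    student_id    VARCHAR(25),
    first_name    VARCHAR(25),
    last_name     VARCHAR(25),
    email_address VARCHAR(50),
    dob           DATE,
    courseCode    VARCHAR(25),
    orgnameID     INTEGER,
    orgnameother  VARCHAR(50),
    lastupdated   DATE
);
"""

SAMPLE_ROWS = [
    (1, "s1001", "Ada", "Lovelace", "ada@example.invalid", "1990-12-10", "G400", 1, None, "2012-10-01"),
    (2, "s1002", "Alan", "Turing", "alan@example.invalid", "1991-06-23", "G400", 1, None, "2012-10-01"),
]


def make_db():
    """Create the constructed table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO students VALUES (?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, student_id):
    """The pattern the comment implies: the request parameter is pasted straight
    into the SQL text. A single apostrophe unbalances the quoting and the engine
    raises a syntax error, which is the probe result reported above."""
    sql = f"SELECT first_name, last_name FROM students WHERE student_id = '{student_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, student_id):
    """Hardened form: the value is bound as a parameter, so the apostrophe is
    ordinary data and the query simply matches nothing instead of failing."""
    sql = "SELECT first_name, last_name FROM students WHERE student_id = ?"
    return conn.execute(sql, (student_id,)).fetchall()


def probe(conn, lookup, value):
    """Run one lookup and report ('ok', rows) or ('error', message)."""
    try:
        return ("ok", lookup(conn, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_parameterized)):
        print(name, "s1001  ->", probe(db, fn, "s1001"))
        print(name, "s1001' ->", probe(db, fn, "s1001'"))
```

The error message from the vulnerable path is the signal the commenter saw; a web tier that returns it verbatim also tells the requester which database engine is behind the page. The parameterized path is the fix, and it does not depend on escaping or on filtering apostrophes out of input.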
> If we want change we must be ready for it. The future is technology. Physical school will become obsolete.
Cute. There's an odd, and I would say silly, obsession amongst some tech-obsessed people to claim the soon obsolescence of things like libraries and universities.
It's wonderful the recent huge push and availability of online materials and courses from big universities and others, especially for those who otherwise could not attend a university for whatever reasons, but to dismiss universities as a singular blob shows a certain misunderstanding and appreciation of what they are actually for and for teaching in general.
I'd recommend sitting in on various mentoring services, other student services, practicals and other things and also to read Zen and the Art of Motorcycle Maintenance.
I agree with all that you say, but seriously, that book is the most worthless thing I've ever had the misfortune to try reading.
I spent a summer at one of the universities in this dump. It just looks like WordPress user info - nothing particularly sensitive about the data, and mine wasn't in it.
Edit: Looks like one of the tables has plaintext passwords. If I recall correctly, security practices at this university were horrible - social security numbers could be accessed in plaintext, and resetting a password took only a single security question without email confirmation.
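The plaintext password column mentioned in the edit above is the part of such a dump that travels furthest, because people reuse passwords. As an added example (not code from any of the affected sites), this shows the storage form a defender would replace that column with: a per-user random salt, PBKDF2-HMAC-SHA256 from the standard library, a self-describing record so the parameters can be raised later, and constant-time verification. The iteration count and the record format are assumptions for the example; the sample table is constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this example; the iteration count should be tuned to
# the hardware that will verify logins.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a record of the form 'alg$iterations$salt_hex$digest_hex'.
    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be cracked with one precomputed list."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and compare
    in constant time, so a wrong guess and a right guess take the same time."""
    try:
        alg, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if alg != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed sample of what the comment describes: a users table holding
# the passwords themselves. Two users deliberately share a password.
PLAINTEXT_TABLE = {"alice": "correct horse", "bob": "correct horse"}


def migrate_table(plaintext_table: Dict[str, str]) -> Dict[str, str]:
    """One-off migration: replace every plaintext password with a hashed record.
    After this runs the original values are no longer recoverable from the table."""
    return {user: hash_password(pw) for user, pw in plaintext_table.items()}


if __name__ == "__main__":
    hashed = migrate_table(PLAINTEXT_TABLE)
    for user, record in hashed.items():
        print(user, record[:48] + "...")
    print("alice, right password:", verify_password("correct horse", hashed["alice"]))
    print("alice, wrong password:", verify_password("wrong", hashed["alice"]))
    print("alice and bob share a record:", hashed["alice"] == hashed["bob"])
```

The record carries its own algorithm name and iteration count, so a later migration to a stronger setting can rehash each user on their next successful login without a second flag day.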
My university had similarly bad security practices. Although not accessible as plain text, the social security number was used when you wanted to change personal information.
For example, to reset your university email account you needed the last three digits of the SSN and your date of birth. In my case, the school somehow never got my SSN, so my SSN in this case was just "0". So theoretically, if anyone wanted to change my password they just needed to use "yyyymmdd0" to access it.
Having worked in higher ed for 10 years, some of which was wrestling with data security, it is not at all surprising the vectors that appear here.
We would spend days crafting policy, designing/implementing security at perimeter and core for business systems to prevent these types of leaks.
We believed we were largely successful. Until we realized that some professor had developed a screen scraping application that would spit out CSVs of student enrolment data (including personal data) and ship it to whomever he liked (alumni, student unions etc.). Once certain departments got a hold of the data, others felt obligated to it and a quasi-underground data distribution system was in place.
We tried to explain, coerce and beg. We used HR and unions to effect policy that they helped create to shut down these systems, stop the professor (and his copycats), all to little or no success.
It is no mistake that I left soon after. Such amazing, but ineffectual institutions. It doesn't matter how many of these leaks occur, no accountability means no changes. Might plug these holes, only to have 3 more pop up by the end of the year.
So, I'm at the University of Maryland right now. All three mirrors seem to be down, so I couldn't check if my information was on the list. The article suggests this was done with SQL injection? God, I really hope my university is better than that. Or at least hashes passwords. I'd check if they did, but again, mirrors seem to be down. Sad thing is, I wouldn't be surprised. Despite the 15th best comp sci program in the nation, and ridiculous policies like "change your password to a new unique password with at least 1 number and capital letter every 180 days", OIT seems useless on security. Sigh.
I haven't looked at all the data released, but for the sample I did look at, I didn't see a breach of a university's central records system - they were breaches of things like the university's diving club's phpBB forum.
Fairly mundane as these things go.
There was at least one university where hashed passwords were leaked. I believe it was Michigan, though not sure anymore.
A thought occurs that if any of these universities have computer science or software engineering courses, or even infosec courses, then part of that should include the students examining and/or documenting the universities' own IT systems and how they work. There would be a natural synergy between teaching success and the security and efficiency of the universities' systems.
This doesn't necessarily mean that students would be allowed to alter the software, but they certainly could analyze and audit it, and perhaps provide patches in some cases.
During some of my more high-security classes at school, we had to confine our classroom to a completely different network. While we were given access to and authorization to use and learn certain tools, we could not use them on the university network. This meant that when class was in session, the network administrators would shut down the switch port connecting the room elsewhere, not only cutting us off from the rest of the network but also from the Internet.
The school couldn't assure that all the data going over the wire was protected from these tools, but felt it good practice to teach us. Of course, many students then left the class after the two hours were up and stupidly practiced their newfound skills on the network anyway. After that day, we lost more than a couple students from the class (and possibly the university).
The schools know their systems are insecure. The leadership is comfortable in accepting this risk. I just wish they would make this information public to the students, so they can choose to accept the risk as well.
Some people think that's problematic. They say that you shouldn't use students to replace local industries, because it's bad for local businesses. They might say that you shouldn't use unpaid students to do real work.
And there are problems with letting students have permission to run penetration tests - you have no idea if they're white hat or grey hat or black hat.
C'mon! All the higher education thing is about making students work for their university for the time they're enrolled, in exchange for knowledge and insider's tips (yeah, I can introduce you to xxxx at IBM, ...). I personally don't know of a single PhD who didn't work (hard) for free for his director... until he got his PhD. And even after that, sometimes, if he wants to get into research himself.
I find internal auditing, under strict surveillance, to be a very good idea indeed. This could even lead to some healthy form of competition between universities, not only based on who teaches that Lisp class, or what the professor's/university's name is.
It's not hacking... they just got some useless information...