Monday, October 8, 2012

When universities will take SECURITY seriously?

Hackers Breach 53 Universities and Dump Thousands of Personal Records Online

Hackers published online Monday thousands of personal records from 53 universities, including Harvard, Stanford, Cornell, Princeton, Johns Hopkins, the University of Zurich and other universities around the world. The group of hackers, calling themselves Team GhostShell, claimed responsibility for the attack on Twitter and published some 36,000 e-mail addresses and thousands of names, usernames, passwords, addresses and phone numbers of students, faculty and staff, to the Web site Pastebin.com.

In most cases the data was already publicly available, but in some instances the records included additional sensitive information such as students’ dates of birth and payroll information for university employees. Typically, hackers seek such information because it can be used to steal identities, crack bank accounts or can be sold on the black market.

Universities make ripe targets because they store vast numbers of personal records, often in decentralized servers. The records can be a gold mine because students often have pristine credit reputations and do not monitor their account activity and credit scores as vigilantly as adults. Dozens of universities have been plagued by breaches recently.

Last August alone, the University of Rhode Island warned that students and faculty that their information may have been exposed. And at the University of Arizona, a student discovered a breach after a Google search exposed her personal information — and that of thousands of others at the university. Smaller computer breaches at Queens College and Marquette University were also reported.

In this case, the hackers said they were not motivated by profit but to “raise awareness towards the changes made in today’s education.” In a message accompanying the stolen data, they bemoaned changing education laws in Europe and spikes in tuition fees in the United States. But they also noted that in many cases, the servers they breached had already been compromised. 

“When we got there, we found that a lot of them have malware injected,” the hackers wrote on Pastebin. To breach servers, the hackers used a technique known as an SQL injection, in which they exploit a software vulnerability and enter commands that cause a database to dump its contents.

In the case of some universities, the hackers breached multiple servers. At colleges across the country, some students set up sites that allowed students and faculty to search the leaked data for their information. For instance, at the University of Pennsylvania, Matt Parmett, a junior, created a Web site that made it possible for classmates to search the leaked data by name.

No comments: