Jan 19 2015

On December 31, a self-described teenage hacker from Australia who calls himself “Abdilo” claimed to have hacked into dozens of education entities by exploiting SQLi vulnerabilities. Metropolitan State University acknowledged they were breached, but what is going on with the other educational entities that were allegedly hacked, too?

Abdilo claims that he started attacking .edu sites back in August, and by October had 80 .edu sites compromised. He also claims to have compromised numerous .gov and .mil sites and businesses, but this post is only focusing on the education sector attacks, as we haven’t seen any public disclosure from most of them. Do they even know they were allegedly hacked?

Abdilo claims to have hacked public and private educational entities in the U.S. and elsewhere. His list, below, is edited to only include the .edu entities he claims to have hacked, with his comments:

Here are some of the sites i messed with:
every *.k12 site is vuln to sql injection.
MetroState.edu(I broke into you cause i like 22 jump street, thanks for the 22k ssns)
MSU.edu(no reason)
cam.ac.uk(fuck steven hawkings)
liv.ac.uk(Top school my ass)
stanford.edu(some guy found a sqli in you then i found a better one… fuck you)
yale.edu(so easy)
harvard.edu(was a challenge but they are dumb)
ncsu.edu(thanks for the 6k sqlis digitalganster.com loved it LOL)
arizona.edu(I sqlied you 4 times while obnoxious called you up on the phone to troll you and tell you, then we decided to fuck with you by dumping your database 4 times then asking for booty pix else we release it)
catholic.edu.au(Fuck Catholics? lol I have no reason I just did it for the hell of it)
goodnews.vic.edu.au(Badnews I has all ur records)
goodshepherd.edu.au(Why are all christian schools vuln to sqli besides liberty.edu?)
mercy.vic.edu.au(NO MERCY FOR YOU)
stpaulba.sa.edu.au(…. I have nothing funny to say lol)
stjosephsbrackenridge.qld.edu.au(Seriously another christian school)
gatech.edu(Nice alexa rank)
uky.edu(you are yuky)
vmi.edu(fuck you have a shit alexa rank)
miami.edu(I was watching dexter and wanted to get into your police station… this was close enough for me)
berkeley.edu(you fixed it don’t worry, twas funny having a sqli in a 1.5k alexa rank site)
case.edu(Fuck the law)
utep.edu(Your facts are really messed up ;))
wartburgseminary.edu(No idea why I attacked you lol your name is a bitch to type)
uoregon.edu(LOL university of oregon… you mad?)
utexas.edu(Cosmo ;))
uchicago.edu(S****** ;))
rutgers.edu(Idk thought you were a news agency)
ncmc.edu(You have no alexa rank.. at all)
spst.edu(Alexa: 2,063,219…….)
sxu.edu(Nice domain, that is all)
norwalk.edu(Damn you tiny)
ufl.edu(You were worth the time and effort)
princeston.edu(LOL easy)

And that, allegedly, is just some of the .edu sites attacked. Abdilo writes:

I cannot remember the majority of edu/gov i have sqlied, i didnt keep a good enough record and one of my hdds is now… melted and destroyed.

Note that the University of Kentucky was recently mentioned on this blog in the context of a post about hacks mentioned on #TeamCarbonic’s web site by @MarxistAttorney. And although they informed this blog that they were investigating those claims, they never got back to DataBreaches.net with any statement as to whether they had found confirmation of a breach – by anyone. Berkeley was also mentioned recently on this blog, but without exploring the data dump, it is not known to me whether this is the same hack as Abdilo claimed.

Abdilo claims that he wanted to see what would happen, and notes that despite all his attacks on .edu, .gov, and .mil, “no cops came calling.”

One would think they would.

In the interim, if anyone is aware that any of Abdilo’s other targets have subsequently acknowledged being hacked, please use the Comments section below to let me know.

Jan 16 2015

Maura Lerner reports:

Metro State University is investigating a computer security breach that may have exposed personal information about students, faculty and staff.

In a campuswide e-mail Friday, interim president Devinder Malhotra wrote that a computer hacker apparently got “unauthorized access” to the university database in mid-December, and that investigators are still trying to determine the scope of the data breach.

“We do not believe this server contained any financial data or credit card information,” he wrote, but he said some of the databases included employee Social Security numbers.

Officials say they learned about the problem Jan. 2, when a cybersecurity service notified them about a blog posting “by a computer hacker” who claimed to have hacked into 75 websites. “We were just one of those,” said Anne Sonnee, the interim vice president for communications.

Read more on Star Tribune.

A statement on the university’s web site states:

Metropolitan State University has recently learned of a computer security intrusion and a likely data breach. We are investigating the scope of what appears to be unauthorized access to a university server that contained personal information of faculty, staff and students. We do not believe this server contained any financial data or credit card information, but several databases included employee Social Security Numbers.

We responded quickly when we learned of this situation. We immediately enlisted the assistance of the system office of the Minnesota State Colleges and Universities (MnSCU), and the State of Minnesota’s MN.IT division, and we will be bringing on additional expertise as is required. To date, we have established the validity of the claimed attack, disabled the vulnerability that we believe permitted this breach, isolated the risk from other servers, and notified law enforcement. The university is also taking additional measures to minimize future security risks.

As part of our response, we are moving our web site to a new server and you may notice reduced functionality and broken links. While this move may cause some disruption of web site functions, the following services are NOT affected and may be directly accessed by clicking the links below:

 D2L
 eServices
 Email
 Portal

We will be working through the weekend to correct web site problems and will continue efforts to return web functionality. We will keep you updated.

While our investigation may take several weeks to establish the nature and scope of the possible breach, out of an abundance of caution and with the goal of full transparency, we are communicating what we do know about this situation as soon as possible. As the investigation progresses, we will share the results, contact affected individuals, and confirm if data were compromised. We will also notify affected individuals, as required by law.

While we are not yet able to determine who the affected individuals are, in the interim it may be prudent to take precautions to prevent identity theft and credit card fraud by closely monitoring credit card activity and other financial transactions. Specific information on how to obtain a credit report and report identity theft may be found on the Minnesota Attorney General’s website at http://www.ag.state.mn.us/Consumer/IdentityTheft/Default.asp

The university sincerely regrets this apparent breach and any inconvenience it may cause.

We appreciate your patience and understanding during this transition. Please see the attached Q & A for more information. If you have any further questions or need additional information, you may also email or call Metropolitan State University Gateway at 651-793-1300. Your inquiry will be directed to the appropriate individual or department for a response.

There is a related Q & A about the breach on the university’s web site.

A search of Pastebin discloses a post on December 31st by “Abdilo” (@abdilo_ on Twitter), a self-described teenage hacker from Australia. The paste references having allegedly hacked Metro State in December:

MetroState.edu(I broke into you cause i like 22 jump street, thanks for the 22k ssns)

If that claim is true, at least 22,000 people may have had their Social Security numbers stolen.

Jan 16 2015

Donna Lowry reports:

Fulton County School officials are investigating a teen who they believe hacked into his teachers’ emails for nine months.

The district sent home a letter today to parents of students at North Springs Charter High School telling them that last year, a student gained access to the email login information for 21 faculty members.

“Any email that a staff member would generate on a school district computer about school district business, that type of information,” said Scott Muri, Deputy Superintendent for Fulton County Schools.

Read more on 11Alive.

Jan 07 2015

Add the University of Hawaii and Cornell University to the universities that have been hacked by @MarxistAttorney.

The U. of Hawaii data dump, which DataBreaches.net is not linking to, does not contain student or employee personal information, but in addition to acquiring the root username/password, “Attorney” also got the MAC addresses, service tags, usernames and more of each and every computer/smart board in their University. The dump only contained approximately 2,000 of the 65,000 lines of data he acquired, he tells this site.

DataBreaches.net emailed U. of Hawaii to ask them to confirm or deny the breach and provided them with the vulnerable url that had reportedly been used to access their system. They promptly acknowledged the inquiry and stated they were investigating, but as of the time of this posting, have not replied with any confirmation or denial.

Long-time readers may recall that during 2009 – 2011, the University of Hawaii had a number of data breaches that resulted in a critical report from Liberty Coalition and a class action lawsuit that was settled in 2012.

Cornell University also appears to have been hacked by @MarxistAttorney. That data dump includes non-sensitive employee contact information (names, work e-mails and phone numbers), as well as what appears to be information on the university’s utilities accounts (power, heating, gas, etc.). Cornell did not respond to an inquiry by this site as of the time of this posting.

In an interview this week, DataBreaches.net asked @MarxistAttorney about his motivation for hacking universities. While his earlier comments referred to hacking for the “lulz” and to undermine IT departments, he also notes that he hacks to protest:

I am a University student myself, and I am already knee-high in debt. You shouldn’t be forced to pay crazy high tuition fees just because you want to pursue an education and not work at some shit shack like McDonald’s. I can see myself spending half my life after graduating just paying off loans and I don’t want that for myself or anyone else. This is my way of protesting. I hope that by dumping the data of this University, and the various other ones I have done in the past, that they will consider lowering the tuition fees, or making it free to attend university, so students don’t need to suffer like me and millions of others have. Not to mention, this is a University we are talking about here, the fact that they can’t audit their own site and fix sqli vulnerabilities shows how disappointing the monkeys for IT Teams they have.

“Attorney” says that most of his hacks, like these two, exploit SQLi vulnerabilities. In the U. of Hawaii case, the vulnerability has already been patched, Attorney tells this site, but the damage was already done.

Jan 07 2015

I can’t remember whether I’ve ever seen parents keep their children home from school as a result of a school web site defacement, but that’s what happened in Yorkshire when the defacement suggested an Islamist group.

Kenny Toal reports:

A local authority has advised all public bodies and organisations to make sure their security software is up to scratch after hackers, claiming to be from an Islamist group, targeted a primary school website.

Some parents at Sowerby Community Primary, in Thirsk, kept their children off school today after the security breach last night.

But police say while they are investigating there is no threat to the school or its pupils.

Read more on ITV.