Follow-Up: How the University of Sydney Was Hacked
Last week, Chris Howell of Honi Soit followed up on the breach:
Closer to home, a reliance on security through obscurity seems to be partially responsible for the February 2015 breach of the University’s Online Recruitment System for Economic Experiments (ORSEE), which disclosed the personal information of 5684 students and an unknown number of staff to an as yet unidentified attacker. The incident has led to concerning revelations about the University’s information security policies, serving as yet another reminder that large organisations are failing to do all that they can to secure our data.
The ORSEE breach occurred because the system contained a fundamental security flaw. Known as an SQL Injection vulnerability, an examination of the ORSEE source code reveals the bug existed unpatched in the system from its first main release in 2004 to August of 2014; for a little over a decade, ORSEE was trivially easy to break into. The moment the School of Economics deployed the system in 2008, they were risking the disclosure of users’ private information.
Honi has obtained a copy of a report detailing the findings of the University’s internal investigation into the breach. The report indicates that ORSEE was initially deployed by the Faculty of Arts and Social Sciences without a security audit. In 2013, five years after its deployment, the University’s ICT group identified the vulnerability as part of a security review and developed a patch for it, seven months prior to the official patch distributed by the ORSEE developers. Shockingly, the University didn’t bother to deploy its security fix “as further development work was being done”, seemingly waiting until a planned upgrade to use the Unikey authentication system was complete. For over a year, the University knew about the vulnerability, but relied on security through obscurity and, utterly unsurprisingly, it was as if they had relied on no security at all.
Read more on Honi Soit.