The message at the top of a paste by two hackers pretty much nails it:
A few days back, Team ITNRA hacker ‘HaxOr’ hacked into the University of Washington using a SQL injection. The SQL injection that was abused was fixed, but that doesn’t mean there wasn’t more. Just because someone finds an SQL injection vulnerability in a website doesn’t mean they’re so amazingly good. Anyone can do it, to be quite honest. Just thought I’d share that though.
And so, in yet another breach of U. Washington’s servers on February 29, hackers dumped 31 database users’ logins and passwords as well as 25 WordPress users’ logins, passwords, and e-mail addresses. All passwords were encrypted.
U. Washington is certainly not alone in needing to harden their security. Indeed, there are so many uni sites that have been hacked using SQLi that one blogger simply batched a number of breaches during November 2011 involving the University of Washington, University of Oregon, Maricopa Community College, Stanford University, Harvard School of Engineering and Applied Sciences, and Michigan State University. And in a paste made a few weeks ago, one hacker, “Joinse7en,” provided a list of specific SQLi-vulnerable URLs for:
- University of Nebraska-Lincoln
- University of Wisconsin-Madison
- Northern Arizona University
- University of California, Los Angeles
- University of Washington
- Ohio State University
- University of California, Berkeley
- University of Hartford
- Washington and Lee University
- Texas Christian University
- University of North Carolina at Chapel Hill
- University of Houston
- Nebraska Methodist College
Whether those leads were acted upon is not known at this time, although a quick search on Pastebin does not turn up any new hacks for the sample I checked.
Thankfully for universities, at least some hackers are taking a break from hacking universities. In a notice published several days ago, two hackers involved write, in part:
We’re suspending Operation Education as the months go by. We may resume Operation Education in the future, but as of now, we’re merely people playing with others.
We, N0B0DY and N0LIFE, want to say that we had a bit of fun getting into the universities that we got into as a part of Operation Education (#OpEdu).
- University of Washington
- University of Arizona
- Cincinnati Christian University
- Valley Forge Christian College
- University of Florida (Privately)
- Cambridge University (Privately; Also e-mailed them; Vulnerability not fixed as last checked)
We’re releasing this public statement to announce that #OpEdu will be delayed for the upcoming months.
The universities around the United States are very well known, whether it be sport-related, academic-related, etc., but that doesn’t mean they have the best security.
All we have done is SQL inject these universities, and it’s quite a disappointment to see that universities are in danger of losing data, as well as getting data released.
We showed people that. We’re aware that we haven’t done much, and the list of universities that could be accessed via SQL injection goes on and on, but we showed people that universities are vulnerable. People just haven’t found them.
I’m surprised that this month has been the month that universities have been getting hacked over and over, especially University of Washington. We’ve shown these universities that they need to take better care of security rather than making themselves look like the “best they can be” when hackers can ruin that reputation in one leak.
Universities amass a tremendous amount of personally identifiable information and it’s clear that even large universities are maintaining databases that are inadequately secured.
But if you’re surprised by the listing of universities that were hacked in recent weeks because you didn’t see any reports in the media, don’t be. The mainstream media has not really been following what’s going on on Pastebin or other dump sites, so many uni’s escape negative media coverage.
It’s clear, however, from what’s been posted by hackers that the state of data security in higher education leaves much to be desired. So what’s the answer? The U.S. Department of Education does basically nothing to ensure uni’s have adequate security and FERPA provides no private cause of action in the event of a privacy breach. How many class action lawsuits would it take against uni’s to get them to finally address some of what should have been addressed long ago?
And if uni’s fail to get pastes with personally identifiable information removed from Pastebin or other similar sites, wouldn’t that go a long way toward showing negligence and callous disregard in any class action lawsuit? Why are pastes with PII still up on the web? Just saying…