

Hackers Breach 53 Universities and Dump Thousands of Personal Records Online - kevinpacheco
http://bits.blogs.nytimes.com/2012/10/03/hackers-breach-53-universities-dump-thousands-of-personal-records-online/

======
mike-cardwell
I looked at the Nottingham University leak on Tuesday. The leak actually just
contained the database schema and not the contents of the database. But it
also contained the URL which could be abused to do an SQL injection. I tried
adding an apostrophe to one of the parameters in the URL and an SQL error was
returned. That page appears to be down now. One of the tables looked like
this:

      | courseCode    | varchar(25) |
      | dob           | date        |
      | email_address | varchar(50) |
      | first_name    | varchar(25) |
      | ID            | int(11)     |
      | last_name     | varchar(25) |
      | lastupdated   | date        |
      | orgnameID     | int(11)     |
      | orgnameother  | varchar(50) |
      | student_id    | varchar(25) |

Probably not _massively_ useful data. Unless you want to perform a spear
phishing attack, pretending that you're the University. Then it would be very
useful.

EDIT: This was the Student Union database. I'm not sure how many students it
would contain. Maybe a small number? Maybe all of them?
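The SQL error the comment describes comes from pasting a URL parameter straight into the query text, so an apostrophe ends the string literal early. The following is an added example, not code from the thread or from any university system: it builds an in-memory SQLite table from the column list posted above (the rows and the `students` table name are constructed), runs the same lookup once with string concatenation and once with a parameterized query, and shows that only the concatenated version breaks on an apostrophe, including for a perfectly legitimate surname such as O'Neill.

```python
"""Concatenated vs. parameterized SQL lookups over a constructed copy of
the posted schema. Added example; table name, rows and function names are
assumptions made for this illustration."""
import sqlite3

# Column list as posted in the thread; the data rows below are constructed.
SCHEMA = """
CREATE TABLE students (
    ID            INTEGER PRIMARY KEY,
    student_id    TEXT,
    first_name    TEXT,
    last_name     TEXT,
    email_address TEXT,
    dob           TEXT,
    courseCode    TEXT,
    orgnameID     INTEGER,
    orgnameother  TEXT,
    lastupdated   TEXT
);
"""
SAMPLE_ROWS = [
    (1, "s1001", "Ada", "O'Neill", "ada@example.invalid", "1990-01-02",
     "G400", 7, None, "2012-10-01"),
    (2, "s1002", "Bob", "Smith", "bob@example.invalid", "1991-03-04",
     "G400", 7, None, "2012-10-01"),
]


def make_db():
    """Create the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO students VALUES (?,?,?,?,?,?,?,?,?,?)",
                     SAMPLE_ROWS)
    return conn


def lookup_concat(conn, last_name):
    """The pattern behind the error in the thread: the parameter is pasted
    into the SQL text, so an apostrophe terminates the literal early and the
    statement no longer parses (sqlite3 raises OperationalError)."""
    sql = ("SELECT first_name, last_name FROM students WHERE last_name = '"
           + last_name + "'")
    return conn.execute(sql).fetchall()


def lookup_param(conn, last_name):
    """Hardened form: the value is bound separately from the SQL text, so an
    apostrophe is just a character in the compared string."""
    sql = "SELECT first_name, last_name FROM students WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def probe(last_name):
    """Run both lookups; return (concat_result, param_result), where a parse
    failure in the concatenated version is reported as the string 'error'."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, last_name)
    except sqlite3.OperationalError:
        concat = "error"
    param = lookup_param(conn, last_name)
    conn.close()
    return concat, param


if __name__ == "__main__":
    for name in ("Smith", "O'Neill"):
        print(name, "->", probe(name))
```

The parameterized lookup returns the O'Neill row correctly, while the concatenated one fails on it; the same property that breaks on a real apostrophe is what made the error visible in the leaked URL.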

------
dorian-graph
> If we want change we must be ready for it. The future is technology.
> Physical school will become obsolete.

Cute. There's an odd, and I would say silly, obsession amongst some
tech-obsessed people to claim the imminent obsolescence of things like
libraries and universities.

It's wonderful the recent huge push and availability of online materials and
courses from big universities and others, especially for those who otherwise
could not attend a university for whatever reasons, but to dismiss
universities as a singular blob shows a certain misunderstanding and
appreciation of what they are actually for and for teaching in general.

I'd recommend sitting in on various mentoring services, other student
services, practicals and other things and also to read Zen and the Art of
Motorcycle Maintenance.

~~~
lkozma
I agree with all that you say, but seriously, that book is the most worthless
thing I've ever had the misfortune to try reading.

------
philip1209
I spent a summer at one of the universities in this dump. It just looks like
WordPress user info - nothing particularly sensitive about the data, and mine
wasn't in it.

Edit: Looks like one of the tables has plaintext passwords. If I recall
correctly, security practices at this university were horrible - social
security numbers could be accessed in plaintext, and resetting a password took
only a single security question without email confirmation.
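A plaintext password column is exactly the thing a salted, iterated hash removes from a dump. The following is an added example, not code from the thread or from any of the breached sites: it takes a constructed plaintext user table, rehashes every entry with PBKDF2-HMAC-SHA256 and a per-user random salt, and shows that the stored records no longer contain the password, that two users with the same password get different records, and that verification still works. The record format, iteration count and helper names are assumptions made for this illustration.

```python
"""Migrating a plaintext password column to salted, iterated hashes.
Added example; record format, iteration count and helpers are assumed."""
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware allows.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed stand-in for a plaintext 'password' column.
LEGACY_USERS = {
    "alice": "hunter2",
    "bob": "hunter2",
}


def migrate_plaintext_table(users):
    """Replace every plaintext value with a hash record. The old column can
    be dropped once every row has been migrated."""
    return {name: hash_password(pw) for name, pw in users.items()}


def migrate_and_check():
    """Migrate the constructed table and return four properties a reviewer
    would want to confirm: distinct records for identical passwords, correct
    verification, rejection of a near-miss, and no plaintext in the record."""
    hashed = migrate_plaintext_table(LEGACY_USERS)
    return (
        hashed["alice"] != hashed["bob"],
        verify_password("hunter2", hashed["alice"]),
        not verify_password("Hunter2", hashed["alice"]),
        "hunter2" not in hashed["alice"],
    )


if __name__ == "__main__":
    print(migrate_and_check())  # expected: (True, True, True, True)
```

Because the salt and iteration count live in the record, the cost can be raised later for new or rehashed entries without breaking verification of existing ones.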

~~~
Hacktivist
My university had similarly bad security practices. Although not accessible as
plain text, the social security number was used when you wanted to change
personal information.

For example, to reset your university email account you needed the last three
digits of the SSN and your date of birth. In my case, the school somehow never
got my SSN, so my SSN in this case was just "0". So theoretically, if anyone
wanted to change my password they just needed to use "yyyymmdd0" to access it.

------
purephase
Having worked in higher ed for 10 years, some of which was wrestling with data
security, the vectors that appear here are not at all surprising.

We would spend days crafting policy, designing/implementing security at
perimeter and core for business systems to prevent these types of leaks.

We believed we were largely successful. Until we realized that some professor
had developed a screen scraping application that would spit out CSVs of
student enrolment data (including personal data) and ship it to whomever he
liked (alumni, student unions etc.). Once certain departments got a hold of
the data, others felt obligated to it and a quasi-underground data
distribution system was in place.

We tried to explain, coerce and beg. We used HR and unions to effect policy
that they helped create to shut down these systems and stop the professor (and
his copycats), all to little or no success.

It is no mistake that I left soon after. Such amazing, but ineffectual
institutions. It doesn't matter how many of these leaks occur, no
accountability means no changes. Might plug these holes, only to have 3 more
pop up by the end of the year.

------
thetabyte
So, I'm at the University of Maryland right now. All three mirrors seem to be
down, so I couldn't check if my information was on the list. The article
suggests this was done with SQL injection? God, I really hope my university is
better than that. Or at least hashes passwords. I'd check if they did, but
again, mirrors seem to be down. Sad thing is, I wouldn't be surprised. Despite
the 15th best comp sci program in the nation, and ridiculous policies like
"change your password to a new unique password with at least 1 number and
capital letter every 180 days", OIT seems useless on security. Sigh.

~~~
michaelt
I haven't looked at all the data released, but in the sample I did look at I
didn't see a breach of a university's central records system - they were
breaches of things like the university's diving club's phpBB forum.

Fairly mundane as these things go.

------
motters
A thought occurs that if any of these universities have computer science or
software engineering courses, or even infosec courses, then part of that
should include the students examining and/or documenting the university's own
IT systems and how they work. There would be a natural synergy between
teaching success and the security and efficiency of the universities' systems.

This doesn't necessarily mean that students would be allowed to alter the
software, but they certainly could analyze and audit it, and perhaps provide
patches in some cases.

~~~
DanBC
Some people think that's problematic. They say that you shouldn't use students
to replace local industries, because it's bad for local businesses. They might
say that you shouldn't use unpaid students to do real work.

And there are problems with letting students have permission to run
penetration tests - you have no idea if they're white hat or grey hat or black
hat.

~~~
peterhost
C'mon! The whole Higher Education thing is about making students work for their
university for the time they're enrolled, in exchange for knowledge and
insider's tips (yeah, I can introduce you to xxxx at IBM, ...). I personally
don't know of a single PhD who didn't work (hard) for free for his director...
until he got his PhD. And even after that, sometimes, if he wants to get into
research himself.

I find internal auditing, under strict surveillance, to be a very good idea
indeed. This could even lead to some healthy form of competition between
universities, not only based on who teaches that Lisp class, or what the
professor's/university's name is.

------
itsbits
It's not hacking.. they just got some useless information..

