from Hacker News

Hackers Breach 53 Universities and Dump Thousands of Personal Records Online

by kevinpacheco on 10/4/12, 2:54 AM with 14 comments

  • by mike-cardwell on 10/4/12, 8:56 AM

    I looked at the Nottingham University leak on Tuesday. The leak actually just contained the database schema and not the contents of the database. But it also contained the URL which could be abused to do an SQL injection. I tried adding an apostrophe to one of the parameters in the URL and an SQL error was returned. That page appears to be down now. One of the tables looked like this:

      | courseCode    | varchar(25) |
  | dob           | date        |
  | email_address | varchar(50) |
  | first_name    | varchar(25) |
  | ID            | int(11)     |
  | last_name     | varchar(25) |
  | lastupdated   | date        |
  | orgnameID     | int(11)     |
  | orgnameother  | varchar(50) |
  | student_id    | varchar(25) |
    Probably not massively useful data. Unless you want to perform a spear phishing attack, pretending that you're the University. Then it would be very useful.

    EDIT: This was the Student Union database. I'm not sure how many students it would contain. Maybe a small number? Maybe all of them?

  • by dorian-graph on 10/4/12, 7:40 AM

    > If we want change we must be ready for it. the future is technology. physical school will become obsolete.

    Cute. There's an odd, and I would say silly, obsession amongst some tech-obsessed people to claim the soon obsolescence of things like libraries and universities.

    It's wonderful the recent huge push and availability of online materials and courses from big universities and others, especially for those who otherwise could not attend a university for whatever reasons, but to dismiss universities as a singular blob shows a certain misunderstanding and appreciation of what they are actually for and for teaching in general.

    I'd recommend sitting in on various mentoring services, other student services, practicals and other things and also to read Zen and the Art of Motorcycle Maintenance.

  • by philip1209 on 10/4/12, 4:49 AM

    I spent a summer at one of the universities in this dump. It just looks like wordpress user info - nothing particularly sensitive about the data, and mine wasn't in it.

    Edit: Looks like one of the tables has plaintext passwords. If I recall correctly, security practices at this university were horrible - social security numbers could be accessed in plaintext, and resetting a password took only a single security question without email confirmation.

  • by purephase on 10/4/12, 12:04 PM

    Having worked in higher ed for 10 years, some of which was wrestling with data security, it is not at all surprising the vectors that appear here.

    We would spend days crafting policy, designing/implementing security at perimeter and core for business systems to prevent these types of leaks.

    We believed we were largely successful. Until we realized that some professor had developed a screen scraping application that would spit out CSVs of student enrolment data (including personal data) and ship it to whomever he liked (alumni, student unions etc.). Once certain departments got a hold of the data, others felt obligated to it and a quazi-underground data distribution system was in place.

    We tried to explain, coerce and beg. We used HR, unions to effect policy that they helped create to shutdown these systems, stop the professor (and his copycats) all to little or no success.

    It is not mistake that I left soon after. Such amazing, but ineffectual institutions. It doesn't matter how many of these leaks occur, no accountability means no changes. Might plug these holes, only to have 3 more popup by the end of the year.

  • by thetabyte on 10/4/12, 7:04 AM

    So, I'm at the University of Maryland right now. All three mirrors seem to be down, so I couldn't check if my information was on the list. The article suggests this was done with SQL injection? God, I really hope my university is better than that. Or at least hashes passwords. I'd check if they did, but again, mirrors seem to be down. Sad thing is, I wouldn't be surprised. Despite the 15th best comp sci program in the nation, and ridiculous policies like "change you password to new unique password with at least 1 number and capital letter every 180 days", OIT seems useless on security. Sigh.

  • by motters on 10/4/12, 9:41 AM

    A thought occurs that if any of these universities have computer science or software engineering courses, or even infosec courses, then part of that should include the students examining and/or documenting the universities own IT systems and how they work. There would be a natural synergy between teaching success and the security and efficiency of the universities systems.

    This doesn't necessarily mean that students would be allowed to alter the software, but they certainly could analyze and audit it, and perhaps provide patches in some cases.

  • by itsbits on 10/4/12, 4:56 AM

    its not hacking..they just got some useless information..