The attack was mounted using a well-known technique called “SQL injection”, in which an attacker exploits the database that powers a website by taking advantage of errors in how user input from a web page is handled before it is passed to that database. The attack focused on smaller departmental server computers rather than central university servers. Departmental servers are likely to be less well secured and less frequently updated with new security fixes than central machines, and so may present an easier target for hackers.
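To illustrate the input-handling error behind SQL injection, here is an added example (not code from the affected universities or from the original article) contrasting a lookup that splices web-form input straight into the SQL text with one that passes it as a bound parameter. The table, user names and values are constructed for the demonstration; the crafted input is the textbook tautology string used in SQL injection tutorials.

```python
import sqlite3


def build_sample_db():
    """Constructed in-memory stand-in for a departmental web server's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.ac.uk", "s3cret"),
         ("bob", "bob@example.ac.uk", "hunter2")],
    )
    return conn


def lookup_unsafe(conn, username):
    """Builds the query by string concatenation: the form input becomes part
    of the SQL text, so the database cannot tell data from code."""
    sql = "SELECT name, email FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Uses a bound parameter: the input travels to the database as a value
    and is never parsed as SQL, so a crafted string simply matches no user."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    crafted = "x' OR '1'='1"  # tautology input typed into a login or search form
    print("unsafe:", lookup_unsafe(db, crafted))  # every row comes back
    print("safe:  ", lookup_safe(db, crafted))    # []
```

The fix is the same regardless of database engine: never assemble SQL from request data; bind it as a parameter and have a code review flag every query built by concatenation.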
One of the UK universities affected was Edinburgh University, in Scotland, which suffered breaches of three servers. These were located in the Department of Biological Sciences, the Roslin Institute (which researches animal biology), and the Students’ Union. The published information included names, email addresses and passwords (many in cleartext).
commissum is an information security company located in Edinburgh (see http://www.commissum.com). Briony Williams, a security consultant at commissum, commented, “As Edinburgh University is in a sense our ‘home’ university, we take a particular interest in security breaches that affect it. This successful hack is a convincing demonstration of the extent of vulnerabilities in smaller departmental servers, which may not receive the same emphasis on security as the larger central machines. It is important for any university to invest the resources necessary to protect its data, whether intellectual property or personal data. A university’s intellectual property is a potential source of revenue, while personal data may be used for identity theft. In both cases, loss of confidentiality could result in severe consequences if data got into the wrong hands.”
Since discovery of the attack in early October, many servers have been secured at the affected universities, and some web pages have been taken down. Passwords have been reset where necessary, and at least one university is inspecting its website source code to identify similar vulnerabilities.
Briony Williams of commissum comments again: “It is encouraging that steps are being taken to prevent these particular servers from being hacked again in this particular way. However, there is a much broader need to secure all servers, and to close this general loophole on all university websites where it exists. The Gh0stshell hackers claim (probably spuriously) to be protesting at educational standards, but what they have actually achieved is to issue a wake-up call for university departmental IT officers. If nothing else, this could represent a positive contribution to the information security of university departments.”