Part of Northwestern University’s network has been offline for over a week as a result of a hack first disclosed on Twitter.
On April 5, “MLT” reported an XSS (Cross-Site Scripting) vulnerability on XSSposed.org involving themayor.itcs.northwestern.edu.
And then this happened:
Some Random University Login page : http://themayor.itcs.northwestern.edu/user.php?error=1
Admin Email : [email protected]
Password : manager
Yours Truly,
~Chief.
— Chief (@Puttied) April 6, 2015
According to statements made to DataBreaches.net by @Puttied, he acquired six login credentials, but didn’t attempt to download or acquire any other data. He says that although he defaced the site by redirecting the “Home” button on their control access panel to his Twitter account, it still took the university three days to realize they’d been attacked and to take the server offline.
@Puttied informs DataBreaches.net that although he was aware of the XSS vulnerability, he attacked the site using an SQL injection.
This is not the first time this year that Northwestern U. has had reported security issues. In January, @AnonGhost (whose Twitter account is now suspended) announced a defacement of their youstem subdomain. A screenshot of that defacement can be found here. Then in February, SLC Security noted that open-source intelligence suggested that Northwestern University was compromised, but no further details or confirmation was provided. SLC Security’s observation was noted on this site on Feb. 3. Whether Northwestern U. ever took note of those reports is unknown to this site.
As noted ad nauseam, the number of schools with SQLi vulnerabilities is legion. As recently as April 6, SLC Security reported:
Colleges check for SQLi on your systems!
Honestly for the past few months we have seen nothing but a rash of colleges and universities getting smacked with SQLi exploits. Test your servers or I’m sure the hackers responsible for these attacks will test it for you. We have at least 26 confirmed reports of breaches of which some have been reported and some have been brushed under the rug…
To which this blogger says “Amen!” I hear every day from young hackers who are more than eager to test their skills with SQLi exploits on universities. And as much as I’d hate to encourage them by publishing their hacks, I will publish at least some of them because schools need to wake up and do a better job of securing their servers.
Just as Abdilo was very “in your face and up your servers” to universities about targeting the education sector for their lax security, @Puttied also has a message for Northwestern University:
You’re a University site with the extension .edu at the end of it, therefore the government sees you as a priority.
There are charges for hacking or tampering with an educational site, but I think you should be able to fix simple SQL or XSS vulnerabilities.
The carelessness of not doing that has given someone like me a toy to play with, therefore you suffer.
DataBreaches.net emailed Northwestern U. yesterday and asked a number of questions about what was on the compromised server and what they were doing to prevent future attacks. Today, the university sent this statement:
The server was used by Northwestern’s Block Museum of Art and had the index to the museum’s art collection so people could search the collection online. All of that is public information. No personal data was stored on that server. The server is being replaced.
So, no big deal? This time, maybe.