Slashdot Mirror


White Hat Hackers Cracked 50 UK Universities' Computer Systems In 2 Hours (bbc.co.uk)

"A test of UK university defences against cyber-attacks found that in every case hackers were able to obtain 'high-value' data within two hours," writes the BBC.

Bruce66423 shares their report: The tests were carried out by "ethical hackers" working for Jisc, the agency providing internet services to the UK's universities and research centres. They were able to access personal data, finance systems and research networks....

The simulated attacks, so-called "penetration testing", were carried out on more than 50 universities in the UK, with some being attacked multiple times. A report into their effectiveness, published by Jisc (formerly the Joint Information Systems Committee) and the Higher Education Policy Institute (Hepi), showed a 100% success rate in getting through the cyber-defences. Within two hours, and in some cases one hour, they were able to reach student and staff personal information, override financial systems and access research databases.

The tests were carried out by Jisc's in-house team of ethical hackers, with one of the most effective approaches being so-called "spear phishing"...where an email might appear to be from someone you know or a trusted source but is really a way of concealing an attack, such as downloading "malware".

5 of 34 comments

  1. again... by guygo · Score: 3, Interesting

    it comes down to the human with an irredeemable case of "click before think".

  2. This is absolutely no surprise by gweihir · Score: 2

    Any competent security expert knows that security universally sucks and any experienced security consultant has seen the most demented decisions by "management" that are the root-cause for this. Unless we see personal, criminal liability for those that screwed it up and made the decision to go with bad (but cheap) options, nothing is going to change.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Phishing by Fusen · Score: 2

    I work at a UK university and the report linked in this story doesn't surprise me one bit.

    The key part that enabled the 100% success rate is phishing.

    Most Universities will have multiple thousand staff. Most of those staff will not be technically literate. Most technically illiterate people fall for phishing.

    We constantly have compromised staff accounts that originate from the most basic poorly crafted phishing emails.

    Unless you completely lock down the email system or are able to teach every single staff member the detailed ways of checking email headers and body sources then this won't be fixed.

    1. Re:Phishing by rtb61 · Score: 2

      Parallel networks. If it absolutely needs to be connected to the internet, connect it to the internet. If it does not absolutely need to be connected to the internet, then bloody don't connect it to the internet; run it on an internal hard-wired network. Why would accounting need to directly face the internet?

      Communications systems should be completely separate, just communications only: a separate little notebook on the person's desk, next to their smart terminal, where one only connects to the university system and the other connects anywhere. If the communications system is compromised, so what, do a quick reinstall and you are under way. There is no need to run email etc. on that secured smart terminal; that can run fine on the cheapest Linux notebook you can find.

      Parallel networks if you want security for secure systems; otherwise you are betting your security on the shitty non-warranties that come with the software you buy. Seriously, how stupid is that? The manufacturers do not trust their software to be secure, hence they do not warrant it as being secure, yet the customer buys it and delusionally expects it to be secure.

      --
      Chaos - everything, everywhere, everywhen
    2. Re:Phishing by TheRaven64 · Score: 2
      At Cambridge, most of the systems use a single sign on system and provide tokens for the services, so no one sees your password except the authentication system. They've now integrated that with Office365, so Microsoft doesn't see the password when you log in (when they first set it up, they accidentally sent the entire password database to Microsoft, in plain text. Ooops). It ought to be easy to tell people 'only ever enter your password into raven.cam.ac.uk'. Unfortunately, they also:
      • Set the flag in the password field that prevents password managers from caching it (I think most browsers now ignore this), which prevented the obvious clue of 'Hmm, why is this not autofilled, maybe something bad is happening here'.
      • Use the same password for email, so every single mail client also contains a copy of the master password for that user's account, rather than something like an OAuth token generated for that device and granting access only to email.
      • Have a bunch of new systems written by muppets (such as the new payroll system) that ask for the password and don't integrate with the SSO system, so they require people to enter the password into that site (giving that password to Payroll gives Payroll access to everything, including the student information database - I'm astonished that this is allowed under the GDPR).

      I filed numerous bugs against these systems while I was there. None of them were fixed.

      --
      I am TheRaven on Soylent News
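
The two cues TheRaven64 describes (a password field that disables the password manager, and a non-SSO site collecting the SSO password) can be checked mechanically. The following is an added example, not the commenter's code: it audits a login page's HTML for both conditions. The SSO host is the one named in the comment; the sample HTML, the page URL and the payroll host are constructed for illustration.

```javascript
// Added example (not TheRaven64's code): a defender-side audit of a login
// page's HTML for the two weaknesses the comment describes. The SSO host
// is taken from the comment; the sample HTML and the payroll host are constructed.

const SSO_HOST = "raven.cam.ac.uk";

// Read one attribute from a raw tag string (quoted or unquoted value).
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return findings for every <form> that contains a password field:
//  - the form action resolves to a host other than the SSO service
//    (the password is handed to another system, as with the payroll site)
//  - a password input carries autocomplete="off", which suppresses the
//    password manager and with it the "why wasn't this autofilled?" cue
function auditLoginForms(html, pageUrl, ssoHost = SSO_HOST) {
  const findings = [];
  for (const form of html.match(/<form\b[^>]*>[\s\S]*?<\/form>/gi) || []) {
    const openTag = form.match(/<form\b[^>]*>/i)[0];
    const inputs = form.match(/<input\b[^>]*>/gi) || [];
    const pwFields = inputs.filter(t => (attr(t, "type") || "").toLowerCase() === "password");
    if (pwFields.length === 0) continue; // no credential collected here
    let host;
    try { host = new URL(attr(openTag, "action") || "", pageUrl).host; } catch { host = null; }
    if (host !== ssoHost) findings.push({ issue: "password-posted-to-non-sso-host", host });
    for (const pw of pwFields) {
      if ((attr(pw, "autocomplete") || "").toLowerCase() === "off") {
        findings.push({ issue: "password-field-autocomplete-off", name: attr(pw, "name") });
      }
    }
  }
  return findings;
}

// Constructed sample: an SSO form that disables autofill, a payroll login that
// collects the SSO password itself, and a search box that is correctly ignored.
const SAMPLE_HTML = `
<form action="https://raven.cam.ac.uk/" method="post">
  <input type="text" name="userid"><input type="password" name="pwd" autocomplete="off">
</form>
<form action="https://payroll.example.edu/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="/search"><input type="text" name="q"></form>`;

console.log(auditLoginForms(SAMPLE_HTML, "https://www.example.edu/login"));
```

Relative form actions are resolved against the page URL, so the check works on saved HTML as well as a live page.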