You wanna see something kinda creepy? Try a little Google search with me. No, it’s okay – I promise this isn’t going to turn up images that require brain bleach. Look up the terms "university breached." This search shows you an incredible number of stories about universities from the smallest to the largest in the country being hacked, and a disturbing number of those headlines contain the word “again.”
This is particularly upsetting, given that in a lot of these cases it’s not just names or email addresses, but social security numbers, credit card or bank details, date of birth, phone numbers, plus names and email addresses. More than enough to thoroughly screw with someone’s digital life and credit rating. Sure, you don’t get the publicity and notoriety hacking a school that you do for dumping login credentials for a government agency or major vendor that has millions of customers. But the information you do gather is a lot more financially valuable, and it’s apparently a very easy task. This makes universities a very tasty target for cybercriminals.
Early in 2012 a group calling itself N0B0DY and N0LIFE tried to bring this situation to light with a hacktivism campaign they called #OpEdu, short for Operation Education. They hacked into six different schools over the course of about a month before (temporarily?) suspending the campaign. Another hacker called Joinse7en posted a list of URLs pointing to vulnerable universities, which comprised 16 different major universities. And these were hardly isolated incidents.
Security researcher Kurt Aubuchon did a search of publicly reported breaches that happened between 2009 and 2011, and even when excluding inside jobs (namely staff or students hacking the network), universities are hacked 357 times more than would be expected, if breaches were distributed evenly among US firms. That’s more than hospitals, hotels and resorts, bars and restaurants by quite a bit. Keep in mind that 2011 had fewer attacks on higher education than any year since 2005, both in terms of the number of institutions and records affected. However, by all accounts, 2012 already appears to be one of the worst years yet for attacks on schools.
There are a lot of possible reasons why universities have been so heavily targeted, aside from all that juicy PII (which hospitals also have in abundance). It’s widely known within InfoSec circles that universities are particularly difficult to defend. Part of this is the culture of openness, as well as increasing budget troubles for most schools. Automated hacking tools are certainly helping people locate poorly defended targets much more quickly and easily too.
To quote Aubuchon:
“It may be the case that, perceiving a conflict between security and academic freedom, these institutions leave themselves poorly defended against external attacks, or that they for other reasons fail to address information security effectively.”
But not all schools view network security as a failure of academic idealism. In a future article we’ll see how some schools use network security as a chance for valuable education to prepare students for a rapidly growing career field.