Educause Security Discussion mailing list archives

Re: Multiple .edu sites reportedly victims of db theft


From: "Carson, Larry" <larry.carson () UBC CA>
Date: Tue, 3 Feb 2015 20:19:23 +0000

Given the complex organizational structures at most institutes I'm thinking it 
would be fairly likely that at least one Drupal instance would run at each 
institution.

As an example we have an enterprise level instance and separate standalone 
ones run by academic units. That's similar for WordPress and a myriad of other 
applications.


Regards,
Larry Carson
Associate Director, Information Security Management, UBC


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel L. Rosenblatt
Sent: February 3, 2015 11:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Multiple .edu sites reportedly victims of db theft

Hi,

Can I ask if the sites that are on this list are running Drupal?

Thanks,
Joel Rosenblatt


Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3


On Tue, Feb 3, 2015 at 12:36 PM, John Stauffacher 
<john () caffeinatednetworks com> wrote:
My apologies for formatting, I generally take the daily digests -- so
I am picking up responses out of the listserv interface.

Unfortunately, right now - I know very little. I'm working with a few
organizations here in the states to see if we can isolate traffic from
outside of the US that is suspect and is targeting their applications.
Having spent a good deal of time myself in Higher Ed, I understand the
enormous pressures you're under and how budgets are always tight, time
is always tight -- but I would ask -- if you get some spare cycles
start going through your access logs or IDS logs looking for sqli attacks.

I wanted to include some comments that Gary Warner from UAB sent out
to another distro, as he went the extra mile to find even more
background on this:
- snip -
Not sure if there is enough to go on here or not, but when I visit the
Pastebin link by this kid, there are many examples of his URLs in his
other Pastes.  For example, here is a list of SQL probes he did against 
"nhs.uk".

http://pastebin.com/5yxT6c8s

His catalog of pastes can be accessed here:

http://pastebin.com/u/abdilo

Because he has also been probing the Australian government and many
Australian educational institutions, I'm also passing this information
to friends at ACMA and the AFP.

Finding a single IP who hit several of those addresses, and then
looking for that same IP on some of "our" .edus might be a path
forward, but I believe it may be true that, as Greg points out, there
is not enough information here to move an investigation forward.

If there is "proof" that this is happening, I would strongly suggest
sending a lead to our FBI friends who deal with academic breaches, but
again, I'm not sure if we have that much information yet.

Just thought you guys would be in the best position to try to
determine what we might be able to do here.
- end snip -

I think if we are going to make a run at stopping this person, we
would need to collaborate a bit and start sharing some information.





Is there any other information about how or what is vulnerable, or
what information was extracted? More information will be required
before any organisation could do a response and begin the
investigation into how to remediate.

Greg

On Tue, Feb 3, 2015 at 1:51 AM, John Stauffacher
<john () caffeinatednetworks com> wrote:

All,

I came across an individual a few days ago on twitter (@abdilo_) that
was bragging about breaching multiple .edu's via sqli. He claimed
responsibility for a breach of Metropolitan State University, and
this afternoon dropped this partial list of .edu sites that he
reportedly has breached and absconded with their databases:

http://pastebin.com/yyhT6tzc

If anyone on this list is a member of these organizations, or can
reach out to them -- it is important that they know. From the
communication that I have gotten from this person (all via twitter)
this issue seems to be systemic in some piece of software shared
amongst all these groups. If that is the case, then we are looking at
a vendor related flaw -- and the number of potential targets is pretty large.

--

John Stauffacher
GPG Fingerprint: 5756 3A3B ADA3 22A6 9B26 6CA8 DB8D 2AC3 7699 0BD
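As an added example (not code from any poster in this thread), here is a small Python script that does what John and Gary suggest: it scans combined-format web access logs for requests that look like SQL injection probes, groups them by source IP, and reports source IPs that show up probing more than one institution's host. The log lines and host names are constructed for the example, and the regular expression is a starting point for triage, not a complete signature set.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Feb/2015:10:12:01 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2015:10:12:03 +0000] "GET /news.php?id=12%27%20AND%201=1-- HTTP/1.1" 200 5120 "-" "sqlmap/1.0"
203.0.113.7 - - [03/Feb/2015:10:12:05 +0000] "GET /news.php?id=12%20UNION%20SELECT%20NULL,NULL HTTP/1.1" 500 211 "-" "sqlmap/1.0"
198.51.100.4 - - [03/Feb/2015:10:15:44 +0000] "GET /courses?term=fall+2015 HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""

# Fields of one combined-format line: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns typical of SQL injection probing, matched against the URL-decoded request path.
SQLI_RE = re.compile(
    r"(\bunion\b.*\bselect\b|'\s*(and|or)\b|--|/\*|\bsleep\(|\bbenchmark\(|\binformation_schema\b)",
    re.I,
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["path"])  # decode %27, %20, '+' before matching
    return rec

def find_sqli(log_text):
    """Return {source_ip: [decoded request paths]} for requests that look like SQLi probes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SQLI_RE.search(rec["decoded"]):
            hits[rec["ip"]].append(rec["decoded"])
    return dict(hits)

def shared_sources(logs_by_host):
    """Source IPs whose SQLi-looking requests hit more than one host (the cross-site correlation Gary describes)."""
    seen = defaultdict(set)
    for host, text in logs_by_host.items():
        for ip in find_sqli(text):
            seen[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in seen.items() if len(hosts) > 1}

if __name__ == "__main__":
    print(find_sqli(SAMPLE_LOG))
    print(shared_sources({"web.a.example": SAMPLE_LOG, "web.b.example": SAMPLE_LOG}))
```

Decoding before matching matters because probes are usually URL-encoded; matching the raw path would miss the `'` and `UNION SELECT` in the sample.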

