Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Education United Kingdom

White Hat Hackers Cracked 50 UK Universities' Computer Systems In 2 Hours (bbc.co.uk) 34

"A test of UK university defences against cyber-attacks found that in every case hackers were able to obtain 'high-value' data within two hours," writes the BBC.

Bruce66423 shares their report: The tests were carried out by "ethical hackers" working for Jisc, the agency providing internet services to the UK's universities and research centres. They were able to access personal data, finance systems and research networks....

The simulated attacks, so-called "penetration testing", were carried out on more than 50 universities in the UK, with some being attacked multiple times. A report into their effectiveness, published by Jisc (formerly the Joint Information Systems Committee) and the Higher Education Policy Institute (Hepi), showed a 100% success rate in getting through the cyber-defences. Within two hours, and in some cases one hour, they were able to reach student and staff personal information, override financial systems and access research databases.

The tests were carried out by Jisc's in-house team of ethical hackers, with one of the most effective approaches being so-called "spear phishing"...where an email might appear to be from someone you know or a trusted source but is really a way of concealing an attack, such as downloading "malware".

This discussion has been archived. No new comments can be posted.

White Hat Hackers Cracked 50 UK Universities' Computer Systems In 2 Hours

Comments Filter:
  • again... (Score:4, Interesting)

    by guygo ( 894298 ) on Saturday April 06, 2019 @03:47PM (#58395560)
    it comes down to the human with an irredeemable case of "click before think".
  • by gweihir ( 88907 ) on Saturday April 06, 2019 @04:41PM (#58395766)

    Any competent security expert knows that security universally sucks and any experiences security consultant has seen the most demented decisions by "management" that are the root-cause for this. Unless we see personal, criminal liability for those that screwed it up and made the decision to go with bad (but cheap) options, nothing is going to change.

  • by Fusen ( 841730 ) on Saturday April 06, 2019 @05:57PM (#58396052)

    I work at a UK university and the report linked in this story doesn't surprise me one bit.

    The key part that enabled the 100% success rate is phishing.

    Most Universities will have multiple thousand staff. Most of those staff will not be technically literate. Most technically illiterate people fall for phishing.

    We constantly have compromised staff accounts that originate from the most basic poorly crafted phishing emails.

    Unless you completely lock down the email system or are able to teach every single staff member the detailed ways of checking email headers and body sources then this won't be fixed.

    • by rtb61 ( 674572 )

      Parallel networks. If it absolutely needs to be connected to the internet, connect it to the internet. If it does not absolutely need to be connected to the internet, then bloody don't connect it to the internet, run it on an internal hard wired network. Why would accounting need to directly face the internet.

      Communications systems should be completely seperate, just communications only, seperate little notebook on the persons desk, next to their smart terminal, one only connects to the university system a

    • At Cambridge, most of the systems use a single sign on system and provide tokens for the services, so no one sees your password except the authentication system. They've now integrated that with Office365, so Microsoft doesn't see the password when you log in (when they first set it up, they accidentally sent the entire password database to Microsoft, in plain text. Ooops). It ought to be easy to tell people 'only ever enter your password into raven.cam.ac.uk'. Unfortunately, they also:
      • Set the flag in
      • We only use SSO for the majority of our systems, we still get people falling for phishing login forms that look like they were created in Word 1997.

        There is a plan to use MFA for staff with higher access but trying to get that working for every single staff member with an IT account will be mayhem when they forget their phone or lose their yubikey...

        Classic example of the triangle of security, ease of use, speed. Only ever 2 of the three when people just want all 3. And that is why JISC saw 100%

        Very few are

  • The word is "hacked" not "cracked".

  • In nuclear silos, according to every movie I've ever seen, at least two people have to turn keys simultaneously to set a "high value" chain of events into motion.

    At present, we don't treat private information with the same respect. But is that a good thing?

    Status quo: private information is not a nuclear-tipped ICBM.

    Cluestick quo: the cat doesn't go back into the bag

  • The tests were carried out by Jisc's in-house team of ethical hackers, with one of the most effective approaches being so-called "spear phishing" ... where an email might appear to be from someone you know or a trusted source but is really a way of concealing an attack, such as downloading "malware".

    I can almost see adding "wakey wakey" quotes to "spear fishing" for all the fish out of water.

    But adding scarequotes to "malware" is at direct eye level with adding scarequotes around "weed" (and I'm not talking

"Someone's been mean to you! Tell me who it is, so I can punch him tastefully." -- Ralph Bakshi's Mighty Mouse

Working...