USyd breach highlights security education lapses: Expert

Companies need advice as well as protection says expert

The recent breach of student records on the University of Sydney website raises questions for the security industry as a whole, according to an expert on the matter.

In a letter to university students this week, vice-chancellor, Dr Michael Spence, apologised for the breach, which he said had been patched twice on university servers in the past.

"The University was advised of such a flaw in our security in 2007," Spence wrote. "At that time the matter was swiftly rectified as it has been today. Regrettably some time later as a result of a software update, the security patch was inadvertently removed without anyone becoming aware of its function in protecting the security of student records.

"This is, of course, a most serious lapse in the standards which we should be able to expect of our ICT services, for which I can only apologise. I am somewhat relieved to note that since 2007 we have substantially upgraded our ICT processes generally and specifically around the implementation and “penetration” testing of new or updated software."

The security breach followed a hacking attempt in which the front page of the website was defaced with personal attacks against a UNIX system administrator at the institute, as well as other messages, including ones of support for victims of recent flooding in Queensland.

The subsequent breach is currently under investigation by NSW acting privacy commissioner, John McAteer, who said the process would take approximately five weeks to determine whether the university itself was at fault.

However, according to former ethical hacker Jason Pearce, the hack highlights a weakness for the security industry as a whole and not just the university.

“We do a great job of selling products to people but we don’t do a good job of educating them around the risk to protect themselves. That’s a weakness for everyone,” said Pearce, who now works as a director of sales engineering at security vendor M86.

The hack, which Pearce suspects was an inside job by a student, raises a couple of issues for Sydney University.

“One is that they’re not doing any code reviews or vulnerability assessments on those particular websites. A simple Web assessment would have picked up that there is access to data somewhere else in the environment.”

“From what I understand it was an easy cross scripting site hack.”
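The two failure modes the article reports, a security fix silently dropped by a later software update (Spence's letter) and a cross-site scripting flaw that a simple web assessment would have caught (Pearce), are both things an automated regression check makes visible. The Python below is an added example, not code from the article, the university or M86; the record fields, the rendering function and the check names are assumptions chosen for illustration.

```python
import html
from dataclasses import dataclass
from typing import Callable


@dataclass
class StudentRecord:
    """Hypothetical record shape; the real system's fields are not on the page."""
    student_id: str
    name: str
    note: str


def escape_for_html(value: str) -> str:
    """Output-encode untrusted text before it is placed in an HTML page body.

    This is the 'security patch': if a later update replaces it with the
    identity function, every rendered field becomes a script injection point.
    """
    return html.escape(value, quote=True)


def render_record(record: StudentRecord,
                  escape: Callable[[str], str] = escape_for_html) -> str:
    """Render one record as an HTML table row; every field goes through escape()."""
    cells = (record.student_id, record.name, record.note)
    return "<tr>" + "".join(f"<td>{escape(c)}</td>" for c in cells) + "</tr>"


# Constructed sample input: a note field containing markup, as an untrusted
# party might submit it. The value is invented for this example.
SAMPLE = StudentRecord("s-0001", "Example Student", "<script>alert(1)</script>")


def escaping_is_intact(render: Callable[[StudentRecord], str] = render_record) -> bool:
    """Regression check for the output-encoding fix.

    Passes only if the rendered row contains the encoded form of the markup
    and never the raw tag. Run it in CI after every deployment or software
    update, so that a fix removed 'without anyone becoming aware of its
    function' fails the build instead of going unnoticed.
    """
    out = render(SAMPLE)
    return "<script>" not in out and "&lt;script&gt;" in out


if __name__ == "__main__":
    # Current code: the fix is present.
    print("fix present:", escaping_is_intact(render_record))
    # Simulated bad update: escaping replaced by str(), the fix is gone.
    regressed = lambda r: render_record(r, escape=str)
    print("after regression:", escaping_is_intact(regressed))
```

The check is deliberately tied to the behaviour (encoded output) rather than to the presence of a particular function or patch file, so it keeps working when the fix is reimplemented, and fails whenever the effect is lost, whichever update caused it.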

The hack comes in the wake of a similar data breach affecting approximately four million Vodafone customers earlier this month.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU