Singapore's NUS confirms security breach

Singapore's NUS confirms security breach

Summary: update Hacker group Team Intra breaches local institution's database and publishes information such as staff username and hashed passwords. NUS confirms attack but says data on server not confidential.

SHARE:
TOPICS: CXO, Browser, Security
1

update SINGAPORE--Hackers have infiltrated the National University of Singapore's (NUS) backend systems and made away with a trove of information, including staff usernames, domain information and hashed passwords. University has confirmed the incident but noted that the affected data is not confidential. 

According to a report Thursday on IT security Web site Secure Computing Magazine's (SC Magazine), hacker group Team Intra had infiltrated the tertiary institution's database by exploiting a SQL vulnerability. The hackers apparently felt the urge to do so after the NUS Web site, upon receiving probes, generated an error message which stated: "If you're trying to use the SQL error message to dig for juicy information, get lost." 

The hackers reportedly retorted: "I made it my personal goal to get in and r*pe their sorry asses for the message." The group subsequently published the stolen information which included NUS staff usernames, domain information and hashed, or encrypted, passwords, it added.

SC Magazine also noted that it had notified the Singapore university about the breach.

[UPDATE: Jan. 6, 9.45 a.m.] SC Magazine has since updated its report with a statement from the NUS' head of IT security, Yong Fong Liang, who said the security breach affected a server which did not contained any sensitive information. Yong was quoted to say: "[The] hackers infiltrated into the system exploiting an application security loophole. This system is a departmental server containing public data... The leaked passwords are for local accounts that allow access to the departmental server only. They are not NUSNET accounts and passwords."

In an e-mail statement to ZDNet Asia, an NUS spokesperson confirmed the hack. "On Jan. 5, 2012, the university discovered that one of our Web servers had been hacked into. We have looked into the matter and ascertained that the information stored on the server is not of a confidential nature. In addition, no information has been removed or tampered with," he said.

"As a precautionary measure, the passwords of all affected accounts have been reset. The affected server has also been disconnected from the network," he noted, adding that the affected server was an isolated, standalone system that was not linked to the NUS network.

The spokesperson also noted that the university is investigating the matter and will put in place appropriate measures to prevent similar occurrences in the future.

[UPDATE: Jan. 6, 3.44 p.m.] In a comment on SC Magazine, a commentor who claimed to be part of Team Intra, said the hack was not targeted and was simply a demonstration of how weak NUS' security was.

"Just clearing this up, it is not our intention to LEAK any private data to the public. We are just here to show the poor security standards some Web sites have. We have our best intentions. NOTHING was changed on the server, and NO ONE was harmed," he said.

"[NUS tried] to prevent hackers by sending out a simple statement, 'If you're trying to use the SQL error message to dig for juicy information, get lost.' However [it did] nothing to actually ensure that [it is] safe," the commentator said, adding that it only took 5 minutes of WAF (Web application firewall) bypassing to get past the university's security infrastructure. He also noted that while the passwords obtained were hashed, the team took less than 4 to 5 hours to decrypt all the hashes.

He revealed that someone else previously also managed to access the same database. He explained that when his team searched for one of the hashes, it found the hashes on a password-cracking forum InsidePro. "No one on that server is safe, if this is absolutely the case," he said. "National University of Singapore had and still has many more holes in its Web site."

Topics: CXO, Browser, Security

Liau Yun Qing

About Liau Yun Qing

The only journalist in the team without a Western name, Yun Qing hails from the mountainy Malaysian state, Sabah. She currently covers the hardware and networking beats, as well as everything else that falls into her lap, at ZDNet Asia. Her RSS feed includes tech news sites and most of the Cheezburger network. She is also a cheapskate masquerading as a group-buying addict.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • Just to clear things up... (As quoted from the intra team)

    A reply on the actual thread on SCMagazine...


    Dear Colleagues,

    It was published on SC Magazine today that hackers have broken into NUS and made staff usernames and passwords public. We have performed investigation and confirmed that hackers infiltrated into the system exploiting an application security loophole. This system is a departmental server containing public data.

    We would like to highlight that the leaked passwords are for local accounts that allow access to the departmental server only. They are not NUSNET accounts and passwords. The passwords of affected accounts have been reset.

    We are working with the department to investigate further.

    Thank You
    Head (IT Security)


    Maybe things are more in perspective now?
    melynx