Last Wednesday Harvard University announced that on June 19 an intrusion into the Faculty of Arts and Sciences and Central Administration information technology networks had been discovered. According to the announcement on the Harvard website, the breach affected eight different schools and is thought to have exposed students' log-in credentials. University IT staff stated that no personal data or information from the internal email system had been exposed.
An advisory on the website urges people affiliated with the affected institutions to change their passwords. A further password change may be required soon as part of the security measures taken to protect Harvard's systems.
This is not the first time Harvard has been hacked. Earlier this year the AnonGhost group defaced the website of the Institute of Politics at Harvard, and in 2012 Harvard was attacked by the GhostShell team, which also claimed responsibility for breaching servers at 100 major universities, among them Stanford, the University of Pennsylvania and the University of Michigan.
Higher education is certainly one of the most frequently targeted industries when it comes to cyber-attacks. The attention paid to the cybersecurity of educational institutions comes from the fact that universities tend to be less well protected than enterprises, while college ERP systems hold data that is no less valuable, and often more of it, which means a larger number of potential victims per attack. The reasons why both cybercriminals and security specialists focus on this area are described below.
Why are university systems a perfect target for cyber-attacks?
The first and main reason lies in the environment of campus systems. University networks have a very large number of users: thousands of freshmen arrive every year, and it is hard to imagine a business hiring that many new employees on a regular basis. College systems store personal information, payment information, and medical records of current and former students and employees. Large amounts of sensitive information always attract attempts to steal it. The exposure of this information may also have long-term consequences, as some students of top universities are likely to hold key positions in the near future.
University systems supported BYOD (bring your own device) long before the term appeared in the business world. Students are quick to adopt the latest technologies, and file sharing, social media, and adult content are a common source of malware. If a student's device that syncs with the college network is compromised, it is not only the student who is affected, but the university as well. You can find more information on mobile application security and mobile device management security in our article.
Universities have to provide easy access to their systems for all of these students and staff, which makes incident investigation more difficult than it is in a business environment.
Finally, such systems can store not only educational and personal information but also government and even military research materials. This makes university systems an attractive target for state-sponsored attackers, as this information can be used for industrial or state espionage.
What happened? Was Harvard breached via a vulnerability in PeopleSoft?
Harvard has not disclosed any technical details about the breach, which makes it fertile ground for speculation and baseless conclusions. The only things we can say for sure are that PeopleSoft applications are installed in multiple Harvard colleges (as is known from public sources) and that real cases of universities being hacked via PeopleSoft vulnerabilities have taken place in the last few years.
Several data breaches related to vulnerabilities in Oracle PeopleSoft applications have been reported in the media since 2007, when two students faced up to 20 years in prison after hacking a California State University PeopleSoft system. In August 2007, three students installed keylogging software on computers at Florida A&M University and used the passwords they captured to gain access to the school's PeopleSoft system and modify grades. In 2012 a student at the University of Nebraska broke into a database associated with the university's PeopleSoft system, exposing Social Security numbers and other sensitive information on about 654,000 students, alumni and employees. In March 2013, Salem State University in Massachusetts alerted 25,000 students and staff that their Social Security numbers might have been compromised in a database breach. This is not the full list of university attacks, and it covers only PeopleSoft systems.
PeopleSoft systems are widely used in higher education: they are implemented in more than 2000 universities and colleges around the world. ERPScan's research found 236 PeopleSoft servers belonging to universities that are reachable from the Internet (including a Harvard server). That means at least 13% of universities running PeopleSoft expose it to the Internet, while enterprises expose about 3-7% depending on the industry. 78 of these universities are vulnerable to the TokenChpoken attack presented at the Hack In Paris conference by Alexey Tyurin, and 7 of them are among America's top 50 colleges according to Forbes, so they are a real treasure for cybercriminals.
The TokenChpoken attack recovers the secret (the node password) that protects the PeopleSoft authentication token, which lets an attacker forge a token for any account and gain full access to the system. The attacker needs only one legitimately issued token, which is obtained simply by logging in and saving the token the application hands out. The node password is then brute-forced offline against the token's signature; in most cases this takes no more than a day using a dedicated brute-forcing program on a recent GPU costing about $500. Once the password is known, the attacker signs a token for the target account and logs in. The attack is almost impossible to detect, because every step uses legitimate system functionality: nothing unusual reaches the server until the attacker logs in with a token that is, by construction, valid.
Other universities (besides the 78 mentioned above) are also potentially vulnerable, but in their case only someone with access to the internal PeopleSoft system, such as a student, can exploit the weakness and obtain administrative rights. Moreover, 12 universities still use the default node password, so even an unskilled attacker can perform the attack successfully.
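To make the mechanics of the attack concrete, here is a small model of it in Python. This is an added illustration written for this article, not ERPScan's tool and not Oracle's code. The real PS_TOKEN is a base64-encoded binary structure with its own field layout, which is not reproduced here; the token layout below (JSON inside base64) and the sample token, node name and wordlist are all constructed for the example. What the model keeps is the property the attack depends on: the token is signed with SHA-1 over the user ID, language, node name and timestamp together with the node password, and the node password is the only secret. Anyone holding one token can therefore test candidate passwords offline and, once the password is known, sign a token for a different user.

```python
"""Simplified model of the PeopleSoft token brute-force ("TokenChpoken") attack.

Added example, not PeopleSoft's real PS_TOKEN format. The field layout is a
constructed simplification; the one property kept from the real scheme is that
a SHA-1 signature over (user, language, node, timestamp, node password) is the
only thing binding the token to the server, and only the node password is secret.
"""
import base64
import hashlib
import hmac
import json

SEP = "\x00"


def _sign(user, lang, node, ts, node_password):
    """Signature = SHA-1 over the token fields plus the secret node password.
    UTF-16-LE encoding is an assumption of this model, not a verified detail."""
    material = SEP.join([user, lang, node, ts, node_password]).encode("utf-16-le")
    return hashlib.sha1(material).hexdigest()


def issue_token(user, lang, node, ts, node_password):
    """Server side: build a token for a user who has just logged in."""
    body = {"user": user, "lang": lang, "node": node, "ts": ts,
            "sig": _sign(user, lang, node, ts, node_password)}
    return base64.b64encode(json.dumps(body).encode()).decode()


def parse_token(token):
    """Anyone can decode the token; nothing in it is encrypted."""
    return json.loads(base64.b64decode(token))


def verify_token(token, node_password):
    """Server side: recompute the signature and compare it in constant time."""
    t = parse_token(token)
    expected = _sign(t["user"], t["lang"], t["node"], t["ts"], node_password)
    return hmac.compare_digest(expected, t["sig"])


def crack_node_password(token, candidates):
    """Attacker side: offline dictionary attack on the node password.
    Only one legitimate token is needed, and no request reaches the server
    while the password is being guessed, so the application logs nothing."""
    t = parse_token(token)
    for pw in candidates:
        if _sign(t["user"], t["lang"], t["node"], t["ts"], pw) == t["sig"]:
            return pw
    return None


def forge_token(token, node_password, target_user):
    """Attacker side: keep lang/node/timestamp from the captured token and
    sign it for a different, typically privileged, account."""
    t = parse_token(token)
    return issue_token(target_user, t["lang"], t["node"], t["ts"], node_password)


# Constructed sample: a student's token from a node still using the default
# password, as in the 12 universities mentioned above.
NODE_PASSWORD = "password"
STUDENT_TOKEN = issue_token("STUDENT01", "ENG", "PSFT_HR",
                            "2015-07-01-12.00.00", NODE_PASSWORD)

if __name__ == "__main__":
    # Constructed wordlist; a GPU cracker would do the same with far more guesses.
    wordlist = ["123456", "peoplesoft", "password", "Welcome1"]
    recovered = crack_node_password(STUDENT_TOKEN, wordlist)
    print("recovered node password:", recovered)
    admin_token = forge_token(STUDENT_TOKEN, recovered, "ADMIN01")
    print("forged token accepted by server:", verify_token(admin_token, NODE_PASSWORD))
```

The defensive lesson is visible in the same code: the dictionary attack only works because the node password is guessable. A long random node password makes `crack_node_password` return nothing for any realistic wordlist, and that, together with short token lifetimes and not exposing the application directly to the Internet, is the mitigation the attack calls for.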
What should we learn from the hacks?
First, we should admit that higher education institutions face risks that can realistically result in espionage, blackmail, and fraud.
PeopleSoft is clearly the leader in higher education, although there are other university ERP vendors such as Three Rivers Systems, Ellucian, Jenzabar, Redox, and others.
Since all university networks are complex, consist of numerous modules and contain numerous vulnerabilities, protecting them can seem a nightmare for any IT team. Cybersecurity is not a set of separate steps taken from time to time but an ongoing process. Of course, no one can prevent every threat and attack, so safety lies in continuous monitoring and mitigation of risks.
Awareness of Oracle PeopleSoft security is even lower than awareness of SAP security, where it is also lacking but is improving. As for PeopleSoft, there are real examples of vulnerabilities and breaches, yet hardly anyone pays attention to them.