On February 13, cybersecurity expert Pierluigi Paganini reported on Security Affairs that the Italian hacktivist collective LulzSec ITA claimed to have hacked three Italian universities: University of Basilicata, University of Naples Parthenope (Uniparthenope), and University of Rome 3. In all three cases, according to Paganini, LulzSec ITA used a longstanding and well-recognized technique known as a SQL injection attack.
A SQL injection attack can be simply defined as “a computer attack in which malicious code is embedded in a poorly-designed application and then passed to the backend database,” allowing the malicious data “then [to] produc[e] database query results or actions that should never have been executed.” First discovered in 1998, SQL injection attacks remain a simple but highly effective and popular form of web application malware.
Paganini termed it “embarrassing that universities could be hacked with a so simple technique.” He wrote that the LulzSec ITA hacktivists told him “that in some cases, they were able to bypass login pages without knowing the username and password, just using simply using SQL Injection strings.”
The LulzSec ITA hackers also asserted that initially, all three universities had failed to disclose the data breach and attempted to hide the incident in violation of the European Union General Data Protection Directive. Subsequently, according to Paganini, Uniparthenope emailed a data breach notification to affected students and teachers. LulzSec ITA told Paganini that the notification attempted to downplay the incident, even though they claimed “to have accessed data contained in 27 databases and compromised some portals used by the university.”
Note: This latest incident is, regrettably, just one of many examples of colleges and universities’ vulnerability to cyberattacks from many sources. A variety of reports in just the last year indicate the high degree and prevalence of that vulnerability around the world:
- Australia: In March 2019, media reported that Chinese authorities stole “huge volumes of highly sensitive personal data from the Australian National University” (ANU) in a sophisticated cyberattack, even after ANU had received assistance from the Australian intelligence community in bolstering its cyberdefenses.
- United Kingdom: In an authorized penetration-testing attack by ethical hackers on more than 50 United Kingdom universities, “in every case hackers were able to obtain ‘high-value’ data within two hours.”
- United States: In March 2019, hackers breached applicant data for Oberlin College in Ohio, Grinnell College in Iowa, and Hamilton College in New York, then emailed applicants and offered them the opportunity to buy and view their admissions files. In April 2019, Georgia Tech University admitted that it had suffered a data breach, its second in less than a year, potentially affecting more than 1.3 million current and former students, faculty, and staff members. In July 2019, hackers exploited a vulnerability in a popular admissions and enrollment banner software to steal data from at least 62 U.S. universities and create bogus student accounts.
- Global: In March 2019, the Wall Street Journal reported that “Chinese hackers have targeted more than two dozen universities in the U.S. and around the globe as part of an elaborate scheme to steal research about maritime technology being developed for military use.”
While even well-funded cyberdefenses can be breached by sophisticated cyberattacks, there is little excuse for universities failing to defend against SQL injection attacks. As one writer put it, “SQL injection is the lowest of the low-hanging fruit for both attackers and defenders. SQLi isn’t some cutting edge NSA Shadow Brokers kit, it’s so simple a three-year old can do it.” For that reason, the Italian university hacks should prompt university information security teams, at a minimum, to identify all of the web applications on which their universities depend and apply well-recognized techniques for preventing SQL injection attacks.
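The login bypass described above, next to the parameterized-query fix, written as a regression check a security team could run against login code. This is an added example, not code from the article or from any of the affected systems; the table, account, function names and probe string are constructed, and Python's `sqlite3` stands in for whatever database the real portals used.

```python
import hashlib
import hmac
import sqlite3

# Constructed test input: a quote-and-comment string of the kind the article
# says was used to get past login pages.
INJECTION_PROBE = "' OR 1=1 --"

def _digest(password: str) -> str:
    # Kept minimal for the demo; production code needs a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _digest("correct horse")))
    return conn

def login_vulnerable(conn, username: str, password: str) -> bool:
    # Weak pattern: input is pasted into the SQL text, so a quote in the
    # username changes the query's structure instead of being treated as data.
    sql = ("SELECT 1 FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, _digest(password)))
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username: str, password: str) -> bool:
    # Hardened pattern: the ? placeholder sends the username as a bound value,
    # so the database never parses it as SQL.
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], _digest(password))

def regression_check(login) -> dict:
    """Run the three cases a login test suite should always cover."""
    conn = make_db()
    return {
        "valid_login": login(conn, "alice", "correct horse"),
        "wrong_password": login(conn, "alice", "not the password"),
        "injection_probe": login(conn, INJECTION_PROBE, "anything"),
    }

if __name__ == "__main__":
    for fn in (login_vulnerable, login_parameterized):
        print(fn.__name__, regression_check(fn))
```

A login function passes only if `injection_probe` comes back `False` while `valid_login` stays `True`.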