The Weakness of Academic Cyber Security
This week the BBC reported on a penetration test performed against UK universities that quickly resulted in severe breaches. In this briefing we will take a look at the techniques used, why universities are relatively unprepared and what attackers seek when hacking into university networks.
A penetration test ordered by Jisc - the government agency providing internet access to UK universities - showed that 100% of tested universities were successfully hacked with most of them only fending off attackers for 1-2 hours. According to the report published by Jisc most breaches were achieved using Spear Phishing attacks.
What is Spear Phishing?
Most of our readers will have heard of Phishing attacks. Here, attackers send fake emails to victims in order to trick them into revealing login credentials or other critical information. Spear phishing attacks take this approach further by tailoring the emails to the victim.
Imagine for a moment that your name is John and that you are working as a non-technical administrator at a UK university. You know Sally, the head of IT, personally.
A general phishing attack may look like this:
Your account is about to expire!
Please log in here to prevent expiry.
While even such basic attacks are frighteningly successful, a spear phishing version of the same email may look something like this
As you may have heard during Monday’s staff meeting, we are upgrading the security of our systems. For technical reasons that I won’t bore you with, this requires that you log into the staff panel before 5pm today. In case you forgot the link, it’s at hxxp://evil.com/login.
Sorry to bother you with this, but it is to keep us all safe.
The spear phishing attack is significantly harder to detect. Reflare’s own penetration testing experience shows that up to 3 out of every 5 victims fall for well-crafted spear phishing emails the first time they are encountered.
If the victim has access to confidential files, this can have catastrophic consequences.
Why are universities being attacked?
Universities present a target that is relatively weakly secured and offers relatively high rewards. While undergraduate assignments and exam scores are of little interest to external attackers, research data can be highly valuable to companies in the private sector and foreign governments. The ease with which UK universities were hacked during this penetration test combined with the high value of information stored on university systems makes it highly likely that actual successful attacks by criminals against universities are a regular occurrence.
Spear phishing attacks are extremely hard to detect. Please never trust an email simply because it appears to come from someone you know. Always check the recipient’s email address before answering and confirm the authenticity of any websites you visit.
Universities are relatively soft targets that own relatively valuable data. In combination with the apparent ease of attack, this indicates that successful hacks against universities are somewhat common.