USyd breach highlights security education lapses: Expert

Companies need advice as well as protection says expert

The recent breach of student records on the University of Sydney website raises questions for the security industry as a whole, according to an expert on the matter.

In a letter to university students this week, vice-chancellor, Dr Michael Spence, apologised for the breach, which he said had been patched twice on university servers in the past.

"The University was advised of such a flaw in our security in 2007," Spence wrote. "At that time the matter was swiftly rectified as it has been today. Regrettably some time later as a result of a software update, the security patch was inadvertently removed without anyone becoming aware of its function in protecting the security of student records.

"This is, of course, a most serious lapse in the standards which we should be able to expect of our ICT services, for which I can only apologise. I am somewhat relieved to note that since 2007 we have substantially upgraded our ICT processes generally and specifically around the implementation and “penetration” testing of new or updated software."

The security breach followed a hacking attempt in which the front page of the website was defaced with personal attacks against a UNIX system administrator at the university, as well as other messages, including ones of support for victims of recent flooding in Queensland.

The subsequent breach is currently under investigation by NSW acting privacy commissioner, John McAteer, a process he said would take approximately five weeks to determine whether the university itself was at fault.

However, according to former ethical hacker Jason Pearce, the hack highlights a weakness for the security industry as a whole and not just the university.

“We do a great job of selling products to people but we don’t do a good job of educating them around the risk to protect themselves. That’s a weakness for everyone,” said Pearce, who now works as a director of sales engineering at security vendor M86.

The hack, which Pearce suspects was an inside job by a student, raises a couple of issues for Sydney University.

“One is that they’re not doing any code reviews or vulnerability assessments on those particular websites. A simple Web assessment would have picked up that there is access to data somewhere else in the environment.”

“From what I understand it was an easy cross-site scripting hack.”
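As an added illustration, not code from the article, from the University of Sydney or from M86, the following Python sketch ties together the two points raised above: Spence's account of a security patch that a later software update removed without anyone knowing what it protected, and Pearce's description of the flaw as cross-site scripting. It shows an unescaped record renderer beside the escaped version such a patch would introduce, plus a regression check that fails the moment the escaping disappears, which is the kind of automated test that would have flagged the patch being stripped. The student record, field names and function names are constructed assumptions.

```python
import html

# Constructed sample record for demonstration only; not real student data.
STUDENT_RECORDS = {
    "s0000001": {"name": "Jane <b>Example</b>", "course": "Bachelor of Science & Arts"},
}


def render_unpatched(record):
    """Renderer without the fix: record fields are interpolated straight into HTML.

    Any markup stored in a field is emitted verbatim, which is the class of
    flaw (cross-site scripting) that an escaping patch addresses.
    """
    return f"<p>{record['name']} is enrolled in {record['course']}</p>"


def render_patched(record):
    """Renderer with the fix: every field is HTML-escaped before insertion.

    html.escape converts <, >, &, and quotes into entities so the browser
    treats the value as text rather than as markup.
    """
    return (
        f"<p>{html.escape(record['name'])} is enrolled in "
        f"{html.escape(record['course'])}</p>"
    )


def escaping_is_intact(render):
    """Regression check for the patch.

    Feeds a field that contains a harmless marker tag and verifies that the
    raw tag never reaches the output while its escaped form does. Wiring this
    into a test suite means a software update that removes the escaping fails
    the build instead of silently reopening the hole.
    """
    probe = {"name": "<marker>", "course": "x"}
    out = render(probe)
    return "<marker>" not in out and "&lt;marker&gt;" in out


def main():
    record = STUDENT_RECORDS["s0000001"]
    print("unpatched:", render_unpatched(record))
    print("patched:  ", render_patched(record))
    for name, fn in (("unpatched", render_unpatched), ("patched", render_patched)):
        status = "OK" if escaping_is_intact(fn) else "REGRESSION"
        print(f"escaping check on {name} renderer: {status}")


if __name__ == "__main__":
    main()
```

Running the script prints the two renderings side by side and reports `REGRESSION` for the unpatched renderer and `OK` for the patched one; the same `escaping_is_intact` check is what a continuous-integration job would run after every dependency or software update.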

The hack comes in the wake of a similar data breach affecting approximately four million Vodafone customers earlier this month.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU
