Dump Up The Kids
Not even a single day has passed since the raid of the Italian Police against some alleged Italian Anonymous members, and a new hacker group, whose name LulzStorm reminds unequivocally the Lulz Boat, has been the author of a clamorous action of hacking against several Italian universities.
On July the 6th, the “Silence of the Tweets” following the Italian Police raids has been broken by @LulzStorm (which had not been taking part to #opitaly until then) with some tweets announcing the availability of the Italian University Dump.
Besides the data, the torrent contains a real declaration of war:
unisi.it (Università Degli Studi di Siena)
unisa.it (Università Degli Studi di Salerno)
uniroma1.it (Università La Sapienza di Roma)
antonianum.eu (Pontificia Università Antonianum)
econoca.it (Università Degli Studi di Cagliari, Facoltà di Economia)
uniba.it (Università Degli Studi di Bari)
unibocconi.it (Università Commerciale Luigi Bocconi)
unifg.it (Università Degli Studi di Foggia)
unime.it (Università Degli Studi di Messina)
unimib.it (Università Degli Studi Milano Bicocca)
uniurb.it (Università Degli Studi di Urbino)
unibo.it (Università Degli Studi di Bologna)
unipv.it (Università Degli Studi di Pavia)
unina2.it (Seconda Università Degli Studi di Napoli)
unile.it (Università del Salento)
polimi.it (Politecnico di Milano)
unito.it (Università Degli Studi di Torino)
unimo.it (Università Degli Studi di Modena e Reggio Emilia)
Is not clear if the attack was perpetrated as a revenge for the campaign against the “Italian Chapter” of Anonymous, but, of course, it had ample space on media, rasing many questions and concerns even among non-professionals. The chancellors of the affected universities (among which “La Sapienza di Roma and the Politecnico di Milano, etc), immediately replied that the deployed countermeasures were able to stop the attack and in many cases no sensitive data were stolen.
Even if the attack details have not been unleashed, it looks like this might be yet another occurrence of an SQL Injection attack which may be considered the real lethal weapon of this tremendous 2011 (if we do not consider DDoS attacks which are not considered an elegant vector by “purists”). I do not know if, as Veracode claims, 10.000 bucks would have prevented the Sony Breach, but for sure more secure coding and a more efficient deploying of Web/DB firewall are necessarily needed.
Another aspects concerns the Italian 193/2006 law, which in theory obliges each institutions managing sensitive data (such as passwords), to keep them encrypted. Regulations are useless if not properly audited: I must confess I had the opportunity to analyze the torrent and I may confirm that in several cases leaked data include e-mails and passwords in clear. As a consequence, the question among infosec professionals is legitimate: why those data were not stored in compliance with the above quoted law? Regardless of the method used, if the attackers meant to show security weaknesses (in technology and regulations) probably they were successful, up to the point that several lawyers with expert knowledge in privacy claim that students may in theory obtain compensation for damage caused by poor security measures taken by universities.
In any case the declarations made by the Italian Anonymous suggest that this could only be the first occurrence. Are we ready for that?