At least five of the domains belonging to the University are vulnerable

Nov 18, 2011 13:18 GMT

St0rm, the hacker who not long ago discovered three vulnerable domains belonging to the University of Melbourne, found out that after the institution failed to patch the issues, someone else may have actually penetrated the web servers.

Wanting to learn more on the story, I contacted the hacker who was kind enough to chat with me on the subject.

The suspicion comes after he stumbled upon some user accounts that had the password blackhat123. While this is not clear proof of a hack, an account with a password like that is at least a sign that someone else has been probing the servers.

“So the 'good hacker' has hacked the system, found the 'bad hackers' before any of the admins!” St0rm said.

The gray hat claimed that he has since managed to compromise a fifth domain, where he could access information belonging to 245 staff members. The details include names, usernames, emails, phone numbers, addresses, pictures, fax numbers and personal descriptions.

Other data includes the credentials of 3 administrators, 13 MySQL databases, 136 forum user logins and around 200 sets of credentials and personal details belonging to students, all from 10 databases.

In total, the five domains contained 1302 logins, and the password hashes of 800 of them were easily cracked.
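To show why 800 of 1302 password hashes could be recovered so quickly, and what changing the storage scheme actually buys, here is an added example that is not part of the original article and does not use any real University of Melbourne data. The accounts, passwords, wordlist and hash table are constructed for illustration, and the PBKDF2 iteration count is an assumption to be tuned to the server in question. The same dictionary lookup is run against an unsalted MD5 dump and an unsalted SHA-256 dump to show that the hash algorithm alone changes nothing; the salted, iterated scheme that follows is what forces the attacker back to per-account work.

```python
import hashlib
import hmac
import os

# Constructed sample data (not real accounts): a small wordlist standing in
# for the multi-million-entry lists used by password crackers.
WORDLIST = [b"123456", b"password1", b"blackhat123", b"melbourne2011", b"qwerty"]

SAMPLE_PASSWORDS = {
    "alice": b"blackhat123",
    "bob": b"password1",
    "carol": b"melbourne2011",
    "dave": b"kR7!vq2#Lp9z",  # not in the wordlist; survives the dictionary attack
}


def make_unsalted_dump(algo, passwords):
    """Build a {user: hexdigest} table using one fast, unsalted hash per user,
    the kind of table the article says gave up 800 of 1302 passwords."""
    return {user: hashlib.new(algo, pw).hexdigest() for user, pw in passwords.items()}


LEAKED_MD5_DUMP = make_unsalted_dump("md5", SAMPLE_PASSWORDS)


def crack_unsalted(dump, wordlist, algo="md5"):
    """Dictionary attack on unsalted hashes.

    Each candidate is hashed once and compared against every account through a
    reverse lookup table, so the cost is len(wordlist) hashes no matter how many
    accounts leaked. Works identically for md5, sha1 or sha256: the algorithm
    name is not what makes the table weak.
    Returns (cracked {user: password}, number of hash operations).
    """
    table = {hashlib.new(algo, w).hexdigest(): w for w in wordlist}
    cracked = {u: table[h].decode() for u, h in dump.items() if h in table}
    return cracked, len(wordlist)


# --- hardened scheme: per-user random salt plus slow key derivation ---------
DEFAULT_ITERATIONS = 600_000  # assumption: PBKDF2-HMAC-SHA256 work factor, tune to hardware


def hash_password(password: bytes, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return (salt, digest). A fresh 16-byte salt per user defeats shared lookup tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt, digest


def verify_password(password: bytes, salt: bytes, digest: bytes, iterations=DEFAULT_ITERATIONS):
    """Recompute the derivation and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_salted(records, wordlist, iterations):
    """The same dictionary attack against salted PBKDF2 records.

    records: {user: (salt, digest)}. Because every user has a different salt
    there is no shared lookup table, so the attacker must run the slow
    derivation once per (user, candidate) pair. Returns (cracked, derivations);
    multiply the count by `iterations` for the number of HMAC calls performed.
    """
    cracked, work = {}, 0
    for user, (salt, digest) in records.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", w, salt, iterations), digest):
                cracked[user] = w.decode()
                break
    return cracked, work


if __name__ == "__main__":
    found, ops = crack_unsalted(LEAKED_MD5_DUMP, WORDLIST)
    print(f"unsalted md5: cracked {len(found)}/{len(LEAKED_MD5_DUMP)} with {ops} hashes -> {found}")
    found, ops = crack_unsalted(make_unsalted_dump("sha256", SAMPLE_PASSWORDS), WORDLIST, "sha256")
    print(f"unsalted sha256: cracked {len(found)}/{len(SAMPLE_PASSWORDS)} with {ops} hashes")
    salted = {u: hash_password(pw, iterations=10_000) for u, pw in SAMPLE_PASSWORDS.items()}
    found, ops = crack_salted(salted, WORDLIST, iterations=10_000)
    print(f"salted pbkdf2: cracked {len(found)}/{len(salted)} with {ops} derivations x 10000 HMACs")
```

Against the unsalted tables the three weak passwords fall with five hash operations in total, whichever algorithm produced them; against the salted records the attacker needs fourteen full derivations for the same result, each costing the configured iteration count, and the cost keeps growing with the number of accounts rather than staying flat.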

“I came across the domains one by one, scanning for the various vulnerabilities that I knew there could possibly be, after which I used a couple of vulnerabilities to my advantage with an exploit,” he says, explaining his findings.

“Once I had gained access to the databases, I then searched for logins. After finding as many logins as possible, I copied the files onto my computer, decrypted the hashes and was then finished.”

While he continues his efforts to alert the University of Melbourne, he advises the institution's representatives to follow some simple tips for securing their assets, recommendations that could be taken into consideration by any organization that handles large amounts of sensitive data:

Change the encryption level of all logins to SHA or SHA256 instead of MD5 hash.

Add a network sniffer to your web servers so that you can monitor remote access, and see who's got access, when, where and how.

Get people to test the sites regularly to make sure everything is running smoothly.

When someone calls, asks for an administrator and says it's urgent, put a real admin on the phone. Don't make excuses about being idle.

Finally, he insists that none of the information was leaked by him, but if someone else takes advantage of the weaknesses he found, all the people involved could be exposed.

“If you're going to arrest me for helping people online, then so be it. Lock me up for life,” he concludes.