Sunday, March 04, 2012


Perhaps forwarding this to your IT staff will be sufficient? Perhaps with a CC: to Admin?
University of Washington and other universities hacked. Again. And again.
March 3, 2012 by admin
The message at the top of a paste by two hackers pretty much nails it:
A few days back, Team ITNRA hacker ‘HaxOr’ hacked into the University of Washington using a SQL injection. The SQL injection that was abused was fixed, but that doesn’t mean there wasn’t more. Just because someone finds an SQL injection vulnerability in a website doesn’t mean they’re so amazingly good. Anyone can do it, to be quite honest. Just thought I’d share that though.
And so, in yet another breach of U. Washington’s servers on February 29, hackers dumped 31 database users’ logins and passwords as well as 25 WordPress users’ logins, passwords, and e-mail addresses. All passwords were encrypted.
U. Washington is certainly not alone in needing to harden their security. Indeed, there are so many uni sites that have been hacked using SQLi that one blogger simply batched a number of breaches during November 2011 involving the University of Washington, University of Oregon, Maricopa Community College, Stanford University, Harvard School of Engineering and Applied Sciences, and Michigan State University. And in a paste made a few weeks ago, one hacker, “Joinse7en,” provided a list of specific SQLi-vulnerable URLs for:
  • University of Nebraska-Lincoln
  • University of Wisconsin-Madison
  • Purdue University
  • Northern Arizona University
  • University of California, Los Angeles
  • University of Washington
  • Ohio State University
  • University of California, Berkeley
  • University of Hartford
  • Washington and Lee University
  • Texas Christian University
  • University of North Carolina at Chapel Hill
  • Dowling College
  • University of Houston
  • Nebraska Methodist College
  • Yeshiva University
Whether those leads were acted upon is not known at this time, although a quick search on Pastebin does not turn up any new hacks for the sample I checked.
Thankfully for universities, at least some hackers are taking a break from hacking universities. In a notice published several days ago, two hackers involved write, in part:
We’re suspending Operation Education as the months go by. We may resume Operation Education in the future, but as of now, we’re merely people playing with others.
We, N0B0DY and N0LIFE, want to say that we had a bit of fun getting into the universities that we got into as a part of Operation Education (#OpEdu).
University of Washington
University of Arizona
Cincinnati Christian University
Valley Forge Christian College
University of Florida (Privately)
Cambridge University (Privately; Also e-mailed them; Vulnerability not fixed as last checked)
We’re releasing this public statement to announce that #OpEdu will be delayed for the upcoming months.
The universities around the United States are very well known, whether it be sport-related, academic-related, etc., but that doesn’t mean they have the best security.
All we have done is SQL inject these universities, and it’s quite a disappointment to see that universities are in danger of losing data, as well as getting data released.
We showed people that. We’re aware that we haven’t done much, and the list of universities that could be accessed via SQL injection goes on and on, but we showed people that universities are vulnerable. People just haven’t found them.
I’m surprised that this month has been the month that universities have been getting hacked over and over, especially University of Washington. We’ve shown these universities that they need to take better care of security rather than making themselves look like the “best they can be” when hackers can ruin that reputation in one leak.
Universities amass a tremendous amount of personally identifiable information and it’s clear that even large universities are maintaining databases that are inadequately secured.
But if you’re surprised by the listing of universities that were hacked in recent weeks because you didn’t see any reports in the media, don’t be. The mainstream media has not really been following what’s going on on Pastebin or other dump sites, so many uni’s escape negative media coverage.
It’s clear, however, from what’s been posted by hackers that the state of data security in higher education leaves much to be desired. So what’s the answer? The U.S. Department of Education does basically nothing to ensure uni’s have adequate security and FERPA provides no private cause of action in the event of a privacy breach. How many class action lawsuits would it take against uni’s to get them to finally address some of what should have been addressed long ago?
And if uni’s fail to get pastes with personally identifiable information removed from Pastebin or other similar sites, wouldn’t that go a long ways to showing negligence and callous disregard in any class action lawsuit? Why are pastes with PII still up on the web? Just saying….
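The breaches above all come down to one defect class: a web page that splices user input straight into a SQL string. As an added example (not code from the original post, nor from any of the sites named in it), the script below puts the vulnerable lookup beside its parameterized replacement and runs both against a constructed in-memory SQLite table. The table and column names are modelled on WordPress's wp_users table, since WordPress accounts were among the data dumped; the rows and e-mail addresses are made up.

```python
import sqlite3

# Constructed sample data (not real accounts): a minimal WordPress-style users table.
SAMPLE_USERS = [
    ("alice", "alice@example.edu"),
    ("bob", "bob@example.edu"),
    ("carol", "carol@example.edu"),
]


def make_db():
    """Build an in-memory SQLite database with a wp_users-like table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (id INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_users (user_login, user_email) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, login):
    """The defect: the login value becomes part of the SQL text itself, so a
    crafted value rewrites the WHERE clause instead of being compared to it."""
    sql = "SELECT user_login, user_email FROM wp_users WHERE user_login = '%s'" % login
    return conn.execute(sql).fetchall()


def find_user_safe(conn, login):
    """The fix: a bound parameter is always treated as data, never as SQL.
    Whatever the value contains, it is compared against user_login verbatim."""
    sql = "SELECT user_login, user_email FROM wp_users WHERE user_login = ?"
    return conn.execute(sql, (login,)).fetchall()


def compare(conn, login):
    """Run both lookups on the same input and return (vulnerable_rows, safe_rows)
    so the difference in behaviour can be checked programmatically."""
    return find_user_vulnerable(conn, login), find_user_safe(conn, login)


if __name__ == "__main__":
    db = make_db()
    # A normal login: both versions return the single matching row.
    print("alice ->", compare(db, "alice"))
    # A value that is not a username: the vulnerable query's WHERE clause is
    # rewritten to match every row, while the parameterized query matches none.
    print("tautology ->", compare(db, "' OR '1'='1"))
```

Any database API that accepts bound parameters (the `?` placeholder here; `%s` with a parameter tuple in psycopg2, `?` in JDBC, prepared statements in mysqli/PDO) gives the same guarantee; what matters is that the value never passes through string formatting on its way into the query.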


...and what has happened in the last two months? SOPA perhaps?
"The RetroShare network allows people to create a private and encrypted file-sharing network. Users add friends by exchanging PGP certificates with people they trust. All the communication is encrypted using OpenSSL and files that are downloaded from strangers always go through a trusted friend. In other words, it's a true Darknet and virtually impossible to monitor by outsiders. RetroShare founder DrBob told us that while the software has been around since 2006, all of a sudden there's been a surge in downloads. 'The interest in RetroShare has massively shot up over the last two months,' he said."


Interesting design choice. I wonder if the design was ever reviewed by a lawyer?
Denver officials order review of police software that could overwrite witness descriptions
Denver officials have ordered new training for police detectives and are considering policy changes in the wake of disclosures that the initial eye-witness descriptions of crime suspects may be overwritten in some instances and never make it into court files.
And while the Police Department's computer system keeps a log of the edits officers make to those descriptions, attorneys in the public defender's and district attorney's offices cannot recall ever seeing one — raising the specter that potentially critical information may be inadvertently withheld from defense attorneys.


Sometimes dem lawyers is just so silly!
"Patent blogger Dennis Crouch writes on Patently-O of a catch-22 for attorneys. Patent attorneys are required to submit all prior art that they know of to the patent office. Failing to do so is an ethical violation, and can result in a patent being invalidated. But now the Hoboken Publishing Company and the American Institute of Physics are suing a major patent firm for copyright infringement, because they submit articles to the patent office without paying a separate royalty."


Sounds like full employment for my Computer Security students...
FBI: Cyber attacks may soon be top threat to USA
March 4, 2012 7:40am
Cyber-attacks loom as the top threat to the United States in the near future, officials of the US Federal Bureau of Investigation said.
A report on PC World quoted FBI Director Robert Mueller as citing threats from hackers, including state-sponsored ones.
"(While terrorism remains the FBI's top priority) in the not too distant future, we anticipate that the cyber threat will pose as the No. 1 threat to our country," it quoted Mueller as saying.


The bits and parts I find interesting (understand)
  • Raspberry Pi, one of the startups that I chose as the best of 2011, finally had its launch this week. Demand for the $35 Linux computer was so high that the organization's retail partners found their servers crashing under the load.
  • MIT Opencourseware is teaming up with the open source textbook publisher Flatworld Knowledge to create textbooks for the school's OCW Scholar courses (I've written about these courses here).
  • The Education Business Blog has crunched the numbers on iPad textbooks versus those old expensive printed ones and finds that "It will cost a school 552% more to implement iPad textbooks than it does to deploy books." Revolutionary!
  • Manifesto for Teaching Online (http://www.education.ed.ac.uk/swop/manifesto.html): The manifesto for teaching online is intended to stimulate ideas about creative online teaching. It was written by teachers and researchers in the field of online education, in connection with the MSc in E-learning programme at the University of Edinburgh. It attempts to rethink some of the orthodoxies and unexamined truisms surrounding the field.