Exclusive: Cyber-attacks against Scottish universities put student data at risk
An investigation by The Journal reveals startling rise in attacks
Wednesday, 24 April, 2013 | 11:06
Credit: David Selby/The Journal

Scottish universities have seen a rise in the number of cybercrimes against their IT infrastructure in recent years.

After a five-month investigation, The Journal can reveal that Scotland's universities have experienced hundreds of attacks, which led the University of Edinburgh to send a report to the Information Commissioner's Office in October 2012.

Documents seen by The Journal show that the University of Strathclyde only formally records incidents which are reported to its IT helpdesks. It is exploring more detailed ways to log and track IT security incidents; however, this information is not available retrospectively.

The university saw a modest rise in copyright violation on its networks between 2008/09 and 2010/11, but that figure dropped to 21 in 2011/12 and four instances were recorded so far in 2012/13.

Strathclyde also saw a significant rise in hostile activity, from 13 instances in 2010/11 to 29 in 2011/12, with nine cases recorded so far this academic year.

Network abuse was another reporting category to see a significant increase, rising from five in 2010/11 to 15 in 2011/12. Unauthorised service use rose from two to 33 over the same period and has already seen 16 occurrences this academic year.

Strathclyde also receives over 500,000 incoming email connections on a typical working day, almost 85 per cent of which are identified as likely spam or malware.

At the University of Edinburgh, five websites and three ‘legacy’ databases have been compromised in the first three months of this academic year alone, with at least 160 people believed to have been affected and advised to change their passwords.

The compromised websites were altered to promote advertising with one also redirecting to an external website before the university was able to remove the content and repair them. Two of the websites were later re-infected, but again fixed.

Compromised databases led to names and addresses being made available to the public – which the university maintains were already in the public domain – along with passwords to minor databases, most of which were encrypted.

The university took the sites down to review their code, which led to added security on its web servers and a new system being put in place for database management.

The revelation of security breaches at one of Scotland's most prestigious universities comes at the same time as documents from the University of the West of Scotland revealed that "there have been many thousands of cyber-attacks [in the last five years] but none of them has been successful".

In response to a request for information, the University of the West of Scotland said: "There has been no breach in security over this period. There have been many thousands of cyber-attacks but none of them has been successful."

When asked to accurately quantify the information, a UWS spokesperson added: "There has been no data loss, malware infection, virus infection, cost to repair or other action taken to prevent further breaches, other than blocking spam email addresses.

"Although we log these events, we do not keep the logs (they are very large) for more than 90 days and we have no accurate trend analysis over the period specified. The perception would be that these attacks continue to increase in number year-on-year."

At Edinburgh University, The Journal can reveal that the affected websites were the Royal (Dick) School of Veterinary Studies, Edinburgh University Brass Band (EUBB) and a website providing access to a database for a School of Biology research project on ed.ac.uk servers.

The university concluded that this instance appeared to be an automated Structured Query Language (SQL) injection attack rather than a targeted attack.

At the time, tech news website The Register reported that Anonymous-affiliated Team GhostShell had targeted the world's top 100 universities in a protest against tuition fees and an apparent falling quality of education.

In filing the report to the ICO, however, Susan Graham, the University Record Manager, determined this media coverage to be "very inaccurate".

Of the people affected by the most serious security breach at Edinburgh University, 11 biology research students saw their details made available, 109 staff names and 53 email addresses released from the Veterinary School and up to 20 names, email addresses and a combination of names and passwords were obtained from the EUBB website.

A review of the university's Information Security Policy has been undertaken this year and the university’s central management group received a proposal this academic year to enhance the overall security of systems outside of central control.

The number of incidents that occurred could be far greater, but incidents were not logged centrally with the IT Infrastructure Division, which only holds records from 2010/11.

With three academic colleges – subdivided into 22 schools – and three support groups – subdivided into 70 support services – the university’s IT security is devolved, with individual schools and units responsible for protecting information systems, which could have resulted in scores of other attacks that remain unknown.

In 2011/12, four individual school and student union servers were compromised with advertising and links to outside services added. The servers were subsequently secured and malware removed.

A user account was also compromised, allowing a malicious remote user access to 12 individual school desktop systems. The user account password was changed and the systems were checked.

A school publication website was also compromised via an SQL injection. The server was secured and the added material removed.
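The article attributes several of the Edinburgh website compromises to automated SQL injection. The following is an added illustration, not code from any of the universities named, of the defect such automated attacks look for and of the fix: a lookup that splices user input into the query text, beside the same lookup using a parameterised query. The in-memory SQLite database and the member rows are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a small "legacy" membership table
# of the kind the article describes (names and addresses are made up).
SAMPLE_ROWS = [
    ("alice", "alice@example.ac.uk"),
    ("bob", "bob@example.ac.uk"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Build the SQL by string concatenation.

    The caller's input becomes part of the query text, so a value containing
    quote characters changes the query's logic. This is the defect an
    automated SQL injection scanner is probing for.
    """
    sql = "SELECT username, email FROM members WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Bind the input as a query parameter.

    The database driver treats the value purely as data; it is never parsed
    as SQL, so the same hostile string simply matches no row.
    """
    sql = "SELECT username, email FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"   # textbook tautology: makes the WHERE clause always true
    print("vulnerable, benign input:   ", lookup_vulnerable(conn, benign))
    print("vulnerable, hostile input:  ", lookup_vulnerable(conn, hostile))  # every row leaks
    print("parameterised, hostile input:", lookup_parameterised(conn, hostile))  # nothing
```

The vulnerable function returns the whole table for the hostile input, which is how names, email addresses and password material end up disclosed; the parameterised version returns nothing for it and the correct single row for a real username. Removing string-built SQL from web-facing code is the change that stops the automated variant of this attack regardless of which scanner sends it.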

In 2010/11, a server of one of the university’s colleges was broken into and a set of names and passwords was stolen. The server was secured and the method of handling names and passwords was changed.

Despite repeated requests for comment, Edinburgh University failed to respond before The Journal went to print.

Queen Margaret University revealed to The Journal that it has also experienced attacks, with six and seven machines respectively affected in two separate incidents in 2009/10, costing £130 to fix.

Two similar attacks took place in 2010/11, resulting in a cost of £150 to fix; however, a QMU server that year was also compromised through an "insecure/default install of PHP".

The PHP install was updated and hardened, with restrictions on external access put in place for the server in question. The university spent £250 of staff time to investigate and resolve the incident and to implement patches and security hardening, including the restrictions on external access, to prevent a recurrence.

QMU said: "When any infection is found the machine is isolated from the network and then will only be allowed back on the network once cleaned. The devices would probably be off the network for at least half a day depending on circumstances."

Although personal machines on its wireless networks are susceptible to infection, QMU does not have comparative figures for them, but it estimates the infection rate of university machines as very low.

QMU added: "If a university machine is compromised then it will be flattened and re-imaged unless there is a concern that the virus or malware can withstand this process in which case the hard disk would be replaced."

Unlike some universities, including Edinburgh University, QMU has a central reporting system to make it easier to spot potential problems on its networks.

Heriot-Watt University also confirmed that it was subject to two cyber-attacks in 2011-12: one led to a web server briefly losing connectivity on one campus in December 2011, and a further compromise in January 2012 of a Session Initiation Protocol (SIP) trunk service briefly affected telecommunications on two campuses.

Both services were swiftly restored by Heriot-Watt's IT services staff and relevant service providers, but not without some inconvenience to some staff and students.

Edinburgh Napier University, University of Glasgow and Glasgow Caledonian University declined to disclose information in relation to any cyber-attacks against their systems.

The Journal requested a review in each case, but no response had been received from any of these four universities at the time of going to print.

Most universities also declined to comment on the increase in attacks on their systems.
