Tuesday, November 21

Hacker sells access to databases at UCLA, other universities




A Russian-speaking hacker sold unauthorized access to databases for more than 60 universities and government agencies in the United States and United Kingdom, including UCLA.

The hacker, called Rasputin, sold SQL injections, or SQLi, for various databases, according to a statement by Recorded Future, a technology company that specializes in real-time threat intelligence. SQL injections allow a hacker to access all the contents of an internet database, rather than only parts of it.

Recorded Future informed the UCLA Information Security Office that a UCLA website was vulnerable to SQLi attacks from Rasputin, according to the office.

Recorded Future also said Rasputin had accessed a U.S. Election Assistance Commission database with a similar attack in November.

The UCLA Information Security Office worked with the affected campus unit to identify and make the website secure again, prior to Recorded Future’s Feb. 15 public announcement. The office did not specify which website was compromised.


Though the website was initially vulnerable to the exploit, there was no personally identifiable or sensitive information in any of the web server’s SQL tables, the UCLA Information Security Office said.

Peter Reiher, a computer science adjunct professor, said SQL is a popular query language for databases and a way of asking for something from a database.

He said most websites rely on databases to store information about users, such as users’ interests or personal identification, and give the information to servers when asked. Servers can identify users when accessing databases, but doing so can also unintentionally give secret information.

He said database owners can prevent a SQLi attack through well-programmed systems, but some people buy systems with potential mistakes in the software.
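The difference between a system with this mistake built in and a well-programmed one can be shown in a few lines. The following is an added example, not code from the article or from any affected site; the table, names and input string are constructed for illustration. It runs the same lookup two ways against an in-memory SQLite database: once by pasting the input into the query text, and once with a bound parameter.

```python
import sqlite3

def make_db():
    """Build a throwaway in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, interest TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "chess"), ("bob", "sailing"), ("carol", "botany")],
    )
    return db

def lookup_concatenated(db, name):
    # Flawed: the input becomes part of the SQL text, so quote
    # characters inside it can change the meaning of the query.
    sql = "SELECT name, interest FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    # Corrected: the query text is fixed and the input is bound as a
    # value, so it is only ever compared against the name column.
    sql = "SELECT name, interest FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

# Constructed input containing quote characters and a condition
# that is always true.
CRAFTED = "x' OR '1'='1"

def compare(db, value):
    """Return how many rows each version of the lookup hands back."""
    return {
        "concatenated": len(lookup_concatenated(db, value)),
        "parameterized": len(lookup_parameterized(db, value)),
    }

if __name__ == "__main__":
    db = make_db()
    print("ordinary input:", compare(db, "alice"))
    print("crafted input: ", compare(db, CRAFTED))
```

With ordinary input both versions return one row. With the crafted input the concatenated version returns the whole table, while the parameterized version returns nothing because no user has that literal name.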

“One of the things they might be doing is filling around with SQL, and the attacker can get ahold of their information,” Reiher said. “It’s not the user’s fault but the software came with a mistake built in.”

Reiher said he thinks with so much data flowing around UCLA in many different servers, it is possible someone made a small mistake that could have had negative consequences.

“The amount of data flowing around UCLA is intense, but what would be lost depends on what the database is compromised of,” Reiher said.

Other affected universities include New York University, Rice University and the University of Washington. The federal agencies the hacker breached include the National Oceanic and Atmospheric Administration and the U.S. Department of Housing and Urban Development.

Contributing reports from Eric Bazak, Daily Bruin contributor

 
