Sunday, March 29

UCLA psychology department's database hacked

Correction: The original version of this post contained an error. Hashes do not have inverse equations and cannot be used to generate the original password.

A hacker identified as “Inj3ctor” is claiming responsibility for the release of information from the psychology department’s database which included the names, home addresses and dates of birth of 26 applicants to the university.

The incident occurred Friday and university police notified officials from UCLA Information Technology by 9:35 p.m. that night.

Although the release of this information is concerning, it is not a breach of security, said Ross Bollens, director of security at UCLA IT.

By law, there are specific requirements about what determines a breach of security and none of the information released by the hacker meets the criteria, Bollens said.

The applicants whose information was released will be notified of the incident, Bollens said.

The hacker also released the names, email addresses and office phone numbers of some professors in the department.

But because this information can easily be found on the UCLA directory, this does not constitute a breach in security, Bollens said.

In a statement posted on the website Cyber War News, the hacker said he released passwords from the database.

The information on the release, however, only contains the hash of passwords, a sequence of letters and numbers created using an equation on the original password. But the equation does not have an inverse, so there is no way of generating the original password for use. For that reason, the hashes are not of much use to third-party members, Bollens said.

Webmasters from UCLA IT are still investigating the hacking, but Bollens said it is likely the result of a SQL injection, which makes programs give more information than intended for release.

The psychology department’s outdated database may have made it more susceptible to the SQL injection, where the hacker puts in a code that the program doesn’t recognize. That can cause the program to give up information that the programmer did not intend to release. SQL injections are responsible for more than 90 percent of hacks.
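The following is an added illustration, not code from the article or from any UCLA system, of how a query built by pasting user input into SQL text can return more records than intended, beside the parameterized form that prevents it. The table, column and function names are hypothetical and the applicant records are constructed.

```python
import sqlite3

def make_db():
    """Build an in-memory table of constructed (fictional) applicant records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE applicants (id INTEGER PRIMARY KEY, name TEXT, dob TEXT)")
    db.executemany(
        "INSERT INTO applicants (name, dob) VALUES (?, ?)",
        [("Alice Example", "1990-01-01"),
         ("Bob Sample", "1991-02-02"),
         ("Carol Placeholder", "1992-03-03")],
    )
    return db

def lookup_vulnerable(db, name):
    # Weak: the input is pasted into the SQL text, so quote characters in it
    # become part of the query and can change what the WHERE clause matches.
    sql = "SELECT name, dob FROM applicants WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    # Hardened: the driver binds the input as a value; it is never parsed as SQL.
    return db.execute(
        "SELECT name, dob FROM applicants WHERE name = ?", (name,)
    ).fetchall()

def demo():
    """Run one ordinary and one crafted lookup through both functions."""
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that contains SQL syntax
    return {
        "normal_vulnerable": lookup_vulnerable(db, "Alice Example"),
        "normal_parameterized": lookup_parameterized(db, "Alice Example"),
        "crafted_vulnerable": lookup_vulnerable(db, crafted),
        "crafted_parameterized": lookup_parameterized(db, crafted),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s)")
```

With ordinary input both functions return the same single record; only the concatenated query returns the whole table for the crafted input, which is the behavior a code review or test suite should check for.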

Even before the release of information, the department was already working on updating its database technology, which it will continue to do to increase its security, Bollens said.

Information about exterior organizations affiliated with the department was also released.

The biggest Internet security breach in UCLA history, in 2006, was the result of a SQL injection.

Compiled by James Barragan, Bruin senior staff.
