university of nebraska 2012 breach (264294032)

8/9/2019 University of Nebraska 2012 Breach (264294032)

http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 1/45

Chris Cashmere, University of NebraskaCentral Administration

Dan Buser, University of Nebraska at Lincoln

1

University of Nebraska 2012

Breach



n !ay 2012 the University of Nebraska e"#erienced one ofthe lar$est breaches in hi$her education

t took months to %$ure out e"actly &hat ha##ened

t took years to %nally come to some&hat of a conclusion

t cost the University hundreds of thousands of dollarst &as investi$ated by the 'B and D() *De#artment of)ducation+

he attacker &as cau$ht and #rosecuted by the U-Attorney

2

(vervie&



oday.s A$enda

/

e &ill cover ust a fraction of &hatha##ened

e &ill um# around ust coverin$the hi$hli$hts

-ome technical details

ublic res#onse and communication

m#act and costs

Le$al stu3 Lessons learned and takea&ays



he breach involved t&o entities

he University of Nebraska Central Administration he -tudent nformation -ystem *450,000 records+

A #erson obtained unauthori6ed administrator access to the studentinformation system database for a##ro"imately 27 hours

he University of Nebraska at Lincoln cam#us he De$ree Audit -ystem *20,218 students+

A #erson *same as above+ obtained de$ree audit system records via a&eb a##lication attack

7

ho )"actly9



UNL Attacks

hat he $ot from the outside &as some, but he&anted more

Used a :N service in -&eden to try to cover histracks• 'eb 20th thru !ay 20th

• -canned a total of 52 systems

• Dum#ed a database from the De$ree Audit systemcontainin$ student information *but no +

;e needed insider access

8



Dar&in

4



UNL :N -etu#

UNL took control of its o&n :N from Central ustmonths before the breach

All University 'acility, -ta3, and -tudents have accessto :N

At the time, all $eneral :N users &ere #ut into onebi$ #ool

'ire&all rules &ere o#en at Central to allo& that #oolthrou$h, instead of ust Admin users

'or unrelated reasons &e had full CA ca#ture on theUNL :N<&hich &e &ill cover later<

5



Nebraska Student Information System (NeSIS) Overview- 2012

!aor com#onents are the eo#le-oft a##lication and the (racledatabase

Central Administration mana$es t&o com#lete instances, one for theUniversity -ystem and one for the Nebraska -tate Colle$e -ystem

Ne-- had been o#erational for t&o years at the time of the breach

=

Ne-- Back$round



UNL

UNCA

UNO

Lincoln

Wayne

WSC

UNKKearney

CSC

Chadron

PSC

NCTACurtis

UNMC

Peru

Omaha

Ne-- consists of 7 Universities

/ -tate Colle$es

1 echnical Colle$e>

2 se#arate environmentsUniversities

-tate Colle$es

Nebraska?Nebraska -tateColle$e -ystem *Ne--+

(ver 8@,000 activeusers in the t&o systems



he Ne-- Database

&hich included --N, name, address, D(B, etc for<Current -tudents

arents

Alumni and non$raduates *se#arated+, many years &orth

'aculty and -ta3 &as never a student at UN yet &as in the student system999

AC?-A otential -tudents f you took the AC?-A in Nebraska or checked a Nebraska school for your scores

his data is &here most of the com#romised --Ns ori$inated

ncluded bank account information for more than 20,000 students

No Credit Cards

670,000 e!ords"#sers$

%&0,000 #sers after de-du'i!ation$

(*at the time of the breach, May 2012)

10



11

echnical Details



;o& Did his ;a##en9

•

he attacker &as a University of Nebraskaat Lincoln student and &as allo&ed :Naccess to internal cam#us resources Aninsider9

nsider Access

• he internal %re&all that #rotects the --(racle database &as o#en to connections

from the :N s#ace &hich students&ere assi$ned

'ire&allCon%$

• he eo#le-oft default E)(L)E user#ass&ord &hich #ermits access to#ass&ords tables durin$ user

authentication &as not chan$ed

Default

ass&ord• he attacker &as, usin$ the )(L)

account, &as able to derive the #lain te"t#ass&ords for the database -F-AD!accounts from the encry#ted form

•

he ;ack



1/

Cyber Gill Chain

Access Hecon )"#loit 'oothold)"%ltrati

on

CAU

I;,

;)

H )



17

:N?'ire&all

'ire&all &as con%$ured *unintentionally+ to allo& :N i# addresses

access to the -- system

Based on the :N connectin$ to the databases it &as easy to trackthat back to a user that &as assi$ned the

;e lo$$ed into the :N &ith his re$ular student D, so very easy totell &ho it &as

(nce &e kne& the user &e could %nd all the e"ternal addresses the:N account lo$$ed in from hree di3erent locations, these &ereturned over to la& enforcement &ithin 27 hours

Lincoln N), his a#artment(maha, turned out to be his !om and Dad.s houseLincoln N), his #lace of em#loyment in *data minin$ com#any+

Access



18

-cannin$?HeconBasically tried various scans and e"#loits three &eeks, !ay 4th to!ay 2/

-cannin$ &ith Linu" 'ree tools like, &e found out about some of thesefrom 'B?D()

N!A *#ort scanner+Nessus *vulnerability scanner+;ydra *net&ork lo$in hacker+-cuba *database vulnerability scanner+Nikto *&eb a##lication scanner+

ried an (racle N- listener attacked for a &hile

<but he Je& under the radarAll the connections he made &ere allo&ed

Hecon



14

)(L)?#eo#1e

eo#le-oft used to be delivered &ith a default user and #ass&ord

his &as the case &hen &e de#loyed the - system in 2010eo#le-oft is no& delivered &ithout a default )(L) #ass&ord,you have to enter one in &hen you install eo#le-oft, this &asdone in the #ast 1=27 months

Ne& installs of =8/ or later you are $ood Fou $et a #rom#t to set a

#ass&ord for the )(L) account U#$raded9 Fou &ill still have thedefault - #ass&ord

eo#le $ets you access to a fe& tables, 2 tables are im#ortant

)"#loit



15

-(HD)'N and -ACC)--H'L

une 12t* Heceived a D:D from 'B?olice &ith %le named

KusertablefromDBcsvM• he data. &as from one of the sei6ed com#uters• 'ile contained 15@,/55 ro&s of Ds and encry#ted and hashed

#ass&ords

ossible to crack these at the time of the breach9

)"#loit9



1=

eo#le -oft Lo$in

his &as at the time of the breach, still may be the case<

!ost eo#le-oft deskto# tools &ork this &ay, all have the default)(L)?#eo#1e user and #ass&ord

User enters valid D and any #ass&ord credentialsA## %rst connects to database usin$ the )(L) databaseaccount

he user O#eo#leO issues a cou#le of select statements to validatethe credentials #rovided Checks if the user e"ists

he O#eo#leO user also $ets the data o&ner usually -F-AD! andthe encry#ted #ass&ord for -F-AD!Deskto# a## disconnects from databaseDeskto# a## decry#ts the -F-AD! #ass&ord

Deskto# a## connects usin$ -F-AD!?#ass&ord to verify theusers #ass&ordDeskto# a## disconnects from database

he user is lo$$ed in )"#loit9



1@

:ice resident of 'inance

!ay 2/, 2012 10P00 #m Central Administration sta3 received

an error messa$e in eo#le-oft An account creation had failed,&hich &as a common occurrence An im#rom#tu investi$ationdetermined it &as result of a :2 account bein$ created

Locked sus#icious accounts immediately and continued tomonitor the a##lication

VP1 is a delivered PS account We loced and stri!!ed !rivile"es#security

$sin" S%S&'M he unloced VP1 and escalated its !rivile"esand lo""ed inloned security !ersons ('enise oin) account into a VP2account

VP2 may "o unnoticed+he creation !rocess of the VP2 account creation failed andalerted our system administrators- .ailed durin" a sync ofaccounts 'oothold



20

)"%ltration9

(/hich /e interru!ted)



21

he Notebook

;ere is &here &e %rst $ot a sense of &hat he &as u# to<

-earch &arrant e"ecuted on !ay 28th La& enforcement sei6edcom#uters and a N()B((G from his home and &ork

La& enforcement asked us to look to see if &e could hel# identify&hat &as in his notebook A lot if it &ould not make sense to an

outsider.

Notes for classes *S 21 .oundations of onstraintProcessin"+

;ostnames and for internal -- systems

-F-AD! #ass&ords for all the databasesPS 'S ncry!t(char*3 int3 char*3 int3 char*3 int)

)"%ltration



22

he Notebook

Notes about Iamblin$ sites

Notes on Banks in CanadaNotes on ho& to moneti6e information $athered;o& and &here to sell

)"%ltration

Net+eeroneybrokers

to. (bit!oin)/urum!*ane (bit!oin)eboney

;e claimed he $oin$ to chan$e his $rades3S4stdnt4rd &as on the same #a$e as the -F-AD!

#ass&ords

5woaI'redator (3N)

Inter!asino - Net+eer-#kas*Inter'oker8!om



2/

CA-

'ull CA- for all his activities 5IB of CA %les )very #acket he

sent or received &as there Luck &as on our side here

e did lots of searches in the CA- and e"tracted and analy6edevery select statement he #erformed and the results

e &ere able to determine, &ith a Quite a bit of certainty, only about

1%0 re!ords &ith --Ns &ere do&nloaded or vie&ed

e &ere able to see everythin$ he did and every bit of data hereceived

;e basically Kfumbled aroundM for a fe& &eeks@@R of the select statements no ro&s returned.

-#lit tunnel :N, traSc for our net&orks &ent throu$h the :N and&as ca#tured &hile $eneral internet traSc did not

;o&ever in the CA- &e sa& all his DN- reQuests:isit some forums and then try other stu3 and fail



27

ublic Hes#onse



Communication

28



Communication

)stablished a sin$le #oint of contact, C-(

'irst ress Helease issued less than 7= hours of discovery ssued other Hs &hen si$ni%cant information needed to be shared

Created dedicated email bo", asked for Questions andans&ered every Question &e could

Built a dedicated &ebsite for the security incident to serve ascentral information site *htt#P??nebraskaedu?security+

)stablished our o&n call center to address s#eci%c Questionsabout a &eek after the %rst #ress release *Tune 1st+

Built &eb a##lication to allo& call center and eventually #ublic

search to see if their data &as #art of breach

!ostly did email noti%cations, very fe& KlettersM sent

24



Call Center

25

Tune 1st 2012, 'riday = days



Ne&s

2=



2@

eakP 8,824

• Heceived over 280 Questions and comments throu$h &ebsitesubmission

• Heceived 484 calls to call center Tune 1st to 5th

• eb traSc #eaked the %rst four days and steadily decreased

ublic Hes#onse

Lasted for t&o years, every ne&s story and every court #roceedin$refocused attention an brou$ht ne&s stories and #hone calls



/0

m#act

December 22nd 2012, ;a##y ;olidaysV



/1

m#act

December 22nd 2012, ;a##y ;olidaysV



/2

12 Char$es

• 2 violations of -ection 1= of U- Code 10/0 *a+*8+*A+, felonies&ith u# to 10 years im#risonment

1= U- Code W 10/0 'raud and related activity in connection &ith com#uters*a+hoeverX *8+

*A+ kno&in$ly causes the transmission of a #ro$ram, information, code, or

command, and as a result of such conduct, intentionally causes damae &ithout

authori6ation, to a #rotected com#uterY

• 10 violations of -ection 1= of U- Code 10/0*a+*2+*C+,misdemeanors &ith no more than 1 year im#risonment

1= U- Code W 10/0 'raud and related activity in connection &ith com#uters*a+hoeverX

*2+ intentionally accesses a com#uter &ithout authori6ation or e"ceeds authori6ed

access, and thereby obtainsX *C+ information from any #rotected com#uter

December 22, 2012



//

-ub#oena *email D'+

19 mont*s after t*ein!ident12 mont*s after bein

!*ared



/7

lea

led $uilty to 1 felony violation of -ection 1= of U- Code 10/0 *a+

*8+*A+1 felony and 10 misdemeanors &ere dismissed-i" months of &ork release from a half&ay house in CouncilBlu3s A-i" month house arrest *ankle bracelet+

hen 2 years su#ervised release *#robation+

ay restitution

Senten!ed uy 2: 201: he -tratman family collected the restitution money and#resented it at sentencin$ ho#in$ the ud$e &ould take thatinto consideration, he did not he ud$e &as #retty clear to-tratman the money #aid by his family must be #aid back tothem



/8

Hestitution

otal dama$es claimed by the University &as ;<02,&<9800 otal allo&ed by the court &as ;107,7228%9Hestitution a&arded and #aid &as ;107,7228%9

!ost of the restitution &as our consultant costs e couldactually #rove &e s#ent that money )[CLU-:LF for the

breach

e could not #rovide enou$h details to #rove most of thedama$es and costs he ud$e thre& out those and onlyallo&ed the 105G in dama$es and restitution

f &e.d had actually shut do&n the -- system, dama$es andchar$es &ould have also increased

ude= >?ou are free to try and re!overt*e rest of t*e damaes in !ivi !ourt8@



/4

Hestitution

Any institutions here, &ho e"#erienced a breach, recover some or allof their costs9



/5

(ur Costs

otal ;<02,&<9800 his is the number &e submitted to the

court• UNCentral Administration -ta3 */,1278 hours+ \182,000• UNLincoln -ta3 *80= hours+ \27,000 *estimate+• Call Center \1,800• Letter re# and rintin$ \/28• osta$e \//0

• -tora$e \500 *51B U-B Drives+• UNCA Consultant \2@,000• UNL Consultant \=0,000• )nCase for UNL \15,000

1%0 re!ords " ;<0<A B ;2,000 'er re!ord

%&0k re!ords " ;<0<A B ;08%1 !ents 'er re!ord

45M2012



/=

Lessons, akea&ays,

(bservations, HeJections, and(h By the ay<



)volution of the Breach

otential m#act Con%rmedm#act

Days WeeksMonths



Communication Dilemma

L ? k



71

Lessons?akea&ays

Chan$e the )(L) #ass&ord

his is the best &ay to #rotect your database

A##ly your #atches A-A he N- listener attack he tried (racle #atched in their A#ril 2012CU(ctober 2017 eo#le-oft u#date increases com#le"ity of hashes

Hevie& your :N setu#Hun an discovery scan *nma#+<before someone else does

Hevie& data retention #oliciesBreach im#act could have been lessened if unneeded records had

been removed from the system

L ? k



72

Lessons?akea&ays

Gee# track of your hours durin$ a breach investi$ationGey #layers kee# notes on time s#ent-ummaries and estimates &on.t cut it in court

Gee# track of all e"#ensesHemember to note the details

-ummaries and estimates &on.t cut it in court

he &heels of ustice turn very slo&ly(ver t&o years for it to be resolved

lan on educatin$ the #rosecutor

(ur DBA and eo#le-oft security #ersons s#ent hours $ettin$him u# to s#eed Four #rosecutor selection is based on luck, &e &ere unlucky

L ? k



7/

Lessons?akea&ays

he rosecutor &as and &ill be obsessed &ith Kdama$esMrosecutors need and &ant a dollar amountDama$es is an escalator for the o3encef it &ere not for the fact he deleted some audit records &e maynot have been able to #rove he actually dama$ed. anythin$

Defense &ill focus on the dama$es and dis#uted themDetails and documentation is very im#ortant Fou must be able to #rove dama$es hey must hold u# to scrutiny Fou may have to testify and be cross e"amined about time s#ent

Gno& your cam#us resources, and build relationshi#se had a relationshi# &ith G and faculty runnin$ theinformation Assurance ro$ram at G

L ? k



77

Lessons?akea&ays

f you catch the hacker you can dra$ out a breach for years, in our

case t&o years<but you mi$ht recuo#e some or all of your costs

All #eo#le &ill remember is the BI numbers*htt#P??&&&#rivacyri$htsor$?+

f !r -tratman had come clean &hen the olice sho&ed u# at hisa#artment on !ay 28th 2012, he &ould have likely avoided most of

&hat ha##ened to him, cost and felonies robably 1 misdemeanorand diversion, no criminal record



]uestions9

s there anythin$ you can.t tell us9

hat have you done since the breach9

Did the University have Cyber nsurance9

hy did it take you so lon$ to share this information9

Anythin$ chan$ed at your or$ani6ation because of the breach9

university of nebraska 2012 breach (264294032)

Documents