Harvard hack: Joomla-related?

Jeff in SacCA
Joomla! Apprentice
Posts: 12
Joined: Thu Oct 04, 2007 6:30 am
Location: Sacramento, CA USA

Post by Jeff in SacCA » Fri Mar 14, 2008 8:15 pm

CNET is reporting that a Harvard prospective student database has been hacked (http://www.news.com/8301-10789_3-989317 ... ag=nl.e404) with the database and site posted on BitTorrent, including social security numbers and other personal information for 6,600 students. They note that one of the SQL files posted is joomla.sql.

What do we know about this? Was this in fact a Joomla! site? Was it 1.0 or 1.5? Were they following security best practices or not? What can we learn about this to make our own sites more secure?

Geoff
Joomla! Virtuoso
Posts: 3173
Joined: Sun Apr 16, 2006 12:20 am
Location: 127.0.0.1

Re: Harvard hack: Joomla-related?

Post by Geoff » Fri Mar 14, 2008 8:47 pm

Just because a database is called joomla doesn't mean it was running Joomla!. I'm not saying it does or does not.
Backup, backup, backup!
The "Master" .htaccess file by Nicholas http://snipt.net/nikosdion/the-master-htaccess

AmyStephen
Joomla! Champion
Posts: 7018
Joined: Wed Nov 22, 2006 3:35 pm
Location: Nebraska

Re: Harvard hack: Joomla-related?

Post by AmyStephen » Tue Mar 25, 2008 4:03 am

As someone who works at a University with student and employee data, I will tell you, this is the kind of thing one worries about.

This was not a Joomla! vulnerability. In fact, the Joomla! website was not ever cracked or defaced, at all.

What happened was an unethical person gained access to a network administrator's userid and password. With those credentials, that person illegally logged onto the server. By server, I mean the Linux server that housed the website and other files and databases. The individual had "root level" control of the entire server.

With that access, this person copied files and folders off of a file server - those files included a file called joomla.sql that was a backup of a beautiful Graduate College of Arts and Sciences Joomla! website. These files were zipped up, along with credentials used to access the server - and the contents were floated out to the world of BitTorrent. A couple of days later, the media figured out what happened and gave these accounts.

1 - http://www.devicepedia.com/security/har ... rrent.html
2 - http://torrentfreak.com/harvard-website-hacked-080218/
3 - http://www.pcworld.com/article/id,142589/article.html

If you actually read what the GSAS said, the announcement entitled "Harvard Graduate School of Arts and Sciences hacking incident" states the worst-case scenario of potential compromise, since the credentials used provided access to all data on the entire server:
"As the investigation continued, it became apparent that some sensitive applicant data, including Social Security numbers, could potentially have been accessed."
That's the type of fear that those of us who work with personally identifiable data worry about.

I hope they catch this bastard because the damage done to these people will never end. They will have to watch their records closely from now on to see if someone tries to assume their identity and harm them financially.

Joomla!'s only relationship to this situation was the name of the database backup file that was included in the zip file on the torrent. It's unfortunate Joomla! is getting a "black eye" on this since it was not a Joomla! vulnerability. In light of the recent announcement, though, real people have been harmed and that is the real tragedy with this story.

I wish the media would read some of the articles they link to as reference material. Following this one story made me keenly aware that reporting the facts isn't always what happens.

Anyway, hope that helps.
Amy

