Monday, April 16, 2007

FOIA Fun. Or. How Phishers hacked into IU

This post should probably be called Indiana Public Records Act Fun - but that doesn't quite roll off the tongue.

I signed up for an Indiana University email account in March or so of 2006. Between signing up and the start of school in September, I'd never used the email address for anything, and a Google query at the time for the address came back negative.

In mid June of 2006, I received a phishing email claiming to be from the IU credit union. The Indiana Daily Student later covered this incident. The article merely mentioned that phishing emails targetting the credit union had been sent out, and that a bunch of students had typed in their info. The article didn't explain how the phishers had learned the email addresses of the students, nor who had launched the attack.

My IU email address is 'csoghoia'. Given that my email address was new, and wasn't published anywhere on the Internet, there was no way for a phisher to learn my address short of an exhaustive address space search (i.e. trying every possible combination of letters) - Unless, of course, the university was hacked, and information was stolen, or, if the university accidentally released my info. Either of these two potential scenarios were alarming, and so I began to look into the matter.

An email requesting information from IU's Incident Response Manager about how phishers had learned my email address resulted in this: "Unfortunately, I cannot comment on this activity as it relates to an active investigation. Be assured we are working aggressively to put a stop to it."

Alarm bells went off... Something phishy (ha ha) was going on.

Thus, on June 23 2006, I filed a Indiana Public Records Act Request with the University. I asked for: any and all information regarding theft or accidental loss of student data including but not limited to names, social security numbers, and email addresses. I am additionally requesting any and all information regarding any ongoing or completed investigations including those by the Office of the VP for Information Technology, of "phishing" emails sent to IU users pretending to be from the IU Credit Union. The scope for these two requests are for documents created within the last 6 months.

On January 11 2007, I received a fat envelope full of papers from the Office of the University Counsel. The response can be seen here. Most of the information was fairly boring, but there were some gems. I've scanned the interesting documents and put them online here.

Typically, when phishers send emails out - they will collect an email list of millions of email addresses, and then send the same email out to them. Thus, in an effort to get the most bang for their phishing buck, the fraudsters target major banks. The idea being, of course, that out of 5 million email addresses, perhaps 200,000 actually belong to Citibank customers. Thus, it doesn't make too much sense for a phisher to send out 5 million emails claiming to be from a small credit union in Bloomington, Indiana. It simply isn't worth it.

If the phisher can get his hands on an email list of every person in Bloomington, then sending an email to every one of those people on the off-chance that they have a bank account with one of the major credit unions in town starts to make sense. This kind of targeted phishing attack has a name: spear phishing.

And what happened in June 2006, was a case of spear phishing.

From reading the documents that I've placed online, I've been able to figure out the following:

Chinese hackers - or at least, someone connecting from a machine in China, broke into one of the accounts on the 'steel' research cluster at IU. This cluster serves the research needs of the student population, and the "about steel" page says that it has over 24,000 accounts active. It seems that most students have accounts - I have one, and I don't recall ever requesting one. Presumeably, it happens as part of the general account setup process.

Ok, so the hackers were able to gain access to Steel. What next?

Every unix machine has an "/etc/passwd" file that lists information on every active user account on the system. Steel has one of these. I just logged into steel a few moments ago to test this, and as of April 15 2007, Steel has over 30,000 user accounts listed in /etc/passwd.

With access to steel, the hackers were able to download the /etc/passwd file, and thus get a list of many many active user accounts. Your steel account name is the same as your IU email address. Thus, the hackers were able to get 30,000 email addresses.

The phishers then sent a large number of fake emails, claiming to be from the IU credit union, to IU users, directly from the steel cluser- that is, the fake emails were sent from within the IU network. A recent report indicates that between 70-80 users were duped by this attack. A subsequent attack happened in Feburary of 2007. It is more than likely that either the same phishers, or another gang using the same stolen email address list, caused this attack. We will probably continue to see attacks, every few months, using the same email list. Eventually, in 2-3 years, when most of the students on the list have graduated, will the list finally be useless. Thus, for the phishers, the capture of the email list is a gift that keeps on giving.

It's also worth noting that the very same phishers launched a similar attack against a credit union in Florida. They left a bunch of forensic evidence behind on steel which proves the link between the two credit union attacks. Clearly, these guys have found a niche (breaking into machines, gathering info, and then targeting small credit unions and banks). My guess is that it's quite profitable.

Which brings me to the most important point of this blog-post: Notification.

Indiana has a Breach Notification Law. However, it is very narrowly written to only kick in when the following information is lost:

  • Sec. 3. (a) As used in this chapter, "personal information" means:

    • (1) an individual's

      • (A) first name and last name; or

      • (B) first initial and last name; and

    • (2) at least one (1) of the following data elements:

      • (A) Social Security number.

      • (B) Driver's license number or identification card number.

      • (C) Account number, credit card number, debit card number, security code, access code, or password of an individual's financial account.

  • (b) The term does not include the following:

    • (1) The last four (4) digits of an individual's Social Security number.

    • (2) Publicly available information that is lawfully made available to the public from records of a federal agency or local agency.

The act only went into force on June 30 2006 - which is sadly, a few weeks too late.

For the purposes of discussion, lets pretend that the law kicked in on Jan 1 2006. In such a scenario, the university would still not be required to tell any of their students that chinese phishers had access to their email addresses. Why?
Because an email address is not covered by the law. If the phishers had stolen SSN's, then the university would be required to notify the student body...

I want to make it perfectly clear that I am not criticizing the university. They followed the law, and acted in a perfectly legally manner. My criticism, is of the law, which is weak, and ineffective.

As a side note: if the university decided to track students by their full last name and all but the first letter of their full name (i.e. "hristopher Soghoian"), as the law is currently written, the university wouldn't be required to notify students if the school were hacked into, and the entire database of student records and SSN's were stolen. Obviously, tracking students in such a way would not be very practical, but it does demonstrate that the law is fairly narrow, and doesn't cover everything.

My goal in posting this isn't to heap criticism on the university staff. The staff here are overworked, underpaid, and do their jobs as best as they can. The problem here is the law. It is broken, and needs to be fixed. We should not depend on inquisitive graduate students filing Public Records Act requests to learn about these kinds of incidents. The law should be amended so that we're told when they happen.

If you surveyed the student body, and asked them: "If the university were hacked into, and criminals were able to learn your email address, which they could later use for phishing attacks, or even to sell to spammers - would you want to be told" - I'm guessing that a large number would answer yes. Admittedly, this is a fairly loaded question - but in any case...

(As a technical aside: As things currently stand, every one of the 30,000 users who has an account on the steel cluster can get a full list of student's email addresses. This should be fixed. Any evil student could quite easily download the list and then sell it to spammers.)


Kevin Makice said...

Very interesting post.

While it may be true that students would answer affirmatively to that last question, it is also probably true that the vast majority wouldn't know what to do with that information.

Those who would recognize the signs of a phishing effort might know to be extra vigilant about possible attacks or anticipate more spam showing up but what else can one do? Those inclined to respond to such an attack likely wouldn't know what to do with the information either.

While I agree with the idea behind your concluding statements, I just don't see the practicality of it.

Anonymous said...

Your email address is public knowledge and any assertion that there should be a law requiring the university notify you if it may have been "stolen" is nonsense because it can't be "stolen;" one cannot steal something you give away freely:

I find it just as upsetting as you that they university had to be compelled to report on the incident.

MCR said...


i think the more direct problem here, as you note, is the availability of the /etc/passwd file, and the automatic connection between unrequested user accounts and email addresses. yes, the law doesn't impose enough reporting requirements, but i'm more concerned about the technical issues.

i am really not sure what a better law would look like. if it required IU to announce to you when your email address was taken, it still wouldn't apply in these particular circumstances. if it required disclosure of a breach of information that could be used to determine an email address, that's the sort of rule that leads to a lot of confusion and messy litigation. now if it required IU to announce the breach of and access to any individualized information, or any individual account information, that might capture what you're searching for, but it seems like it might place a huge, huge cost on corporations and organizations. of course, they're the ones whose systems were breached, and they're already paying a high cost to patch the systems up - why not add to the disincentive, which would then create an even bigger incentive to secure the systems as much as possible in the first place?

email/facebook msg me if you want to respond; i never remember to check blog comments afterwards.

Anonymous said...

While I get your gist behind the legal disclosure requirements, one should wonder why it would take even this. IU could simply make an IT policy requiring disclosure of hacking attempts that resulted in inappropriate access of user information.

I would surmise that security personnel would recognize the benefits of informing people whose email addresses were obtained, and that they should be extra cautious with any email that was received. If this policy was properly publicized it would be a disincentive to hack any of IU's systems for this purpose.

Also looking at this if the Credit Union had been informed of the hack (not sure if they were or not before, or even if this would have been possible) they could've excised any hyperlinks in emails that they sent, and informed their members not to click on any links in emails. (not that they shouldn't already be doing this.)

The bottom line of my comment is that while there should be a law requiring disclosure, just because there isn't one doesn't mean that the disclosure couldn't have or shouldn't have happened.

Anonymous said...

For a case like this, I really don't see the advantage of disclosure of a breach like this. How many students would even have the knowledge you have of mail address propagation information that you do that would enable them to trust mail to that address more than they would otherwise if they didn't know that all and sundry had it? What if the university had told each of these users, in and amongst all the other informtion they no doubt got about their accounts, "treat e-mail to this address as you would that to any other address that is public information?" Would that have reduced the number of people who responded to the phishing attack?

I think it's much easier for users simply to assume that any e-mail they receive, to any account, could be from a phisher than to try to make determinations based on probability of e-mail address propagation of whether or not that message is valid. Potential propagation of an e-mail address is of rather low value for the amount of work you have to do, when determining whether an e-mail is valid: stick to the better methods that you ought to be using anyway.

Anonymous said...

This site has an SQL insertion vulnerability, which would make it pretty easy to steal the database of user info anyway...

500 Page Error
Category=Microsoft OLE DB Provider for ODBC Drivers
Description=[MySQL][ODBC 3.51 Driver][mysqld-4.1.20]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

Anonymous said...

There's places other than /etc/passwd on steel to find harvestable public directory information. LDAP servers contain a treasure trove of data. Go figure, they're directory servers. That's what they do.

Keep in mind... All this information is considered public directory information (in the eyes of Buckley/FERPA).

If a student is concerned *any* information about them is contained in the University public directory (for any reason whatsoever), he/she can request a partial or total directory exclusion from the Registar's office.

It's a great way to become "invisible" on campus, though beware it could come back to haunt after graduation (especially when background checks are performed by potential employers). I think the stock wording by the registrar's ofice (when asked if they can confirm enrollment and/or conferral of a degree) is "there is no record for that student we can provide to you" (or something to that effect which is intentionally ambiguous).

Be sure to lift the exclusion before you graduate!! :^)

students credit card articles said...

that's why it is important that your don't just use you credit card without verifying the legibility of your transaction.