Too busy looking up to the stars to see the backdoor was left open. Again !!!!
The Australian National University (ANU) today copped to a fresh breach in which intruders gained access to "significant amounts" of data stretching back 19 years. The top-ranked Oz uni said it noticed about a fortnight ago that hackers had got their claws on staff, visitor and student data, including names, addresses, dates …
Tuesday 4th June 2019 12:44 GMT Khaptain
Do they really need all that data together
"names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed."
That seems like a lot of data held on the "same" system... Does your passport and/or emergency contact details really need to be held alongside your payroll details? Something smells very un-GDPR...
GDPR reminder : Purpose limitation
Organisations should only collect personal data for a specific purpose, clearly state what that purpose is, and only keep data for as long as necessary to complete that purpose.
Tuesday 4th June 2019 15:24 GMT Anonymous Coward
Re: Do they really need all that data together
I'm not sure if this was a case of all details being held on a single system - it sounds like the attackers had compromised pretty much every system...
I'm guessing that the clean up after the first breach missed something, leaving the attackers not only a route back in but likely the ability to watch the attempted fixes.
Tuesday 4th June 2019 12:51 GMT Tom 7
Tuesday 4th June 2019 14:38 GMT Pascal Monett
"we undertook a range of upgrades to our systems to better protect our data"
Yeah, but that didn't actually work now, did it?
I don't know what it is you upgraded, and to what you upgraded to, but it seems to me that a redesign of your network is in order.
Like, putting a firewall between your network and all that juicy data you are hoarding for no good reason. Maybe add a proxy server and another firewall behind that, to ensure that only the proper computers - which have no Internet access - can access that data.
One more thing: maybe a decade after someone has left your University, you could consider not having that data accessible via the network? In other words, archive it?
Tuesday 4th June 2019 15:29 GMT Anonymous Coward
Re: "we undertook a range of upgrades to our systems to better protect our data"
"One more thing: maybe a decade after someone has left your University, you could consider not having that data accessible via the network? In other words, archive it?"
I wonder if they do keep data back this far.
Or whether the data was part of test systems.
Or if the attackers were submitting requests for historical data restores and still not being noticed.
From the article, I'm not sure which option is more likely.
Tuesday 4th June 2019 19:43 GMT Christoph
Tuesday 4th June 2019 22:44 GMT tjbutt
That would be Brian Schmidt, Nobel prize for physics.
I'm pretty sure he was making the point that the entire university, including himself, was affected.
I read the breach announcements, thought they were well done. A little empathy is good to see.
I also have some empathy for the task of protecting a large university, inherently full of BYOD, from a determined attack. Virtually impossible.
That large collection of 'toxic data' is troubling, though.
Wednesday 5th June 2019 09:34 GMT Anonymous Coward
"I also have some empathy for the task of protecting a large university, inherently full of BYOD, from a determined attack. Virtually impossible."
While protecting against every possible attack is, as you say, virtually impossible, being aware of your critical systems and protecting them via best practices should have both limited the impact (if not prevented it entirely) and reduced the time the attackers had to cause mischief.
This isn't a unique organisation - there are thousands of universities all over the world providing this type of access, and many more organisations providing similar levels of access. While other organisations do get compromised, they rarely get compromised twice in the space of 12 months with the second compromise getting significantly more data.
If cost is the key issue, start by requiring higher levels of device control (i.e. ACLs/host-based firewalls to limit access to key systems, and force all other access via SSLVPN from untrusted parts of the network, with IDS/IPS/NAC tools to enforce compliance and spot unusual traffic early; all of this can be done with open source tools and a little reading, or with off-the-shelf products at a higher cost). From there, start cleaning up the rest of the network to make more of it "safe": use network scanners to find forgotten servers, update/patch older equipment, and set standards that are enforced so that 10+ year old FTP servers don't sit around unpatched, etc.
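The "use network scanners to find forgotten servers" step in the comment above is the one that is easiest to automate and most often skipped. The script below is an added example, not code from the thread, from The Register or from ANU: it reconciles a constructed nmap grepable (`-oG`) scan of a small range against a constructed asset-inventory CSV, and reports hosts that nobody owns plus hosts exposing legacy cleartext services (FTP, Telnet and friends) that an enforced standard would forbid. The IP addresses, owners and service banners are all made up for the example.

```python
"""Reconcile a port scan against an asset inventory.

Added example (not from the original page). Assumes:
  - scan output in nmap's grepable format (what `nmap -sV -oG -` prints),
  - an inventory export as CSV with an `ip` column.
Both inputs below are constructed samples so the script runs offline.
"""
import csv
import io
import re

# Constructed sample: roughly what `nmap -sV -oG - 10.0.5.0/28` would print.
SCAN_GREPABLE = """\
Host: 10.0.5.10 ()  Status: Up
Host: 10.0.5.10 ()  Ports: 22/open/tcp//ssh//OpenSSH 8.2/, 443/open/tcp//https//nginx/
Host: 10.0.5.11 ()  Status: Up
Host: 10.0.5.11 ()  Ports: 21/open/tcp//ftp//vsftpd 2.0.5/, 23/open/tcp//telnet///
Host: 10.0.5.12 ()  Status: Up
Host: 10.0.5.12 ()  Ports: 3389/open/tcp//ms-wbt-server///
"""

# Constructed sample inventory (the CMDB export the comment assumes exists).
# 10.0.5.11 is deliberately missing: it is the "forgotten server".
INVENTORY_CSV = """\
ip,owner,role
10.0.5.10,infra-team,web-frontend
10.0.5.12,hr-systems,payroll-jump-host
"""

# Services a network standard would forbid on a modern estate.
LEGACY_SERVICES = {"ftp", "telnet", "rsh", "rlogin"}

# One entry in a grepable "Ports:" field: port/state/proto//service//version/
PORT_RE = re.compile(r"(\d+)/open/tcp//([^/]*)//([^/]*)/")
HOST_RE = re.compile(r"Host: (\S+) \(.*?\)\s+(.*)")


def parse_grepable(text):
    """Return {ip: [(port, service, version), ...]} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, rest = m.group(1), m.group(2)
        hosts.setdefault(ip, [])          # a host with only a Status line still counts
        if rest.startswith("Ports:"):
            for port, svc, ver in PORT_RE.findall(rest):
                hosts[ip].append((int(port), svc, ver))
    return hosts


def load_inventory(text):
    """Return {ip: row} from an inventory CSV with an `ip` column."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(scan, inventory):
    """Return findings as (kind, ip, detail) tuples.

    kind is "unknown-host" for live hosts absent from the inventory and
    "legacy-service" for any host exposing a service in LEGACY_SERVICES.
    """
    findings = []
    for ip, ports in sorted(scan.items()):
        if ip not in inventory:
            findings.append(("unknown-host", ip, ports))
        for port, svc, ver in ports:
            if svc in LEGACY_SERVICES:
                findings.append(("legacy-service", ip, f"{port}/{svc} {ver}".strip()))
    return findings


def run_sample():
    """Reconcile the embedded constructed samples."""
    return reconcile(parse_grepable(SCAN_GREPABLE), load_inventory(INVENTORY_CSV))


if __name__ == "__main__":
    for kind, ip, detail in run_sample():
        print(f"{kind:15} {ip:12} {detail}")
```

On the sample data this flags 10.0.5.11 once as an unowned host and twice for legacy services (FTP and Telnet); the two inventoried hosts are silent. In practice the scan input comes from a scheduled `nmap -sV -oG` run over the ranges you own, and the interesting output is the diff between consecutive runs, not the full list.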
Thursday 6th June 2019 10:01 GMT Anonymous Coward
Obviously not eating their own dog-food
‘Australia National University ... runs a respected computer science program, including a course on offensive cyber operations that's designed to teach students how "to identify and test systems for vulnerabilities without full knowledge or direct access."’ ref
A little light on the actual technical details. Any idea as to how the hackers got in, in the first place?