Interview with Virginia.edu hackers, R00TTH3B0X
I’m surprised to be writing this, but I think the hacking incident this week with the Virginia.edu homepage is terrifically ironic. Before chatting with the two hackers, who go by the handles “x86” and “n3tcat,” I thought that the episode could be an important milestone for computer science and IT in general at the University. I think there are a few takeaways: First, the exploit serves as a reminder that we must never rest assured that systems are, and always will be, secure. Second, improperly managed software can cause problems beyond its foreseeable scope. And finally, a quick response does not always equate to the best response.
I chatted with x86 and n3tcat using an encrypted application called Cryptocat, which prevented me from determining their IP addresses and, consequently, protected their anonymity. My purpose for chatting with them was to find out their motives, and to see if they shared the same view as I did on always pushing technology to its edge for the purposes of furthering our general security. I asked them why, if they had access to everything (as they claimed), they would only take down the site’s homepage, leaving everything else intact.
Their response was that they are different than the typical “script kiddies” who “don’t have a passion for it, [but] just want the fame.” They “simply dislike the rest of the hacking community” and are trying to hold the data, making “MBs to GBs, GBs to TBs, etc.” I decided to dig further into this statement, which essentially implies that they are stockpiling the data, for release at a later date.
I asked, “So what do you want from them?” They replied that they wanted neither money nor recognition, but that they wanted “[ITS] to apologize to the community, and to admit that we have access to plenty of data that they say we don’t. Then we will leave the University of Virginia alone, and move on.” To that, I replied “But you don’t. You’re bluffing.”
As proof, they sent me an image of a database file that they had supposedly downloaded. It did not contain any specific information, nor was there evidence that the file was any more than just a random database. After some bickering about the validity of their proof, I asked them if they had a specific time as to when the data will be released. “No,” they said.
At this point, it became rather apparent to me that these two were not as dissimilar from the “script kiddies” from whom they claimed to dissociate themselves. Still, their entry point leaves us to scrutinize policy about maintenance of University websites. They admitted to “exploit[ing] UVa through [the University’s] ‘honors’ [sic] wordpress.” WordPress is an open-source blog platform that was found to have a vulnerability two weeks ago. Site owners, who actively maintain their sites, were encouraged to create strong passwords and update their installations to the latest version of the software, but apparently this was not done on the Honor Committee’s installation.
R00TTH3B0X said that they were trying to “teach [ITS] a lesson” and “[let students] know that nothing is secure.” Distilled to an actual credible point, I think that if x86 and n3tcat taught us anything, it is that there is no such thing as “set it and forget it” in software. Patches are constantly being published for security holes, and if left unmaintained, “we enter and wreak havoc.” Because, “whose [sic] to say we don’t want to watch everyone panic?”
So what about the administration’s lack of response? I think it is a prudent move. When I asked about their communications with ITS, x86 responded, “They’ve ignored.” Although submitting to their request is relatively cost-free, there is no concrete evidence that the hackers have any worthwhile tricks left up their sleeve. In an attempt to prolong their media attention, R00TTH3B0X tweeted a masked link to trick those who may not know about the age-old internet trick. If the University had panicked and released a statement quickly, it would have fueled the exploiters’ desires and taken credibility from our network administrators, who actually responded quickly and effectively to the threat, ensuring that no personal data was lost. Even though I believe there is no threat, they assured me that, “Only time will tell. If we aren’t acknowledged by ITS, then we will release plenty of information against UVa.”