MSU officials: No secure data released in hacking incident

January 10, 2013 11:18:27 AM



Mississippi State officials scrambled Wednesday to ensure no sensitive data was compromised after a cyber-attack resulted in information from one MSU server being posted online. 


MSU Chief Information Officer Mike Rackley said in a release that the preliminary investigation into the hacking incident revealed no secure data -- social security numbers, credit card information, health information or grades -- was released.  


Even so, early Wednesday morning the website Hack Read News posted information on the MoneyMate accounts of 535 people at the university, including usernames, emails and encrypted passwords. The database was still available on Hack Read's website at press time.


"This represents only one of hundreds of servers in the MSU system," Rackley said. "In response to incidents like this one and the increasing number of Internet-enabled computer attacks, Mississippi State continually modifies its systems and practices to enhance the security of sensitive information." 


Most of the information posted was already available on existing public domains or in digital university directories, according to Rackley, but as a safeguard, MSU's Information Technology Services has been notifying those affected by the leak, suggesting that their account passwords be changed.


A Brazilian hacker took credit for the incident via Twitter, posting a link to the info. 


On Thursday, Hack Read News also gave the hacker, @Gevolus, credit for a leaked database from the U.S. Department of Defense Non-Lethal Weapons Program. The leak included officials' usernames and email addresses (some with Pentagon ties) but, more importantly, the addresses, names, contact details and current place of posting for several high-profile Army and Navy personnel.


Richard Corey, computer support specialist for the Bagley College of Engineering at Mississippi State University and Starkville alderman, said he thought @Gevolus was probably what is referred to as a "gray hat hacker." 


He said, basically, there are two other types of hackers: those who do it professionally, for companies looking for weaknesses in their own systems, and those who do it maliciously or for personal gain. 


"The gray hats are kind of in between the good and the bad," Corey said. "That's probably this guy. People that are like that will sometimes hack a system, release the fact that they have hacked it, and post some of the files as proof in an effort to get people to update their systems." 


It is all about highlighting vulnerabilities, Corey said. 


Corey said the encrypted passwords that were released could technically be unencrypted, but the process is an arduous one. He said ITS would likely "re-fault" the passwords, rendering the old encryption useless.


"The university isn't in any immediate danger," he said. "But it certainly puts people on notice, and has this inadvertent effect so people go, 'Hey, systems really can be hacked. Information can be stolen.' 


"There were obviously some weaknesses in the system, but (MSU ITS) will patch any vulnerabilities. At the end of the day, it just depends on how strong your system is."  


MSU President Mark Keenum said in a release that hacking plagues all levels of organizations in the digital age, and unfortunately that does not exclude higher education.  


"We're very sensitive to the concerns such attacks generate, but at this point we believe that the secure data of these individuals remains safe," he said. 


Officials at Mississippi University for Women declined comment on the hacking incident and whether it would affect the school's IT protocols.