Friday, January 06, 2012

National University of Singapore website hacked, still have many holes


A group of hackers known as Team Intra have hacked into the website of National University of Singapore (NUS) to prove just how weak their website security was. They made staff usernames, domain information and hashed passwords public. A hacker from Team Intra then had the following to say:

"This hack was NOT targeted, it was simply a demonstration of how weak their security was. In no way do we have any problem with the University.

We could have defaced the University's homepage if we wanted to, by writing a backdoor onto their server. They try to prevent hackers by sending out a simple statement: 'If you're trying to use the SQL error message to dig for juicy information, get lost.' However they do nothing to actually ensure that they are safe. It only took 5 minutes of WAF bypassing to get past their weak security.

Yeah their passwords WERE hashed. But let me remind you, it took our team less then 4-5 hours to decrypt all staff hashes. They were not MD5 but rather mysql hashes. All passwords were very easy.

Just clearing this up, it is not our intentions to LEAK any private data to the public. We are just here to show the poor security standards some websites have. We have our best intentions. NOTHING was changed on the server, and NO ONE was harmed.

A hack is still a hack. Someone at sometime, did have access to the same database and god knows what they did with it. This is known as we searched for one of the hashes and the whole dump of hashes were posted on a password cracking forum, known as InsidePro. No one on that server is safe, if this is absolutely the case. National University of Singapore had and still has many more holes in their website."

No comments: