Published by the Students of Johns Hopkins since 1896
April 19, 2024

Information hacked from Hopkins databases

By Ian Yu | October 4, 2012

A collective of hackers calling themselves “Team Ghostshell” has claimed responsibility for the release on Monday of stolen data from servers hosted by numerous universities worldwide, including several web servers at Hopkins. According to Darren Lacey, the Chief Information Security Officer at Hopkins Information Technology (I.T.), the content of the leaked information makes it difficult to determine when the hackers accessed these servers, notably a server within the Hopkins Language Lab.

“That data was so old that it is not clear whether it was a recent attack or not,” Lacey said. He confirmed that the more central servers with sensitive information under direct oversight by I.T., such as ISIS, were not affected by these breaches.

In addition to the language lab, some of the web servers targeted at Hopkins were used by the Museums Department and podcasting services. Lacey explained that he responded quickly to the posting of the information on Monday, getting in touch with the relevant departments to inform them of the situation, begin their investigations and take security measures such as changing passwords.

University spokesman Dennis O’Shea echoed Lacey’s assessment that these leaks do not appear to be a significant problem for Hopkins.

“From what I understand, this was a low-impact event for Johns Hopkins,” O’Shea wrote in an email to The News-Letter. “The leaked data was old and mostly out-of-date.”

As with any other breach of web servers, I.T. is currently investigating the source of the leak, but the timing of the attacks remains an issue.

Lacey explained that the publicity surrounding these leaks and the fact that other universities were affected give Hopkins additional resources to investigate the breach.

“Web application vulnerabilities are fairly common so these things take a while to investigate,” he said. “Because this affects multiple universities at the same time, we’re working with other universities to investigate suspicious IP addresses.”

Another major partner for Hopkins in this investigation is a contingent of operators of Pastebin.com (a website used by programmers to store lines of source code), who are assisting with tracing the IP addresses that might lead to the perpetrators. Team Ghostshell used Pastebin.com to detail the universities and servers they claimed to have accessed, links to where they have made part of their troves available publicly and a post detailing their loose set of policy objectives centered around higher education.

The Daily Pennsylvanian reports that the data taken from servers at the University of Pennsylvania included full names, ID card numbers and contact information for students, administrators and alumni.

In response to an exchange on Twitter with @TeamGhostshell, The Daily Pennsylvanian received an email from someone who identified as a member of Team Ghostshell but declined a phone interview.

Sites containing the stolen information have since been taken offline.

Lacey explained that some servers at Hopkins with vulnerabilities fall outside of the custody of I.T., but I.T. still comes in when a breach occurs and investigates what happened, including this latest apparent attack. I.T. is also evaluating the vulnerability of the affected sites.

“It doesn’t happen every day, but there are successful web application attacks on site and we respond and that’s what we’re doing right now,” Lacey said.

According to Paul Martin, a graduate student in Avi Rubin’s lab at the Hopkins Information Security Institute, these sorts of breaches arise in a university setting from the sheer number of accounts that are created and used by different departments on a given campus.

From a research standpoint, Martin explains this is nothing novel that would demand resources outside of the I.T. department.

“It’s not that uncommon to have things left alone for quite a while that attackers can target,” Martin said.

