By Ahmed Suliman and Tremaine Noel, Technology and Gaming Sub-Editors.
It has been three months since UWA student information was compromised in a major cybersecurity event. What do we now understand about the incident? And what does it teach us about the challenges of cybersecurity for large institutions? Pelican’s Technology & Gaming sub-editors investigated the issue.
Callista Hacked
On the evening of the 29th of July, an email from the office of Vice-Chancellor Amit Chakma was sent out to the UWA student community, informing them that Callista, the software system used to store student information, was compromised and that their student details may have been accessed by an unauthorised actor. This information included: “name, student ID and image, date of birth and contact details. In addition to course details and unit grades”. Furthermore, the email disclosed that the matter had been reported to WA Police.
Callista is an Australian student management system (SMS) acquired in 2015 by the Tribal Group, a UK-based multinational education technology company. Earlier this year, ten Australian universities (which include UWA) paid the Tribal Group fifty-five million dollars for a five-year deal to continue using the Callista software. The group of universities are part of what is known as the Callista Senior Executive Group, which oversees the development of the software and allows the universities to “contribute their business experience and directly influence the continuing development of Callista”.
The email came as a shock to students. There was confusion about which information was specifically accessed and who was affected. Multiple students who spoke to Pelican reported fearing their personal information would become publicly available online and/or lead to identity theft. Furthermore, this incident was announced merely days after the WA Arts and Culture Trust announced its own hacking incident, and hence some speculated about whether there was a large-scale attack against West Australian institutions.
Perpetrator Charged
A few days later, on the 5th of August, Professor Chakma emailed students to confirm that a suspect had been charged by WA Police and that the University was also conducting an internal investigation. The Vice-Chancellor reassured students that according to the current stage of the investigation, it did not appear that the student information accessed was shared elsewhere. However, the University’s FAQ page for the data breach currently states that “…the University considers it appropriate and precautionary that all students, including graduates, consider their data has been accessed”.
In September, it was revealed that the alleged perpetrator was Ming Han Ong, a twenty-two-year-old UWA software engineering student. Mr Ong has since been suspended and is no longer permitted to enter the university campus under a court order. He was charged with “Unlawful use of a computer with intent to benefit” and will next face court at the Magistrates Court for a remand hearing on Thursday, the 19th of January, next year.
Pelican reached out to the University to enquire about further information regarding the case. We asked a range of questions, including the alleged mechanism of the breach, the type of Callista account used, what security procedures have changed since the incident, and whether the University intends to use Callista to store student information moving forward.
A representative responded that “UWA has been conducting a thorough investigation to prevent a similar incident from occurring again.”
“The University continues to use Callista, the University’s Student Information Management System.”
“As this is a matter still before the courts, UWA will not be making further comment.”
The accused is known to have been active on campus and, in particular, has been a member of the University Computer Club’s (UCC) committee. According to the club’s committee minutes, the student was a member of the UCC committee until at least the 26th of July. We reached out to the UCC’s president Cormac Sharkey to discuss his involvement with the club.
Pelican: What was the date when Ming Han Ong formally left the committee? Did he step down voluntarily?
CS: While we had already suspended his access to club resources, Ming stepped down from the committee voluntarily on the 1st of August.
Pelican: Do you know if any club resources were used in the breach?
CS: We can confirm that Ming used some of our resources during his time as a member. However, it is important to note that he was not using them in any novel manner – the club’s resources are in no more of a privileged position than a personal computer or any other device connected to the University’s Wi-Fi network. Additionally, Ming did not have any special access to our resources by virtue of being a committee member.
Pelican: Is there anything you would like to add to the story from the club’s perspective?
CS: The matter is still before the court, so I am limited in what information I can provide. The club was proactive in dealing with the issue and cooperated with the University. Our committee and the technical team responded promptly when required, and the club (and I), thank them for their efforts.
Staying Safe
Pelican spoke to Bradan from the UWA Information Security Society to learn more about cybersecurity incidents of this nature (quotes edited for clarity).
Pelican: To your understanding, how sophisticated was the breach involved in this incident?
UISS: The breach was at a relatively easy level of exploitation. I am not part of the trial, so I can’t fully speak on this, but to my understanding, the alleged suspect may have found leaked credentials online, which could be easily bought by anyone with a web browser. Those credentials were then used to access a highly privileged account on Callista. At that point, personally identifiable student information was automatically collected using a script. This is also relatively easy for anyone with basic knowledge of programming to do.
Pelican: Do you believe this was a preventable incident?
UISS: Yes, of course. There are tools and services that allow you to identify leaked credentials online, and monitoring those would have provided one way to avoid this. However, the most important way would be to have two-factor authentication for accounts on the system. Having that extra protection of needing to send a code to your phone is not something a random attacker with leaked credentials would have access to.
Pelican: How does an incident like this usually get detected?
UISS: It was likely detected within seconds of the system being accessed. I understand that UWA has a cybersecurity operations centre, which tracks unusual activity on the University’s systems. Having someone make thousands of requests to scrape information would likely show up as an alert on UWA dashboards.
Pelican: This was an issue with university systems and procedures, but what can students do to protect their own information and login credentials?
UISS: Defending the sanctity of your own information is probably difficult here, given it is a university database, which means all the information on it must be accurate. On other sites, I would recommend minimising the amount of information you give in case it gets breached. In regard to protecting login information, be sure to monitor when your email/password is discovered in database dumps. A very popular website to do this is Have I Been Pwned?, which allows you to enter your email to discover if your credentials have been unmasked in data dumps elsewhere on the web. If that happens to be the case, be sure to change all associated passwords.
Another way would be to ensure you are using two-factor authentication. This would not protect you if, as with this case, someone else’s credentials were used to access your information, but at least your own credentials could not be used and, therefore, minimising the attack surface.
Pelican: Does ethical/white hat hacking help prevent issues like this? How so?
UISS: Yeah, definitely. I work as a security consultant, and one of the things that any white hat hacker or security consultancy does is reconnaissance work looking at any relevant dumps and leaked credentials online. I know for a fact that there are a lot of leaked credentials for UWA, so that is something that every testing company will look out for when starting an engagement like this. Usually, the best thing an organisation like UWA could do is have strong policies to ensure that password health is maintained and due diligence is undertaken to ensure data loss.