16-year-old claims to be behind USyd data breach
Tom Joyner (@tomrjoyner) investigates USyd’s would-be child hacker.
Child hacker
Honi can reveal that the hacker apparently responsible for the breach of one of Sydney University’s IT systems on February 2 has claimed to be a 16-year-old boy from Queensland. He has said that he has no intention to “abuse” the data he accessed, and instead only wanted to “mess” with the system.
The attack, which has implications for the integrity of USyd’s security infrastructure, compromised the personal details of approximately 5,000 students and did not come to the University’s attention until February 6.
The hacker, who goes by the online alias Abdilo, told Honi that the attack had yielded email addresses and ‘pass combo lists’, though he has no intention of using the information for malicious ends.
“99% of my targets are just shit i decide to mess with because of southpark or other tv shows,” he wrote.
As for Sydney’s breach on February 2, Abdilo claimed that he had very little trouble in accessing the information, rating the university’s database security with a “0” out of 10.
“I was taunting them for awhile, they finally figured it out,” he said.
https://twitter.com/abdilo_/status/566013736922537984
In a statement provided to Honi by the University of Sydney, a spokesperson confirmed a review of the matter was taking place in the wake of the hack.
“We are implementing an immediate review of all of our applications to check to see if similar vulnerabilities are in place, and will rectify any that are found,” the statement read.
Abdilo used a method of hacking known as SQL injection, in which security vulnerabilities are exploited by a line of malicious code ‘injected’ into the targeted system to breach a database.
IT security expert Troy Hunt, who works with web security training service Pluralsight, said that he knows of Abdilo and has been monitoring his online movements with interest since he first appeared late last year.
“[Abdilo] obviously has some intelligence,” he said. “He’s approachable enough to talk to, but clearly he hasn’t quite realised the ramifications of what he’s doing.”
Hunt said that SQL injections are a top concern in web application security, and that he is mildly impressed by what Abdilo has shown himself to be capable of so far.
“He’s effective insofar that SQL injections are effective,” he said. “You don’t need to understand the mechanics of how it works, you just need to copy and paste the code.”
“He’s basically saying, ‘Look I’m out to get caught and this is who I am’.”
“This is going to be fun,” he wrote on Twitter on February 2, the same day that Sydney University’s system was breached and before the attack had been made public.
On the same day, Abdilo claimed on twitter to have access to the databases of a total 32 tertiary institutions worldwide.
These included Monash University, University of Queensland, University of Sydney, and University of Western Australia in Australia alone. US institutions that Abdilo claimed to have access to included Harvard, Yale, Princeton, and Columbia University. He further suggested he had accessed 9,468,248 database entries from his ‘zero day’ SQL injection attack.
Honi has been unable to as yet verify these claims.
https://twitter.com/abdilo_/status/562161916215164928
Hunt said that it’s quite possible that Abdilo is behind the attacks but is exaggerating their true extent.
“He’s significantly overstating what he’s done,” he said. “The other option is that he’s not a 16-year-old and that fact is misdirection, and he’s actually quite good at what he does.”
In a message sent to the compromised universities, Abdilo wrote:
“As for me, fuck your edus i have owned them all, im done with your idiotic “security”, in a year or so i will come back and audit them all, except i will go and drop your damn tables and format your drives, i suggest fixing your sites before then.(I cannot stop other people from going and raeping your sites, only you can)”
This was followed by a list of security features that would need improvement.
https://twitter.com/abdilo_/status/566020523474173953
On Twitter, he claimed to have been reported to the Australian Federal Police (AFP) “50 times”. When asked if he was concerned, he responded that the AFP “has better things to do then raid someone who is embarrassing unis”.
Hunt was surprised that he hasn’t been arrested yet, despite ongoing illegal activity.
“What I found really odd about this is that he’s still running wild,” he said. “He’s pervasive enough to get into these systems but I would doubt that he is able to avoid detection.”
“He seems resigned to the fact that [his arrest] is going to happen.”
The AFP could not be reached for comment.
This is not the first time that Abdilo has perpetrated such an attack. In January, the ABC reported that he was behind what could be the biggest attack on Australian private data in the country’s history, when he broke into the customer database of a major insurance provider.
In the same month, he broadcast a live-stream of his attack on US university databases.
Below is a partial list of university databases Abdilo claims to have hacked, sourced from his PasteBin account:
Yale University
Harvard University
University of Arizona
University of Queensland
Columbia University
Georgia Institute of Technology
University of Chicago
University of Miami
Rutgers University
Princeton University
University of Sydney
Universitat Pompeu Fabra
Virginia Commonwealth University
Williams College
Monash University
Stanford University
Universitat Jaume I
Humboldt University of Berlin
University of Exeter
McMaster University
University of British Columbia
University of Waikato
University of Western Australia
Ohio State University
University of Gothenburg
Leibniz-Institut für Wissensmedien
Purdue University
Lancaster University
University of Erlangen-Nuremberg
Libera Università Internazionale degli Studi Sociali Guido Carli
University of Milano-Bicocca
University of Montpellier
University of Warsaw
Carl Von Ossietzky Universitat
University of Mannheim
Clarification: An earlier version of this article stated that Abdilo claimed to have accessed passwords when in fact he had accessed pass combo lists.