According to a report, Rasputin, a Russian-speaking hacker, has threatened to sell an NYU student’s private data on the Darknet. He also threatened to sell the social security numbers and bank routing numbers of the faculty.
New York University was one of the 60 universities and government agencies reported to have been targeted in the attack. Recorded Future, a site which claims to search the Darknet for potential threats, reported that the hacker is willing to sell other personal information as well.
The hacker in question gained infamy last year, when The Hill reported that they had hacked the Election Assistant Committee. After the hack, they sold the high-level credential to the highest Darknet bidder.
An administrator at New York University Information Technology said that NYU handles most vital records of students. These include health records, financial information, and other personal information of more than 50,000 faculty members. Len Peters, Chief Information Officer of NYU, started working at the university in October. He is one of the figures asked to help secure the university from cyber-attacks. Peters said that a crippling attack is highly likely unless it is combated with military precision, since the hacker did not sell any personal information from NYU.
Peters said, “My understanding of that particular incident was that it was published that we had vulnerabilities. But we didn’t find any evidence that we had actually been hacked.”
Reporters recorded the vulnerabilities and said that the institution was warned before the reports were released. In an email, a representative from one of the popular media outlets told WSN that its report focused on the sale of unauthorized access to university networks. They had no plan to focus the report on the actual exfiltration of any private data.
Three types of bad actors are of significant concern to the university: hacktivists, non-state actors, and extortionists. Jamyn Shanley, a security analyst at cPanel, a large web-hosting software company, said: “The extortionist may sell the data back to the victim, the hacktivist may publish it to damage the institution, and the non-state actor may use it in other ways to further their own goals.” She added, “But they are all potentially a threat to sensitive information.”
Peters told reporters that since he started working at NYU, there has only been one successful hacking incident. He said that the direct deposit accounts of some individuals were compromised and redirected.
“There are literally thousands and thousands of attempts to break into machines on a regular basis. Sometimes it is to get information that can be monetized on the Darknet,” he said.
Although Shanley’s views do not reflect those of cPanel, he believes that larger institutions are susceptible to hackers. This is because they have more potential targets, which improves the likelihood of success.
Peters explained that over 120,000 devices are used by the NYU community, and that the number increases every day. Shanley added that, given NYU’s size, non-state actors, hacktivists and extortionists would likely leverage sensitive personal information to achieve their goals.
NYU’s size poses another risk in the number of devices connecting to the network. They are insecure and more susceptible to attack. Peters also said that the university’s public desktop computers are centrally managed and have the most recent security updates. That level of security does not extend to students’ personal devices.
“Our confidence level is much higher on public computers because we manage them,” said Peters. “With students, we do not manage [their] devices, so it is really on the student to ensure that those are occurring,” he added.
The network has therefore been undermined by the high volume of attempts. This has led the school to adopt a risk-based security method. The method, according to Peters, is similar to securing a home: protection starts at the edge of the fence, and more valuable items are protected further inside.
NYU IT has come out with a risk register which determines what information is deemed a high priority.
“The risk register does two primary things, it assesses the possibility or probability that that vulnerability could occur and then it assesses the impact if it was to occur and then from that we derive a score. From that [score] we can then prioritize what is most important,” said Peters.
Shanley shed more light on phishing, a common and fairly low-tech tactic deployed by hackers. A fake link is sent out in mass emails to trick people into giving up their credentials. These credentials are then sold on the Darknet market. Even though Peters could not quantify the number of successful scams at NYU, he warns against phishing.
Carlos Garcia, Business Insider, Assistant Vice President for Strategic Technical Operations at NYU Public Safety, said that the benefits of technology are worth the risk. He said that the university therefore plans to expand the NYU ID swipe entry currently implemented in the Kimmel Center for University Life and the Bobst Library.
Garcia said, “If you look at the pros and cons, the pros continue to outweigh the cons. What we are trying to do is be proactive and frankly be ahead of the curve in a security industry that can sometimes be behind when it comes to technology.”