Singapore's NUS confirms security breach

update SINGAPORE--Hackers have infiltrated the National University of Singapore's (NUS) backend systems and made away with a trove of information, including staff usernames, domain information and hashed passwords. University has confirmed the incident but noted that the affected data is not confidential. 

According to a report Thursday on IT security Web site Secure Computing Magazine's (SC Magazine), hacker group Team Intra had infiltrated the tertiary institution's database by exploiting a SQL vulnerability. The hackers apparently felt the urge to do so after the NUS Web site, upon receiving probes, generated an error message which stated: "If you're trying to use the SQL error message to dig for juicy information, get lost." 

The hackers reportedly retorted: "I made it my personal goal to get in and r*pe their sorry asses for the message." The group subsequently published the stolen information which included NUS staff usernames, domain information and hashed, or encrypted, passwords, it added.

SC Magazine also noted that it had notified the Singapore university about the breach.

[UPDATE: Jan. 6, 9.45 a.m.] SC Magazine has since updated its report with a statement from the NUS' head of IT security, Yong Fong Liang, who said the security breach affected a server which did not contained any sensitive information. Yong was quoted to say: "[The] hackers infiltrated into the system exploiting an application security loophole. This system is a departmental server containing public data... The leaked passwords are for local accounts that allow access to the departmental server only. They are not NUSNET accounts and passwords."

In an e-mail statement to ZDNet Asia, an NUS spokesperson confirmed the hack. "On Jan. 5, 2012, the university discovered that one of our Web servers had been hacked into. We have looked into the matter and ascertained that the information stored on the server is not of a confidential nature. In addition, no information has been removed or tampered with," he said.

"As a precautionary measure, the passwords of all affected accounts have been reset. The affected server has also been disconnected from the network," he noted, adding that the affected server was an isolated, standalone system that was not linked to the NUS network.

The spokesperson also noted that the university is investigating the matter and will put in place appropriate measures to prevent similar occurrences in the future.

[UPDATE: Jan. 6, 3.44 p.m.] In a comment on SC Magazine, a commentor who claimed to be part of Team Intra, said the hack was not targeted and was simply a demonstration of how weak NUS' security was.

"Just clearing this up, it is not our intention to LEAK any private data to the public. We are just here to show the poor security standards some Web sites have. We have our best intentions. NOTHING was changed on the server, and NO ONE was harmed," he said.

"[NUS tried] to prevent hackers by sending out a simple statement, 'If you're trying to use the SQL error message to dig for juicy information, get lost.' However [it did] nothing to actually ensure that [it is] safe," the commentator said, adding that it only took 5 minutes of WAF (Web application firewall) bypassing to get past the university's security infrastructure. He also noted that while the passwords obtained were hashed, the team took less than 4 to 5 hours to decrypt all the hashes.

He revealed that someone else previously also managed to access the same database. He explained that when his team searched for one of the hashes, it found the hashes on a password-cracking forum InsidePro. "No one on that server is safe, if this is absolutely the case," he said. "National University of Singapore had and still has many more holes in its Web site."