Website of Jamia Millia Islamia HackedIs Humorous Defacement a Sign of Serious Security Shortcomings?
The website of Jamia Millia Islamia, a public central university in Delhi, got hacked twice in 24 hours. The defacing of the website is the latest example of how academic websites in India are vulnerable to hackers. But the hacking incidents had a humorous twist that generated many comments on twitter.
Someone defaced the website early Tuesday and posted the message: "Happy Birthday Pooja. Your love," The Times of India reports.
In the evening, the website displayed: "Sorry, I Have a Boyfriend. ~ Pooja".
No individual or group has claimed responsibility for the defacement, according to Times of India.
But Twitter lit up with comments about the hacking.
Normal people use fb, ig or WhatsApp to wish birthday's, crazy people hacks national university's website. Sigh.— Aman Sharma (@ibeingaman) May 22, 2018
Wishing Pooja on her birthday #Jamia's website hacked. #Delhi #JamiaMilliaIslamiaUniversity
One Twitter user wrote: "Dear Pooja you need to leave your boyfriend and marry this hacker guy!" And another commented: "Pooja is one lucky girl, the guy who did it isn't".
The university, however, isn't amused.
"It is unfortunate that someone does such pranks to send personalized messages. We have taken the matter seriously and will approach the concerned authorities and police/the IT cell to take necessary steps so that this does not happen again in the future," the varsity's media coordinator, Saima Saeed, told Information Security Media Group.
She said that the university received information about the first hacking between 12 a.m. and 1 a.m. Tuesday. "Our first response was to restore it and we managed to do it in six hours," she added.
Some security experts speculate that someone replacing the index page using remote code execution could have been responsible for the defacing.
Other Hacking Incidents in Academia
Jamai Millia Islamia is just the latest academic institution in India to be targeted by hackers, pointing to the apparent need for enhanced security.
In the past year, a pro-Pakistan group hacked and defaced the websites of four prominent Indian institutes - Indian Institute of Technology Delhi (IIT Delhi), IIT Varanasi, Aligarh Muslim University and Delhi University - and some lesser known institutions.
The hacker group, code named "Pakistan Haxors Crew" wrote comments about the Indian government and the Indian Armed forces on the landing pages of the websites. The hacker group said: "Nothing deleted or stolen. Just here to deliver my message to Indians."
The Pakistan Haxors Crew had said the hack was in response to an Indian hacker hacking Pakistan's railways website.
The Problem Areas
Too many educational institutions fail to update their websites to protect against hackers, some security experts say.
"Typically these are WordPress paste websites. Now, since WordPress is the most commonly used web management software, it is an easy target for hackers," says C.N. Shashidhar, founder SecurIT Consultancy. "Just like in Windows, WordPress suffers from multiple vulnerabilities. Hackers keep looking for these so that they can target multiple websites by exposing one vulnerability."
The website might also be using Joomla, another web management software, some observers speculate. "In such a scenario, we can't rule out an SQL injection attack," Shashidhar says. "Joomla and WordPress are largely affected by this vulnerability due to the widespread use of the SQL database on such web platforms. The ramifications of such a security breach vary from authentication bypass to information disclosure to extending the malicious code to other application users."
But some security practitioners portray the latest incidents are merely a prank.
"The kind of message displayed, it looks like a prank by a student. ... The university must do something to have better security layers for its website," said one practitioner, who asked not to be identified.
The websites of most central universities are managed by the state-run National Informatics Centre.
Plan of Action
The academic institutions need to pay better attention to the basics of security. "You can't be using software which is vulnerable to attacks and sit on it without patching. I understand that information security isn't an area of specialization for educational institution, but this is something very basic," says the practitioner who asked not to be named.
To mitigate the risks from the vulnerabilities, experts recommend:
- Updating obsolete software or web components to the latest patched versions;
- Implementing secure development practices along with periodic vulnerability assessment and penetration testing.