Notification of Disclosure: University of Alberta
Discover the shocking disclosure made by a third party regarding a potential breach at the University of Alberta. Uncover the university's response and the upcoming release of a detailed report exposing vulnerabilities. Don't miss this eye-opening blog post!
On October 24th, we were contacted by a third party, unrelated to University of Alberta IT, regarding a suspected infection or compromise of their devices and data. We took immediate action and reached out by phone to gather more information about the malady.
This third party reported to us that they had, at a not-precisely-known point in time, suffered a breach that seemed to have persistent, infection-like effects: endpoints showed a persistent or repeating form of compromise, and data exposure appeared to be persistent and/or continuous. Meanwhile, this user had lost access to other, unconnected resources, such as Canada's "MyDigitalID" system, indicating a current or prior identity-targeted threat. It's important to note that, at this time, we have no cause to believe that the MyDigitalID system itself has suffered any form of compromise.
We took time to interview this reporter about the locations and companies that could or would hold certain "permissive" types of information on them, i.e., information that is typically a key component in the manipulation or recovery of other protected data. If that still doesn't make sense to you, think Social Security Numbers. Among a list of varying names, the University of Alberta was one provided. During this period we also collected a number of IOCs from the reporter, including related pulses found on AlienVault, a selection of VirusTotal Graphs, and live DNS data.
A moment of reality - education budgets suck. Nobody who works in InfoSec/CyberSec for a living is shocked when they hear that their nearby university or educational institution got hacked because they weren't running SUPERBIRD LAZER EDITION on all of their endpoints. It's equally not really that surprising when universities...in particular...have tech hiccups. We ourselves offer heavy discounts to students who enroll and verify into our Student Program, as well as frequently subsidizing or simply "forgetting to charge" services rendered to our friends who are Charities or NonProfits (also not equipped with huge Cyber budgets). By all means, if there is good will in corporate posture, it starts with us regardless of the angle you look at it from. Sound too good to be true? Ask StormyCloud, a privacy-focused non-profit, how much money we've accepted from them, or asked of them, for assessing their infrastructure. That's just how things work here.
The University of Alberta was included in a sampling of services that the user reported utilizing. Queries across multiple "vulnerability crawling" platforms showed that there were past, current, or potential vulnerabilities detected across the University of Alberta's infrastructure. Out of the sampling of sites checked, the University of Alberta was the only one with passively crawled vulnerabilities present, detected, or known. On October 25th, our team, out of pure good will mind you, dedicated an additional 20 hours and 11 minutes of hands-on-keyboard time (give or take, a little over $1,000 worth of manhours) to researching and hunting for possible routes of exploit. We finished the following day, October 26th, with a 930 page report. We communicated this to the user, who expressed intent to visit the university in person the next day, and included a copy of the user's relevant report to deliver during said meeting.
This is really, unfortunately where the professional nature of things ends.
Apologizing for it here and now. You've been warned.
Our testing in and of itself is non-exploitive; e.g., we're not seeking out XSS by trying to XSS-bomb sites. There are some instances where we're able to identify a vulnerability by the exposure of a specific file, or by the contents of a specific exposed file that is "traditionally" exposed through misconfiguration. There are some instances in which specific query parameters embedded within a URL may expose an error or unexpected system behavior seen on an out-of-date system, and that information helps us identify misconfigurations or vulnerabilities. Above all, to be clear, we're not "scratch testing on prod".
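The "exposed-by-misconfiguration file" class described above is something a site owner can check for on their own servers before anyone else does. The following is an added example (not the post's own tooling, and not what was run against the university): it walks a document root on local disk and flags paths that a web server should never be serving. The pattern list is an assumption chosen for the example, and the sample document root it builds is constructed so that it runs offline.

```python
"""Audit a local web document root for files that are commonly exposed by
misconfiguration. Added example; the pattern list below is an assumption,
not a list taken from the post or from any real assessment."""
import os
import re
import tempfile
from pathlib import Path

# Relative POSIX paths a web server should refuse to serve (assumed list).
EXPOSED_PATTERNS = [
    (re.compile(r"^\.git(/|$)"), "version-control metadata"),
    (re.compile(r"^\.env(\.[\w-]+)?$"), "environment file (secrets)"),
    (re.compile(r"\.(bak|old|orig|swp)$"), "backup or editor copy"),
    (re.compile(r"\.(sql|sql\.gz|tar\.gz|zip)$"), "archive or database dump"),
    (re.compile(r"(^|/)phpinfo\.php$"), "server information page"),
]


def classify(rel_path):
    """Return a label for a path that matches an exposure pattern, else None."""
    for pattern, label in EXPOSED_PATTERNS:
        if pattern.search(rel_path):
            return label
    return None


def audit_webroot(root):
    """Walk the document root and return sorted (relative_path, label) findings."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            label = classify(rel)
            if label is not None:
                findings.append((rel, label))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed document root mixing harmless and exposed files."""
    tmp = Path(tempfile.mkdtemp(prefix="webroot_"))
    sample_files = {  # constructed content, no real secrets
        "index.html": "<html>ok</html>",
        "css/site.css": "body{}",
        ".git/config": "[core]\n\trepositoryformatversion = 0\n",
        ".env": "DB_PASSWORD=example-not-real\n",
        "wp-config.php.bak": "<?php // constructed backup copy\n",
        "backups/site-2023.sql.gz": "constructed dump placeholder",
        "tools/phpinfo.php": "<?php phpinfo();\n",
    }
    for rel, body in sample_files.items():
        path = tmp / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return tmp


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, label in audit_webroot(root):
        print(f"{label:28s} {rel}")
```

Point it at a real document root (`audit_webroot("/var/www/html")`) and feed the findings into whatever ticketing or CI check you already use; the value is in running it routinely, not once.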
When the user delivered the report, or at least...attempted to, they were accused of making it themselves. Someone with completely no attachment to us was apparently just...bringing the University of Alberta a fake vulnerability write-up - a whole damn write-up. Because I guess people in Canada do that in their free time when the maple trees aren't ready? (This is satire and unrealistic). The user clarified that no, they didn't make it, and reached out to our support to try to get someone in contact with the university live. They got, quite honestly, now considering how this story is going/probably ends, the most aggro person possible: our Lead of Threat Actor Engagement and Response.
Over the course of about 9 minutes, a University of Alberta associate was given the "TLDR" of the situation, "hey, you may have vulnerabilities, if you do it is what it is, can we give you this report and you forward it to IT so you can verify and/or patch this stuff". The associate said yes, provided an email, and was immediately sent their Report PDF, not password protected either. 100% scannable, pokable, proddable, checkable.
Following this...meeting? disclosure? interaction? We worked with the user to isolate and protect a new device, purchased at the user's choice, not our request. This endpoint was protected before being brought onto the exposed internet, and as far as we can technically vouch and verify, nothing spooky has gotten back in since. We actively give this device the "green check mark", the "seal of safety", whatever obscure marketing jazz you prefer. We provided the user additional guidance, and continue to, in terms of recovering access to compromised pieces of identity. At this point, we consider this user's initially presented threat case resolved, pending the identity things in motion.
Between initial disclosure and today, our email was checked by UoA staff 5 times - 3 times on October 27th, once on October 30th, and once on November 3rd. During this time period, however, rather than reviewing the...handy dandy report, you know, the one that literally spells out what you should be doing (our vulnerability reports include remediation instructions, because wtf, why wouldn't they), they were busy blowing up ZoomInfo, Censys, CriminalIP, and Shodan trying to figure out who we were, or, a bolder assumption, what our "significance" was, before deciding whether to take us seriously or not.
On November 3rd, a University of Alberta associate reached back out to us with a response from their CISO and IST teams that is all but an ego challenge. Read it for yourself.
Hi [associate], I spoke with our CISO and IST offices, and they asked me to pass on the following message. We will be sharing this same message with [reporter] next week.
"We will not open or review the report and will delete it. We did not commission the information security scans and we did not authorize the external third party to conduct such scans. It is highly unethical and counter to Information Security Professional Code of Conduct to conduct such scans without the consent or formal engagement with the subject of the scans. The university will never engage, trust, or work with such companies that demonstrate such low ethical and professional standards."
First off, we publicly denounce the University of Alberta's CISO, and IST. Two birds, with the same stone. Band of Boneheads, colorized, 2023. Clear that office OUT.
Second off, it's a good thing that we weren't trying to "engage, trust, or work with" you either. Good for you. You absolute pinheads weren't the main character to this entire ordeal, at all. You got that report sent to you as...my God, a literal SIDEQUEST, that report got to you thru a CYBERSECURITY SIDEQUEST.
If you are going to virtue signal our "ethics" and "standards", boy howdy let's do this guys, let's open this Pandora's box.
What are your Information Security standards, we'd love to know. Since you obviously are going to assert your feelings of confidence here, let's talk. Do they involve implementing effective access control policies?
Nope. Not an access control policy in sight, although it seems whoever was here before us was doing some...uh...American...peacekeeping?
OKOK, listen, maybe we're asking a lot. Let's start with the firewall and go from there.
On the same subdomain that the screenshot above was taken from...we have....
Ah, I understand now.
Maybe at least their main website has a WAF, one would hope?
No further comment here.
Let's check across their entire infrastructure and see what's available without authentication.
That's...a lack of firewall/access control/IDS for sure.
What else do we have...lots of WordPress sites, lots of WordPress plugins, especially Contact Form 7. That one has a notorious vulnerability history; now to find out whether you're using it somewhere...
Alrighty, so, you're using it. What can we do here...let's see...well, you're out of date, and bad enough that...
Add that one to the report - this is informative and unfortunate.
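The out-of-date plugin finding above is, from the defender's side, an inventory problem: you cannot patch a plugin you do not know is installed or which version it is at. Added example (not the post's own tooling, and not connected to the university's sites): it reads the standard WordPress plugin header `Version:` line from each plugin's main file and lists anything below the version the site owner considers patched. The plugin header text is constructed, and the minimum versions in `MINIMUM_VERSIONS` are hypothetical placeholders; take real baselines from the vendor's changelog or your vulnerability feed, not from this example.

```python
"""Inventory WordPress plugin versions and flag those below a patched baseline.
Added example with constructed plugin headers; version numbers are made up."""
import re

# Constructed main-file headers, keyed by path relative to wp-content/plugins/.
SAMPLE_PLUGIN_HEADERS = {
    "contact-form-7/wp-contact-form-7.php": "<?php\n/*\nPlugin Name: Contact Form 7\nVersion: 5.0.1\n*/\n",
    "akismet/akismet.php": "<?php\n/**\n * Plugin Name: Akismet Anti-spam\n * Version: 5.3.1\n */\n",
    "hello-dolly/hello.php": "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n",
    "broken-plugin/broken.php": "<?php\n/*\nPlugin Name: No Version Header\n*/\n",
}

# Hypothetical "first patched" versions per plugin slug (placeholders, not real advisories).
MINIMUM_VERSIONS = {
    "contact-form-7": "5.9.0",
    "akismet": "5.3.0",
}

# Matches "Version: x.y.z" inside either /* */ or /** * */ comment styles.
VERSION_RE = re.compile(r"^[\s*#]*Version:\s*([0-9][\w.\-]*)", re.MULTILINE)


def version_tuple(version, width=4):
    """Turn '5.9' into (5, 9, 0, 0) so that '5.9' and '5.9.0' compare equal."""
    parts = [int(x) for x in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))


def plugin_versions(headers):
    """Map plugin slug (first path component) to the declared version string.

    Plugins whose main file carries no Version header map to None so they are
    surfaced rather than silently skipped."""
    inventory = {}
    for path, text in headers.items():
        slug = path.split("/", 1)[0]
        match = VERSION_RE.search(text)
        inventory[slug] = match.group(1) if match else None
    return inventory


def outdated(inventory, minimums):
    """Return (slug, installed, minimum) for plugins below their baseline.

    Plugins without a baseline are not judged here; plugins without a version
    header are reported with installed=None so someone looks at them."""
    findings = []
    for slug, installed in sorted(inventory.items()):
        if installed is None:
            findings.append((slug, None, minimums.get(slug)))
        elif slug in minimums and version_tuple(installed) < version_tuple(minimums[slug]):
            findings.append((slug, installed, minimums[slug]))
    return findings


if __name__ == "__main__":
    inventory = plugin_versions(SAMPLE_PLUGIN_HEADERS)
    for slug, installed, minimum in outdated(inventory, MINIMUM_VERSIONS):
        print(f"{slug}: installed {installed}, expected >= {minimum}")
```

On a real install, build the `headers` dict by reading each `wp-content/plugins/<slug>/<main>.php` from disk (or use `wp plugin list` from WP-CLI, which reports the same versions) and keep `MINIMUM_VERSIONS` in version control next to your patch policy so the check can run in CI.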
Also, to be clear: providing you with your own vulnerability assessment using our own intelligence platform and enrichments is not allowed, but you're allowed to use the intelligence platforms of others to do the same to us? And we are the "low standard"? Au contraire. Once vulnerability detection was complete, we ceased and reported the vulnerabilities to you, sent the report with no hassles, and offered to have an associate stand by and help you get to fixing, all without asking for a dime. Seems pretty fucking stand-up, not going to lie.
There's more to go into but, at this point, this is turning into a monologue. So here's the summary.
Since this disclosure was completed on October 27th, per our Scanning and Disclosure Policy we will be releasing this report on...let's go November 27th, make it easy to remember. This report will include over 900 pages that, if the University of Alberta does not come to appreciate, hopefully you will learn from, and not make the same mistakes. We haven't gone out of our way to actively exploit these; someone may happen to find success, they may not. Hey, maybe if you find something you should try reporting it to them ;)
We just saw some bullshit like this where BeyondTrust caught the Okta intrusion and Okta fucked around for 17 days before hearing back, "persisting with escalations", aka someone got angry and sent something potentially regrettable. This game? The whole "dance and chickenshit around the security team" thing? We're not doing it. It's childish, it's immature. It's irresponsible to the end-user, and in the University of Alberta's case that end-user only happens to be the "future" of education, eh?
To be clear, businesses and 'Sec professionals get "beg bounties" all the time, which is when someone comes to you, claims to have a bug or vuln, but tries to bait payment before providing a shred of info, or anything actionable or useful. There's nothing wrong with compensating helpful research, but...they gotta actually have a bug/vuln, and they rarely do. However, when someone brings you an actual, articulated report, guys, catch up: you intake the report, validate or disprove, patch, and then let the reporter know the results of your work - you properly triage !!!! reports !!!!
So, TLDR - November 27th (this ended poorly), report drops, and from there things go how they go; hopefully the university decides to actually test for these before less friendly folks do. If they don't, somebody will likely speed up the "breach cycle" and force UofA to eat their humble pie and patch. Until UofA takes their CyberSec posture seriously, I personally wouldn't make them the college of choice; you seem likely to end up in a data breach eventually if this is the type of hijinks their IT Team thrives on.
Follow Up Posted November 7th:
The University has started harassing and abusing students who have no connection with us, but are advocating for our vulnerability report to be reviewed. This is probably something someone could sue for, but it also demonstrates absolutely shitty behavior that hampers security responses and degrades security awareness. In response to behavior that is not only dehumanizing but abusive, we're waiving our disclosure policy that provided the university with 30 days of hunt time and sharing our report early. You do not get to abuse your customers, slack on their security, and take advantage of our favor, all in one.