||Hacked by Codeine||

The break-in took all of 10 minutes. A computer hacker known as Codeine discovered multiple security flaws in the coding of UVM’s servers, using them to gain unauthorized access to UVM’s website on Aug. 12. “The most important thing is that there was no student information compromised,” information security officer Dean Williams said. “The [affected] server is separate from the server containing grades and courses.” However, Codeine said he could have accessed more important information.   “These hacks allowed me access to multiple different databases containing various information such as accounts and passwords,” he said. After discovering the flaws, Codeine sent an email to UVM’s computer helpline detailing the security weaknesses, according to his email correspondence. “The University of Vermont suffers from multiple web application vulnerabilities such as Remote File Inclusion, SQL injection, Cross-Site Scripting (XSS),” the email stated. The computer helpline received Codeine’s email, where a technician from Enterprise Technology Services assigned the issue a tracking number in UVM’s Footprints system, used to track technology problems. But nothing was done. “We had an internal communication breakdown,” Williams said. “We didn’t address all of those issues within several weeks.” When a response was not given, Codeine sent another email that he said would clarify his mission. “I was informing you all of my discovery so someone malicious wouldn’t use that information to actually take advantage of the website,” the email stated. “Bluntly, these could lead to hacking attacks against UVM and data stored in its databases.” Codeine said he then waited patiently, never heard back and revisited the issue after weeks had passed. “After that they said nothing,” he said. “One month later, I decided to check back on the site and nothing had been done to fix it.” So he decided to make his message clearer. On Sept. 8, Codeine again gained unauthorized access to the server and vandalized multiple UVM websites, changing them to his own custom page. The changed websites, including the ResLife homepage, included a black background, Codeine’s hacker graphic, the music of “Airplanes (Freestyle)” by Royce Da 5’9″ and a custom greeting. “Is this how you all defend the privacy of your employees and students?” Codeine’s message read. “Even after a month of being alerted of the MULTIPLE vulnerabilities you take no action?” The affected websites were left up until a student tipped off the security team that a change had occurred, Williams said. “The landing page was up for eight hours, overnight,” he said. “It was reported at 8 a.m. by a UVM student and we disabled it.” By 11:41 a.m. on Sept. 8 the issue had been resolved and Director of Systems Mike Austin reached out to Codeine in response. “I’m sorry that it looks like we just ignored you,” Austin said. “We really do appreciate you trying to give us the heads up.” “I’d like to ask for peace though,” he said. “Thanks for any other information you may have.” While the web team worked to fix the problems, news of the hack was spread throughout the hacking community, originating with a post on HackForums.net. “Great job man,” wrote fellow hacker kn0x. “They should really secure their stuff better. You can get a lot of valuable information from sites like that.” “Meh, not really impressed,” hacker Warv0x posted on Hack Forums. “But they were asking for it. They should start focusing on security at least a bit.” The story was also picked up by an Australian magazine Secure Business Intelligence, who ran a story titled “US Uni warned, then hacked,” according to their website. The hack was even publicized by Cisco Security on Twitter. “Ever been warned about vulns in your website by a hacker? Did you fix them? These guys didn’t,” according to their Twitter page. One of Codeine’s techniques is called cross-site scripting. “Once a [cross-site scripting] attack is activated, everything from account hijacking, changing of user settings, cookie theft and poisoning, or false advertising, is possible,” Paul Lee, IT Architect wrote on IBM’s developer works website.   When asked about the current security of UVM, Williams said he was confident in the efforts of his web team. “The web team and systems group are doing a pretty thorough review of our code right now,” he said. “All code has bugs — what we’re doing now is prioritizing.” Junior Christoph Griesshammer, a computer science major, said he is not surprised that the University was hacked. “Organizations are always getting hacked,” Grieshammer said. “But I’d expect a university to handle student information and data more securely than allowing simple exploits.” “People put a lot of trust into the University,” he said. “They are throwing all of this money here and expect it to be safe.” But money may not be enough to stop a hacker with a resume. Codeine, who claims to have hacked major institutions, described himself as a “Greyhat hacker,” meaning he is involved in illegal activity with a nonmalicious intent. “Us [hackers] are not all 40-year-old guys living in their parents’ basements,” he said. “We go to school, work jobs and do other stuff besides hack. And we’re not evil.” Codeine said he has been hacking for about four years and does freelance security work for testing websites. While he is not a student at UVM, Codeine said he chose to hack the University because he knows people that go there. “I just don’t like seeing people’s info leaked due to the lack in security in educational and government systems,” he said.