Anatomy of a hack: Examining Root The Box’s attack on UVA’s website

This screenshot from UVA third-year Andrew Kouri’s computer shows last week’s UVA homepage hack in real time.

Last week’s high-profile defacing of UVA’s website may not have led to a serious security breach, despite threats of e-mail infiltration and stolen data by two hackers calling themselves “Root the Box” who took to Twitter to boast and threaten during a 24-hour battle with University Information Technology Services. But it definitely got people’s attention—in Charlottesville and beyond—and sparked a conversation about how we secure schools’ online information.

“It was certainly not a sophisticated attack on UVA’s website by any means,” said third-year computer science major Andrew Kouri, who managed to conduct a chat interview with the pair of hackers. “In fact, I’d like to think that most CS students here could figure out how to exploit the vulnerability if they actually cared enough to do so.”

Kouri thinks the repeated takeovers of the UVA homepage, detailed in a string of news stories and picked up by the Associated Press, were overblown. But there are a few takeaways, he wrote in an opinion column for the Cav Daily. Chief among them, “as the hackers say, no system is entirely secure.”

The fact that we know how the hack unfolded is largely due to some deft work by Cavalier Daily reporters, who joined other students in watching a full day’s worth of hacker antics in real time, capturing them with screen shots and talking it all over on Twitter. Their reports lay out the details: At about 9:10pm on Monday, April 15, visitors to UVA’s homepage were redirected first to a white-on-black image of the words “ROOT THE BOX” and a grimacing, broken-tooth skull over what looked vaguely like an alien from the Space Invaders arcade game, then to a Twitter feed with the handle @R00tTh3B0x.

For the next 40 minutes, the hackers—going by the names n3tcat and x86, according to their redirect page—appeared to do battle with ITS, with the homepage flicking between its normal state and the high-tech Jolly Roger five times before the main page returned for good at 9:53pm.

An hour after the site reverted to normal, Cav Daily editor-in-chief Kaz Komolafe wrote a tweet asking the hackers for more information, and a 20-minute conversation followed.

“We hacked it because we can,” Root The Box wrote back. “For fun, and because of the University’s lack of security. That sums it up.” They later implied the hack was in part in response to a $40,000 Virginia Innovation grant awarded to three UVA researchers last month to develop patented code that would increase Web security. The computer scientists, who aren’t part of ITS, “don’t deserve their award,” they wrote.

The hackers went silent at 11:15pm, only to return the next evening to again deface the homepage and issue a threat: “If you admit your security fails and acknowledge #RTB for our actions we’ll leave you alone,” they wrote, using a self-designated hashtag. “Otherwise, you’ll continue to feel the wrath.”

Normalcy returned shortly. Kouri, seeking fodder for a column, used an encrypted Web app to chat with x86 and n3tcat, and came away both better informed and unimpressed.

The pair claimed they’d hacked the site via its widely used Web platform, WordPress. Specifically, they found a chink in the armor of the Honor Committee website, probably because of a weak password. Once inside, they were likely able to set up new administrator logins, creating new doors to come back through later.
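As an added example (not from the article, and not anything UVA’s ITS has published), this is the kind of audit a WordPress administrator would run after an incident like the one Kouri describes: the queries list every account holding the administrator role, so that logins an intruder created as a way back in stand out. They assume MySQL and WordPress’s default wp_ table prefix.

```sql
-- Added example: enumerate WordPress administrator accounts, newest first.
-- WordPress stores a user's role in wp_usermeta under the key
-- '<prefix>capabilities' as a PHP-serialized array; with the default "wp_"
-- prefix that key is 'wp_capabilities'. Adjust both if the install uses another prefix.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
 AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC;

-- Same join, narrowed to administrator accounts registered in the last 7 days.
-- Any row here that nobody on the team created is the "new door" the article mentions.
SELECT u.user_login,
       u.user_email,
       u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
 AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%"administrator"%'
  AND u.user_registered >= NOW() - INTERVAL 7 DAY
ORDER BY u.user_registered DESC;
```

Compare the result against the list of administrators the site owners actually know about; the same join with a different role name audits editors and other privileged roles.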

But Kouri believes they were bluffing about their ability to mine the site for sensitive data. They sent him screenshots of files they’d supposedly downloaded, but they were too nondescript to be real proof of a serious security breach. And even though one of them had claimed to have a connection to the University—“The UVa hasn’t changed a bit since I attended”—Kouri thinks that, too, was a lie. They referred to the Honor Committee as “the ‘honors’ site,” which smacked of unfamiliarity, and their screen shot showed they were on Central Time.

UVA has said little about the incident. The only clue online that anything went amiss is a note on the University’s system status page that ITS had temporarily disabled access to WordPress admin pages.

Amateurish as the effort might have been, it did raise some eyebrows. Are UVA and other public institutions more vulnerable than previously thought?

“I think the increasing complexity of software and the increasing prevalence of online software in our daily lives has exposed greater degrees of attack surfaces,” said John Feminella, a local software engineer, former Chief Technology Officer at Cardagin and co-founder of analytics health monitoring company UpHex*. There’s more vulnerable landscape than there was even five years ago, he said. “That means these incidents are more likely to occur.”

But developers are getting more savvy when it comes to watching for weaknesses, he said. One effective way to do that is to tap into the hive mind of the hacking community and put it to good use, creating communication portals to allow so-called “white-hat” hackers to point out soft spots.

“It’s always good to have someone double-checking your work, especially where security is concerned,” Feminella said, and welcoming suggestions resonates with the kind of experts who would rather get a nod of recognition than make headlines for an epic attack.

But if UVA isn’t particularly progressive when it comes to getting friendly with those who might be secretly poking at its secure perimeters, that’s also understandable, Feminella said. As a public institution sitting on a big pile of personal information, the University has a lot to lose.

“I think they’re required to have a certain conservatism, because they’re dealing with people’s lives,” he said of those in charge of the data. And however much of a spectacle Root The Box created last week, UVA is doing a pretty good job of keeping the baddies at bay.

“The fact that there aren’t thousands of these incidents instead of one of them is to their credit, too.”

Rodney Petersen, managing director of the Washington, D.C. regional office of Educause, a nonprofit advancing IT in higher education, agreed that schools have risen to the challenge of becoming effective protectors of information.

“I don’t see a lot of these kinds of incidents,” he said. “I can think back eight, 10 years ago when website defacement was much more common.”

And even if they don’t welcome hackers in, they certainly try to think like them, he said, turning their security professionals into “people who can defend their networks and anticipate what a bad guy might do.”

They also watch each other, and UVA’s hack had more higher-ed eyes on it than it might have otherwise. As it happened, Root The Box went on the attack while Educause was holding its annual conference for college and university IT security professionals in St. Louis, making for a captive and very interested audience.

“They learn from each other’s mistakes,” Petersen said of school IT teams. “No one wants to be in response and reaction mode.”

*Correction: We previously said John was a co-founder of Cardagin; he was the CTO. Also, UpHex was initially described as a “health analytics” company, but it’s actually an “analytics health monitoring” company. He explains it this way: “We watch your Google Analytics, Facebook, PayPal, etc. and we let you know whenever something statistically surprising happens. We don’t watch your EKG or blood pressure.”