On Oct. 1, a hacking group under the moniker Team Ghostshell unleashed “ProjectWestWind,” a venture that has since leaked 120,000 records from 100 universities worldwide. The group targeted major learning institutions like Harvard and Cambridge, as well as two Canadian universities—McMaster University and the University of British Columbia.
The group allegedly intended to bring about a discussion on the state of higher education.
“We have set out to raise awareness towards the changes made in today’s education, how new laws imposed by politicians affect us, our economy and overall, our way of life,” Team Ghostshell wrote in a post on pastebin.com. “How far we have ventured from learning valuable skills that would normally help us be prepared in life, to just, simply memorizing large chunks of text in exchange for good grades.”
Four servers were hacked at McMaster in Hamilton, Ontario. Team Ghostshell accessed files that included the names of people who participated at departmental events, as well as names of students, and degree dates. These actions have led the general public to believe that the hackers’ actions were not meant to do actual harm, but rather to make a statement.
Despite the innocuous nature of the information, the attack still brings up the issue of software security. McGill has an IT Security Incident Response Protocol, which details their response to an incident where confidential data has been compromised or the IT systems are attacked. Steps include assigning an Incident Officer to identify the problem and take “corrective action.”
“All software have bugs and all universities are targets,” McGill Chief Information Officer Ghilaine Roquet said. “We receive bug fixes regularly by all our software and hardware suppliers.”
Derek Ruths, an assistant professor in the school of computer science at McGill, explained that any information available online—whether it be grades, enrollment information, or course registration—is at risk of being hacked.
According to Ruths, McGill purchases its software platforms from various software companies.
“It is not necessarily the case that running the wrong software is going to get you hacked,” he said. “Sometimes there are just vulnerabilities in the software itself. For example, if myCourses had a huge bug in it, it may be very possible for hackers to easily get the enrollment of the entire university by simply accessing the right myCourses pages.”
In order to diminish the chances of being hacked, universities must then be careful about the level of security of the software they purchase, Ruths arged. Although he does not have details about the security of McGill’s software, he believes there is no reason to be concerned at the moment.
“There’s nothing going on with McGill’s software that makes me suspect that it is insecure, but most software that is hacked usually looks pretty secure on the surface,” he said.
According to Ruths, there are also some students at McGill who intentionally look for bugs and report them to IT services.
“They do it on their own accord,” Ruths said. “They consider it a service. If they see a page and something strikes them as a little odd about it, they will tinker around to see if there is a problem. If they find that there is a problem, they will immediately report it. This is the kind of behaviour that I think should be encouraged on some level because … when good people find problems, systems get better.”
Although Ruths said all software is at risk, McGill IT’s response protocol means that the university is prepared to deal with hacking, should it occur at McGill.
