After Operation Ivy, an operation launched by TeamHav0k and Zer0Lulz with the purpose of identifying cross-site scripting (XSS) vulnerabilities on the official sites of some major US universities, the grey hats now began Operation Big10. This op is aimed at the administrators of university sites in order to make them aware of the risks implied by an unsecure domain.
“Big10P was an operation to make colleges and universities aware that even the best colleges in the world are still insecure,” the hackers said.
The list of education institutions that have been proved to be vulnerable includes 10 names, the hackers explaining for each of them the level of danger and the threats posed by the existent security holes.
The institutions catalogued as being highly exposed include Northwestern University (northwestern.edu), Purdue University (purdue.edu), University of Michigan (msu.edu), Penn State (psu.edu), University of Minnesota (umn.edu), University of Wisconsin (wisc.edu), University of Iowa (uiowa.edu), and Indiana University (iu.edu).
The XSS flaws present on their websites can be used to steal cookies, for XSS tunneling, and even to initiate XSS attacks using Metasploit (XSSF).
“With XSSF there is a lot more that can be done, the attacker can then open up a backdoor to your computer resulting in a complete OS compromise and do whatever he/she wants,” the hackers explained recently.
Operation Big 10 also lists a couple of colleges whose sites contain low risk vulnerabilities that aren’t quite as dangerous, but which on secure domains shouldn’t exist at all. These are the Ohio State University (osu.edu) and University of Illinois (Illinois.edu).
The sites owned and administered by education institutions seem to be the favorite targets of the grey hats from TeamHav0k and Zer0Lulz, who have recently shown that Brown, Columbia, Dartmouth, Cornell, Harvard, Princeton, Pennsylvania, and Yale University are all exposed to malicious operations.