A constant game of cat and mouse is being played between Internet security specialists and hackers, and there is no sign of it coming to an end.
Last Monday, Oct. 13, the University of New Brunswick Student Union website was one of hundreds defaced by a group called Team System DZ over a couple of weeks with a message supporting the Islamic State of Iraq and Syria. The defacement was online Monday night for about two hours before the site was moved to a new server.
Below the hacking group’s name on the site read, “I love you ISIS.”
IBM Security Systems lead Rick McCaskill said, in his opinion, the attacks were likely the result of hackers finding a security flaw across an entire server or coding platform.
“If you run down the street and jimmy the lock on every door and 15 of them open, you’re probably going to go in and cause some mischief,” he said. “It’s not that the contents of the houses are related in anyway. It’s that they all have the same lock – the same vulnerability.”
Zack Spear is CEO of ICS Creative Agency, which administers Unbsu.ca. He said his company planned to transfer the student union’s website to a new host before the attack happened. The next morning, the switch was made.
“We found the hack and we had everything fixed within about two hours,” said Spear. “This is something we don’t take lightly. We’re doing everything we can to ensure that our websites are secure.”
UNBSU vice president external Nicole Saulnier said the union contacted the Fredericton Police Force after they discovered the website was hacked.
“We are working with our website provider to protect ourselves from this type of vandalism in the future,” she said in an email Tuesday.
Fredericton Police Force spokesperson Alycia Morehouse confirmed Tuesday the complaint came in Monday night and the RCMP have been informed of the situation.
“We are taking it very seriously, and the investigation is ongoing,” she said.
Below the title on the hacked UNBSU website was an Arabic phrase that roughly translates to, “God’s law is in progress. The Islamic nation is coming and God’s law will be applied. You have been warned.”
The website then featured a scrolling-text-box, that in part read: “The state of Islam and the list expands, God Willing. Now now fighting began. This time is a time of Islam and victory and lift the injustice for Muslims and the elimination of America and the allies of the infidels. Will not keep silent about one inch of the land of the Muslims…”
An open Facebook page titled Team System DZ featured links to at least 100 other hacked websites since Oct. 4, posted by a user also named Team System DZ. The page is no longer public.
One post on the page referenced “Server Israelian SQL injection.” An SQL injection, as well as numerous other types of code injections, seeks to add a command into a website’s code to either alter the website’s contents or to gather hidden information like passwords and data from the millions of lines of code on the site’s host server.
Jon Quinn, director of public relations and social media for ICS, said the hackers replaced just one file on the server, which was enough to redirect visitors to an entirely different page.
He said the attack was on the site’s front-end, equivalent to spray painting a building, and no data was taken.
“There’s a million different ways to hack a website,” Quinn said. “No website is 100 per cent secure. I mean, the Pentagon gets hacked. To say something is 100 per cent secure is not, well, possible.”
McCaskill said the back-and-forth between hackers and web security professionals will likely never end. While webmasters can be proactive in testing and updating their systems, there is little else available to get ahead of hackers.
“The job of an Internet security researcher isn’t going anywhere anytime soon,” he said. “As we get more and more connected, and we bring more and more devices onto the Internet – the Internet of things, where someday your toaster and your fridge will be connected – there’s more and more things to attack. The role of the Internet gurus is going to grow to keep our stuff safe.”