Threat Hunting for Higher Ed
Scott Goodwin
Experienced IT Analyst, Security+
11 October 2017
Your information is out there whether you like it or not, just floating around the digital world. As a result, it is possible to collect email addresses, passwords, IP addresses, and other technical information affecting an organization just by monitoring certain websites on the internet. Just by knowing where to look, hackers (and security researchers) can collect all kinds of information about an organization, up to and including potentially valid credentials.
This information-gathering process is not illegal either. Our own IT Audit & Security division, OCD Tech, has been collecting this information by “scraping” the content from key websites on the internet. These sources include public forums that are regularly abused by hackers to release stolen or otherwise sensitive information. In some cases, hackers hope to take credit for their work and increase the damages to their target by releasing the data they steal to the public domain. In other cases, hackers post a snippet of data, enticing other malicious individuals to purchase the entire stolen dataset.

From a research perspective, capturing this data is useful to identify threats affecting an organization, their clients, vendors, or partners. It is important to note, however, that this type of data appearing on the internet does not necessarily indicate that a breach even occurred from within the affected organization. It is more likely that the data came from a third-party breach and the user chose to reuse their business or school email address and password. In these cases, a third-party breach can have disastrous consequences, as the leaked credentials could be valid for internet-facing applications or local network access.

Higher education institutions have it rough, as they are responsible for securing a technical environment which is just as complex and dynamic as those found in other industries. In addition to the business-as-usual security implications of maintaining such a large network, they are also responsible for securing the information associated with their constantly changing student user base. Colleges and universities must balance the security and availability of this information to provide access where necessary and prevent access in all other cases.

Institutions often implement an internet-accessible student portal that gives students and parents a way to manage personal, academic, and financial information. These web applications encrypt the network traffic, and users are only permitted to view their own information. The problem with these portals is that they usually rely on passwords, and passwords can be compromised.

It also doesn’t help matters that students probably aren’t the most security-focused individuals. As a result, they may fall into the standard bad habit of reusing passwords across multiple services or websites. When you take into account the massive number of student accounts across the numerous higher education institutions and consider the quantity of emails and passwords that are released by hackers on a regular basis, the number of potentially vulnerable student user accounts that emerges is staggering.

In the past 18 months, OCD Tech has captured over 105,000 unique email addresses which end with the “.edu” top level domain. Over 16,000 of these “.edu” email addresses were released with an associated password. It is likely that a subset of these credentials is valid for the internet-facing student portals provided by the institution. With valid credentials, personally identifiable student information may be available, including financial information.

These credentials were released to public websites such as Pastebin.com. Unfortunately, there is usually no other context associated with this type of information leak. Due to the nature of these websites and the people releasing the data, it is not usually possible to identify the true source of the leaked data. Similarly, there is usually no way of knowing if the data is legitimate or not. However, the release of data that is potentially damaging to a student, such as an email address and password combination, can be just as damaging to the higher education institution hosting their data.

To address the risk associated with information leaks and third-party breaches, a two-fold approach is required. First, any internet-facing application holding personally identifiable information should require two-factor authentication. This renders a compromised password useless if the attacker cannot provide the second form of authentication. Secondly, higher education institutions should consider monitoring internet sources that are likely to host student credentials. Active monitoring or engaging with a third party to provide monitoring services can help identify threats to student information before they fully materialize.

If you have any questions about IT security, please contact Scott Goodwin, Security+, by phone at 617.471.1120 or via email at
