Lulz team seems to have their signature on the Security page almost on a weekly basis. Just today, “The Sun” newspaper’s online home-page has been defaced, playing on the recent Murdoch issue but the most recent and interesting case certainly remains the attack to Italian Universities.
On its Twitter page LulzStorm posted a supposed dump of the databases of 18 Italian Universities, containing thousands of usernames, cleartext passwords, emails and private information.
[Figure 1 – LulzStorm Twitter page]
As indicated in the Twitter post, the guys have saved the dump online, which seems to still be active at present.
Here LulzStorm manifested one more time the vulnerability of information systems. Vulnerability in this context means weak systems, weak protection and/or weak security administration. It is not the fault of any application; it is not the fault of any security system or software: the error here is typically human.
According to some incident handling talks it seems this issue was mostly caused by SQL injection bugs of custom web applications and maybe the presence of software vulnerabilities (old joomla, phpforum): SQL Injection and Cross Site Scripting vulnerabilities are responsible for most data exposures on the Internet today. Simply put, these vulnerabilities need more attention from data owners.