Freenters hacking exposes lax security, compromises student information
The Chicago Maroon - November 15, 2013
Freenters founders admitted to weak security after a group calling themselves the UChicago Electronic Army (UEA) hacked into the free printing service’s system and dumped users’ personal information online.
At 10:20 a.m. Thursday, 3,015 Freenters customers received an e-mail from the official Freenters e-mail account, sent by the UEA, lambasting Freenters’ lack of security and providing a link to a file containing “data concerning the first and last name, email, birthdate (for those registered before 2/20/2013), major, and grade” of users, as well as “protected forms of passwords,” according to a statement from Freenters.
The UEA message called users “Freentards” and stated, “we regret to inform you that we’ve been hacked super fucking hard.”
Third-year Helen Gao was hacked even though she said she has not used the service since signing up last fall.
“I wasn’t terribly surprised that they got hacked, I guess, but I was pretty surprised someone took the time to do that and write that immature of a message,” she said.
Freenters customers were left confused as to whether their passwords had been compromised after the attack.
Freenters sent an e-mail about two hours after the attack apologizing for the actions but claiming that users’ passwords were secure. An hour later, Freenters clarified through their Facebook page, saying “we highly recommend that you change your password for other accounts.” IT Services later sent an e-mail to affected students with the same advice.
Allison Shapiro, a sophomore at Northwestern University, where the company has operated since this fall, also received the UEA e-mail. According to Shapiro, Northwestern’s IT Services made similar suggestions to UChicago’s. However, she was concerned that Freenters was unclear about the exact nature of the attack.
“The e-mail they sent us specifically said that our personal information such as account passwords was not compromised, so I was really confused when I got this separate e-mail from the IT people saying that in fact it had been,” she said.
While users’ passwords have not directly been made public, a “hashed” version of the password has been made available. Hashing runs a password through a complicated function which delivers a stream of numbers and letters on the other side.
According to Borja Sotomayor, associate director for technology and faculty director of Hack@UChicago, hashed passwords can always be decrypted using a “brute force” hacking method, but how long it would take a hacker to crack the password depends on the password and how it was hashed.
“Usually when you’re using a hash function like SHA-256, you don’t run the hashing function just once. You run it literally hundreds or thousands of times,” Sotomayor said, referencing the specific form of hashing that Freenters used. “The big issue from what I’ve been able to tell from the data that’s been made available is that they used a single round of hashing, which makes it very easy to brute force the hashes.”
One alumnus who did not wish to be named stated that he had been able to crack a friend’s hashed password relatively easily. “I gave it a try and was able to do it in less than one minute. While it would obviously take some time to crack all of the hashes…any one hash in isolation can probably be cracked quickly. In short, it’s definitely necessary to assume that all passwords are (or can be) compromised,” he wrote in an e-mail.
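The gap between one round of SHA-256 and a hash run many times, as an added example that is not from the article or from Freenters' code. It stores a password both ways and measures the cost of one check; PBKDF2-HMAC-SHA256, the per-user salt, the iteration count, the record format and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor for this example, not a figure from the article


def weak_hash(password: str) -> str:
    """One unsalted round of SHA-256: the storage scheme the article describes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random per-user salt, stored as one record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    except (ValueError, OverflowError):
        return False  # malformed record
    return hmac.compare_digest(dk, expected)  # constant-time comparison


def cost_ratio(password: str = "constructed-sample", trials: int = 2000) -> float:
    """How many times more work one check costs under strong_hash than weak_hash."""
    start = time.perf_counter()
    for _ in range(trials):
        weak_hash(password)
    weak = (time.perf_counter() - start) / trials
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, ITERATIONS)
    return (time.perf_counter() - start) / weak


if __name__ == "__main__":
    print("same password, weak scheme, identical hashes:",
          weak_hash("constructed-sample") == weak_hash("constructed-sample"))
    print(f"one iterated check costs about {cost_ratio():,.0f}x a single round")
```

Every guess against a leaked record costs the same multiple, which is why the number of rounds determines how long the stored hashes hold up once a database is dumped.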
Freenters co-founder and fourth-year Hyesung Kim admitted their security was “weak” but said that the attack took them “completely by surprise.”
“There was not a single indication. We not only got hacked on our website. The hacker, we assume, actually visited all of our printing stations around 3 or 4 in the morning and printed 999 pages of a printed document that pretty much says, ‘Why Freent?’”
Kim and Freenters leaders met with administrators at IT Security yesterday to begin an investigation into the incident.
“There must be some traces that the hackers have left. We’re giving all the information we get to NSIT and IT Services so they can do the investigation in terms of who hacked the website,” Kim said.
Sotomayor said that from what he had heard, Freenters made it much too easy to access users’ personal information.
“What’s being implied by the e-mail that was sent and the other stuff that’s being implied around it is that basically they were running a lot of their code with basically administrative privileges, which means that if someone was able to hijack the server they would immediately be able to access stuff like the contents of the databases, they would be able to access stuff like password information, and so forth,” he said.
Software engineer Hillel Wayne (A.B. ’13) added, “I remember a year or two ago a friend demonstrating how insecure the site was—apparently they didn’t have the server password protected. He was able to go in and mess around with the ads.”
Kim said the company had taken steps to verify the security of the website even before the hack.
“We actually changed our website twice and our application four times, and each time, we tried to make sure the security was not easily able to be broken. This is the first time that it has happened to us. We’re wondering how they were able to break in.”
However, Wayne claims that Freenters has been insecure since its inception, and the UEA just exposed these problems. “People could have been stealing passwords for years and Freenters wouldn’t have cared. Hopefully this shock will get them to actually do something. At the very least, now the average user knows their platform is insecure, which should make them think twice before giving them information,” he said. “In some ways, the UEA was doing the users of Freenters a service.”
Kim said the Freenters team would learn from this to make the service better. “I just want people to understand: I’m not trying to blame others. It’s Freenters’ fault,” Kim said. “This is a turning point for us—the message that the hacker gave us. We’re going to make sure that this doesn’t happen again in the future.”
Sotomayor casts blame on both sides for the hack.
“It’s easy to flip this around and suddenly blame the developers of the site,” he said. “If you leave the door of your apartment open with the keys there, if someone goes in and steals all your stuff, it makes it no less of a crime.”