The FBI Issues a Warning about Criminals Selling College VPN Access
These login details allow access onto educational networks, which could potentially enable bad actors access to student databases or other platforms within that network.
The FBI cautioned:
If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations.
The entire point of a private network is to keep networks and data safe. If that network is compromised, all data and systems within that network can also be compromised.
Once a bad guy has access to that network, it’s no longer private and no longer secure. They have the time and space to operate freely to try to hack systems connected to that network.
Not the end of the game
That said, having access to a network does not mean hackers will automatically have access to those systems.
If the network has been built correctly, each system will have its own gatekeeper and security. Data within those systems should also be encrypted to help protect the contents.
So, while this is definitely cause for concern, it’s immediately game over.
How to protect VPN networks
If you find your own VPN network compromised, what can you do about it?
You have a couple of options.
1. Change the login credentials across the entire network
This is a lot of effort for a network the size of a college or university, but it’s also necessary.
A change of username style and length and change of every single password is just the beginning, but should slow down the rate at which hackers can access the network.
2. Audit all user accounts for the network
You would then need to perform a full audit of all active user accounts with current access to the network.
Revoke any accounts you don’t recognize without fail. If you revoke an active account you don’t recognize, you can always reinstate it when you get the call.
It’s much better to have to do this a few times while removing hacked accounts than to leave potentially vulnerable accounts active.
3. Perform a security audit all systems connected to that network
Accessing a VPN network is one thing, being able to then hack the systems connected to it is something else.
As long as those systems have been set up properly with their own logins, two-factor authentication and encryption, it should be a tough ask to hack them.