May 21, 2006 6:05 PM PDT

University server in hackers' hands for a year

An unprecedented string of electronic intrusions has prompted Ohio University to place at least one technician on paid administrative leave and begin a sweeping reorganization of the university's computer services department.

Bill Sams, Ohio University's chief information officer, said he initiated the reorganization on Friday. The Athens, Ohio-based university is reacting to recent discoveries that data thieves compromised at least three campus computer servers.

In a disclosure that hasn't been widely reported, one of the compromised servers, which held Social Security numbers belonging to 137,000 people, was penetrated by U.S. and overseas-based hackers for at least a year and possibly much longer, Sams said in a phone interview Sunday with CNET News.com.

At least one security expert was astonished that a compromise could go undetected for so long.

"That's unbelievable," said Avivah Litan, security analyst with research firm Gartner. "I have never heard of that much of a delay. Why would it take a year to discover this? It doesn't make any sense."

What's also alarming to Litan is that a year-long compromise could go undetected at a time when universities should be operating on high alert. Over the past year, numerous media reports have chronicled security breaches at such schools as Notre Dame, Purdue and Georgetown universities.

Ohio University only became aware that a problem existed after the FBI discovered someone had remotely taken control of one of the school's servers.

Litan estimates that a third of all data leaks are at universities. She says information bandits are preying on the nation's colleges for three reasons. First, the schools possess Social Security numbers and other information useful in committing identity theft. Secondly, she says universities don't take security seriously enough.

"They don't want to spend money on it," Litan said.

Lastly, universities are at a disadvantage because they must keep information free flowing. Part of their mission is to share knowledge. While the Internet has simplified that task, it has also presented greater risks.

At the time of the attacks at Ohio University, the school operated 90 servers, Sams said. And that was just the school's primary computer network; more servers are operated by individual university departments.

"If you're a corporation, you can just lock everything down," Sams said. "We don't have that luxury. The academic side is trying to find a line between maximum flexibility and data security...We need someone somewhere to come up with a set of best practices for schools."

How a server could be left open to intruders is still under investigation. But this much is known: A server supporting the alumni relations department was supposed to be offline, Sams said. The people responsible for shutting it down thought they had done so. The server continued to be connected to the Internet but didn't receive security updates. It was the equivalent of leaving a backdoor open for thieves to walk in and seize what they wanted.

The culprits who broke into the other two servers made off with health records belonging to students treated at the university's health center, as well as Social Security numbers of an additional 60,000 people.

"We had a failure of both policies and procedures," Sams said. Asked why, when so many schools were succumbing to computer attacks, Ohio University wasn't quicker to order a security audit, Sams replied: "Should we have? Yes. Did we? No."

62 comments (Showing first 20 comments)
Those who can't ... end up at universities
by booboo1243 May 21, 2006 8:12 PM PDT
"we need someone somewhere to come up with a set of best practices for schools."

Oh please. "Somebody help me, I'm clueless." This guy's making the big money as the CIO, if he can't figure it out or pay someone to figure it out he should be part of the reorg.
Here's the funny part...
by rpbell May 21, 2006 9:42 PM PDT
...just think: Fully 100% of the recent graduates of Ohio University's computer sciences program have been taught by instructors who apparently know not one whit about security.

Not even one instructor or student was sharp enough to use their training (?) and skills (?) to test the university system for security breaches, nor even for periodic patches and updates to ensure that it was secure.

Amazing. Absolutely amazing. Also, stoopid!

rb
Imagine What It's Like At Community Colleges
by maxwis May 21, 2006 9:55 PM PDT
If major educational institutions are compromised, imagine what it's like at the community college level. If you went to one of those schools, I'd start applying for an identity change.
This is real nice!
by inachu May 22, 2006 3:58 AM PDT
I bet the information is now in information brokers' servers and will sell to any company to let them know that Janet has AIDS or maybe something minor. Any company using this information should be shot dead.
Security is NOT "Academic"
by westrajc May 22, 2006 5:27 AM PDT
This is yet another example of the failure of the liberal PC (pun intended) world of Academia! But don't colleges like this all run Linux and Open Source software because they are immune to hackers!?

The IT director should be fired, the servers consolidated, uniform security policies established and students AND faculty given the option to embrace secure computing or find another place to study/work! The longer we tolerate mediocrity on our college campuses, the farther/faster we will fall behind the rest of the world.
Why the connection
by dland51 May 22, 2006 8:20 AM PDT
Something I do not understand is why the free flow of information should have anything to do with a server system that stores student or private data! Those systems should not need to be interconnected! Why would you want internet access available to that type of data?
It was a WINDOWS machine that was compromised - What'd ya expect!
by baswwe May 22, 2006 8:54 AM PDT
Holes are all over MS Windows products.
It's all about money
by Fireweaver May 22, 2006 9:51 AM PDT
It's all about money, of course. But isn't everything?

Who wants this server job on campus?

Educational budgets are shrinking. I guarantee you that most IT positions on a campus pay 20% less than in a business environment. For high-end server managers the gap is even higher.

Also, campus environments are VERY political and often hard to work in. You have to jump through hoops that don't always make "business" sense and often run against it.

Finally, education demands a TON from their IT people without wanting to pay a lot- for staffing in particular. There's always a zillion projects waiting to be done and everyone wants something.

So when you demand that education steps up maybe you should be demanding that they also get better funding. Once that happens then you can look into demanding that they in turn spend more on their IT security. One won't happen without the other, though.
View from the inside
by DivI_UnivIT_Employee May 22, 2006 2:23 PM PDT
I work in IT at a Division I university, and here's what I see:
1. The pay is far lower than available in the private sector.
2. One needn't be particularly skilled/intelligent/industrious to retain one's job, especially true for those in management.
3. One can preach security until one is blue in the face without being able to make a difference.
4. Servers get compromised frequently, and lessons seem to take repeated exposure to be learned (if ever they are.)
5. It seems that only security issues dealing with usability of the campus network get much attention. Nimda ran wild through the network for over a month, but it was only within the last couple of years that significant inroads were made in containing malware, as the network edged ever nearer to a "notwork" due to the volume of malicious traffic.
6. Compromise of personal information is underreported, possibly to the degree of illegality. I know personally of a server that contained credit card and SSN data that was compromised, without notification being given.
7. The way things SHOULD be done and the way things ARE done are more different than similar.
8. Priorities are politically motivated, and usually bass ackwards.

That's not all, but isn't that too much already?

(Personal inertia is why I'm still here, that and other personal issues unrelated to skill and/or intelligence.)
One Year and No One Had a Clue
by RoyalWulff May 23, 2006 6:53 AM PDT
"They don't want to spend money on it," Litan said.

"Lastly, universities are at a disadvantage because they must keep information free flowing. Part of their mission is to share knowledge. While the Internet has simplified that task, it has also presented greater risks."

This comment by the CIO is out of touch and out of date. Yes information needs to be "free flowing" but what type and category of information. As for not wanting to spend money on the problem - from the article it does not appear that money was an issue (although I am sure it is) as the CIO herself says that they thought the problem was fixed! But they did not follow up.
And then we have the YEAR it took to find the compromise and then by the FBI! There is something terribly wrong here. When your own security department can not follow up, monitor the university's systems, and then blame it on the requirement of "free flowing" information - well at least it was free flowing for a year.

One has to wonder why the Professors and students in their IT program did not see anything! Could this be the case for "No Child Left Behind" :-)

"The academic side is trying to find a line between maximum flexibility and data security...We need someone somewhere to come up with a set of best practices for schools."

Again the CIO is not in touch with her colleges. Has she ever heard of EDUCAUSE (http://www.educause.edu)? All they do is address University and high educational institution's IT and information security needs and requirements.

Have a great Day...