Need something? Download free app.
- Related Stories
-
Ohio University suffers security breaches
May 11, 2006 -
Man charged with hacking USC database
April 20, 2006 -
FBI probes network breach at Stanford
May 25, 2005
Bill Sams, Ohio University's chief information officer, said he initiated the reorganization on Friday. The Athens, Ohio-based university is reacting to recent discoveries that data thieves compromised at least three campus computer servers.
In a disclosure that hasn't been widely reported, one of the compromised servers, which held Social Security numbers belonging to 137,000 people, was penetrated by U.S. and overseas-based hackers for at least a year and possibly much longer, Sams said in a phone interview Sunday with CNET News.com.
At least one security expert was astonished that a compromise could go undetected for so long.
"That's unbelievable," said Avivah Litan, security analyst with research firm Gartner. "I have never heard of that much of a delay. Why would it take a year to discover this? It doesn't make any sense."
What's also alarming to Litan is that a year-long compromise could go undetected at a time when universities should be operating on high alert. Over the past year, numerous media reports have chronicled security breaches at such schools as Notre Dame, Purdue and Georgetown universities.
Ohio University only became aware that a problem existed after the FBI discovered someone had remotely taken control of one of the school's servers.
Litan estimates that a third of all data leaks are at universities. She says information bandits are preying on the nation's colleges for three reasons. First, the schools possess Social Security numbers and other information useful in committing identity theft. Secondly, she says universities don't take security serious enough.
"They don't want to spend money on it," Litan said.
Lastly, universities are at a disadvantage because they must keep information free flowing. Part of their mission is to share knowledge. While the Internet has simplified that task, it has also presented greater risks.
At the time of the attacks at Ohio University, the school operated 90 servers, Sams said. And that was just the school's primary computer network; more servers are operated by individual university departments.
"If you're a corporation, you can just lock everything down," Sams said. "We don't have that luxury. The academic side is trying to find a line between maximum flexibility and data security...We need someone somewhere to come up with a set of best practices for schools."
How a server could be left open to intruders is still under investigation. But this much is known: A server supporting the alumni relations department was supposed to be offline, Sams said. The people responsible for shutting it down thought they had done so. The server continued to be connected to the Internet but didn't receive security updates. It was the equivalent of leaving a backdoor open for thieves to walk in and seize what they wanted.
The culprits who broke into the other two servers made off with health records belonging to students treated at the university's health center, as well as Social Security numbers of an additional 60,000 people.
"We had a failure of both policies and procedures," Sams said. Asked why, when so many schools were succumbing to computer attacks, Ohio University wasn't quicker to order a security audit, Sams replied: "Should we have? Yes. Did we? No."
See more CNET content tagged:
university,
social security number,
school,
Social Security,
hacker
Oh please. "Somebody help me, I'm clueless." This guy's making the big money as the CIO, if he can't figure it out or pay someone to figure it out he should be part of the reorg.
Oh please. "Somebody help me, I'm clueless." This guy's making the big money as the CIO, if he can't figure it out or pay someone to figure it out he should be part of the reorg.
Not even one instructor or student was sharp enough to use their training (?) and skills (?) to test the university system for security breaches, nor even for periodic patches and updates to insure that it was secure.
Amazing. Absolutely amazing. Also, stoopid!
rb
During my junior year, a member of the student senate managed to break in to several of the universities computers. His attempts were apparently to demonstrate to the university how weak their defenses were as he informed them about the break in and the information he had access to after he did it.
What was the universities response? Acadamic discipline! Two years later they find out they have been seriously compromised. It's a classic story of people not caring until it happens, on a large scale.
I guess what they should do is hire the student security gurus and have them recommend procedures to secure the network. Every school has atleast 10 geeks who can exploit network at their will ... now all you do is hire one Security Professional to recruit those 'skilled' students.
science, a subset of mathematics. I'm not aware of any university
program that teaches computer or systems adminstration (of
which computer/network security would be a subset of).
Something weird happened in the early 00's. Computer Science
grads could no longer find those swank jobs at developer-
houses fresh out of school for >65K/yr, and started looking
elsewhere. When the market got used to it, employers looking
for, say, a Windows Administrator, instead of requiring such
banal things as certifications, started requiring degrees in
Computer Science... but the pay did not increase... so these
employers were requiring a $20K-100K education for a lowsy
$15/hr job. And the CS grads chomped at the bit. What I think
happens is that most CS grads end up taking their first job at
the university they graduated from, and this may help explain
the security issues... a Computer Science degree, a security
minded systems administrator does not make.... Most, if not all,
of the sys admins I know learned by hands on training and years
of experience under an experienced (toor)mentor.
install updates or patches on the systems --
they are managed by the campus computer services
group. Further, I don't know about this
particular school, but at most universities
independently "testing" the campus network
security would be grounds for dismissal or
expulsion.
The same if frequently true outside academia
too. I work in computational sciences, but out
company systems are managed by a separate IT
department. We haven't administrative authority
on any machines save systems quite specifically
designated as ours (namely, the compute clusters
and instrumentation control systems). We also
find that IT is not generally knowledgable about
the systems and security -- where we might have
specific understanding of the implementation of
a technology, their knowledge is typically
limited to the installation and general
administration of the same technology. As a
result, when something is not right, they
generally tell us to stick it until we develop a
pedantic presentation about the specific issues
at hand (last time I had to do this, I had to
give a lecture on privilege escalation on our
improperly configured filers -- and I'm a
biologist).
Not even one instructor or student was sharp enough to use their training (?) and skills (?) to test the university system for security breaches, nor even for periodic patches and updates to insure that it was secure.
Amazing. Absolutely amazing. Also, stoopid!
rb
During my junior year, a member of the student senate managed to break in to several of the universities computers. His attempts were apparently to demonstrate to the university how weak their defenses were as he informed them about the break in and the information he had access to after he did it.
What was the universities response? Acadamic discipline! Two years later they find out they have been seriously compromised. It's a classic story of people not caring until it happens, on a large scale.
I guess what they should do is hire the student security gurus and have them recommend procedures to secure the network. Every school has atleast 10 geeks who can exploit network at their will ... now all you do is hire one Security Professional to recruit those 'skilled' students.
science, a subset of mathematics. I'm not aware of any university
program that teaches computer or systems adminstration (of
which computer/network security would be a subset of).
Something weird happened in the early 00's. Computer Science
grads could no longer find those swank jobs at developer-
houses fresh out of school for >65K/yr, and started looking
elsewhere. When the market got used to it, employers looking
for, say, a Windows Administrator, instead of requiring such
banal things as certifications, started requiring degrees in
Computer Science... but the pay did not increase... so these
employers were requiring a $20K-100K education for a lowsy
$15/hr job. And the CS grads chomped at the bit. What I think
happens is that most CS grads end up taking their first job at
the university they graduated from, and this may help explain
the security issues... a Computer Science degree, a security
minded systems administrator does not make.... Most, if not all,
of the sys admins I know learned by hands on training and years
of experience under an experienced (toor)mentor.
install updates or patches on the systems --
they are managed by the campus computer services
group. Further, I don't know about this
particular school, but at most universities
independently "testing" the campus network
security would be grounds for dismissal or
expulsion.
The same if frequently true outside academia
too. I work in computational sciences, but out
company systems are managed by a separate IT
department. We haven't administrative authority
on any machines save systems quite specifically
designated as ours (namely, the compute clusters
and instrumentation control systems). We also
find that IT is not generally knowledgable about
the systems and security -- where we might have
specific understanding of the implementation of
a technology, their knowledge is typically
limited to the installation and general
administration of the same technology. As a
result, when something is not right, they
generally tell us to stick it until we develop a
pedantic presentation about the specific issues
at hand (last time I had to do this, I had to
give a lecture on privilege escalation on our
improperly configured filers -- and I'm a
biologist).
The IT director should be fired the servers consolidated, uniform security policies established and students AND faculty given the option to embrace secure computing or find another place to study/work! The longer we tolerate mediocrity on our college campuses, the farther/faster we will fall behind the rest of the world.
The IT director should be fired the servers consolidated, uniform security policies established and students AND faculty given the option to embrace secure computing or find another place to study/work! The longer we tolerate mediocrity on our college campuses, the farther/faster we will fall behind the rest of the world.
Every machine I had to connect to for ANY personal details for my job there was Unix. Specifically, Solaris!
Granted these assumptions are based off observations from four years ago. But again, universities are very political in even the most trivial decisions. This tends to slow down any process to improve what isn't a marketing tools.
Examples:
>A computer in every FRESHMEN dorm room first, then to upperclassmen...implemented!
>Wireless campus...implemented!
>A CSO role reporting to either the CIO, the provost, or the president.....hmmm
Every machine I had to connect to for ANY personal details for my job there was Unix. Specifically, Solaris!
Granted these assumptions are based off observations from four years ago. But again, universities are very political in even the most trivial decisions. This tends to slow down any process to improve what isn't a marketing tools.
Examples:
>A computer in every FRESHMEN dorm room first, then to upperclassmen...implemented!
>Wireless campus...implemented!
>A CSO role reporting to either the CIO, the provost, or the president.....hmmm
Who wants this server job on campus?
Educational budgets are shrinking. I guarantee you that most IT positions on a campus pay 20% less than in a business environment. For high-end server managers the gap is even higher.
Also, campus environments are VERY political and often hard to work in. You have to jump through hoops that don't always make "business" sense and often run against it.
Finally, education demands a TON from their IT people without wanting to pay a lot- for staffing in particular. There's always a zillion projects waiting to be done and everyone wants something.
So when you demand that education steps up maybe you should be demanding that they also get better funding. Once that happens then you can look into demanding that they in turn spend more on their IT security. One won't happen without the other, though.
Who wants this server job on campus?
Educational budgets are shrinking. I guarantee you that most IT positions on a campus pay 20% less than in a business environment. For high-end server managers the gap is even higher.
Also, campus environments are VERY political and often hard to work in. You have to jump through hoops that don't always make "business" sense and often run against it.
Finally, education demands a TON from their IT people without wanting to pay a lot- for staffing in particular. There's always a zillion projects waiting to be done and everyone wants something.
So when you demand that education steps up maybe you should be demanding that they also get better funding. Once that happens then you can look into demanding that they in turn spend more on their IT security. One won't happen without the other, though.
1. The pay is far lower than available in the private sector.
2. One needn't be particularly skilled/intelligent/industrious to retain one's job, especially true for those in management.
3. One can preach security until one is blue in the face without being able to make a difference.
4. Servers get compromised frequently, and lessons seem to take repeated exposure to be learned (if ever they are.)
5. It seems that only security issues dealing with usability of the campus network get much attention. Nimda ran wild through the network for over a month, but it was only within the last couple of years that significant inroads were made in containing malware, as the network edged ever nearer to a "notwork" due to the volume of malicious traffic.
6. Compromise of personal information is underreported, possibly to the degree of illegality. I know personally of a server that contained credit card and SSN data that was compromised, without notification being given.
7. The way things SHOULD be done and the way things ARE done are more different than similar.
8. Priorities are politically motivated, and usually bass ackwards.
That's not all, but isn't that too much already?
(Personal inertia is why I'm still here, that and other personal issues unrelated to skill and/or intelligence.)
1. The pay is far lower than available in the private sector.
2. One needn't be particularly skilled/intelligent/industrious to retain one's job, especially true for those in management.
3. One can preach security until one is blue in the face without being able to make a difference.
4. Servers get compromised frequently, and lessons seem to take repeated exposure to be learned (if ever they are.)
5. It seems that only security issues dealing with usability of the campus network get much attention. Nimda ran wild through the network for over a month, but it was only within the last couple of years that significant inroads were made in containing malware, as the network edged ever nearer to a "notwork" due to the volume of malicious traffic.
6. Compromise of personal information is underreported, possibly to the degree of illegality. I know personally of a server that contained credit card and SSN data that was compromised, without notification being given.
7. The way things SHOULD be done and the way things ARE done are more different than similar.
8. Priorities are politically motivated, and usually bass ackwards.
That's not all, but isn't that too much already?
(Personal inertia is why I'm still here, that and other personal issues unrelated to skill and/or intelligence.)
"Lastly, universities are at a disadvantage because they must keep information free flowing. Part of their mission is to share knowledge. While the Internet has simplified that task, it has also presented greater risks."
This comment by the CIO is out of touch and out of date. Yes information needs to be ?free flowing? but what type and category of information. As for not wanting to spend money on the problem ? from the article it does not appear that money was an issue (although I am sure it is) as the CIO her self says that they thought the problem was fixed! But they did not follow up.
And then we have the YEAR it took to find the compromise and than by the FBI! There is something terrible wrong here. When your own security department can not follow up, monitor the universities systems, and then blame it on the requirement of ?free flowing? information ? well at least it was free flowing for a year.
One has to wonder why the Professors and students in their IT program it not see anything! Could this be the case for ?No Child Left Behind? :-)
" The academic side is trying to find a line between maximum flexibility and data security...We need someone somewhere to come up with a set of best practices for schools."
Again the CIO is not in touch with here colleges. Has she ever heard of EDUCAUSE (http://www.educause.edu). All they do is address University and high educational institution?s IT and information security needs and requirements.
Have a great Day...
- One Year and No One Had a Clue
-
by RoyalWulff
May 23, 2006 6:53 AM PDT
- "They don't want to spend money on it," Litan said."
-
Reply to this comment
-
See all 62 Comments >>"Lastly, universities are at a disadvantage because they must keep information free flowing. Part of their mission is to share knowledge. While the Internet has simplified that task, it has also presented greater risks."
This comment by the CIO is out of touch and out of date. Yes information needs to be ?free flowing? but what type and category of information. As for not wanting to spend money on the problem ? from the article it does not appear that money was an issue (although I am sure it is) as the CIO her self says that they thought the problem was fixed! But they did not follow up.
And then we have the YEAR it took to find the compromise and than by the FBI! There is something terrible wrong here. When your own security department can not follow up, monitor the universities systems, and then blame it on the requirement of ?free flowing? information ? well at least it was free flowing for a year.
One has to wonder why the Professors and students in their IT program it not see anything! Could this be the case for ?No Child Left Behind? :-)
" The academic side is trying to find a line between maximum flexibility and data security...We need someone somewhere to come up with a set of best practices for schools."
Again the CIO is not in touch with here colleges. Has she ever heard of EDUCAUSE (http://www.educause.edu). All they do is address University and high educational institution?s IT and information security needs and requirements.
Have a great Day...