January 23, 2006 6:40 PM PST

Notre Dame probes hack of computer system

Two computer-forensic companies are helping the University of Notre Dame investigate an electronic break-in that may have exposed the personal and financial information of school donors.

The hackers may have made off with Social Security numbers, credit card information and check images, Hilary Crnkovich, Notre Dame's vice president of public affairs, told CNET News.com. She declined to disclose how many donors may be at risk.

"The (computer) server that was potentially affected was taken offline immediately," Crnkovich said. "The university continues to explore safeguards and precautions to ensure something like this doesn't happen in the future."

Computer theft of sensitive information continues to plague universities around the country. Last July, a hacker breached a server at the University of Connecticut that stored the personal information of 72,000 students, faculty and staff. In May, Stanford University said that its computer security was breached, putting the personal information of nearly 10,000 people at risk.

The student-operated newspaper at Notre Dame, The Observer, quoted donor Mike Coffee wondering why a server storing sensitive information was connected to the Web.

"It seems to be a very shoddy setup for protection of personal information," said Coffee, identified by The Observer as a 1991 Notre Dame alumnus and a longtime IT professional.

Crnkovich said that any donor whose checks were received by the school between Nov. 22, 2005, and Jan. 12, 2006, may be at risk. The school said it has notified all the donors at risk.

7 comments

My word
This is one reason why you legally do not have to give schools your social security number and if you pay with electronic money your Credit Card or Check numbers can be easily taken.
Posted by feedbackuser5 (25 comments )
A server containing important information connected..
..to the WEB. God forbid such an offense. FYI. There are
thousands of computers running on the web everyday that
house some of the most important information in the world!

I don't give a crap what network official would like to tell me that
any computer on any network that is remotely connected to the
web, is in one sense or the other, at risk of a hacker attack.

Once a piece of networking hardware has been infiltrated and
changed, the possibilities of any computer on a network being
hit is great.

Take for example my very own Microsoft Wireless Access Point.
Billy gives me no way of turning off UPnP. This alone allows
developers to create code to manipulate this feature remotely
without me knowing AT ALL.

Don't believe me? I got screenshots and I write about it on
TechViewsToday.US. I tracked the foul play to the back end of
the KAZAA developers site that showed me the code to a
program that ultimately is able to change my wireless router
without my knowledge using UPnP.

Here is the URL to the code that Remotely Controls UPnP:
https://www.limewire.org/fisheye/viewrep/~raw,r=1.15/limecvs/core/com/limegroup/gnutella/UPnPManager.java

Here's a piece of the code:
package com.limegroup.gnutella;


import java.net.InetAddress;
import java.net.Inet4Address;
import java.net.UnknownHostException;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Enumeration;
import java.util.Random;
import java.util.Set;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cybergarage.upnp.Action;
import org.cybergarage.upnp.Argument;
import org.cybergarage.upnp.ControlPoint;
import org.cybergarage.upnp.Device;
import org.cybergarage.upnp.DeviceList;
import org.cybergarage.upnp.Service;
import org.cybergarage.upnp.device.DeviceChangeListener;

import com.limegroup.gnutella.settings.ApplicationSettings;
import com.limegroup.gnutella.settings.ConnectionSettings;
import com.limegroup.gnutella.util.ManagedThread;
import com.limegroup.gnutella.util.NetworkUtils;


/**
 * Manages the mapping of ports to limewire on UPnP-enabled routers.
 *
 * According to the UPnP Standards, Internet Gateway Devices must have a
 * specific hierarchy. The parts of that hierarchy that we care about are:
 *
 * Device: urn:schemas-upnp-org:device:InternetGatewayDevice:1
 * SubDevice: urn:schemas-upnp-org:device:WANDevice:1
 * SubDevice: urn:schemas-upnp-org:device:WANConnectionDevice:1
 * Service: urn:schemas-upnp-org:service:WANIPCon

And here are the screenshots that provoked the tracking down
of the code that changed my network.

http://matrixstructures.com/images/UPnPCode.jpg

As it turns out the person I'm receiving my internet from
(Legally) has a daughter with KAZAA on her laptop.

Funny thing -- he also has another computer that he used to
run KAZAA on back in the day. Mind you that we can't monitor
his daughter and he swears that he hasn't used KAZAA in
"Forever".

"Cool"
"I can't control that aspect of the network but I can control
mine!"

I can control my network through means of MAC address control
as well as IP address control. Then there is certificate
management as well as many different ways of user
authentication. But one thing is evident.

Theoretically you should never have to dial into your hardware
once it is set up and configured properly. The only reason that
you should be messing with your hardware is to ensure a secure
device by either upgrading the hardware's BIOS or enabling a
secure feature provided by the hardware manufacturer.

Unfortunately to my knowledge there is no "Consumer Level"
networking device that has the capability of notifying the owner
of any changes made to the hardware that weren't made by the
owning user.

Essentially, if this software was available for my Microsoft
Wireless Base Station, I would have been notified when the
ROGUE code changed my wireless router leaving open ports that
I didn't create.

As a matter of fact -- here is the URL to the screenshot of my
Microsoft Wireless Router.
http://matrixstructures.com/images/UPnPCode.jpg

Remember:
"Just because I can't see a computer on the network, it doesn't
necessarily mean it's not there."

The point: Any computer connected to the internet in any way,
shape, or form is subject to Spyware, Hackers, and Viruses.

~Justin
www.TechViewsToday.US
Posted by OneWithTech (196 comments )
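
The change notification the comment above says consumer routers lack can be approximated from a host on the LAN. The sketch below is an added example, not part of the original thread or of LimeWire's code: it parses WANIPConnection GetGenericPortMappingEntry responses and reports every enabled mapping that is absent from an owner-maintained baseline. The SOAP bodies, addresses, ports and baseline are constructed for illustration, and fetching the responses from a real gateway is left out.

```python
import xml.etree.ElementTree as ET

FIELDS = ("NewProtocol", "NewExternalPort", "NewInternalClient",
          "NewInternalPort", "NewEnabled", "NewPortMappingDescription")

def _sample(proto, ext, client, port, desc):
    """Build a constructed GetGenericPortMappingEntry response (not captured traffic)."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f'<NewRemoteHost/><NewExternalPort>{ext}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

SAMPLE_RESPONSES = [
    _sample("TCP", 443, "192.168.1.10", 443, "home server"),
    _sample("TCP", 6346, "192.168.1.57", 6346, "p2p client"),
    _sample("UDP", 6346, "192.168.1.57", 6346, "p2p client"),
]
# Mappings the owner created on purpose: (protocol, external port, client, internal port).
BASELINE = {("TCP", 443, "192.168.1.10", 443)}

def parse_mapping(soap_xml):
    """Return the mapping fields of one response as a dict, ignoring XML namespaces."""
    if "<!DOCTYPE" in soap_xml or "<!ENTITY" in soap_xml:
        raise ValueError("DTD in SOAP response")  # never needed here; refuse entity tricks
    found = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]           # strip the "{namespace}" prefix if present
        if tag in FIELDS:
            found[tag] = (el.text or "").strip()
    missing = [f for f in FIELDS if f not in found]
    if missing:
        raise ValueError(f"response lacks {missing}")
    return found

def unexpected_mappings(responses, baseline):
    """List enabled mappings that are not in the owner's baseline."""
    alerts = []
    for soap_xml in responses:
        m = parse_mapping(soap_xml)
        key = (m["NewProtocol"].upper(), int(m["NewExternalPort"]),
               m["NewInternalClient"], int(m["NewInternalPort"]))
        if m["NewEnabled"] == "1" and key not in baseline:
            alerts.append(key)
    return alerts
```

Run on a schedule against the gateway's current mapping table, a non-empty result is the alert the commenter wanted: a forwarded port that nobody on the network configured by hand.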
It Gets Back To Data Encryption
Commercial database software vendors were offering field level data encryption over 20 years ago. Note to Notre Dame officials: Start doing your homework and don't ask for any more contributions until you pass this exam.

http://www.net-security.org/article.php?id=71
"A Database Encryption Solution That Is Protecting Against External And Internal Threats, And Meeting Regulatory Requirements
by Ulf Mattsson - CTO of Protegrity - Wednesday, 28 July 2004.

Security is becoming one of the most urgent challenges in database research and industry, and there has also been increasing interest in the problem of building accurate data mining models over aggregate data, while protecting privacy at the level of individual records. Instead of building walls around servers or hard drives, a protective layer of encryption is provided around specific sensitive data-items or objects. This prevents outside attacks as well as infiltration from within the server itself... This paper presents a practical implementation of field level encryption in enterprise database systems, based on research and practical experience from many years of commercial use of cryptography in database security. We present how this column-level database encryption is the only solution that is capable of protecting against external and internal threats, and at the same time meeting all regulatory requirements."
Posted by Stating (869 comments )
May work, but not being used...
"We present how this column-level database encryption is the only solution that is capable of protecting against external and internal threats, and at the same time meeting all regulatory requirements."

You may have noticed the latest paper by Larry Ponemon (the Privacy Institute) that stated that encryption was a good technology used by very few.

Trustifier technology also provides trusted multilevel security protection and compliance, and many other additional benefits that encryption does not.
Posted by R_U_ Trustified (1 comment )
Common Sense
The use of common sense would have helped out here. For example, why would you put a server with sensitive information out in the open? That server should have been kept behind the firewall with very little or no Internet access at all.
Posted by Michael00360 (58 comments )
Federal Data Security Laws Ignored
Academic institutions also fall under the FTC Safeguard Rules (effective 5/23/03) that require specific policies, procedures, risk assessments and mitigation to prevent or deter the theft or misappropriation of sensitive information. Financial Aid offices are considered financial institutions by the FTC because they provide financial services to students (loans) which means their personal information is on file, along with donors and others.

Now the question of the day is...WHY has there been no acknowledgement or publicity about this information safeguard rule and why are there so few cases of enforcement?

Since we can't rely on the government to protect us from identity thieves we have to do it ourselves...www.safeguardprogram.com is one way to learn how.
Posted by ceebee513 (11 comments )