Comments on: University server in hackers' hands for a year

Intruders go undetected in total on three servers containing student data at Ohio University.

[booboo1243]

Those who can't ... end up at universities

"we need someone somewhere to come up with a set of best practices for schools."

Oh please. "Somebody help me, I'm clueless." This guy's making the big money as the CIO, if he can't figure it out or pay someone to figure it out he should be part of the reorg.

[MrNougat]

Open Source

Agreed. "Best Practices" are open source. If you're not satisfied with the features of existing "best practices," then make your own.

[booboo1243]

Those who can't ... end up at universities

"we need someone somewhere to come up with a set of best practices for schools."

Oh please. "Somebody help me, I'm clueless." This guy's making the big money as the CIO, if he can't figure it out or pay someone to figure it out he should be part of the reorg.

[MrNougat]

Open Source

Agreed. "Best Practices" are open source. If you're not satisfied with the features of existing "best practices," then make your own.

[rpbell]

Here's the funny part...

...just think: Fully 100% of the recent graduates of Ohio University's computer sciences program have been taught by instructors who apparently know no one whit about security.

Not even one instructor or student was sharp enough to use their training (?) and skills (?) to test the university system for security breaches, nor even for periodic patches and updates to insure that it was secure.

Amazing. Absolutely amazing. Also, stoopid!

rb

[maxwis]

Maybe They Did

Maybe some of the students DID test the servers and found the holes. They just didn't tell the school.

[dland51]

Funny part?

Why would any of those instructors or students have valid reason to test the university system for security breaches, let alone do patches and updates? That would be a real nightmare and is most likely forbidden in their respective university handbooks!

[mpettyjohn]

You'd be surprised...

As a recent graduate of Ohio University this security breach is quite distressing.

During my junior year, a member of the student senate managed to break in to several of the universities computers. His attempts were apparently to demonstrate to the university how weak their defenses were as he informed them about the break in and the information he had access to after he did it.

What was the universities response? Acadamic discipline! Two years later they find out they have been seriously compromised. It's a classic story of people not caring until it happens, on a large scale.

[jay_ai]

even funnier/sad part

An even funnier/sad part is that hundreds of schools that are reading this story won't do much about it. Some won't have the talent to pentest their own network, while some will just be lazy to do anything. I don't know if their budgets allow them to hire external pentesters,, but without getting those security experts to come and pentest their network, i don't think they can secure their environment. As a network admin or operations, you have countless pending tasks already ... hence the motivation to do extra without getting anything extra is close to nil.

I guess what they should do is hire the student security gurus and have them recommend procedures to secure the network. Every school has atleast 10 geeks who can exploit network at their will ... now all you do is hire one Security Professional to recruit those 'skilled' students.

[catmistake]

CS ~= systems administration

A computer science program is supposed to teach computer
science, a subset of mathematics. I'm not aware of any university
program that teaches computer or systems adminstration (of
which computer/network security would be a subset of).

Something weird happened in the early 00's. Computer Science
grads could no longer find those swank jobs at developer-
houses fresh out of school for >65K/yr, and started looking
elsewhere. When the market got used to it, employers looking
for, say, a Windows Administrator, instead of requiring such
banal things as certifications, started requiring degrees in
Computer Science... but the pay did not increase... so these
employers were requiring a $20K-100K education for a lowsy
$15/hr job. And the CS grads chomped at the bit. What I think
happens is that most CS grads end up taking their first job at
the university they graduated from, and this may help explain
the security issues... a Computer Science degree, a security
minded systems administrator does not make.... Most, if not all,
of the sys admins I know learned by hands on training and years
of experience under an experienced (toor)mentor.

[Zymurgist]

Let's not be silly.

Neither student nor faculty has authority to
install updates or patches on the systems --
they are managed by the campus computer services
group. Further, I don't know about this
particular school, but at most universities
independently "testing" the campus network
security would be grounds for dismissal or
expulsion.

The same if frequently true outside academia
too. I work in computational sciences, but out
company systems are managed by a separate IT
department. We haven't administrative authority
on any machines save systems quite specifically
designated as ours (namely, the compute clusters
and instrumentation control systems). We also
find that IT is not generally knowledgable about
the systems and security -- where we might have
specific understanding of the implementation of
a technology, their knowledge is typically
limited to the installation and general
administration of the same technology. As a
result, when something is not right, they
generally tell us to stick it until we develop a
pedantic presentation about the specific issues
at hand (last time I had to do this, I had to
give a lecture on privilege escalation on our
improperly configured filers -- and I'm a
biologist).

[rpbell]

Here's the funny part...

...just think: Fully 100% of the recent graduates of Ohio University's computer sciences program have been taught by instructors who apparently know no one whit about security.

Not even one instructor or student was sharp enough to use their training (?) and skills (?) to test the university system for security breaches, nor even for periodic patches and updates to insure that it was secure.

Amazing. Absolutely amazing. Also, stoopid!

rb

[maxwis]

Maybe They Did

Maybe some of the students DID test the servers and found the holes. They just didn't tell the school.

[dland51]

Funny part?

Why would any of those instructors or students have valid reason to test the university system for security breaches, let alone do patches and updates? That would be a real nightmare and is most likely forbidden in their respective university handbooks!

[mpettyjohn]

You'd be surprised...

As a recent graduate of Ohio University this security breach is quite distressing.

During my junior year, a member of the student senate managed to break in to several of the universities computers. His attempts were apparently to demonstrate to the university how weak their defenses were as he informed them about the break in and the information he had access to after he did it.

What was the universities response? Acadamic discipline! Two years later they find out they have been seriously compromised. It's a classic story of people not caring until it happens, on a large scale.

[jay_ai]

even funnier/sad part

An even funnier/sad part is that hundreds of schools that are reading this story won't do much about it. Some won't have the talent to pentest their own network, while some will just be lazy to do anything. I don't know if their budgets allow them to hire external pentesters,, but without getting those security experts to come and pentest their network, i don't think they can secure their environment. As a network admin or operations, you have countless pending tasks already ... hence the motivation to do extra without getting anything extra is close to nil.

I guess what they should do is hire the student security gurus and have them recommend procedures to secure the network. Every school has atleast 10 geeks who can exploit network at their will ... now all you do is hire one Security Professional to recruit those 'skilled' students.

[catmistake]

CS ~= systems administration

A computer science program is supposed to teach computer
science, a subset of mathematics. I'm not aware of any university
program that teaches computer or systems adminstration (of
which computer/network security would be a subset of).

Something weird happened in the early 00's. Computer Science
grads could no longer find those swank jobs at developer-
houses fresh out of school for >65K/yr, and started looking
elsewhere. When the market got used to it, employers looking
for, say, a Windows Administrator, instead of requiring such
banal things as certifications, started requiring degrees in
Computer Science... but the pay did not increase... so these
employers were requiring a $20K-100K education for a lowsy
$15/hr job. And the CS grads chomped at the bit. What I think
happens is that most CS grads end up taking their first job at
the university they graduated from, and this may help explain
the security issues... a Computer Science degree, a security
minded systems administrator does not make.... Most, if not all,
of the sys admins I know learned by hands on training and years
of experience under an experienced (toor)mentor.

[Zymurgist]

Let's not be silly.

Neither student nor faculty has authority to
install updates or patches on the systems --
they are managed by the campus computer services
group. Further, I don't know about this
particular school, but at most universities
independently "testing" the campus network
security would be grounds for dismissal or
expulsion.

The same if frequently true outside academia
too. I work in computational sciences, but out
company systems are managed by a separate IT
department. We haven't administrative authority
on any machines save systems quite specifically
designated as ours (namely, the compute clusters
and instrumentation control systems). We also
find that IT is not generally knowledgable about
the systems and security -- where we might have
specific understanding of the implementation of
a technology, their knowledge is typically
limited to the installation and general
administration of the same technology. As a
result, when something is not right, they
generally tell us to stick it until we develop a
pedantic presentation about the specific issues
at hand (last time I had to do this, I had to
give a lecture on privilege escalation on our
improperly configured filers -- and I'm a
biologist).

[maxwis]

Imagine What It's Like At Community Colleges

If major educational institutions are compromised, imagine what it's like at the community college level. If you went to one of those schools, I'd start applying for an identity change.

[Pushrod]

Community Colleges not that bad

I don't think Community Colleges is as bad as those big time Colleges simply because $$ and they aren't that well known.

[maxwis]

Imagine What It's Like At Community Colleges

If major educational institutions are compromised, imagine what it's like at the community college level. If you went to one of those schools, I'd start applying for an identity change.

[Pushrod]

Community Colleges not that bad

I don't think Community Colleges is as bad as those big time Colleges simply because $$ and they aren't that well known.

[inachu]

This is real nice!

I bt the information is now in information brokers servers and will sell to any company to let them know that Janet has aids or maybe something minor. Any company using this information should be shot dead.

[inachu]

This is real nice!

I bt the information is now in information brokers servers and will sell to any company to let them know that Janet has aids or maybe something minor. Any company using this information should be shot dead.

[westrajc]

Security is NOT "Academic"

This is yet another example of the failure of the liberal PC (pun intended) world of Academia! But don't colleges like this all run Linux and Open Source software because they are immune to hackers!?

The IT director should be fired the servers consolidated, uniform security policies established and students AND faculty given the option to embrace secure computing or find another place to study/work! The longer we tolerate mediocrity on our college campuses, the farther/faster we will fall behind the rest of the world.

[wnurse]

i wish the academic world was all liberal

Then there would be no smart conservatives (cause all academics would be liberal). Injecting politics in a tech discussion.. hmmm.. very risky (espicially when you sound stupid also). Westrajc, i'd keep the politics to a political forum.

[dland51]

Why do you assume...

What does the education of students have to do with the business side of the University? The faculty and students do not provide the security or IT services for the Univeristy. They might be employed in some capacity, but they are not going to be responsible. I don't think I have ever heard anyone at anytime same Linux and Open Source software were immune to hackers! They are generally more secure by their very nature, because any vulnerabilites can be found and fixed because they are open to everyone for examiniation! No matter how many patches, or security updates are provided if they aren't installed they do no good! When you have a server sitting on the network that everyone thinks is shut down, the problem isn't software or security updates, the problem is someone not doing their job! I would call that personal responsibility which is something that should be taught at home, not at some University! If you ain't got it when you leave home, you ain't ever gonna get it!! What does politics have to do with anything on this issue? I couldn't find any relevance for that at all!

[westrajc]

Security is NOT "Academic"

This is yet another example of the failure of the liberal PC (pun intended) world of Academia! But don't colleges like this all run Linux and Open Source software because they are immune to hackers!?

The IT director should be fired the servers consolidated, uniform security policies established and students AND faculty given the option to embrace secure computing or find another place to study/work! The longer we tolerate mediocrity on our college campuses, the farther/faster we will fall behind the rest of the world.

[wnurse]

i wish the academic world was all liberal

Then there would be no smart conservatives (cause all academics would be liberal). Injecting politics in a tech discussion.. hmmm.. very risky (espicially when you sound stupid also). Westrajc, i'd keep the politics to a political forum.

[dland51]

Why do you assume...

What does the education of students have to do with the business side of the University? The faculty and students do not provide the security or IT services for the Univeristy. They might be employed in some capacity, but they are not going to be responsible. I don't think I have ever heard anyone at anytime same Linux and Open Source software were immune to hackers! They are generally more secure by their very nature, because any vulnerabilites can be found and fixed because they are open to everyone for examiniation! No matter how many patches, or security updates are provided if they aren't installed they do no good! When you have a server sitting on the network that everyone thinks is shut down, the problem isn't software or security updates, the problem is someone not doing their job! I would call that personal responsibility which is something that should be taught at home, not at some University! If you ain't got it when you leave home, you ain't ever gonna get it!! What does politics have to do with anything on this issue? I couldn't find any relevance for that at all!

[dland51]

Why the connection

Something I do not understand is why the free flow of information should have anything to do with a server system that stores student, or private data! Those systems should not need, to be interconnected! Why would you want internet access available, to that type of data?

[dland51]

Why the connection

Something I do not understand is why the free flow of information should have anything to do with a server system that stores student, or private data! Those systems should not need, to be interconnected! Why would you want internet access available, to that type of data?

[baswwe]

It was a WINDOWS machine that was compromised - What'd ya expect!

Holes are all over MS Window products.

[gggg sssss]

WTF

Not sure where I read THAT in the article - or do you have inside knowledge?

[OUITAlum]

Actually, it was most likely Solaris

Given that most of the Windows machines are end user workstations and less than 20% of campus servers are Windows (typically department domain controllers), I'm thinking this one would be a Unix box (typically Solaris).

Every machine I had to connect to for ANY personal details for my job there was Unix. Specifically, Solaris!

Granted these assumptions are based off observations from four years ago. But again, universities are very political in even the most trivial decisions. This tends to slow down any process to improve what isn't a marketing tools.

Examples:
>A computer in every FRESHMEN dorm room first, then to upperclassmen...implemented!
>Wireless campus...implemented!
>A CSO role reporting to either the CIO, the provost, or the president.....hmmm

[baswwe]

It was a WINDOWS machine that was compromised - What'd ya expect!

Holes are all over MS Window products.

[gggg sssss]

WTF

Not sure where I read THAT in the article - or do you have inside knowledge?

[OUITAlum]

Actually, it was most likely Solaris

Given that most of the Windows machines are end user workstations and less than 20% of campus servers are Windows (typically department domain controllers), I'm thinking this one would be a Unix box (typically Solaris).

Every machine I had to connect to for ANY personal details for my job there was Unix. Specifically, Solaris!

Granted these assumptions are based off observations from four years ago. But again, universities are very political in even the most trivial decisions. This tends to slow down any process to improve what isn't a marketing tools.

Examples:
>A computer in every FRESHMEN dorm room first, then to upperclassmen...implemented!
>Wireless campus...implemented!
>A CSO role reporting to either the CIO, the provost, or the president.....hmmm

[Fireweaver]

It's all about money

It's all about money, of course. But isn't everything?

Who wants this server job on campus?

Educational budgets are shrinking. I guarantee you that most IT positions on a campus pay 20% less than in a business environment. For high-end server managers the gap is even higher.

Also, campus environments are VERY political and often hard to work in. You have to jump through hoops that don't always make "business" sense and often run against it.

Finally, education demands a TON from their IT people without wanting to pay a lot- for staffing in particular. There's always a zillion projects waiting to be done and everyone wants something.

So when you demand that education steps up maybe you should be demanding that they also get better funding. Once that happens then you can look into demanding that they in turn spend more on their IT security. One won't happen without the other, though.

[Fireweaver]

It's all about money

It's all about money, of course. But isn't everything?

Who wants this server job on campus?

Educational budgets are shrinking. I guarantee you that most IT positions on a campus pay 20% less than in a business environment. For high-end server managers the gap is even higher.

Also, campus environments are VERY political and often hard to work in. You have to jump through hoops that don't always make "business" sense and often run against it.

Finally, education demands a TON from their IT people without wanting to pay a lot- for staffing in particular. There's always a zillion projects waiting to be done and everyone wants something.

So when you demand that education steps up maybe you should be demanding that they also get better funding. Once that happens then you can look into demanding that they in turn spend more on their IT security. One won't happen without the other, though.

[DivI_UnivIT_Employee]

View from the inside

I work in IT at a Division I university, and here's what I see:
1. The pay is far lower than available in the private sector.
2. One needn't be particularly skilled/intelligent/industrious to retain one's job, especially true for those in management.
3. One can preach security until one is blue in the face without being able to make a difference.
4. Servers get compromised frequently, and lessons seem to take repeated exposure to be learned (if ever they are.)
5. It seems that only security issues dealing with usability of the campus network get much attention. Nimda ran wild through the network for over a month, but it was only within the last couple of years that significant inroads were made in containing malware, as the network edged ever nearer to a "notwork" due to the volume of malicious traffic.
6. Compromise of personal information is underreported, possibly to the degree of illegality. I know personally of a server that contained credit card and SSN data that was compromised, without notification being given.
7. The way things SHOULD be done and the way things ARE done are more different than similar.
8. Priorities are politically motivated, and usually bass ackwards.

That's not all, but isn't that too much already?

(Personal inertia is why I'm still here, that and other personal issues unrelated to skill and/or intelligence.)

[DivI_UnivIT_Employee]

View from the inside

I work in IT at a Division I university, and here's what I see:
1. The pay is far lower than available in the private sector.
2. One needn't be particularly skilled/intelligent/industrious to retain one's job, especially true for those in management.
3. One can preach security until one is blue in the face without being able to make a difference.
4. Servers get compromised frequently, and lessons seem to take repeated exposure to be learned (if ever they are.)
5. It seems that only security issues dealing with usability of the campus network get much attention. Nimda ran wild through the network for over a month, but it was only within the last couple of years that significant inroads were made in containing malware, as the network edged ever nearer to a "notwork" due to the volume of malicious traffic.
6. Compromise of personal information is underreported, possibly to the degree of illegality. I know personally of a server that contained credit card and SSN data that was compromised, without notification being given.
7. The way things SHOULD be done and the way things ARE done are more different than similar.
8. Priorities are politically motivated, and usually bass ackwards.

That's not all, but isn't that too much already?

(Personal inertia is why I'm still here, that and other personal issues unrelated to skill and/or intelligence.)

[RoyalWulff]

One Year and No One Had a Clue

"They don't want to spend money on it," Litan said."

"Lastly, universities are at a disadvantage because they must keep information free flowing. Part of their mission is to share knowledge. While the Internet has simplified that task, it has also presented greater risks."

This comment by the CIO is out of touch and out of date. Yes information needs to be ?free flowing? but what type and category of information. As for not wanting to spend money on the problem ? from the article it does not appear that money was an issue (although I am sure it is) as the CIO her self says that they thought the problem was fixed! But they did not follow up.
And then we have the YEAR it took to find the compromise and than by the FBI! There is something terrible wrong here. When your own security department can not follow up, monitor the universities systems, and then blame it on the requirement of ?free flowing? information ? well at least it was free flowing for a year.

One has to wonder why the Professors and students in their IT program it not see anything! Could this be the case for ?No Child Left Behind? :-)

" The academic side is trying to find a line between maximum flexibility and data security...We need someone somewhere to come up with a set of best practices for schools."

Again the CIO is not in touch with here colleges. Has she ever heard of EDUCAUSE (http://www.educause.edu). All they do is address University and high educational institution?s IT and information security needs and requirements.

Have a great Day...

[RoyalWulff]

One Year and No One Had a Clue

"They don't want to spend money on it," Litan said."

"Lastly, universities are at a disadvantage because they must keep information free flowing. Part of their mission is to share knowledge. While the Internet has simplified that task, it has also presented greater risks."

This comment by the CIO is out of touch and out of date. Yes information needs to be ?free flowing? but what type and category of information. As for not wanting to spend money on the problem ? from the article it does not appear that money was an issue (although I am sure it is) as the CIO her self says that they thought the problem was fixed! But they did not follow up.
And then we have the YEAR it took to find the compromise and than by the FBI! There is something terrible wrong here. When your own security department can not follow up, monitor the universities systems, and then blame it on the requirement of ?free flowing? information ? well at least it was free flowing for a year.

One has to wonder why the Professors and students in their IT program it not see anything! Could this be the case for ?No Child Left Behind? :-)

" The academic side is trying to find a line between maximum flexibility and data security...We need someone somewhere to come up with a set of best practices for schools."

Again the CIO is not in touch with here colleges. Has she ever heard of EDUCAUSE (http://www.educause.edu). All they do is address University and high educational institution?s IT and information security needs and requirements.

Have a great Day...