Version: 2008

Comments on: University server in hackers' hands for a year

Intruders go undetected in total on three servers containing student data at Ohio University.

Showing 2 of 2 pages (62 Comments)
I'm a current OU student
by ouguy318 May 23, 2006 9:16 AM PDT
It's been my personal experience that CNS (Computer Network Services) is little more than a glorified tech support line for the idiot students who don't know how to clean their computers of the latest malware they downloaded while watching their pr0n. They also mass-flood pretty much the entire network on ports 135-137, and I asked them why they do this, and they said that they're just checking to make sure those ports are closed, because they're common ports for viruses.

Regarding why health records were on the server, I don't know why they were in the physical space they were at. A more logical place to keep the server would be at the Student Health Center itself... at the Health Center, because they are on lock-down network-wise, they have to now tell students to take one slip of paperwork a whopping 8 feet across the room (instead of entering the data on the computer and submitting it through some sort of database... I've only gotten glimpses of the software they use to fill out the form, but it's running on Windows 98, I do know that)
Exactly!
by sunergeos May 23, 2006 10:02 AM PDT
That was what I was thinking! Why doesn't that school of "higher education" make the same connection? We're talking about segregating information that should be public and taking the private info and putting it behind a firewall. There is something terribly wrong when a school official thinks their situation is unique - that person is totally out of touch.
scary
by pentium4forever May 23, 2006 11:54 AM PDT
Man, that just sounds horrible and embarrassing. College needs to lock down regardless of rules.
Nothing new here!
by heystoopid May 23, 2006 1:10 PM PDT
Nothing new here. Poor computer security merely reflects how fossilized and ossified most University Deans and their respective administrations have become in this day and age, for they are still thinking so last century, and are incapable of moving forward with the times!
Why Are Servers Containing Personal Data Connected to the Internet ...
by Joe Blow May 23, 2006 7:37 PM PDT
when they should be completely physically isolated from any other systems? They shouldn't even be connected to the Internet via a firewall, especially in such a technologically-clueless environment (which apparently extends up to the CIO - most CIOs came from the financial world, because computing in the non-technology world was originally used for financial processing, e.g., payroll, accounts receivable/payable, etc.).

If every academic computing support or IT organization doesn't have everyone, including the CIOs (assuming they even know what a CAT 5 cable and an RJ-45 connector look like), physically unplugging every one of their servers from networks accessible via the Internet right now, until they can audit and rearchitect their network topology to ensure physical isolation of systems containing sensitive data from the Internet, this kind of crap by incompetent people is just going to keep on happening. If they think someone needs access to these servers remotely via laptops, just wait until they have happen what the VA just experienced. This kind of data belongs behind physical barriers, with no remote access - ever. It's bad enough that backups have to be made and stored off-site, but at least those are usually kept under lock-and-key, and aren't accessible on-line (assuming the troglodytes responsible know what they're doing, which may be a bad assumption).

I'm just glad my college days were long before every idiot who could fill out a requisition form got a computer, hooked up to the Internet, with no further justification or thought about why they needed that. Of course, they're excellent Solitaire players, if they're not spending all their time writing e-mail to all of their friends, or posting junk to sites like c|net ... OOPS! BUSTED! ;)

All the Best,
Joe Blow
Apologies not accepted
by apaolella May 26, 2006 2:28 PM PDT
I am an Ohio University student, and there has been recent uproar in the newspapers about this situation. The administration just keeps apologizing, but they are not taking any steps to assist the victims of this breach. They sent out a measly three e-mails about the situation, and I hadn't even heard some of the information that was in this article.

Apologies are not enough. The administration needs to take steps to assist each victim of this breach, and ensure it will not happen in the future.