An unprecedented string of electronic intrusions has prompted Ohio University to place at least one technician on paid administrative leave and begin a sweeping reorganization of the university's computer services department.
Bill Sams, Ohio University's chief information officer, said he initiated the reorganization on Friday. The Athens, Ohio-based university is reacting to recent discoveries that data thieves compromised at least three campus computer servers.
In a disclosure that hasn't been widely reported, one of the compromised servers, which held Social Security numbers belonging to 137,000 people, was penetrated by U.S. and overseas-based hackers for at least a year and possibly much longer, Sams said in a phone interview Sunday with CNET News.com.
At least one security expert was astonished that a compromise could go undetected for so long.
"That's unbelievable," said Avivah Litan, security analyst with research firm Gartner. "I have never heard of that much of a delay. Why would it take a year to discover this? It doesn't make any sense."
What's also alarming to Litan is that a year-long compromise could go undetected at a time when universities should be operating on high alert. Over the past year, numerous media reports have chronicled security breaches at such schools as Notre Dame, Purdue and Georgetown universities.
Ohio University only became aware that a problem existed after the FBI discovered someone had remotely taken control of one of the school's servers.
Litan estimates that a third of all data leaks are at universities. She says information bandits are preying on the nation's colleges for three reasons. First, the schools possess Social Security numbers and other information useful in committing identity theft. Second, she says, universities don't take security seriously enough.
"They don't want to spend money on it," Litan said.
Lastly, universities are at a disadvantage because they must keep information free flowing. Part of their mission is to share knowledge. While the Internet has simplified that task, it has also presented greater risks.
At the time of the attacks at Ohio University, the school operated 90 servers, Sams said. And that was just the school's primary computer network; more servers are operated by individual university departments.
"If you're a corporation, you can just lock everything down," Sams said. "We don't have that luxury. The academic side is trying to find a line between maximum flexibility and data security...We need someone somewhere to come up with a set of best practices for schools."
How a server could be left open to intruders is still under investigation. But this much is known: A server supporting the alumni relations department was supposed to be offline, Sams said. The people responsible for shutting it down thought they had done so. The server continued to be connected to the Internet but didn't receive security updates. It was the equivalent of leaving a backdoor open for thieves to walk in and seize what they wanted.
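The failure in the paragraph above is a mismatch between records and reality: the inventory said the alumni server was off, the network said otherwise, and nothing reconciled the two for a year. The script below is an added example, not code from the article or from Ohio University, of the reconciliation check a practitioner would run against the asset inventory and a host sweep. The inventory records, scan results, IP addresses, hostnames and the 30-day patch window are all constructed assumptions.

```python
"""Reconcile an asset inventory against what actually answers on the network.

Flags three kinds of drift, each of which the page's incident illustrates:
  * zombie  - inventory says decommissioned, but the host still answers
  * unknown - a host answers that the inventory has never heard of
  * stale   - inventory says active, but the host has not been patched
              inside the allowed window
All records below are constructed sample data (assumption), not real hosts.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    status: str                  # "active" or "decommissioned"
    last_patched: Optional[date]  # None if no patch has ever been recorded


@dataclass(frozen=True)
class ScanHit:
    ip: str
    open_ports: Tuple[int, ...]


# Constructed inventory: what the computer services group believes is true.
INVENTORY = [
    Asset("alumni-db01", "10.20.1.15", "decommissioned", date(2005, 3, 1)),
    Asset("health-app01", "10.20.1.22", "active", date(2006, 3, 20)),
    Asset("web01", "10.20.1.30", "active", date(2006, 5, 1)),
]

# Constructed sweep result (e.g. parsed from a ping sweep / port scan):
# what actually answered on the network today.
SCAN = [
    ScanHit("10.20.1.15", (22, 80, 1521)),   # the "offline" alumni server
    ScanHit("10.20.1.30", (80, 443)),
    ScanHit("10.20.1.77", (135, 139, 445)),  # nobody owns this one
]

TODAY = date(2006, 5, 15)  # assumed date of the sweep


def reconcile(inventory: List[Asset], scan: List[ScanHit], today: date,
              max_patch_age_days: int = 30) -> Dict[str, List[str]]:
    """Return {"zombie": [...], "unknown": [...], "stale": [...]} as sorted
    lists of IPs so the output is stable enough to diff between runs."""
    by_ip = {a.ip: a for a in inventory}
    live = {h.ip for h in scan}
    zombie: List[str] = []
    unknown: List[str] = []
    stale: List[str] = []

    # Anything that answers must be explained by the inventory.
    for ip in sorted(live):
        asset = by_ip.get(ip)
        if asset is None:
            unknown.append(ip)
        elif asset.status == "decommissioned":
            zombie.append(ip)

    # Anything the inventory calls active must have been patched recently.
    cutoff = today - timedelta(days=max_patch_age_days)
    for a in inventory:
        if a.status != "active":
            continue
        if a.last_patched is None or a.last_patched < cutoff:
            stale.append(a.ip)

    return {"zombie": zombie, "unknown": unknown, "stale": sorted(stale)}


def report(findings: Dict[str, List[str]]) -> List[str]:
    """One line per finding, severity first, for a ticket or a daily mail."""
    lines = []
    for kind in ("zombie", "unknown", "stale"):
        for ip in findings[kind]:
            lines.append(f"{kind.upper():8}{ip}")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(INVENTORY, SCAN, TODAY)):
        print(line)
```

A zombie finding is the exact case in the article: the decommission ticket was closed, the host kept answering. Running this against a real sweep instead of the constructed `SCAN` list is the only change needed; the check is cheap enough to run daily, and a host that shows up as unknown is worth the same scrutiny as one that should be dead.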
The culprits who broke into the other two servers made off with health records belonging to students treated at the university's health center, as well as Social Security numbers of an additional 60,000 people.
"We had a failure of both policies and procedures," Sams said. Asked why, when so many schools were succumbing to computer attacks, Ohio University wasn't quicker to order a security audit, Sams replied: "Should we have? Yes. Did we? No."
"we need someone somewhere to come up with a set of best practices for schools."
Oh please. "Somebody help me, I'm clueless." This guy's making the big money as the CIO, if he can't figure it out or pay someone to figure it out he should be part of the reorg.
...just think: Fully 100% of the recent graduates of Ohio University's computer sciences program have been taught by instructors who apparently know not one whit about security.
Not even one instructor or student was sharp enough to use their training (?) and skills (?) to test the university system for security breaches, nor even for periodic patches and updates to ensure that it was secure.
Why would any of those instructors or students have valid reason to test the university system for security breaches, let alone do patches and updates? That would be a real nightmare and is most likely forbidden in their respective university handbooks!
As a recent graduate of Ohio University this security breach is quite distressing.
During my junior year, a member of the student senate managed to break into several of the university's computers. His attempts were apparently to demonstrate to the university how weak their defenses were, as he informed them about the break-in and the information he had access to after he did it.
What was the university's response? Academic discipline! Two years later they find out they have been seriously compromised. It's a classic story of people not caring until it happens, on a large scale.
An even funnier/sadder part is that hundreds of schools that are reading this story won't do much about it. Some won't have the talent to pentest their own network, while some will just be too lazy to do anything. I don't know if their budgets allow them to hire external pentesters, but without getting those security experts to come and pentest their network, I don't think they can secure their environment. As a network admin or operations, you have countless pending tasks already ... hence the motivation to do extra without getting anything extra is close to nil.
I guess what they should do is hire the student security gurus and have them recommend procedures to secure the network. Every school has at least 10 geeks who can exploit the network at will ... now all you do is hire one Security Professional to recruit those 'skilled' students.
A computer science program is supposed to teach computer science, a subset of mathematics. I'm not aware of any university program that teaches computer or systems administration (of which computer/network security would be a subset).
Something weird happened in the early 00's. Computer Science grads could no longer find those swank jobs at developer houses fresh out of school for >65K/yr, and started looking elsewhere. When the market got used to it, employers looking for, say, a Windows Administrator, instead of requiring such banal things as certifications, started requiring degrees in Computer Science... but the pay did not increase... so these employers were requiring a $20K-100K education for a lousy $15/hr job. And the CS grads chomped at the bit. What I think happens is that most CS grads end up taking their first job at the university they graduated from, and this may help explain the security issues... a Computer Science degree, a security-minded systems administrator does not make.... Most, if not all, of the sys admins I know learned by hands-on training and years of experience under an experienced (toor)mentor.
Neither students nor faculty have authority to install updates or patches on the systems -- they are managed by the campus computer services group. Further, I don't know about this particular school, but at most universities independently "testing" the campus network security would be grounds for dismissal or expulsion.
The same is frequently true outside academia too. I work in computational sciences, but our company systems are managed by a separate IT department. We have no administrative authority on any machines save systems quite specifically designated as ours (namely, the compute clusters and instrumentation control systems). We also find that IT is not generally knowledgeable about the systems and security -- where we might have specific understanding of the implementation of a technology, their knowledge is typically limited to the installation and general administration of the same technology. As a result, when something is not right, they generally tell us to stick it until we develop a pedantic presentation about the specific issues at hand (last time I had to do this, I had to give a lecture on privilege escalation on our improperly configured filers -- and I'm a biologist).
If major educational institutions are compromised, imagine what it's like at the community college level. If you went to one of those schools, I'd start applying for an identity change.
I bet the information is now on information brokers' servers and will be sold to any company to let them know that Janet has AIDS or maybe something minor. Any company using this information should be shot dead.
This is yet another example of the failure of the liberal PC (pun intended) world of Academia! But don't colleges like this all run Linux and Open Source software because they are immune to hackers!?
The IT director should be fired the servers consolidated, uniform security policies established and students AND faculty given the option to embrace secure computing or find another place to study/work! The longer we tolerate mediocrity on our college campuses, the farther/faster we will fall behind the rest of the world.
Then there would be no smart conservatives (cause all academics would be liberal). Injecting politics into a tech discussion.. hmmm.. very risky (especially when you sound stupid also). Westrajc, I'd keep the politics to a political forum.
What does the education of students have to do with the business side of the University? The faculty and students do not provide the security or IT services for the University. They might be employed in some capacity, but they are not going to be responsible. I don't think I have ever heard anyone at any time say Linux and Open Source software were immune to hackers! They are generally more secure by their very nature, because any vulnerabilities can be found and fixed because they are open to everyone for examination! No matter how many patches or security updates are provided, if they aren't installed they do no good! When you have a server sitting on the network that everyone thinks is shut down, the problem isn't software or security updates, the problem is someone not doing their job! I would call that personal responsibility, which is something that should be taught at home, not at some University! If you ain't got it when you leave home, you ain't ever gonna get it!! What does politics have to do with anything on this issue? I couldn't find any relevance for that at all!
Something I do not understand is why the free flow of information should have anything to do with a server system that stores student or private data! Those systems should not need to be interconnected! Why would you want internet access available to that type of data?
Given that most of the Windows machines are end user workstations and less than 20% of campus servers are Windows (typically department domain controllers), I'm thinking this one would be a Unix box (typically Solaris).
Every machine I had to connect to for ANY personal details for my job there was Unix. Specifically, Solaris!
Granted, these assumptions are based on observations from four years ago. But again, universities are very political in even the most trivial decisions. This tends to slow down any process to improve what isn't a marketing tool.
Examples: >A computer in every FRESHMEN dorm room first, then to upperclassmen...implemented! >Wireless campus...implemented! >A CSO role reporting to either the CIO, the provost, or the president.....hmmm
It's all about money, of course. But isn't everything?
Who wants this server job on campus?
Educational budgets are shrinking. I guarantee you that most IT positions on a campus pay 20% less than in a business environment. For high-end server managers the gap is even higher.
Also, campus environments are VERY political and often hard to work in. You have to jump through hoops that don't always make "business" sense and often run against it.
Finally, education demands a TON from their IT people without wanting to pay a lot- for staffing in particular. There's always a zillion projects waiting to be done and everyone wants something.
So when you demand that education steps up maybe you should be demanding that they also get better funding. Once that happens then you can look into demanding that they in turn spend more on their IT security. One won't happen without the other, though.
I work in IT at a Division I university, and here's what I see:
1. The pay is far lower than available in the private sector.
2. One needn't be particularly skilled/intelligent/industrious to retain one's job, especially true for those in management.
3. One can preach security until one is blue in the face without being able to make a difference.
4. Servers get compromised frequently, and lessons seem to take repeated exposure to be learned (if ever they are.)
5. It seems that only security issues dealing with usability of the campus network get much attention. Nimda ran wild through the network for over a month, but it was only within the last couple of years that significant inroads were made in containing malware, as the network edged ever nearer to a "notwork" due to the volume of malicious traffic.
6. Compromise of personal information is underreported, possibly to the degree of illegality. I know personally of a server that contained credit card and SSN data that was compromised, without notification being given.
7. The way things SHOULD be done and the way things ARE done are more different than similar.
8. Priorities are politically motivated, and usually bass ackwards.
That's not all, but isn't that too much already?
(Personal inertia is why I'm still here, that and other personal issues unrelated to skill and/or intelligence.)
"They don't want to spend money on it," Litan said."
"Lastly, universities are at a disadvantage because they must keep information free flowing. Part of their mission is to share knowledge. While the Internet has simplified that task, it has also presented greater risks."
This comment by the CIO is out of touch and out of date. Yes, information needs to be free flowing, but what type and category of information? As for not wanting to spend money on the problem, from the article it does not appear that money was an issue (although I am sure it is), as the CIO herself says that they thought the problem was fixed! But they did not follow up. And then we have the YEAR it took to find the compromise, and then by the FBI! There is something terribly wrong here. When your own security department cannot follow up, monitor the university's systems, and then blame it on the requirement of free flowing information, well, at least it was free flowing for a year.
One has to wonder why the professors and students in their IT program did not see anything! Could this be the case for No Child Left Behind :-)
" The academic side is trying to find a line between maximum flexibility and data security...We need someone somewhere to come up with a set of best practices for schools."
Again the CIO is not in touch with her colleagues. Has she ever heard of EDUCAUSE (http://www.educause.edu)? All they do is address universities' and higher educational institutions' IT and information security needs and requirements.
It's been my personal experience that CNS (Computer Network Services) is little more than a glorified tech support line for the idiot students who don't know how to clean their computers of the latest malware they downloaded while watching their pr0n. They also mass-flood pretty much the entire network on ports 135-137, and I asked them why they do this, and they said that they're just checking to make sure those ports are closed, because they're common ports for viruses.
Regarding why health records were on the server, I don't know why they were in the physical space they were in. A more logical place to keep the server would be at the Student Health Center itself... at the Health Center, because they are on lock-down network-wise, they have to now tell students to take one slip of paperwork a whopping 8 feet across the room (instead of entering the data on the computer and submitting it through some sort of database... I've only gotten glimpses of the software they use to fill out the form, but it's running on Windows 98, I do know that)
That was what I was thinking! Why doesn't that school of "higher education" make the same connection? We're talking about segregating information that should be public and taking the private info and putting it behind a firewall. There is something terribly wrong when a school official thinks their situation is unique - that person is totally out of touch.
"Not even one instructor or student was sharp enough to use their training (?) and skills (?) to test the university system for security breaches, nor even for periodic patches and updates to insure that it was secure."
Amazing. Absolutely amazing. Also, stoopid!
rb
During my junior year, a member of the student senate managed to break in to several of the university's computers. His attempts were apparently to demonstrate to the university how weak their defenses were, as he informed them about the break-in and the information he had access to after he did it.
What was the university's response? Academic discipline! Two years later they find out they have been seriously compromised. It's a classic story of people not caring until it happens, on a large scale.
I guess what they should do is hire the student security gurus and have them recommend procedures to secure the network. Every school has at least 10 geeks who can exploit the network at their will ... now all you do is hire one Security Professional to recruit those 'skilled' students.
science, a subset of mathematics. I'm not aware of any university program that teaches computer or systems administration (of which computer/network security would be a subset).
Something weird happened in the early 00's. Computer Science grads could no longer find those swank jobs at developer houses fresh out of school for >65K/yr, and started looking elsewhere. When the market got used to it, employers looking for, say, a Windows Administrator, instead of requiring such banal things as certifications, started requiring degrees in Computer Science... but the pay did not increase... so these employers were requiring a $20K-100K education for a lousy $15/hr job. And the CS grads chomped at the bit. What I think happens is that most CS grads end up taking their first job at the university they graduated from, and this may help explain the security issues... a Computer Science degree, a security-minded systems administrator does not make.... Most, if not all, of the sys admins I know learned by hands-on training and years of experience under an experienced (toor)mentor.
install updates or patches on the systems -- they are managed by the campus computer services group. Further, I don't know about this particular school, but at most universities independently "testing" the campus network security would be grounds for dismissal or expulsion.
The same is frequently true outside academia too. I work in computational sciences, but our company systems are managed by a separate IT department. We have no administrative authority on any machines save systems quite specifically designated as ours (namely, the compute clusters and instrumentation control systems). We also find that IT is not generally knowledgeable about the systems and security -- where we might have specific understanding of the implementation of a technology, their knowledge is typically limited to the installation and general administration of the same technology. As a result, when something is not right, they generally tell us to stick it until we develop a pedantic presentation about the specific issues at hand (last time I had to do this, I had to give a lecture on privilege escalation on our improperly configured filers -- and I'm a biologist).
The IT director should be fired, the servers consolidated, uniform security policies established, and students AND faculty given the option to embrace secure computing or find another place to study/work! The longer we tolerate mediocrity on our college campuses, the farther/faster we will fall behind the rest of the world.
Every machine I had to connect to for ANY personal details for my job there was Unix. Specifically, Solaris!
Granted, these assumptions are based off observations from four years ago. But again, universities are very political in even the most trivial decisions. This tends to slow down any process to improve what isn't a marketing tool.
Examples:
>A computer in every FRESHMEN dorm room first, then to upperclassmen...implemented!
>Wireless campus...implemented!
>A CSO role reporting to either the CIO, the provost, or the president.....hmmm
Who wants this server job on campus?
Educational budgets are shrinking. I guarantee you that most IT positions on a campus pay 20% less than in a business environment. For high-end server managers the gap is even higher.
Also, campus environments are VERY political and often hard to work in. You have to jump through hoops that don't always make "business" sense and often run against it.
Finally, education demands a TON from their IT people without wanting to pay a lot, for staffing in particular. There's always a zillion projects waiting to be done and everyone wants something.
So when you demand that education steps up maybe you should be demanding that they also get better funding. Once that happens then you can look into demanding that they in turn spend more on their IT security. One won't happen without the other, though.
1. The pay is far lower than available in the private sector.
2. One needn't be particularly skilled/intelligent/industrious to retain one's job, especially true for those in management.
3. One can preach security until one is blue in the face without being able to make a difference.
4. Servers get compromised frequently, and lessons seem to take repeated exposure to be learned (if ever they are.)
5. It seems that only security issues dealing with usability of the campus network get much attention. Nimda ran wild through the network for over a month, but it was only within the last couple of years that significant inroads were made in containing malware, as the network edged ever nearer to a "notwork" due to the volume of malicious traffic.
6. Compromise of personal information is underreported, possibly to the degree of illegality. I know personally of a server that contained credit card and SSN data that was compromised, without notification being given.
7. The way things SHOULD be done and the way things ARE done are more different than similar.
8. Priorities are politically motivated, and usually bass ackwards.
That's not all, but isn't that too much already?
(Personal inertia is why I'm still here, that and other personal issues unrelated to skill and/or intelligence.)
"Lastly, universities are at a disadvantage because they must keep information free flowing. Part of their mission is to share knowledge. While the Internet has simplified that task, it has also presented greater risks."
This comment by the CIO is out of touch and out of date. Yes, information needs to be free flowing, but what type and category of information? As for not wanting to spend money on the problem, from the article it does not appear that money was an issue (although I am sure it is), as the CIO herself says that they thought the problem was fixed! But they did not follow up.
And then we have the YEAR it took to find the compromise, and then by the FBI! There is something terribly wrong here. When your own security department cannot follow up, monitor the university's systems, and then blame it on the requirement of free flowing information... well, at least it was free flowing for a year.
One has to wonder why the professors and students in their IT program did not see anything! Could this be the case for No Child Left Behind :-)
"The academic side is trying to find a line between maximum flexibility and data security...We need someone somewhere to come up with a set of best practices for schools."
Again the CIO is not in touch with her colleagues. Has she ever heard of EDUCAUSE (http://www.educause.edu)? All they do is address university and higher educational institutions' IT and information security needs and requirements.
Have a great Day...
Regarding why health records were on the server, I don't know why they were in the physical space they were at. A more logical place to keep the server would be at the Student Health Center itself... at the Health Center, because they are on lock-down network-wise, they have to now tell students to take one slip of paperwork a whopping 8 feet across the room (instead of entering the data on the computer and submitting it through some sort of database... I've only gotten glimpses of the software they use to fill out the form, but it's running on Windows 98, I do know that)