
Are you protected against hackers and attackers? Viruses, breaches and threats have IT directors rethinking security.

Higher ed networks are under attack. Hackers want to break into higher ed databases, sometimes to maliciously filch the identities of students, alumni and staff, sometimes to use universities' servers--which typically run at high speeds--as efficient launch pads for spam, virus and worm attacks on other servers. Sometimes stolen high-speed bandwidth is used for illegal movie downloads, or high-speed transfer of personal data. Alarmingly, some hackers are tuition-paying students who crack the cybersecurity code just to prove they can.

"Hacking happens every day, everywhere," says Ken Kleiner, system manager of the Computer Science Department at the University of Massachusetts Lowell. "Typically people break into a system by accessing a 'door' that is left open," he explains. This can happen when an authorized person gets access to a system to install a security patch upgrade, but fails to "lock" the access door upon exit, leaving the system vulnerable.

Script kiddies are an added nuisance, adds Tom Jackson, executive director of university computing and information services at the University of North Carolina Pembroke. These are amateurs who use pre-written pieces of code to launch an attack. "In one case here, a student probed our network trying to get into applications," he says. A staffer detected the breach. The script kiddie hacker used a UNC Pembroke computer in one of the student IT labs; the staffer detected the violation by recognizing that logins and setups weren't quite right.

Sometimes systems just aren't properly configured, adds Kleiner. On any given day, 1 to 5 percent of systems are broken into because they are not set up correctly to keep hackers out. "I would say 25 percent of my day is spent worrying about security," he says. Some would say any campus IT official would have good reason to fret these days.

Institutions of higher education (IHEs) are especially vulnerable to mischief for a variety of reasons. One reality is budgeting. Not all IHEs have the financial resources to install new servers and the systems that protect them. Then, too, there's higher ed's mission, which often calls upon researchers and academics to share information and resources--and to do it quickly. That often entails sharing web files, e-mail attachments, research databases and library materials through the non-commercial Internet2 and the related Shibboleth Project, a system that allows scholars and researchers to share discovery.

Striking the right balance is not easy.

Meanwhile, it is clear that IHEs have to press for the best answer. The Office of Privacy Protection in Sacramento, Calif., reports that incidents at California IHEs accounted for close to 30 percent of all security breaches since 2003. The percentage is highest for higher ed--even greater than the percentage for financial institutions. The motive for many breaches is identity theft. According to a 2003 survey of the Federal Trade Commission, 10 million Americans already have been victims of identity theft at a total estimated loss of $5 billion. U.S. corporations have been hit with $47.6 billion in damages. The cost specifically to higher ed is unknown.

A number of documented cases during the past few years might indicate that things are going to get worse before getting better.

In mid-March of this year, a thief reportedly walked into an office at the University of California Berkeley and stole a laptop containing the Social Security numbers of nearly 100,000 people, mostly graduate students and grad school applicants. UC Berkeley reportedly waited more than a week before going public about the incident, in the hopes that police would catch the thief. When that didn't happen, the university made a widespread notification, which is required by California law.

The irony, according to reports, is that data on the laptop was slated to be encrypted during the very month in which it was stolen. The encryption would have made it virtually impossible to read the data without a code, Maria Felde, a university spokesperson, told the media. She added that the computer was left alone for only a few minutes.

The incident received immediate attention. U.S. Sen. Dianne Feinstein (D-Calif.) called for legislation that would require immediate notification when personal data is compromised--similar to the law in effect in California. The UC Berkeley incident is just the latest in a score of security breaches that are forcing officials to rethink IT security.

Several weeks prior, hackers cracked into the personal information of about 59,000 students, staff and faculty at the University of California Chico. In March, the University of Nevada Las Vegas disclosed that hackers accessed the records of 5,000 current and former international students. The case is under FBI investigation. On a Sunday in late winter, hackers broke into the servers at Northwestern University's Kellogg School of Management (Ill.). IT staffers scrambled to change passwords and user names for 3,500 faculty, staff and student accounts and 18,000 alumni accounts.

George Mason University (Va.) confirmed earlier this year that hackers compromised a server that stored campus identity card information for 30,000 students, faculty and staff. Names, photos, Social Security numbers and other data were exposed. The incident contained its own irony given that George Mason is also home to the Information Security Institute and the Center for Secure Information Systems.

This year, Boston College (Mass.) spent $44,000 in postage to send letters to 120,000 alumni warning them that the database containing their Social Security numbers and addresses had been hacked. BC advised that alumni acquire copies of their credit reports and alert their banks to watch for suspicious activity. College officials were quick to add that they did not believe the information had been used for identity theft and that the attacker's real motive was to embed a program into the college's hardware to launch attacks on other machines. The compromised computer was run by a contract company that maintains a data center for fundraising activities. Until that point, BC, like so many other colleges and universities, had used Social Security numbers as the main identifiers for alumni. That process would be changed, they promised.

In April, officials at nearby Tufts University (Mass.) warned 106,000 alumni that their personal data had been compromised by "abnormal activity" on one of its computers. The university also used a contract service to manage the alumni data on this computer. The cost to Tufts to warn alumni: $41,000 in postage.

The University of Georgia is reportedly considering changes of its own, after realizing that a student was storing a list of credit card numbers and account holder names on the server used to maintain online student portfolios. An anonymous tip led to the discovery. The server was, of course, taken down and investigators were brought in.

Until this rash of breaches, the most famous was perhaps a 2003 incident in which a hacker stole the names and Social Security numbers of 37,000 students, faculty and staff from the University of Texas system. Christopher Andrew Phillips, 22, was indicted late last year on charges of fraud and storing credit card information with the intent to defraud. UT reportedly spent $167,000 responding to the security breach and notifying everyone who was affected.

These and other incidents have prompted a consortium of colleges to form a new technology center dedicated to finding ways to better protect data from cyberattacks. TRUST, which stands for Team for Research in Ubiquitous Secure Technology, will be housed at UC Berkeley and includes Carnegie Mellon University (Pa.), Stanford (Calif.), Smith College (Mass.) and other IHEs. HP, IBM, Microsoft, Sun Microsystems and Symantec will be affiliated with the project. The new center will receive $19 million from the National Science Foundation over the next five years to further its work.

Meanwhile, IT directors continue to cope with day-to-day threats to databases, servers and e-mail systems.

"Worms and things that try to attack our system--we catch tons of those every day," says James Wiedel, MIS director and director of networking at the University of Southern California. He relies on an automated process to help the staff. "We look at [traffic] flows through our routers. We wrote homegrown software to ask, 'Does this look like an attack or a normal transfer of data?'" USC began such IT protection efforts 10 years ago, as the internet was becoming more integral to university life and learning. There are four full-time staffers on the case, writing software, scanning reports and upgrading systems.

"Students are from the video game era," adds Abraham Roohy, director of industry solutions, education, for Nortel Networks (www.nortel.com), headquartered in Ontario, Canada. "They are computer savvy and expect to access information from room to room and at any location on campus."

Unlike their corporate counterparts, campus IT directors deal with a constituency that brings laptops and PDAs to campus. Whereas corporations can install their own security safeguards on the equipment they give employees, higher ed IT staffs have to think ahead to every contingency and create safeguards that apply to a variety of models and operating systems, says Roohy.

At the University of Southern California, no one has access to the system or internet until he or she is a registered user. Students have several computer rooms where they can do this. Here they log in and register their laptops and other devices. Each receives a password and registers a computer's MAC address. A visitor who tries to plug in an unregistered laptop will be shut down, says James Wiedel, MIS director. Faculty and staff go through a similar process.

Some systems, such as USC's, are designed to shut computer access down if suspicious activity cannot be contained. "We then record this information on a webpage for review," says Wiedel.

At the University of Notre Dame (Ind.), visiting scholars cannot use the network unless they are sponsored by a staff or faculty member, says Gordon Wishon, CIO. "Someone in an academic department has to vouch for the actions of a guest," he explains. After that, the guest is issued an ID and password.

In simple terms, a campus IT network is like a building, says Gary Simpson, chief technology officer, Chili Systems (www.chilisystems.com), Norwalk, Conn. "If you can't get in, it is hard to see what is on the sixth floor." IHEs such as USC and Notre Dame are making sure the doors to the building are well guarded. They are also re-thinking ways to protect each floor and individual "room."

BEYOND THE FIREWALL

Almost all systems are protected by firewalls that keep out unwanted viruses and worms. Systems also have proxy servers that prevent inside users from visiting unauthorized places on the internet. This "perimeter" protection has been the mainstay of cybersecurity.

However, this isn't enough.

"Many times the traffic on the campus border is so fast, you can't put an independent firewall out there," says James Wiedel, MIS director at the University of Southern California. USC relies on border routers to protect aspects of its system. These routers traffic data very quickly and are just as adept at blocking access to the system. "If you are scanning us, we can block your host or your entire 'net."

Notre Dame University (Ind.) is focusing on layered security. This is an approach that protects access not only to the system at large, but also to specific databases in ERP systems, such as SCT's Banner. "We are sorting through this on an application by application basis," says Gordon Wishon, CIO. Many of the administrative applications contain some sensitive data that require their own layer of protection.

The answer may be a series of user names and passwords that are required to drill down to specific applications and administrative files. Other technologies are emerging that may help. IT security analysts are looking into identification systems that will authenticate a user's identity, says Doug Simmons, a principal consultant on identity and privacy strategies for the Burton Group (www.burtongroup.com), Midvale, Utah.

Technology would be incorporated into a key that would fit into a computer's USB port, he explains. When inserted it would flash a code--a string of numbers and letters--that would be required for input. This, plus the added security of passwords and IDs, would add more layers of protection. Biometrics, too, may play a bigger part in IT, Simmons adds. Fingerprint readers are built into some new laptop models, such as IBM's ThinkPad T42. The security device, which is no bigger than a key on the keyboard, also helps confirm a user's identity.

Want to know more about IT security trends? Find case studies and details about new applications at www.universitybusiness.com/security.

IT SECURITY TERMS

Below are some terms that you should be familiar with the next time your IT person tells you that an "ankle biter" has breached your computer and a "zombie" is lurking inside. For a complete glossary of security terms, go to www.auditmypc.com

AIS--The letters stand for Automated Information System. This is any equipment that acquires, stores, manipulates, controls, transmits, or receives data. An AIS includes software, firmware, and hardware.

Ankle-Biter--A person who aspires to be a hacker or cracker, but who has limited knowledge or skills. The term is usually associated with young teens who download and use simple malicious programs.

Back Door--A hole in the security of a computer system deliberately left in place by designers. Synonymous with trap door, this is hidden software or hardware used to circumvent security controls.

Crack--A popular hacking tool used to decode encrypted passwords. System administrators also use a Crack to assess weak passwords by novice users.

Computer Worm--A self-reproducing program that is distinguished from a virus by copying itself without being attached to a program file, or which spreads over computer networks, particularly via e-mail.

Hacker--A person who enjoys exploring the details of computers and how to stretch their capabilities. A Dark-side Hacker has criminal or malicious intentions.

Letterbomb--A piece of e-mail containing live data intended to do malicious things to the recipient's computer. A Mailbomb urges others to send massive amounts of e-mail to a single system or person, with the intent of crashing a system.

Piggy Back--The gaining of unauthorized access to a system via another user's legitimate connection.

Samurai--A hacker who hires out for legal cracking jobs, snooping for information.

Script Kiddies--The lowest form of a cracker; they do mischief with scripts and rootkits written by others.

Snarf--To grab a large document or file for the purpose of using it with or without the author's permission.

Spoofing--Pretending to be someone else to gain access to an AIS. Impersonating, masquerading, and mimicking are forms of spoofing.

Trojan Horse--An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

Virus--A program that can "infect" other programs.

Zombie--A specialized type of backdoor or remote access program that identifies itself to a master computer, and then waits for instructions. Upon receipt of instructions, zombie machines will send attack packets to a target computer. Zombie may refer to the control program, or it may refer to a computer being controlled.

DROPPING SOCIAL SECURITY NUMBERS

Social Security numbers can lead to much mischief--bogus credit card accounts, stolen identities, fake drivers' licenses, bank account theft. That's because clever hackers can use a Social Security number to find out just about anything about a person. For this reason, colleges and universities, including Pennsylvania State University, are moving away from the Social Security number as the main way to identify students and staff. Early this year, Penn State issued new, nine-digit numbers to identify some 80,000 students and thousands of additional employees. Some other IHEs, large and small, are doing the same.

Tusculum College (Tenn.), a much smaller, private IHE, has already moved away from relying on Social Security numbers to identify its 900 undergraduates and additional part-time students and staff. Three staffers wrote a new algorithm that incorporates part of the Social Security number, but that also assigns a unique string of numbers to each individual, says Travis Crabtree, webmaster.

Granted, the effort to stop using the Social Security number as the main identifier takes planning. Some IHEs are approaching this in stages, addressing incoming classes first, then working their way back to students already enrolled, and to staff, faculty and alumni. EDUCAUSE, a nonprofit organization focused on education, has developed a series of resources under the title "Planning for the elimination of Social Security numbers as primary identifiers." (This can be found through a search at www.educause.edu.)

Other administrators are teaching students the best ways to protect themselves. In February, the University of Colorado launched an education campaign that informs students about personal information online. Using posters and security forums, IT officials give monthly updates on different aspects of cybersecurity, such as spam, viruses and spyware--technology that maliciously tracks a user's online activities. The security forums began just months after CU was targeted by a hacker who tried to access personal information on 1,000 continuing education students. The attacker was unsuccessful, officials add.

Hudson County Community College (N.J.) also has a student-focused education program. Every month the college publishes a one-page flyer that is distributed to all students, says Pinhas Fridenberg, registrar, and vice president for professional development for the Middle State Association of Collegiate Registrars and Officers of Admission (www.msacroa.org).

Students often are naive about identity theft, says Fridenberg. "They say, 'I don't have a bank account or a credit card to worry about.' But they are dead wrong," he says. With the right personal information--including a Social Security number--identity thieves can open accounts and abuse them, then ruin a young adult's credit history before there is even much of one. At that point tuition assistance can be denied, he warns. Use of the Social Security number as some form of identification is not going away entirely, though. The number is required for student loan applications and other financial forms, which is why Fridenberg instructs students on the safest way to provide loan application information on secure government websites.

At press time, the higher education community was divided on whether to endorse the U.S. Department of Education's (www.ed.gov) proposed centralized database that will keep a record on every college and university student in the U.S. The database, which is being considered as part of the Reauthorization of the Higher Education Act, would rely on Social Security numbers for tracking purposes, a move that some say threatens privacy and security. Others view the proposed database as a more efficient way to track retention and graduation statistics.

'Phishing' and 'Pharming'

By now e-mail users can hopefully spot phishing scams. These are messages designed to look like legitimate requests for personal information or account numbers. Now there's pharming, a type of scam that redirects users to bogus webpages, allowing attackers to embed Trojan programs that track keystrokes and passwords.

Pharming scammers have already pulled off some ploys. In March, attackers breached Symantec firewalls so that some users going to www.google.com or www.ebay.com were redirected to bogus sites. Symantec has fixed the problem, reports the Internet Storm Center.
COPYRIGHT 2005 Professional Media Group LLC

Article Details
Author:Angelo, Jean Marie
Publication:University Business
Article Type:Cover Story
Date:May 1, 2005