[ISN] Colleges easy prey to hackers

InfoSec News isn at c4i.org
Thu Nov 18 06:21:39 EST 2004


By George Merritt 
Denver Post Staff Writer
November 17, 2004 

Boulder - University computer systems are an easy and likely target
for computer hackers, and experts warn that students will be more
likely to become victims of identity theft if changes don't come soon.

"These universities have a real issue on their hands," said Jay Foley
of the Identity Theft Resource Center in San Diego.

Foley said hackers can use personal information such as Social
Security numbers to open fraudulent credit accounts in students'

"It does you absolutely no good to graduate a class of 1,000 highly
skilled people ... who can't get jobs because most of them are so
deeply in debt that no one will hire them," he said.

Last month, about 1,000 University of Colorado continuing-education
students became the latest to have their personal information

Officials said CU's hacker was a "joyrider" who broke into the system
without actually taking identifying information. But the break-in
added CU to the list of victim universities throughout the country.

In August, a hacker broke into the University of California at
Berkeley's system and got access to about 600,000 people's personal
information. A University of Texas hacker accessed about 55,000
identities from that system last year.

There have been similar incidents recently from Boston University to
Georgia Tech, from Southern Illinois University to San Diego State

Campus technology experts say universities are in a unique and
vulnerable security situation. While their computer systems contain a
wealth of personal identifiers, universities represent a culture of
open information sharing.

"It is hard because security and convenience are kind of mutually
exclusive," said San Diego State's technology security officer, John
Denune. "So with a university environment, we always have to keep our
educational mission in perspective because we can't lock things down
like a business would."

CU officials have been trying since summer 2003 to combat the risk by
issuing new students identification numbers that are different from
their Social Security numbers. There are plans to convert ID numbers
for the entire student body sometime next year.

The University of Denver has also done away with Social Security
numbers as identifiers, and Colorado State University students can opt
for a different identification number. CSU plans to change over
completely in 2006.

State law requires all universities to drop Social Security numbers as
identification by 2008.

Security experts praise the effort but say it is only one step.

"Security has become the No. 1 agenda item every day for all the IT
professionals," said Dennis Maloney, CU's head of information
technology. "It is a daunting task because it is hard to know what is
going on with (the university's) 25,000 computing devices at all
points in time."

Maloney said his staff tries to lock down students' most sensitive
personal information.

"Why hack universities?" asked Rick Dakin, president of Coalfire
Systems Inc., a Superior computer security consulting firm. "Because
there is a ton of personal information, a ton of computing power and a
ton of computers."

Maloney said CU offers free antivirus software for students to
download and a computer scan to make sure individual computers have
up-to-date defenses. He said campuses have to rely more and more on
students to keep up security on their personal computers.

Identity theft is not the only motivation for those hacking into
university systems - in fact, identity thieves represent a small
percentage of hackers, experts said.

Hackers are also intent on scoring bragging rights among their online
buddies or manipulating an army of computers to do their bidding. As
they look for any holes in a system's security, universities can even
fall prey out of dumb luck.

"Most of the worms - or even the low-level hackers - out there are
just looking for any vulnerability out there that they can exploit,"  
Denune said. "Universities tend to be a large target of opportunity
because we have a lot of bandwidth."

Enforcing the laws against hacking is complicated. While there has
been success tracking down hackers, authorities said the nature of the
Internet makes it hard to know where to begin investigating, or whose
jurisdiction should handle it.

"There really isn't any central agency for this," said Mike Knight,
spokesman for the district attorney's office for the 18th Judicial

Maloney said security remains the top priority. But even with changes,
hackers remain an elusive "moving target" for universities.

"I look at the security alerts every day, and there is a new
vulnerability every day somewhere on campus," Maloney said. "I don't
think we've seen the light at the end of the tunnel for that

More information about the ISN mailing list