[ISN] CU seeking help to evaluate hacked system

Thu Aug 4 06:01:04 EDT 2005

http://www.denverpost.com/news/ci_2909173

By Jennifer Brown and John Ingold 
Denver Post Staff Writers 
08/03/2005

The University of Colorado will hire a computer-security company to
audit its technology safeguards after hackers broke into the system
three times in two weeks, officials said Tuesday.

CU also plans to put firewalls on some of its 26,000 computers that
are now accessible to the public, said Bobby Schnabel, vice provost
for technology.

A hacker last week broke into files containing Social Security
numbers, names and photographs of 29,000 students, some former
students and up to 7,000 staffers. The files related to CU's Buff
OneCards, which students use for after-hours access to some campus
buildings and to buy meals and snacks.

The university isn't sure what the hacker wanted and may never know
whether Social Security numbers were stolen.

CU did not notify the public of the security breach until Monday
because it took a forensics team working through the weekend to
confirm that an intruder had cracked the system.

"If your house gets robbed, you can pretty much figure out what's gone
and what's not," Schnabel said. "On a computer, you can't tell."

A team from Boulder-based Applied Trust Engineering, which has been
scanning CU files since computer breaches were discovered July 14,
noticed some suspicious files July 27, said Larry Drees, Buff OneCard
program director. The team created an image of the hard drive that was
hacked, and the server was disconnected from the network.

Computer scientists continue to analyze the image of the hard drive to
see what the hacker might have retrieved. That information could help
determine whether the hacker wanted to use the system to store pirated
materials, such as movies or pornography, or if the hacker wanted
access to sensitive information, said Dan Jones, information-security
coordinator.

The worst-case scenario is that someone could use the Social Security
numbers to get credit cards they never pay off or open bank accounts.  
"The bad credit report is on you and not on them," Schnabel said.

It's also possible, though unlikely, the hacker could use the
information to make fake Buff OneCards, Drees said.

Just in case, CU began replacing Buff OneCards on Tuesday and plans to
replace them all within 30 to 40 days, Drees said.

Just knowing the card number won't result in much access because a
card swipe is required to get inside buildings and to make purchases,
he said. Students are able, however, to make deposits on their Buff
OneCards online and access the library online with just their number.

CU took Social Security numbers off all Buff OneCards last spring,
replacing them with a student-ID number. The file that was hacked was
used in the transition and listed people's ID numbers and Social
Security numbers, Schnabel said.

CU technology officials decided Monday they would look for a private
company to audit their system, focusing on 10 to 20 servers with the
most sensitive information, Schnabel said. CU has about 6,000 servers.

The university also will investigate which of its 26,000 computers
that have public access truly need it, he said. Public access to some
machines is necessary so people can register for classes online, for
example.  The rise in identity theft is forcing universities to act
more like corporations that must protect their networks, Schnabel
said.

Across the country, security breaches at universities have become
almost commonplace.

There have been at least 85 major computer-security breaches in the
country this year, said Jay Foley of the Identity Theft Resource
Center in San Diego. About half of those have been at universities, he
said.

Hackers have spared no college, from the small, such as Jackson
Community College in Michigan, to the large, such as the University of
California at Berkeley.

In a two-week span from late May to early June, hackers struck
computers on at least five university campuses.

"It's an inviting target because the main data they collect is about
all who attend and all who work there," Foley said. "They become a
rich target environment for identity thieves."

Many schools, including CU and the University of Denver, have switched
from Social Security numbers to other unique ID numbers.

DU built a card-secure building last year to house and protect servers
that hold sensitive information, spokesman Warren Smith said. The
university also has "physically secured" computers that hold personal
student information, said Smith, who declined to go into many
specifics.

DU also has hired an outside company to regularly test the
university's network security. "They try to break in and notify us of
any problems," Smith said.

Foley said universities struggle to protect their systems, in part
because they use in-house staffers rather than outside experts such as
corporations. But it's also because university computer networks are
typically open environments that promote the sharing of information.

He suggests universities start keeping sensitive student information
in as few places as possible and secure those computers tightly.

CU discovered security breaches July 14 at the Wardenburg Health
Center and the College of Architecture. A breach last year in the
continuing-education department was the first for the university.

-=-

Staff writer Jennifer Brown can be reached at 303-820-1593 
or jenbrown at denverpost.com.