http://www.denverpost.com/Stories/0,1413,36~53~2539839,00.html By George Merritt Denver Post Staff Writer November 17, 2004 Boulder - University computer systems are an easy and likely target for computer hackers, and experts warn that students will be more likely to become victims of identity theft if changes don't come soon. "These universities have a real issue on their hands," said Jay Foley of the Identity Theft Resource Center in San Diego. Foley said hackers can use personal information such as Social Security numbers to open fraudulent credit accounts in students' names. "It does you absolutely no good to graduate a class of 1,000 highly skilled people ... who can't get jobs because most of them are so deeply in debt that no one will hire them," he said. Last month, about 1,000 University of Colorado continuing-education students became the latest to have their personal information compromised. Officials said CU's hacker was a "joyrider" who broke into the system without actually taking identifying information. But the break-in added CU to the list of victim universities throughout the country. In August, a hacker broke into the University of California at Berkeley's system and got access to about 600,000 people's personal information. A University of Texas hacker accessed about 55,000 identities from that system last year. There have been similar incidents recently from Boston University to Georgia Tech, from Southern Illinois University to San Diego State University. Campus technology experts say universities are in a unique and vulnerable security situation. While their computer systems contain a wealth of personal identifiers, universities represent a culture of open information sharing. "It is hard because security and convenience are kind of mutually exclusive," said San Diego State's technology security officer, John Denune. "So with a university environment, we always have to keep our educational mission in perspective because we can't lock things down like a business would." CU officials have been trying since summer 2003 to combat the risk by issuing new students identification numbers that are different from their Social Security numbers. There are plans to convert ID numbers for the entire student body sometime next year. The University of Denver has also done away with Social Security numbers as identifiers, and Colorado State University students can opt for a different identification number. CSU plans to change over completely in 2006. State law requires all universities to drop Social Security numbers as identification by 2008. Security experts praise the effort but say it is only one step. "Security has become the No. 1 agenda item every day for all the IT professionals," said Dennis Maloney, CU's head of information technology. "It is a daunting task because it is hard to know what is going on with (the university's) 25,000 computing devices at all points in time." Maloney said his staff tries to lock down students' most sensitive personal information. "Why hack universities?" asked Rick Dakin, president of Coalfire Systems Inc., a Superior computer security consulting firm. "Because there is a ton of personal information, a ton of computing power and a ton of computers." Maloney said CU offers free antivirus software for students to download and a computer scan to make sure individual computers have up-to-date defenses. He said campuses have to rely more and more on students to keep up security on their personal computers. Identity theft is not the only motivation for those hacking into university systems - in fact, identity thieves represent a small percentage of hackers, experts said. Hackers are also intent on scoring bragging rights among their online buddies or manipulating an army of computers to do their bidding. As they look for any holes in a system's security, universities can even fall prey out of dumb luck. "Most of the worms - or even the low-level hackers - out there are just looking for any vulnerability out there that they can exploit," Denune said. "Universities tend to be a large target of opportunity because we have a lot of bandwidth." Enforcing the laws against hacking is complicated. While there has been success tracking down hackers, authorities said the nature of the Internet makes it hard to know where to begin investigating, or whose jurisdiction should handle it. "There really isn't any central agency for this," said Mike Knight, spokesman for the district attorney's office for the 18th Judicial District. Maloney said security remains the top priority. But even with changes, hackers remain an elusive "moving target" for universities. "I look at the security alerts every day, and there is a new vulnerability every day somewhere on campus," Maloney said. "I don't think we've seen the light at the end of the tunnel for that stopping." _________________________________________ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Thu Nov 18 2004 - 06:54:46 PST