[ISN] Hacker attacks college server

From: InfoSec News (isn@private)
Date: Wed Jul 06 2005 - 23:44:37 PDT


http://www.statenews.com/article.phtml?pk=30684

By AMY DAVIS
The State News
July 7, 2005

More than 27,000 students were informed by e-mail on Tuesday that
their Social Security numbers could have been compromised by an attack
on the College of Education's server.

The server housed information that included student names, addresses,
student courses and personal identification numbers. After the
intrusion was discovered at the beginning of April, the server was
taken off-line and a computer forensic investigation on the incident
was started, said College of Education Assistant Dean Gail Nutter.  
Now, the college no longer maintains student Social Security numbers
on its server.

Because personal information could have been accessed, Judith Collins,
director of MSU's Identity Theft Partnerships in Prevention and
associate professor of criminal justice, said students should
immediately call their credit companies to put a fraud alert on their
accounts.

"If someone has a name and Social Security number, they can apply for
a credit card, so this is a major issue," Collins said. She added that
no business or university is immune to intrusions.

Curriculum and teaching graduate student Nick Husbye said he isn't
concerned about the security of his personal information, but he
wished the university had warned students of the intrusion earlier.

"If they knew in April, it would have been more pertinent to let us
know then, but I'm going to trust my college that they had a reason to
let us know now," Husbye said.

Husbye said he will continue to keep an eye on his credit report.  
"That is what you should do anyway - you just need to be vigilant
about your own stuff," he said.

The attack on the College of Education server is the latest in a
string of similar intrusions on MSU servers. Last week, an intrusion
was discovered within MSU's Department of Human Resources, which could
have allowed the culprit to gain access to the Social Security numbers
of all MSU employees and retirees.

David Gift, vice provost for Libraries, Computing & Technology, said
MSU's policy of fully disclosing all intrusions gives the illusion
that it's happening all of the time.

"These security breeches are happening so frequently these days that
it doesn't matter if you know about the intrusion," Gift said, adding
that unknown intrusions can happen almost as frequently and are a
greater threat.

The university is taking a number of steps to protect sensitive
information, Gift said. MSU is bolstering work security and minimizing
sensitive information's potential exposure by eliminating personal
data that doesn't need to be stored for a long period of time.

Gift said most computer intrusions are done for reasons other than to
steal data, such as people seeking file space to illegally move files
around. He added that it's difficult to determine the culprit of any
hacking attempt because the culprits take extra measures to disguise
their identities.

Adult education graduate student Jonathan Lembright received the
e-mail about the computer server break-in and said he wasn't very
concerned about the attack.

"I trust that MSU is doing their best to see our security is watched,"  
Lembright said.

-=-

Amy Davis can be reached at davisam8 at msu.edu. Staff writer Maggie
Lillis contributed to this report.



_________________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 - 
2,000+ international security experts, 
10 tracks, no vendor pitches.
www.blackhat.com 



This archive was generated by hypermail 2.1.3 : Wed Jul 06 2005 - 23:53:38 PDT