http://www.athensnews.com/issue/article.php3?story_id=25314

By Jim Phillips
Athens NEWS Senior Writer
2006-06-26

Part of the recently released consultant's audit of OU's computer security systems (see related story, page 6) is a review of two major hacking incidents and how OU responded to them. In one case, the server that was hacked into was apparently vulnerable to such a breach because many personnel at OU were not even aware it was still connected to the university's network.

The two hacking incidents, which have caused OU no end of public relations grief, are what prompted the university to hire Moran Technology Consultants to conduct its audit in the first place. OU has also found three other security breaches.

According to the audit report, the two breaches examined in the report involved OU servers named ALUMINFO3 and SHSSRV1. The first contained personal and contact information for 300,000 alumni, including Social Security numbers for about 137,000 people. This server was apparently left vulnerable to hacking because IT personnel thought it had been taken offline, but it hadn't. The second is used by OU's Hudson Health Center, and includes about 60,000 patient records, with Social Security numbers. Hackers apparently broke into this server, then tried to use it to attack another OU server.

Moran suggests that OU discovered the Hudson security breach mainly because two other hacking incidents triggered a "heightened awareness," prompting OU to run virus scans on various other computer systems.

Donor database breach: The first known problem with this database dates to March 1, 2005, the consultant found. Someone (whose identity is redacted from the audit) reported an apparent breach in April 2006 via e-mail to Bob Watkins, an operating systems programmer at CNS.
Moran concludes that the system was vulnerable to hacking (by some particular method that has been redacted from the report) from March 1, 2005, to April 24, 2006, but that there is not enough information available to tell whether hackers actually stole any information from the system. From Feb. 1, 2006 to April 11, 2006, the report adds, "the system was apparently used as a music file sharing server," and on April 22, 2006, "the system was used to attack another server."

Numerous employees interviewed by Moran said they thought this server had been turned off and disconnected from the OU network since a prior application upgrade. Records show, however, that it was in more or less continuous service from May 5, 2004 to April 24, 2006, when the breach was discovered - though it had been taken offline for a total of about 14 days since March 25, 2005.

Moran concluded that this system should have been turned off and disconnected from the network after April 14, 2005, when it was decommissioned. "However, apparently due to poor communication, lack of decommissioning procedures, and poorly defined responsibilities, the system was turned off but then turned back on 10 days later." The report adds that the initial break-in to the system apparently happened before it was decommissioned, and that leaving it connected afterwards greatly increased the odds that data was stolen, and led to other abuses of the system.

Hudson patient database breach: This server was apparently first hacked into on Dec. 19, 2005, according to Moran. In early January 2006, the administrator of another OU server reported that the SHSSRV1 server was trying to log on to his server. The incident was reported to OU's computer security team, but "it is not clear what action was taken beyond this," the report says.

IN EACH INCIDENT, once the breach was detected, the systems were quickly taken offline, the report says, and appropriately reported to OU's CIO, Office of Legal Affairs, and PR personnel.
Moran concludes that up to a certain point, the response of OU's security team to the breaches was "relatively well orchestrated and organized." After the point at which the team began trying to find out how widespread the problem was, however, "activities became poorly organized and fragmented," according to Moran.

CNS Director Tom Reid took over the job of managing the response from the lead member of the security team, who, according to Moran, was better qualified to handle the job. Reid said Sunday that it wasn't his decision to take over the response team, but that of CIO Bill Sams. "I was assigned that task by the CIO," he claimed.

OU also put three Computer Services employees on administrative leave at this point, an action that Moran believes "greatly contributed to the confusion and disorganization in the wake of the problems. The people who knew the compromised systems best were sent home, instead of being available to assist in the response."

The report also notes that the three employees placed on leave (OU has said it is recalling them) had previously "made efforts to get help from CNS" with security problems, but probably should have taken their concerns to higher management.

The report concludes that OU's initial containment procedures "were appropriate and effective," but after these initial steps, "the process faltered."

UNIVERSITY CHIEF Information Officer Bill Sams told the OU Trustees at a meeting last week that OU has gotten about two dozen reports of identity theft since the breaches were discovered, though these may not all be traceable to the problems with OU computers. OU has said that it will not take financial liability for financial loss due to identity theft unless a person can show that his or her personal data was not stolen from some other source that was holding it.
Sams called the number of identity theft reports "surprisingly small," given the volume of personal information potentially exposed in the computer security breaches. He said that based on what OU investigators have discovered about the hacking incidents, they believe they were unrelated to each other. "It was not a continuous series of attacks," he told the Trustees.

Based on the audit findings, Sams said, it appears that CNS was more concerned with performance than with security, and wanted to avoid slow-downs that might result from taking needed security measures. He promised that OU will take steps to change the culture within its IT departments that helped allow the breaches to occur.

Trustee C. Robert Kidder noted that the security breaches "cost us greatly" in terms of both money and bad publicity. During the meeting, the Board of Trustees approved a motion to spend up to $4 million on addressing the IT problems. Asked where that money will come from, President Roderick McDavis said he is not sure, but that it definitely will not come from extra money set aside for priorities laid out in OU's Vision Ohio comprehensive plan.
This archive was generated by hypermail 2.1.3 : Mon Jun 26 2006 - 22:38:23 PDT