[ISN] University Blames Security Breach On Un-patched Symantec Bug

From: InfoSec News (alerts@private)
Date: Thu May 24 2007 - 22:25:47 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=199701978

By Sharon Gaudin
InformationWeek
May 24, 2007 

The University of Colorado at Boulder said sensitive information on 
44,998 students was exposed because a worm attacked the network through 
an un-patched bug in Symantec's anti-virus software.

A server in the university's College of Arts and Sciences' Academic 
Advising Center held the names and Social Security numbers of students 
enrolled at CU-Boulder from 2002 to the present, according to an online 
advisory.

On May 12, the university's IT security investigators discovered that 
the worm entered the server through the vulnerability, which the IT 
staff had failed to patch, the university reported. Investigators said 
they did not believe the hacker behind the worm was after the personal 
information, but instead was using the flaw as an entryway to other 
computers on the university network.

"The server's security settings were not properly configured and its 
sensitive data had not been fully protected," said Bobby Schnabel, 
CU-Boulder vice provost for technology, in a written statement. "Through 
a combination of human and technical errors, these personal data were 
exposed, although we have no evidence that they were extracted."

A Symantec spokesman told InformationWeek that they have been trying to 
get in touch with the university's IT team but have not yet talked to 
them to get details about the attack or even to find out what 
vulnerability was involved. "We hate to see any customer with a 
problem," he said. "We encourage customers to post patches as soon as 
possible."

Todd Gleeson, a dean CU-Boulder, said in a statement that he wants the 
College of Arts and Sciences IT operations to be placed under the direct 
control of the university's larger IT department. He said all of the 
students affected by the breach are being notified through letters 
mailed to their homes.

"We have also taken steps to ensure that all sensitive personal data has 
been removed from our Academic Advising Center servers," said Gleeson. 
"I want to assure our past and present students that we have taken 
strong measures to protect our advising center computers and our 
students' personal information."

Students who are looking for more information about protecting 
themselves following a data exposure can go to the advisory Web site.


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Thu May 24 2007 - 22:39:09 PDT