[ISN] Failure to patch flaw exposes data on 60,000 at Antioch

From: InfoSec News (alerts@private)
Date: Sun Apr 06 2008 - 23:18:21 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9075098

By Jaikumar Vijayan
April 4, 2008
Computerworld

Windows systems may be the most frequently attacked by malicious 
hackers, but they certainly are not the only targets.

Serving as the latest reminder of that fact is Antioch University in 
Yellow Springs, Ohio, which recently disclosed that Social Security 
numbers and other personal data belonging to more than 60,000 students, 
former students and employees may have been compromised by multiple 
intrusions into its main ERP server.

The break-ins were discovered Feb. 13 and involved a Sun Solaris server 
that had not been patched against a previously disclosed FTP 
vulnerability, even though a fix was available for the flaw at the time 
of the breach, university CIO William Marshall said today.

The university was alerted to the breach while IT officials were 
investigating a separate virus that had also infected the system and was 
broadcasting obscene material from it, Marshall said. That particular 
virus was programmed to broadcast the material on the 13th of every 
month and was detected by the university's antivirus software, when it 
started doing so on Feb. 13, he said.

"When we went in and did a further investigation, we found that there 
was an IRC bot installed on the system," Marshall said.

According to Marshall, the university ERP system, based at Antioch's 
main campus in Yellow Springs, appears to have been breached on three 
separate occasions.

The first break-in occurred June 9, 2007, when intruders gained remote 
access to the ERP server via the unpatched Solaris FTP vulnerability. 
"The first one was an automated attack. It happened very, very quickly," 
Marshall said. The IRC bot discovered Feb. 13 appears to have been 
installed on the system one day after the initial intrusion, he said. 
Forensic analysis shows that the third time the server was illegally 
accessed was Oct. 11, 2007, Marshall said.

As far as the university can tell, the data on the server appears not to 
have been illegally downloaded or copied by the intruders, he said.

Following the discovery of the intrusions, the infected server was taken 
offline, the data on it was backed up and the operating system was 
reinstalled from scratch, Marshall said. "That's the only way we can be 
sure that we got everything on it that shouldn't be there," he said.

The compromised server contained information on current and former 
students and employees across all of Antioch's six campuses going back 
to 1996, Marshall said.

The system also contained information on individuals who had applied to 
Antioch but may have never attended the university and information on 
vendors who may have supplied their Social Security numbers in order to 
get paid. The compromised data included names, addresses, Social 
Security numbers, telephone numbers and academic records.

Notices informing the affected individuals about the breach and urging 
them to take measures to protect against ID theft were sent out last 
week, Marshall said. There are a couple of reasons for the delay, he 
added. First, the university needed at least two weeks to understand the 
full scope of the breach, and the university did not want to compromise 
investigations by law enforcement authorities by disclosing the breach 
prematurely, he said.

The main lesson from the intrusions is to make sure that patches get 
installed in a timely fashion whatever the environment, Marshall said. 
Just because Windows systems get patched and attacked the most often is 
no reason for getting complacent about security on other operating 
systems, he said.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Sun Apr 06 2008 - 23:29:27 PDT