Duke School of Law breach affects 3,200
Technorati Tag: Security Breach
Date Reported:
12/4/07
Organization:
Duke University
Contractor/Consultant/Branch:
School of Law
Victims:
Current and prospective Law School applicants
Number Affected:
3,200*
*1,400 in one database containing applicant data and some Social Security numbers, 1,800 in a second database containing applicant data and passwords used by applicants tracking their applications.
Types of Data:
Names, addresses, phone numbers, Social Security numbers, and passwords
Breach Description:
The Duke University School of Law reported that they detected unauthorized and illegal activity on their web site. An investigation revealed that two databases exposed in the attack contained sensitive personal information about some current and prospective Law School applicants and students.
Reference URL:
Duke School of Law Incident Web Page
The News and Observer Story
United Press International Story
Report Credit:
Melinda Vaughn, Executive Director of Communications at Duke University
Response:
From the official incident web page and sources cited above:

On the Duke University home page
Thank you very much for your patience as we continue to work to restore our web site and understand the full ramifications of the attack on our web site and server. The attack was a criminal act, and it is now being investigated by law enforcement officials.
Earlier this evening, the Law School sent emails to about 3,200 prospective and current applicants notifying them that some of their personal information was exposed during the recent attack on our web site.
We have no evidence that the intruders actually downloaded or acquired any of this information. Nonetheless, we know the intruders had the opportunity and the tools to do so, and we therefore felt it was important to notify those who might have been affected as quickly as possible.
[Comfyllama] A good forensic analysis should provide clues if the proper trail exists. You would think that a web server containing sensitive information would employ extensive logging.
On Thursday, Nov. 29, at about 3:30 p.m., we detected unauthorized links and coding in our web site. As soon as a breach was confirmed, we took the site offline and launched our investigation.
By Friday, it appeared that we had removed the unauthorized content, and we reposted the web site.
[Comfyllama] Ugh. Thursday afternoon until Friday was all it took to re-certify the site? Doesn't seem like a good incident response. If a site is compromised, it is usually a better practice to replace it with a new rebuilt server so that the original can be thoroughly examined.
Our continuing investigation, however, found that the web server had been compromised, and that the attack had penetrated more deeply than originally thought.
[Comfyllama] In incident response, it's not a bad idea to hope for the best but assume the worst.
We took the web site down again by Saturday morning pending a more complete security scan by the university’s IT Security Office. We do not believe that any new problems were introduced during the short time that the site was reposted.
As we further evaluated the site, we found that several databases stored on the server were exposed during the attack.
[Comfyllama] Databases on a web server? Bad.
There were two databases containing sensitive or potentially sensitive information. The first held records containing information submitted by prospective applicants who were requesting information from the admissions office.
A small percentage of those prospective applicants had provided Social Security numbers when they completed our online request form. That group of 1,400 prospective students received notifications this afternoon about the security breach.
[Comfyllama] Social Security numbers in a database on a web server? Worse.
The second database in question included contact information and self-generated passwords for about 1,800 current applicants who were using our web site to track the status of their law school applications.
Even though our second database did not contain Social Security numbers, we also have notified this group of the security breach, in case the passwords they used on our site are the same as the passwords they use on other sites.
[Comfyllama] Prudent decision on the part of the school.
The first intrusion occurred in early November, when a directory of foreign files was inserted into the site. Another set of files was deposited on Thanksgiving Day. We believe that nothing was done with these files until the attack began on the afternoon of Nov. 29.
[Comfyllama] Write access to the web server, and the responders didn't think that the compromise "had penetrated more deeply than originally thought"?
Duke University has a policy not to gather Social Security numbers, except in a limited number of circumstances including some transactions with applicants and prospective applicants.
[Comfyllama] This is a good policy.
The Social Security numbers in this database were no longer being used, and we had in fact stopped collecting them from applicants earlier this fall. But the database had not been purged of old data.
[Comfyllama] Lack of audit and review.
We are reviewing our policies to ensure we are in full compliance with all policies that pertain to the handling of Social Security numbers.
[Comfyllama] Sometimes it takes a breach to spur additional audit and review that should have been conducted regularly all along. Unfortunately, there are people affected already.
What has been done to secure the web site and prevent this from happening again?
Over the weekend, we moved the site off our web server to allow us to install a completely new operating system and new software. While that was being done, we also reviewed all the data from the old server’s system for remnants of the intrusion.
The application status tracker is being restructured so that it will not require passwords. Social Security numbers have been removed and will not be stored on our web server.
We are continuing our investigations into how this attack occurred and what additional steps can be taken in the short and long term to further secure our web site and all our electronic data. We will update you on our progress in coming weeks, and we will provide a full report to the community once the investigation and security planning is complete. In the meantime, if you have any questions or concerns, please feel free to contact me **email address removed**, Liz Gustafson **email address removed**, or Jill Miller **email address removed**.
[Comfyllama] We (meaning The Breach Blog) removed the email addresses because we are still a little "old school" in this regard and think that publishing email addresses without obfuscation increases the likelihood of increased spam.
Commentary:
This has to be one of the best incident disclosure announcements I have ever seen in terms of depth. The explanation of what occurred is clear, Duke's response is clear, and what they plan to do is clear. I am impressed.
Now, what I am not impressed about is the decision to store confidential information on a web server. More often than not, this is bad news. Common information security practice is to place publicly accessible servers in a DMZ, segmented from more secure systems that contain databases. Extensive monitoring is then placed on both systems and in between. I am curious how the server itself was compromised. Was it not patched, was it not configured well, was the code written poorly, was someone surfing the web on the server and downloaded malicious code, etc.? I am also curious about whether or not the University conducts regular audits of these systems and runs intrusion detection. Even after such a wonderful announcement by the school, so many questions still remain!
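The report says foreign files sat on the server from early November until the defacement was noticed on Nov. 29, and the commentary asks whether any intrusion detection was running. A scheduled comparison of the web root against a trusted manifest is the simplest control that would have surfaced those files on the first run after they appeared. The script below is an added illustration, not code from The Breach Blog or from Duke; the web root, file names and "foreign" directory are constructed in a temporary directory.

```python
# Added example (not from The Breach Blog or Duke): a minimal file-integrity
# baseline for a web root. Compare a fresh scan against a manifest captured
# while the site was trusted; any added, removed or modified file is reported.
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256} for every regular file under root."""
    manifest = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifest(baseline, current):
    """Classify every difference between the trusted baseline and a new scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a clean web root, then intrusion-style changes."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "index.html").write_text("<html>Law School</html>")
        (site / "css").mkdir()
        (site / "css" / "site.css").write_text("body { margin: 0 }")
        baseline = build_manifest(site)  # captured while the site was trusted

        # Constructed changes mirroring the report: a foreign directory appears
        # and an existing page gains an unauthorized link.
        (site / ".cache").mkdir()
        (site / ".cache" / "x.php").write_text("<?php /* constructed */ ?>")
        (site / "index.html").write_text(
            '<html>Law School<a href="#">x</a></html>')
        return diff_manifest(baseline, build_manifest(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline manifest must be stored off the web server (or signed), since an intruder with write access to the server can otherwise update it along with the files.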
Past Breaches:
Unknown