Three computers at the University of Colorado are compromised

UPDATE (May 6th, 2008):
"The University of Colorado at Boulder today announced that a forensic analysis of a computer suspected to have been compromised last week revealed no malicious software, and no exposure of student and staff private data."
As reported at the University of Colorado.

Date Reported:
4/25/08

Organization:
University of Colorado

Contractor/Consultant/Branch:
University of Colorado at Boulder

Victims:
Students and instructors involved with the Division of Continuing Education and Professional Studies between 1997 and 2003.

Number Affected:
~9,500*

*According to the school's response, "approximately 9,000 students, and approximately 500 instructors"

Types of Data:
"names, Social Security numbers, addresses, grades"

Breach Description:
"The University of Colorado at Boulder has announced that it discovered three computers in the Division of Continuing Education and Professional Studies were compromised and that one of the computers contains private data (i.e. names, Social Security numbers, addresses, grades) of approximately 9,000 students, and approximately 500 instructors."

Reference URL:
University of Colorado at Boulder
KUSA Channel 9 News
KJCT Channel 8 News
FOX News Colorado

Report Credit:
University of Colorado at Boulder

Response:
From the online sources cited above:

BOULDER - The University of Colorado at Boulder announced Friday that three computers in the Division of Continuing Education and Professional Studies were compromised, leaving nearly 10,000 people open to potential identity theft.
[Evan] It's not clear whether or not these computers were client computers or servers.

CU Boulder IT security investigators on Thursday discovered a malicious file on the computers and began analyzing log files to determine the extent of the exposure and whether any information was accessed.
[Evan] Hmm.  A "malicious file" could mean a lot of things.

Investigators are still trying to determine the intent of the malicious file and whether it allowed the perpetrator to gain access to any private data.
[Evan] The school must think that there is a chance that the intent of the malicious file was to capture and transmit sensitive information and that there was a chance of success.  Otherwise, why would the school report it?  If it were a run of the mill virus (supposing one exists nowadays), would you report it?  Hard to say.

Bronson Hilliard, a spokesman for CU-Boulder, says one of the three computers had personal data, including names, Social Security numbers, addresses and grades, of about 9,000 students and about 500 instructors.
[Evan] Should we assume that these were client computers and that "had" means stored?

"The university and I are deeply troubled that this compromise occurred despite efforts under way across campus to address computer security," stated Chancellor G.P. "Bud" Peterson.

"We will continue and strengthen our security efforts and hold our departments accountable for their success."
[Evan] Excellent quote, from G.P. "Bud" Peterson.  The keywords that I really like are "continue", "strengthen" and "accountable".

Hilliard says they do not believe the data has been accessed, but CU is in the process of contacting the affected students and instructors by mail.

Officials say students and instructors who were involved in the Division of Continuing Education and Professional Studies between 1997 and 2003 were affected.
[Evan] Does the school still need to store personal information that is 5 - 11 years old?

CU says a computer forensics firm has been hired to conduct an analysis.

Over the past few years, the CU-Boulder campus has stepped up efforts to increase security awareness and address IT security.

These efforts have included:
  • Launching a campus risk assessment process in 2005 to identify campus IT security risks and to locate and eliminate unnecessary databases of social security and credit card numbers;
  • Switching from Social Security numbers to a student identification number system in 2005;
  • Using a restrictive network firewall installed in August 2006 that has greatly reduced the campus's exposure to vulnerabilities;
  • Conducting computer security training for all employees.

Commentary:
Generally, I get the feeling that the University of Colorado is much better off in their information security efforts than most schools.  The leader of the organization, G.P. "Bud" Peterson seems to be in touch based on his remarks, and this should not be undervalued.  Organizational leadership is absolutely critical for the implementation and management of an effective information security program.

Let's make some assumptions.

Assumption #1 - Most malicious files are obtained through web browsing and email.  There are numerous controls that can prevent (or detect early) attempted infections through this avenue of attack.  Are these in place at CU?

Assumption #2 - The compromised computers were client computers.  Generally, it is not advised to store confidential information on client computers unless there is a compelling business case.

Assumption #3 - The compromised computers were servers and Assumption #1 is true.  I have run into many cases where a server was compromised through administrator web surfing.  I also remember when it was recommended that people not run anti-malware applications on servers (due to heavy I/O primarily).  A tip: Don't surf the web from servers and in most cases run (and maintain) anti-malware applications on servers.
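Both the campus effort listed above to locate and eliminate unnecessary databases of Social Security numbers and Assumption #2 come down to the same control: knowing which machines hold SSNs at all. The following is an added example, not code from the university or from this post, of a small data-discovery scanner; the SSN format and never-issued ranges are public SSA rules, while the `Finding` type, `scan_text` function and the sample export are assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Hypothetical scanner constructed for this post: finds Social Security
# number-like values in text so unneeded stores of them can be located and
# removed. Only the 3-2-4 format and the never-issued ranges are SSA rules.

# 3-2-4 digits, with the same separator (dash, space or none) in both
# positions, and not embedded in a longer digit run. Bare 9-digit runs
# are accepted but are the most common source of false positives.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


@dataclass
class Finding:
    line_no: int
    masked: str  # only the last four digits survive, e.g. ***-**-6789


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00 and serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_text(text: str) -> List[Finding]:
    """Return one masked finding per plausible SSN, in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, _sep, group, serial = m.groups()
            if plausible_ssn(area, group, serial):
                findings.append(Finding(line_no, f"***-**-{serial}"))
    return findings


# Constructed sample: a CSV-style export plus lines that should not match.
SAMPLE = """\
student_id,name,ssn,grade
CE1997-001,Jane Doe,123-45-6789,A
CE1998-042,John Roe,876-54-3210,B
CE1999-007,Test Rec,000-12-3456,C
phone: 303 555 0100 ext 1234
order 123456789
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.masked}")
```

Point `scan_text` at exported spreadsheets, database dumps or user profile directories on a host and any hit is a machine that needs the business-case review Assumption #2 asks for.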

So, I make a lot of assumptions.  Some may be true, and some may be so far off that I should be writing this article on the moon.  Either way, breaches get me thinking, and thinking is mostly a good thing.

Past Breaches:
Unknown
