SCSU web server becomes spam server and exposes personal information
Technorati Tag: Security Breach
Date Reported:
4/24/08
Organization:
Southern Connecticut State University
Contractor/Consultant/Branch:
None
Victims:
Current and former students
Number Affected:
11,000
Types of Data:
Names, addresses and Social Security numbers
Breach Description:
"Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised."
Reference URL:
SCSU Alert
PCWorld
NBC Channel 30 News
Chronicle of Higher Education
Report Credit:
Southern Connecticut State University
Response:
From the online sources cited above:
From the University's Alert Page:
During a recent security review of the Southern Connecticut State University Web server, it was discovered that certain identifying information pertaining to current students and alumni could have been vulnerable to access by unauthorized individuals.
[Evan] As you will read further in this posting, the web server appears to have been compromised. I don't think "could have been vulnerable" is an accurate assessment. The information WAS vulnerable.
The information, including names, addresses, and Social Security numbers, was contained in a protected records office file in which students would register for graduation.
Records of about 11,000 students had been stored in the file dating back to 2002.
[Evan] Personal information belonging to thousands of people on a public web server. UGH.
Upon discovering this potential vulnerability, the university immediately disabled the application and secured the file.
There has been no determination that the personal information contained in the file was accessed, nor is there any indication that this data has been or will be used for purposes of identity theft.
[Evan] Even novice web site administrators log access to web pages and files. If the attacker accessed the file through the web service/daemon, then access was probably logged. If the attacker had completely compromised the web server or taken a different avenue of attack, then there might not be easily obtained evidence of access. Either way, I assume that the file could have been accessed easily.
The university has notified all the affected individuals by letter and taken a number of proactive steps, along with a full security review of the university's Web server.
[Evan] What is proactive in a response?
The University has undertaken a review of all files containing personal information on its Web server and there is no evidence to date that any of them have been compromised.
[Evan] The University should undertake a review of all files containing personal (and other confidential) information everywhere, not just its Web server. Why would personal information storage be permitted at all on a web server?
Identity protection services will be provided at the university's expense to the affected individuals, for a period of up to two years. To obtain this optional coverage, registration for this service is necessary.
[Evan] At the "university's expense" means at the current and future students' expense. As the cost of business goes up, so does the cost of service (at some point), which means an increase in the price of tuition or an increase in taxes (SCSU is a member of the Connecticut State University System). Does this sound like good management?
A help desk has been established to respond to questions. The help desk number is: and will be staffed between the hours of 8:30 a.m. to 4:30 p.m.
A dedicated Web page, containing updated information, has been created and may be accessed at www.southernct.edu/creditmonitoring/
Now From Outside Sources:
Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised.
[Evan] Do you see how the school's alert web site differs from outside sources? See a spin (one way or the other)? Do you think that the outside sources try to sensationalize the story, or do you think that the school doesn't want the embarrassment that their web server was a spam-related site for some time? Maybe a combination of the two.
The personal data was in a file on the university's Web server, which was accessed by criminals who were using the university's site as part of a spam operation, said Patrick Dilger, the university's director of public affairs.
[Evan] Not only was personal information stored on a public web server, but it was stored on a poorly secured (and probably poorly monitored) public web server.
"The hackers were using our Web server as a host for their own Web site," he said.
Pages on the university's site contained ads for diamond rings, Viagra and Cialis.
After noticing the ads on April 9th, IT staff discovered the file containing the sensitive information. "When we were doing the security review after the hacker incident, we saw this file there and it wasn't properly secured, so it could have been targeted by someone," Dilger said.
The university believes that the hackers came from outside the U.S., and it is working with Connecticut's attorney general's office to investigate.
Richard Blumenthal, Connecticut’s attorney general, sent a letter last week to Michael J. Hogan, president of the University of Connecticut, describing the breach and advising him that the many campuses he oversees should be vigilant about their storage, use, and disposal of confidential data.
Commentary:
There are so many things wrong with this, it is hard to know where to start. Will anyone be held accountable?
Past Breaches:
April, 2008 - Stolen SunGard laptop affects at least 10 post-secondary schools (PogoWasRight has been keeping a running update of the SunGard breach; check out their search.)