Oklahoma State University Parking Services server is compromised
Technorati Tag: Security Breach
Date Reported:
5/14/08
Organization:
Oklahoma State University ("OSU")
Contractor/Consultant/Branch:
OSU Parking & Transit Services
Victims:
OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008
Number Affected:
as many as 70,000
Types of Data:
"names, addresses and Social Security numbers"
Breach Description:
"Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008."
Reference URL:
Oklahoma State University Alert
KOCO Channel 5 News
The Daily O'Collegian
The Oklahoman
Report Credit:
Oklahoma State University
Response:
From the online sources cited above:
STILLWATER, Okla. -- Personal information belonging to anybody who got a parking pass at Oklahoma State University over the last five years has been compromised, university officials said Wednesday.
Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008.
[Evan] What does the OSU Parking and Transit Services department need Social Security numbers for? Do you suppose information security personnel knew that sensitive personal information was stored on the server prior to this incident?
Upon discovering this intrusion, the IT Information Security Office immediately removed the server from the network to evaluate server activity to ascertain if personal information had been accessed.
The confidential information has been removed from the database.
The illegal access was limited to the parking and transit server.
As a result of its investigation, OSU believes the intruder's purpose and only action was to use the OSU server for storage capacity and bandwidth to upload and distribute illegal and inappropriate content.
[Evan] I wonder if I am getting this right. Was there a direct network path from the public Internet through a firewall to the compromised database server running http, ftp, or some other file transfer protocol? That's not cool. A database server storing confidential information should not be accessible from the internet directly through a firewall. It is generally a good practice to separate the database function from the file transfer function into different servers and different firewall DMZs. All this for parking? Ugh.
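To make the segmentation point above concrete, here is an added example (my own illustration, not OSU's configuration or anything from the cited sources) of a small policy-as-code check run over a firewall rulebase and host inventory. The rule format, zone names, host names and role labels are all assumptions constructed for the example. It flags the two patterns called out above: an Internet-sourced allow that reaches a database port or the database zone, and a single host that is both a database server and a file-transfer server. The "weak" inventory models a parking server that does everything; the "fixed" one splits the web/file-transfer front end from the database and only lets the DMZ, not the Internet, talk to the database.

```python
from dataclasses import dataclass

# Well-known ports; the mapping is an assumption for the example, not a full catalogue.
DB_PORTS = {1433, 1521, 3306, 5432}           # MSSQL, Oracle, MySQL, PostgreSQL
FILE_TRANSFER_PORTS = {20, 21, 22, 80, 443}   # FTP data/control, SSH/SFTP, HTTP, HTTPS
FILE_TRANSFER_ROLES = {"ftp", "sftp", "http"}


@dataclass(frozen=True)
class Rule:
    """One firewall rule (constructed format): source zone -> destination host:port."""
    src_zone: str   # e.g. "internet", "dmz-web", "zone-db"
    dst_host: str
    dst_port: int
    action: str     # "allow" or "deny"


def find_violations(rules, hosts):
    """Return human-readable findings; an empty list means the policy passes both checks.

    hosts maps a host name to {"zone": str, "roles": set[str]}.
    """
    findings = []
    for r in rules:
        if r.action != "allow" or r.src_zone != "internet":
            continue  # only Internet-sourced allows matter for these two checks
        host = hosts.get(r.dst_host)
        if host is None:
            findings.append(f"rule targets unknown host: {r.dst_host}")
            continue
        if r.dst_port in DB_PORTS:
            findings.append(f"database port reachable from the Internet: {r.dst_host}:{r.dst_port}")
        elif host["zone"] == "zone-db":
            findings.append(f"Internet reaches the database zone: {r.dst_host}:{r.dst_port}")
        elif "db" in host["roles"] and r.dst_port in FILE_TRANSFER_PORTS:
            findings.append(f"file-transfer service exposed on a database host: {r.dst_host}:{r.dst_port}")
    # Co-location check is independent of the rulebase: a DB host should not also move files.
    for name, h in hosts.items():
        if "db" in h["roles"] and h["roles"] & FILE_TRANSFER_ROLES:
            findings.append(f"mixed roles on one host: {name} runs {sorted(h['roles'])}")
    return findings


# Constructed "weak" design: one server in the DMZ runs the database, FTP and HTTP,
# and the firewall passes the Internet straight to all three.
WEAK_HOSTS = {
    "parking-srv": {"zone": "dmz-web", "roles": {"db", "ftp", "http"}},
}
WEAK_RULES = [
    Rule("internet", "parking-srv", 21, "allow"),
    Rule("internet", "parking-srv", 80, "allow"),
    Rule("internet", "parking-srv", 3306, "allow"),
]

# Constructed "fixed" design: web front end in the DMZ, database in its own zone,
# and only the DMZ may open the database port.
FIXED_HOSTS = {
    "parking-web": {"zone": "dmz-web", "roles": {"http"}},
    "parking-db":  {"zone": "zone-db", "roles": {"db"}},
}
FIXED_RULES = [
    Rule("internet", "parking-web", 443, "allow"),
    Rule("dmz-web", "parking-db", 5432, "allow"),
    Rule("internet", "parking-db", 5432, "deny"),
]

if __name__ == "__main__":
    for label, rules, hosts in (("weak", WEAK_RULES, WEAK_HOSTS), ("fixed", FIXED_RULES, FIXED_HOSTS)):
        print(label, "->", find_violations(rules, hosts) or "no findings")
```

The check is deliberately dumb: it reads the exported rulebase and inventory, not live traffic, so it can run as a gate on every rule change rather than once a year during a "full review".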
OSU contacted and worked with federal law enforcement authorities.
After evaluation of all available data related to this incident, OSU found no evidence which would indicate that the database was copied or viewed by the hacker; however, OSU cannot say with 100 percent certainty that the hacker did not access personally identifiable information.
[Evan] I wonder what evidence they looked for and how they went about gathering it.
We are not aware of any instances of misuse of this information or of any identity theft as a result of the temporary availability of this information.
OSU recommends you carefully review any bills or financial transactions you receive in the near future to ensure that the charges associated with your accounts are accurate.
[Evan] Yeah! Review your bills (pay them occasionally) and financial transactions carefully. But wait, you do this already? Disappointing statement coming from an organization that did not carefully review their controls in securing your personal information.
OSU President Burns Hargis said, "This breakdown in security is totally unacceptable. We are conducting a full review and will take whatever steps are necessary to protect our network from unauthorized access. This is a serious matter and we will deal with it aggressively. We regret the circumstances and concern this situation has caused."
[Evan] This is my favorite statement from this story! What do you suppose his stance was prior to being notified of the breach?
In my experience, there are primarily ("primarily" because there are always exceptions) four types of senior information security management. You have the organizations that just don't get it and don't really care or know that they don't get it. These organizations lose information over and over and dangerously continue to operate in a business as usual manner.
Secondly, you have the organizations that didn't get it, suffer some adverse event, then HOLY &$#^! They respond with all guns blazing, overspend on controls they don't need and run a very cost-ineffective security program (I guess they really never got it either).
Thirdly, there is the company that didn't get it, suffered an adverse event and admitted they have a problem. These companies may seek guidance and consultation in the effort to build a comprehensive information security program. These programs should be built around business objectives and sound risk management.
Lastly, there are the companies that were proactive and built a sound information security program because it was good business. These organizations didn't need an adverse event or breach before taking action. These organizations don't panic when an adverse event occurs. They know that eventually an adverse event will occur and they will be prepared when it does.
The server is believed to have been compromised on November 23, 2007. OSU learned of the breech [sic] on March 20, 2008 and blocked access to the server immediately.
[Evan] Wow. The server was 0wn3d (like my 1337 5p34k?) for almost 4 months before anyone noticed?! That is way, way, way too long for a compromised server to go unnoticed. We can now assume that there was no effective IDS/IPS (host or network) and no effective logging and monitoring of the server.
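The page says the intruder used the box for "storage capacity and bandwidth" for four months. That pattern is loud if anyone is looking: a database server's outbound volume, peer count and listening ports do not change by orders of magnitude on their own. Below is an added example (my own illustration, not OSU's monitoring and not anything from the cited sources) of the kind of baseline-and-deviate check that would have fired on the first day. The daily per-host summaries are constructed sample data, as are the port numbers and the "day08" onset; a real deployment would feed it from NetFlow/sFlow or host counters plus a listening-port inventory.

```python
from statistics import mean, pstdev

MB = 1_000_000

# Constructed sample: one row per day for a database server that also runs FTP.
# Fields: day label, outbound bytes, distinct external peers, TCP ports seen listening.
DAILY = [
    ("day01", 60 * MB, 12, {21, 3306}),
    ("day02", 55 * MB, 14, {21, 3306}),
    ("day03", 70 * MB, 11, {21, 3306}),
    ("day04", 65 * MB, 13, {21, 3306}),
    ("day05", 58 * MB, 12, {21, 3306}),
    ("day06", 62 * MB, 15, {21, 3306}),
    ("day07", 57 * MB, 10, {21, 3306}),
    ("day08", 9_500 * MB, 640, {21, 3306, 8080}),   # constructed: the box starts serving files
    ("day09", 12_000 * MB, 910, {21, 3306, 8080}),
]


def build_baseline(rows):
    """Mean and population std-dev of outbound bytes and peers, plus the set of ports seen."""
    out_bytes = [r[1] for r in rows]
    peers = [r[2] for r in rows]
    ports = set().union(*(r[3] for r in rows))
    return {
        "bytes_mean": mean(out_bytes), "bytes_sd": pstdev(out_bytes),
        "peers_mean": mean(peers), "peers_sd": pstdev(peers),
        "ports": ports,
    }


def detect(rows, baseline_days=7, z=4.0):
    """Return [(day, [reasons])] for every day after the baseline window that deviates.

    A day is flagged when outbound bytes or peer count exceeds mean + z*sd, or when a
    listening port appears that the baseline never saw. The max(sd, 1) floor keeps a
    perfectly flat baseline from making the threshold degenerate.
    """
    base = build_baseline(rows[:baseline_days])
    alerts = []
    for day, out_bytes, peers, ports in rows[baseline_days:]:
        reasons = []
        if out_bytes > base["bytes_mean"] + z * max(base["bytes_sd"], 1):
            reasons.append(f"outbound {out_bytes / MB:.0f} MB vs baseline {base['bytes_mean'] / MB:.0f} MB")
        if peers > base["peers_mean"] + z * max(base["peers_sd"], 1):
            reasons.append(f"{peers} external peers vs baseline {base['peers_mean']:.0f}")
        new_ports = ports - base["ports"]
        if new_ports:
            reasons.append(f"new listening port(s) {sorted(new_ports)}")
        if reasons:
            alerts.append((day, reasons))
    return alerts


if __name__ == "__main__":
    for day, reasons in detect(DAILY):
        print(day, "->", "; ".join(reasons))
```

The point is not the statistics (z=4 over seven days is crude) but that the three signals are cheap, host-agnostic, and catch exactly the abuse the university describes without needing a signature for whatever the intruder uploaded. The new-port check alone would have caught a fresh file-serving daemon the day it appeared.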
The OSU Parking Department has altered their procedures for the collection of private information. Additionally, the server which was located at the OSU Parking Service's office will be relocated to the IT Data Center for enhanced security. OSU is conducting a full review and will be taking additional steps to protect our network from unauthorized access.
[Evan] It's a very good idea to not collect private information if it is not required. It's too bad that it took a breach for this to happen. Moving the server from the Parking Service's office to the IT Data Center will help protect against physical security attacks, but this was a logical attack. Maybe the IT Data Center has better firewalls or something. I like the "full review". This should be done no less than annually.
The IT Information Security Office has made security recommendations to the OSU Parking Office which include physical relocation of their server and database to a more secure location, additional training for server administrators, and added vulnerability assessments.
Q. How will I know if any of my personal information was used by someone else?
A. The best way to find out is to obtain your credit reports from the three major credit bureaus: Equifax, Experian and Trans Union. If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make, these could be indications that someone else is using your personal information, without your permission.
[Evan] "If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make", then chances are you have already become an identity-theft victim. I'm not saying whether this is likely, or not.
Q. Why did you have my personal information?
A. You provided this information to us when you applied to Oklahoma State University, or during your tenure as a student or employee here. Oklahoma State, like other institutions, maintains records of all employees and students who have attended the University.
[Evan] Great question! Why did you have my personal information (on a publicly accessible server used in a department that doesn't really need it without proper protections and without proper monitoring)?
Commentary:
This breach torques me a little, in case you didn't pick up on that from the comments above. I made plenty.
Past Breaches:
Unknown