Malware infects Tufts University computers and exposes personal information
Date Reported:
6/8/10
Organization:
Tufts University
Contractor/Consultant/Branch:
None
Location:
Medford/Somerville, Massachusetts
Victims:
Alumni
Number Affected:
"Seven thousand"
Types of Data:
"Social Security numbers and other personal information"
Breach Description:
"Thousands of Tufts University alumni have received letters over the past few days warning about a computer security breach that may have left Social Security numbers and other personal information exposed."
Reference URL:
The Boston Globe
Blast Magazine
New Hampshire State Attorney General breach notification (dated 6/3/10)
Report Credit:
John Guilfoil, The Boston Globe
Response:
From the online sources cited above:
Thousands of Tufts University alumni have received letters over the past few days warning about a computer security breach that may have left Social Security numbers and other personal information exposed.
"We have determined that certain users were unknowingly infected with the 'torpig' malware, which may have allowed third party access to stored data on Tufts computers."
[Evan] The original torpig came to us in 2005 and it has been around (like most viruses) ever since. It is also known as "Win32.Anserin.C" by Symantec. The only purpose for torpig is to collect stolen financial and personal information from infected machines. Students from the University of California, Santa Barbara took control of the torpig botnet for ten days in early 2009, and their report is pretty interesting. According to their numbers, they observed "more than 180 thousand infections and recorded almost 70 GB of data that the bots collected."
"The first two such incidents came to our attention on February 18, 2010."
"Additional incidents came to our attention on March 9, March 16 and April 2."
[Evan] This seems to me like four such incidents, not two as claimed earlier. It took more than three months to detect the intrusion, conduct an investigation, and inform victims.
"Because of the similarity of the malware, we are treating the incursion as one multi-faceted incident."
[Evan] OK not two or four incidents, but one multi-faceted incident. Now that we have that figured out.
"The forensic analysis of the various computers by the outside consultant retained by Tufts was completed on May 7, 2010."
"The attacks involved malicious advertisements that were placed on remote websites; upon visiting the website the Tufts computers were scanned and vulnerabilities were exploited, allowing the attackers to install and run malware without requiring any input or clicking on the part of the Tufts user."
[Evan] I wonder what controls were/are in place for outbound Internet access and response. Does the school filter web traffic or place any restrictions on web site usage? Is inbound web traffic scanned for malicious software ("malware")? Were these infected workstations patched (no)? Did these infected workstations have anti-virus software installed with the latest virus definitions? Did intrusion detection/prevention systems alert anyone? Any combination of these controls could potentially have helped avert this incident.
"The malware, classified as a variant of 'torpig', was designed to search the computer for personal information and then upload it to remote command and control servers, in addition to providing the remote attacker the ability to install and execute arbitrary software on the compromised computer."
"All of the personal information involved was in electronic form, and all were Social Security numbers. (Until 2004, Tufts used students' Social Security numbers as their university identification number, so older records would contain this number even if no health or financial information was involved.)"
[Evan] Many organizations who used Social Security numbers as identification numbers are struggling with the clean up. Social Security numbers were never intended to be used as identification numbers in schools, or to compile personal financial information either, for that matter.
"One individual computer was compromised but our forensic consultant, after extensive testing, informed us on May 11, 2010 that it could not reach a definitive opinion as to whether or not personal information was accessed."
"To be cautious, we have decided to notify the individuals whose information was on that computer, and are in the process of gathering those individuals' addresses."
"Upon learning of the first incident, Tufts arranged for an internal forensic review of the hard drives, as well as several days of netflow, anti-virus and IDS log messages."
"The computers in question were promptly isolated so that no further access was possible."
"Tufts also engaged an outside contractor, cmd Labs of Baltimore, MD, to assist in the analysis."
"Cmd Labs' three principals are recognized experts in the field of digital forensics and cyber-crime investigation."
"Tufts has diligently updated anti-virus definitions to improve detection of this class of malware, and has deployed security patches from software vendors to mitigate the risk going forward."
[Evan] Going forward this is good. Besides, who would have thought to ensure anti-virus software and patching were up to date in the first place? ;)
"Additionally, schools and departments across the University are implementing provisions from our Written Information Security Program, including (i) identifying where personal information is being stored, (ii) securely destroying information that is no longer needed, and (iii) reviewing the security safeguards in place for personal information that does need to be maintained, to ensure that such safeguards meet the requirements outlined within 201 CMR 17.00."
[Evan] For those who are unaware, "201 CMR 17.00" is a reference to the Massachusetts law "Standards for the Protection of Personal Information of Residents of the Commonwealth" enacted earlier this year.
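Step (i) of the program quoted above, finding where Social Security numbers are still sitting on disk, is the part of the clean-up that can be scripted. The following is an added example, not Tufts' code or any part of its Written Information Security Program: it walks a directory tree, flags SSN-shaped tokens, and applies the Social Security Administration's structural rules (area not 000, 666 or 900-999; group not 00; serial not 0000) so that phone numbers, inventory serials and other nine-digit values are not reported as SSNs. The file names and contents in the demo are constructed for illustration.

```python
"""Locate files that contain apparent U.S. Social Security numbers.

Added example, not Tufts' code or part of its Written Information Security
Program: a minimal data-discovery pass of the kind step (i) of the notice
describes. It walks a directory, flags SSN-shaped tokens, and applies the
SSA's structural rules to cut down false positives from nine-digit numbers
that cannot be SSNs (area 000, 666 or 900-999; group 00; serial 0000).
"""
import os
import re
import tempfile

# Matches 123-45-6789, 123 45 6789 or 123456789 as a standalone digit group.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> list[str]:
    """Return the plausible SSNs found in text, normalized to ddd-dd-dddd."""
    hits = []
    for area, group, serial in SSN_RE.findall(text):
        if plausible_ssn(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits


def scan_tree(root: str, max_bytes: int = 10_000_000) -> dict[str, int]:
    """Map each file under root that contains plausible SSNs to the count found.

    Files are read as text with undecodable bytes ignored so binary files
    do not abort the scan; oversized and unreadable files are skipped.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_ssns(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = len(hits)
    return findings


def demo() -> dict[str, int]:
    """Build a constructed sample tree, scan it, and return {basename: count}."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            # Constructed: an old roster keyed by SSN, the pattern the notice describes.
            "alumni_1998.csv": "id,name\n123-45-6789,A. Student\n219 09 9999,B. Student\n",
            # Constructed: nine-digit values that cannot be SSNs (area 000/666/9xx, group 00).
            "inventory.txt": "serial 000-12-3456 666-12-3456 912-34-5678 123-00-4567\n",
            # Constructed: a phone number and an 11-digit run that must not match.
            "contacts.txt": "call 617-555-0100 ref 12345678901\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): n for p, n in scan_tree(root).items()}


if __name__ == "__main__":
    for path, count in sorted(demo().items()):
        print(f"{path}: {count} SSN-like value(s)")
```

Only the constructed roster file is reported; the inventory and contacts files contain nine-digit runs that fail either the structural rules or the digit-boundary checks. In a real sweep the hit list is the input to step (ii), securely destroying what is no longer needed, and step (iii), reviewing safeguards on what must be kept.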
Seven thousand alumni are affected, and warning letters started going out May 24.
Tufts is offering each alumnus a free year of credit monitoring service from Experian.
"Please accept our apologies for any inconvenience or concerns this may cause."
"If you should have any further questions, please contact our information line, which is in operation Monday-Friday 9:00 a.m. to 5:00 p.m. ET at 1- (toll-free) or 1-."
Commentary:
This breach could/should have been easily prevented. There are a number of controls that should have been in place (See comments above).
Computers in at least two departments appear to be affected by this breach: the Athletics Department and the Dining Services Department.
Past Breaches:
Unknown