Higher ed networks are under attack. Hackers want to break into higher ed databases, sometimes to maliciously filch the identities of students, alumni and staff, sometimes to use universities' servers--which typically run at high speeds--as efficient launchpads for spam, virus and worm attacks on other servers. Sometimes stolen high-speed bandwidth is used for illegal movie downloads, or high-speed transfer of personal data. Alarmingly, some hackers are tuition-paying students who crack the cybersecurity code just to prove they can.
"Hacking happens every day, everywhere," says Ken Kleiner, system manager of the Computer Science Department at the University of Massachusetts Lowell. "Typically people break into a system by accessing a 'door' that is left open," he explains. This can happen when an authorized person gets access to a system to install a security patch upgrade, but fails to "lock" the access door upon exit, leaving the system vulnerable.
Script kiddies are an added nuisance, adds Tom Jackson, executive director of university computing and information services at the University of North Carolina Pembroke. These are amateurs who use pre-written pieces of code to launch an attack. "In one case here, a student probed our network trying to get into applications," he says. A staffer detected the breach. The script kiddie hacker used a UNC Pembroke computer in one of the student IT labs; the staffer detected the violation by recognizing that logins and setups weren't quite right.
Sometimes systems just aren't properly configured, adds Kleiner. On any given day, 1 to 5 percent of systems are broken into because they are not set up correctly to keep hackers out. "I would say 25 percent of my day is spent worrying about security," he says. Some would say any campus IT official would have good reason to fret these days.
Institutions of higher education (IHEs) are especially vulnerable to mischief for a variety of reasons. One reality is budgeting. Not all IHEs have the financial resources to install new servers and the systems that protect them. Then, too, there's higher ed's mission, which often calls upon researchers and academics to share information and resources--and to do it quickly. That often entails sharing web files, e-mail attachments, research databases and library materials through the non-commercial Internet2 and the related Shibboleth Project, a system that allows scholars and researchers to share discovery.
Meanwhile, it is clear that IHEs have to press for the best answer. The Office of Privacy Protection in Sacramento, Calif., reports that incidents at California IHEs accounted for close to 30 percent of all security breaches since 2003. The percentage is highest for higher ed--even greater than the percentage for financial institutions. The motive for many breaches is identity theft. According to a 2003 survey by the Federal Trade Commission, 10 million Americans already have been victims of identity theft at a total estimated loss of $5 billion. U.S. corporations have been hit with $47.6 billion in damages. The cost specifically to higher ed is unknown.
A number of documented cases during the past few years might indicate that things are going to get worse before getting better.
In mid-March of this year, a thief reportedly walked into an office at the University of California Berkeley and stole a laptop containing the Social Security numbers of nearly 100,000 people, mostly graduate students and grad school applicants. UC Berkeley reportedly waited more than a week before going public about the incident, in the hopes that police would catch the thief. When that didn't happen, the university made a widespread notification, which is required by California law.
The irony, according to reports, is that data on the laptop was slated to be encrypted during the very month in which it was stolen. The encryption would have made it virtually impossible to read the data without a code, Maria Felde, a university spokesperson, told the media. She added that the computer was left alone for only a few minutes.
The incident received immediate attention. U.S. Sen. Dianne Feinstein (D-Calif.) called for legislation that would require immediate notification when personal data is compromised--similar to the law in effect in California. The UC Berkeley incident is just the latest in a score of security breaches that are forcing officials to rethink IT security.
Several weeks prior, hackers cracked into the personal information of about 59,000 students, staff and faculty at the University of California Chico. In March, the University of Nevada Las Vegas disclosed that hackers accessed the records of 5,000 current and former international students. The case is under FBI investigation. On a Sunday in late winter, hackers broke into the servers at Northwestern University's Kellogg School of Management (Ill.). IT staffers scrambled to change passwords and user names for 3,500 faculty, staff and student accounts and 18,000 alumni accounts.
George Mason University (Va.) confirmed earlier this year that hackers compromised a server that stored campus identity card information for 30,000 students, faculty and staff. Names, photos, Social Security numbers and other data were exposed. The incident contained its own irony given that George Mason is also home to the Information Security Institute and the Center for Secure Information Systems.
This year, Boston College (Mass.) spent $44,000 in postage to send letters to 120,000 alumni warning them that the database containing their Social Security numbers and addresses had been hacked. BC advised that alumni acquire copies of their credit reports and alert their banks to watch for suspicious activity. College officials were quick to add that they did not believe the information had been used for identity theft and that the attacker's real motive was to embed a program into the college's hardware to launch attacks on other machines. The compromised computer was run by a contract company that maintains a data center for fundraising activities. Until that point, BC, like so many other colleges and universities, had used Social Security numbers as the main identifiers for alumni. That process would be changed, they promised.
In April, officials at nearby Tufts University (Mass.) warned 106,000 alumni that their personal data had been compromised by "abnormal activity" on one of its computers. The university also used a contract service to manage the alumni data on this computer. The cost to Tufts to warn alumni: $41,000 in postage.
The University of Georgia is reportedly considering changes of its own, after realizing that a student was storing a list of credit card numbers and account holder names on the server used to maintain online student portfolios. An anonymous tip led to the discovery. The server was, of course, taken down and investigators were brought in.
Until this rash of breaches, the most famous was perhaps a 2003 incident in which a hacker stole the names and Social Security numbers of 37,000 students, faculty and staff from the University of Texas system. Christopher Andrew Phillips, 22, was indicted late last year on charges of fraud and storing credit card information with the intent to defraud. UT reportedly spent $167,000 responding to the security breach and notifying everyone who was affected.
These and other incidents have prompted a consortium of colleges to form a new technology center dedicated to finding ways to better protect data from cyberattacks. TRUST, which stands for Team for Research in Ubiquitous Secure Technology, will be housed at UC Berkeley and includes Carnegie Mellon University (Pa.), Stanford (Calif.), Smith College (Mass.) and other IHEs. HP, IBM, Microsoft, Sun Microsystems and Symantec will be affiliated with the project. The new center will receive $19 million from the National Science Foundation over the next five years to further its work.
Meanwhile, IT directors continue to cope with day-to-day threats to databases, servers and e-mail systems.
"Worms and things that try to attack our system--we catch tons of those every day," says James Wiedel, MIS director and director of networking at the University of Southern California. He relies on an automated process to help the staff. "We look at [traffic] flows through our routers. We wrote homegrown software to ask, 'Does this look like an attack or a normal transfer of data?'" USC began such IT protection efforts 10 years ago, as the internet was becoming more integral to university life and learning. There are four full-time staffers on the case, writing software, scanning reports and upgrading systems.
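One way router flow records can be used to separate scan-like traffic from an ordinary transfer, shown as an added example that is not USC's software (the article does not describe its design). The record fields, thresholds and sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    """One summarized router flow (field names are assumed, NetFlow-like)."""
    src: str
    dst: str
    dst_port: int
    packets: int
    bytes: int


def scan_like_sources(flows, min_targets=20, max_avg_bytes=400):
    """Return {(src, dst_port): distinct targets} for scan-like behaviour.

    Heuristic (assumed thresholds): a worm probing for victims touches many
    distinct hosts on one port and moves very little data per flow, while a
    normal transfer moves a lot of data to few hosts.
    """
    targets = defaultdict(set)
    total_bytes = defaultdict(int)
    flow_count = defaultdict(int)
    for f in flows:
        key = (f.src, f.dst_port)
        targets[key].add(f.dst)
        total_bytes[key] += f.bytes
        flow_count[key] += 1

    flagged = {}
    for key, dsts in targets.items():
        avg_bytes = total_bytes[key] / flow_count[key]
        if len(dsts) >= min_targets and avg_bytes <= max_avg_bytes:
            flagged[key] = len(dsts)
    return flagged


def build_sample():
    """Constructed sample flows; addresses are private or documentation ranges."""
    flows = []
    # A lab host sending tiny probes to 40 addresses on TCP 445.
    for i in range(1, 41):
        flows.append(Flow("10.1.5.23", f"10.2.0.{i}", 445, 2, 120))
    # A bulk transfer: one client, one server, large flows.
    for _ in range(30):
        flows.append(Flow("10.1.7.8", "10.9.0.5", 443, 900, 1_200_000))
    # Ordinary browsing: many servers, but real payloads in each flow.
    for i in range(1, 31):
        flows.append(Flow("10.1.9.9", f"192.0.2.{i}", 80, 40, 30_000))
    return flows
```

Requiring both the fan-out and the small-payload condition keeps the browsing host, which also reaches many destinations, from being flagged.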
"Students are from the video game era," adds Abraham Roohy, director of industry solutions, education, for Nortel Networks (www.nortel.com), headquartered in Ontario, Canada. "They are computer savvy and expect to access information from room to room and at any location on campus."
Unlike their corporate counterparts, campus IT directors deal with a constituency that brings laptops and PDAs to campus. Whereas corporations can install their own security safeguards on the equipment they give employees, higher ed IT staffs have to think ahead to every contingency and create safeguards that apply to a variety of models and operating systems, says Roohy.
At the University of Southern California, no one has access to the system or internet until he or she is a registered user. Students have several computer rooms where they can do this. Here they log in and register their laptops and other devices. Each receives a password and registers a computer's MAC address. A visitor who tries to plug in an unregistered laptop will have the connection shut down, says James Wiedel, MIS director. Faculty and staff go through a similar process.
Some systems, such as USC's, are designed to shut computer access down if suspicious activity cannot be contained. "We then record this information on a webpage for review," says Wiedel.
At the University of Notre Dame (Ind.) visiting scholars cannot use the network unless they are sponsored by a staff faculty member, says Gordon Wishon, CIO. "Someone in an academic department has to vouch for the actions of a guest," he explains. After that, the guest is issued an ID and password.
In simple terms, a campus IT network is like a building, says Gary Simpson, chief technology officer, Chili Systems (www.chilisystems.com), Norwalk, Conn. "If you can't get in, it is hard to see what is on the sixth floor." IHEs such as USC and Notre Dame are making sure the doors to the building are well guarded. They are also re-thinking ways to protect each floor and individual "room."