CU seeking help to evaluate hacked system

August 3, 2005

By Jennifer Brown and John Ingold, Denver Post

The University of Colorado will hire a computer-security company to audit its technology safeguards after hackers broke into the system three times in two weeks, officials said Tuesday.

CU also plans to put firewalls on some of its 26,000 computers that are now accessible to the public, said Bobby Schnabel, vice provost for technology.

A hacker last week broke into files containing Social Security numbers, names and photographs of 29,000 students, some former students and up to 7,000 staffers. The files related to CU's Buff OneCards, which students use for after-hours access to some campus buildings and to buy meals and snacks.

The university isn't sure what the hacker wanted and may never know whether Social Security numbers were stolen.

CU did not notify the public of the security breach until Monday because it took a forensics team working through the weekend to confirm that an intruder had cracked the system.

"If your house gets robbed, you can pretty much figure out what's gone and what's not," Schnabel said. "On a computer, you can't tell."

A team from Boulder-based Applied Trust Engineering, which has been scanning CU files since computer breaches were discovered July 14, noticed some suspicious files July 27, said Larry Drees, Buff OneCard program director. The team created an image of the hard drive that was hacked, and the server was disconnected from the network.

Computer scientists continue to analyze the image of the hard drive to see what the hacker might have retrieved. That information could help determine whether the hacker wanted to use the system to store pirated materials, such as movies or pornography, or if the hacker wanted access to sensitive information, said Dan Jones, information-security coordinator.

The worst-case scenario is that someone could use the Social Security numbers to get credit cards they never pay off or open bank accounts. "The bad credit report is on you and not on them," Schnabel said.

It's also possible, though unlikely, the hacker could use the information to make fake Buff OneCards, Drees said.

Just in case, CU began replacing Buff OneCards on Tuesday and plans to replace them all within 30 to 40 days, Drees said.

Just knowing the card number won't result in much access because a card swipe is required to get inside buildings and to make purchases, he said. Students are able, however, to make deposits on their Buff OneCards online and access the library online with just their number.

CU took Social Security numbers off all Buff OneCards last spring, replacing them with a student-ID number. The file that was hacked was used in the transition and listed people's ID numbers and Social Security numbers, Schnabel said.

CU technology officials decided Monday they would look for a private company to audit their system, focusing on 10 to 20 servers with the most sensitive information, Schnabel said. CU has about 6,000 servers.

The university also will investigate which of its 26,000 computers that have public access truly need it, he said. Public access to some machines is necessary so people can register for classes online, for example. The rise in identity theft is forcing universities to act more like corporations that must protect their networks, Schnabel said.

Across the country, security breaches at universities have become almost commonplace.

There have been at least 85 major computer-security breaches in the country this year, said Jay Foley of the Identity Theft Resource Center in San Diego. About half of those have been at universities, he said.

Hackers have spared no college, from the small, such as Jackson Community College in Michigan, to the large, such as the University of California at Berkeley.

In a two-week span from late May to early June, hackers struck computers on at least five university campuses.

"It's an inviting target because the main data they collect is about all who attend and all who work there," Foley said. "They become a rich target environment for identity thieves."

Many schools, including CU and the University of Denver, have switched from Social Security numbers to other unique ID numbers.

DU built a card-secure building last year to house and protect servers that hold sensitive information, spokesman Warren Smith said. The university also has "physically secured" computers that hold personal student information, said Smith, who declined to go into many specifics.

DU also has hired an outside company to regularly test the university's network security. "They try to break in and notify us of any problems," Smith said.

Foley said universities struggle to protect their systems, in part because they use in-house staffers rather than outside experts such as corporations. But it's also because university computer networks are typically open environments that promote the sharing of information.

He suggests universities start keeping sensitive student information in as few places as possible and secure those computers tightly.

CU discovered security breaches July 14 at the Wardenburg Health Center and the College of Architecture. A breach last year in the continuing-education department was the first for the university.

main page ATTRITION feedback