In this case, the "Symantec vulnerability" apparently had a patch available, but the server was misconfigured and allowed the hole to remain open. Human error, yes, but why was the vulnerability there in the first place?


University of Colorado at Boulder blames human error not Symantec for data breach

May 28, 2007

By Steve Ragan

http://tech.monstersandcritics.com/news/article_1310103.php/University_of_Colorado_at_Boulder_blames_human_error_not_Symantec_for_data_breach



University of Colorado at Boulder reported that the Arts and Sciences Academic Advising Center was attacked on May 12th. The attack happened because of an unknown vulnerability in their Symantec Anti-virus software. The files that might have been compromised contained the names and social security numbers of students who were enrolled at the university from 2002 to the present. Officials at CU-Boulder have begun notifying the forty-four thousand nine hundred ninety-eight students that their personal information - including names and social security numbers - might have been exposed in the attack.

CU-Boulder IT security investigators discovered that the malware entered the server through a hole in its Symantec anti-virus software. That vulnerability had not been properly patched by Arts and Sciences Advising Center IT staff. CU-Boulder IT security investigators do not believe the hacker who launched the worm was seeking personal data, but rather was attempting to take control of the machine to allow it to infiltrate other computers both on and off the CU-Boulder campus.

"The server's security settings were not properly configured and its sensitive data had not been fully protected," said Bobby Schnabel, CU-Boulder vice provost for technology. "Through a combination of human and technical errors, these personal data were exposed, although we have no evidence that they were extracted."

The potential for data theft prompted CU officials to make sweeping changes to the IT policy on the school's network. "We have also taken steps to ensure that all sensitive personal data have been removed from our Academic Advising Center servers," said Gleeson. "I want to assure our past and present students that we have taken strong measures to protect our advising center computers and our students' personal information."

Other steps taken include steps to envelop the Arts and Sciences Advising Center IT operations and selected other CU-Boulder IT operations under the control of the central ITS department. Such steps include ordering and deploying new host-intrusion detection software, as well as maintaining their efforts to identify and purge Social Security numbers from all CU-Boulder computers in all departments. CU-Boulder switched from Social Security numbers to a Student Identification number system in 2005.

