[ISN] Report: One hacked OU server should have been offline

[InfoSec News]

http://www.athensnews.com/issue/article.php3?story_id=25314

By Jim Phillips 
Athens NEWS Senior Writer 
2006-06-26 

Part of the recently released consultant's audit of OU's computer
security systems (see related story, page 6) is a review of two major
hacking incidents and how OU responded to them.

In one case, the server that was hacked into was apparently vulnerable
to such a breach because many personnel at OU were not even aware it
was still hooked up to the university's computer system.

The two hacking incidents, which have caused OU no end of public
relations grief, are what prompted the university to hire Moran
Technology Consultants to conduct its audit in the first place.

OU has also found three other security breaches.

According to the audit report, the two breaches examined in the report
involved OU servers named ALUMINFO3 and SHSSRV1.

The first contained personal and contact information for 300,000
alumni, including Social Security numbers for about 137,000 people.

This server was apparently left vulnerable to hacking because IT
personnel thought it had been taken offline, but it hadn't.

The second is used by OU's Hudson Health Center, and includes about
60,000 patient records, with Social Security numbers. Hackers
apparently broke into this server, then tried to use it to attack
another OU server.

Moran suggests that OU discovered the Hudson security breach mainly
because two other hacking incidents triggered a "heightened
awareness," prompting OU to run virus scans on various other computer
systems.

Donor database breach:

The first known problem with this database dates to March 1, 2005, the
consultant found. Someone (whose identity is redacted from the audit)  
reported an apparent breach in April 2006 via e-mail to Bob Watkins,
an operating systems programmer at CNS.

Moran concludes that the system was vulnerable to hacking (by some
particular method that has been redacted from the report) from March
1, 2005, to April 24, 2006, but that there is not enough information
available to tell if hackers actually stole any information from the
system.

 From Feb. 1, 2006 to April 11, 2006, the report adds, "the system was
apparently used as a music file sharing server," and on April 22,
2006, "the system was used to attack another server."

Numerous employees interviewed by Moran said they thought this server
had been turned off and disconnected from the OU network since a prior
application upgrade.

Records show, however, that it was in more or less continuous service
from May 5, 2004 to April 24, 2006, when the breach was discovered -
though it had been taken offline for a total of about 14 days since
March 25, 2005.

Moran concluded that this system should have turned off and
disconnected from the network after April 14, 2005, when it was
decommissioned. "However, apparently due to poor communication, lack
of decommissioning procedures, and poorly defined responsibilities,
the system was turned off but then turned back on 10 days later."

The report adds that the initial break-in to the system apparently
happened before it was decommissioned, and that leaving it connected
afterwards greatly increased the odds that data was stolen, and led to
other abuses of the system.

Hudson patient database breach:

This server was apparently hacked into first on Dec. 19, 2005,
according to Moran. In early January 2006, the administrator of
another OU server reported that the SHSSRV1 server was trying to log
on to his server.

The incident was reported to OU's computer security team, but "it is
not clear what action was taken beyond this," the report says.

IN EACH INCIDENT, once the breach was detected, the systems were
quickly taken offline, the report says, and appropriately reported to
OU's CIO, Office of Legal Affairs, and PR personnel.

Moran concludes that up to a certain point, the response of OU's
security team to the breaches was "relatively well orchestrated and
organized." After the point at which the team began trying to find out
how widespread the problem was, however, "activities became poorly
organized and fragmented," according to Moran.

CNS Director Tom Reid took over the job of managing the response from
the lead member of the security team, who, according to Moran, was
better qualified to handle the job.

Reid said Sunday that it wasn't his decision to take over the response
team, but that of CIO Bill Sams.

"I was assigned that task by the CIO," he claimed.

OU also put three Computer Services employees on administrative leave
at this point, an action that Moran believes "greatly contributed to
the confusion and disorganization in the wake of the problems. The
people who knew the compromised systems best were sent home, instead
of being available to assist in the response."

The report also notes that the three employees placed on leave (OU has
said it is recalling them) had previously "made efforts to get help
from CNS" with security problems, but probably should have taken their
concerns to higher management.

The report concludes that OU's initial containment procedures "were
appropriate and effective," but after these initial steps, "the
process faltered."

UNIVERSITY CHIEF Information Officer Bill Sams told the OU Trustees at
a meeting last week that OU has gotten about two dozen reports of
identity theft since the breaches were discovered, though these may
not all be traceable to the problems with OU computers.

OU has said that it will not take financial liability for financial
loss due to identity theft unless a person can show that his or her
personal data was not stolen from some other source that was holding
it.

Sams called the number of identity theft reports two "surprisingly
small," given the volume of personal information potentially exposed
in the computer security breaches.

He said that based on what OU investigators have discovered about the
hacking incidents, they believe they were unrelated to each other.

"It was not a continuous series of attacks," he told the Trustees.

Based on the audit findings, Sams said, it appears that CNS was more
concerned with performance than with security, and wanted to avoid
slow-downs that might result from taking needed security measures. He
promised that OU will take steps to change the culture within its IT
departments that helped allow the breaches to occur.

Trustee C. Robert Kidder noted that the security breaches "cost us
greatly" in terms of both money and bad publicity.

During the meeting, the Board of Trustees approved a motion to spend
up to $4 million on addressing the IT problems.

Asked where that money will come from, President Roderick McDavis said
he is not sure, but that it definitely will not be taken come from
extra money set aside for priorities laid out in OU's Vision Ohio
comprehensive plan.