The Chronicle of Higher Education
The Wired Campus

June 26, 2009

Computer With Personal Information of Cornell U. Students and Professors Is Stolen

A laptop containing the names and Social Security numbers of some 45,000 Cornell University students and faculty members has been stolen, The Cornell Daily Sun reports.

The computer was stolen earlier this month, when a university employee was correcting file-processing transmission errors and left the computer unattended. In a press release, the university said it will offer a year’s worth of free credit reports, credit monitoring, and identity-theft protection to anyone affected.

On a separate Web page, the university said it would not provide any additional information on the theft, as local police are investigating the incident.

Aaron Lewis, a New York State police investigator, told The Sun that the theft appeared to be a “crime of opportunity,” not a concerted effort to steal sensitive information. He said the media attention devoted to the theft could inform the thief of the sensitive information contained on the laptop. “It’s obviously a Cornell computer and has a Cornell sticker,” he said. —Marc Beja

Posted on Friday June 26, 2009

June 24, 2009

Hackers Rebuke Obama Via Oregon University Computers

Instead of reaching the Oregon University System’s Web site this morning, visitors found an angry message directed at President Obama.

Diane Saunders, a university spokeswoman, said hackers had redirected the system’s home page to a site claiming to be “from Iran.” The message was up for approximately 90 minutes before an employee arrived at work and found the breach.

The Web page, which was sent to The Chronicle and the Associated Press by the university system, told “Stupid Fly Catcher Obama” to stop talking about Iran and the recent Iranian election, which has prompted protests since the June 12 vote.

“Iran’s election doesn’t have problem and Moosavi with his tiny brain will be in jail in near future, so don’t pay your time and money for him and for his fans,” the site reads. “70-80% of Iranian people hate Moosavi nowadays… We never cheated in elections and even Moosavi knows that.”

A message sent to the e-mail address listed on the Web site was not returned. Ms. Saunders said the hackers were most likely able to access the university Web page through ClickHeat, a free program that documents what areas of Web sites are being clicked most. She said the program does not automatically update solutions to problems that are found, and the university had not downloaded the most recent security update.

The university will pay more attention to updates for ClickHeat and five other third-party programs it uses that do not perform automatic updates, and Oregon State University is trying to find out exactly how someone was able to access the Web site, she said.

Ms. Saunders said she did not know why the university system’s page was targeted. “My guess is that hackers have ways of finding vulnerable entry points in Web sites,” she said. “I don’t know if this was a random or purposeful selection of going through our site.” — Marc Beja

Posted on Wednesday June 24, 2009

June 23, 2009

Feds Reach Out to Universities Targeted in Massive Spam Operation

Prosecutors are reaching out to universities that may have been victims of spammers who allegedly culled e-mail addresses from more than 2,000 colleges and bombarded students with messages.

It’s the latest twist in a story that broke in April, when prosecutors announced the indictment of two brothers who allegedly used the University of Missouri computer network in a national spamming operation. The spammers are said to have deployed extracting programs that harvested more than eight million student e-mail addresses.

Martin Manjak, information-security officer at the State University of New York at Albany, said that a “U.S. Department of Justice Victim Notification System” e-mail message he received last week was the “first such notice we had received” from the department. He was one of nearly a dozen people from universities around the country to discuss the notifications in recent days on a security listserv maintained by Educause, the higher-education technology association.

“It came out of the blue as far as we were concerned,” Mr. Manjak told The Chronicle. “We had no idea that we had been victimized by these individuals, although we certainly get our fair share of spam.”

The e-mail message the university received, which Mr. Manjak shared with The Chronicle, came from the U.S. Attorney’s Office for the Western District of Missouri. It begins, “Your name was forwarded to our office by law enforcement as a victim (or potential victim)” in the spamming case. The message notifies receivers of their rights as victims and provides instructions for seeking more information. It also tells recipients how to notify prosecutors if they believe they may have “information or evidence that will aid in the prosecution of this case.”

The trial is scheduled to begin November 2, but the e-mail message cautions that “most criminal cases are resolved by a plea agreement.”

Asked if he was sure the notification wasn’t itself a piece of spam, Mr. Manjak e-mailed this reply: “It would be a pretty elaborate hoax if it wasn’t from the DOJ, but I rarely use the word ‘sure’ in anything that deals with Internet security.” —Marc Parry

Posted on Tuesday June 23, 2009

June 22, 2009

As White House Presses Fight Against Computer Crime, Community Colleges Mobilize 'Cybergrunts' for Front Lines

Arnold, Md. — If you work at a community college that teaches cybersecurity, it pays to be located in the backyard of a spy agency. Just don’t ask Kelly A. Koermer what’s inside those dark towers at Fort Meade.

“Not sure,” laughs the Anne Arundel Community College administrator as she drives past the National Security Agency’s headquarters at the Maryland base.

She points out other highlights of the restricted region: an employees-only exit off the highway, a sign that warns of military dogs, a large ball-shaped device that she figures is for radar signals. And another area that “must be really important, judging by the barbed wire,” says Ms. Koermer, director of computer technologies at the college.

Community colleges like Anne Arundel want to train people to reach the other side of that fence — legitimately, as workers. With Barack Obama stressing the importance of such colleges and a new White House cybersecurity push that points to a need for work-force training, some experts foresee an increasing role for two-year colleges that can supply government agencies and private companies with workers steeped in cybersecurity.

An article published today on The Chronicle’s Web site takes a look at the trend, including the obstacles community colleges face and the extra money that may be coming their way. —Marc Parry

Posted on Monday June 22, 2009

June 17, 2009

Cyber Attackers Strike Johns Hopkins U. Lab

A prominent Johns Hopkins University laboratory engaged in government cybersecurity research recently suffered its own Internet attack.

The Applied Physics Laboratory, in Laurel, Md., took down its external Web site after finding “penetration from an unwanted source” on the site, according to the Baltimore Sun.

The lab’s engineers and scientists conduct military and space projects, with about 20 percent of the research sponsored by NASA, according to The Sun.

The attackers didn’t breach the lab’s internal network or gain access to classified information, a spokeswoman, Helen Worth, told the newspaper. But Ms. Worth described the intrusion as the most serious to date for a Web site that had previously experienced smaller attacks.

All the site’s computers will be scanned and the site will likely be down for “a couple days” as information-technology officials conduct a review, she said.

President Obama has been spotlighting cybersecurity recently, and one aspect of the government’s computer strategy involves building a “cyber-range” to test security technology and defend networks. The Hopkins Applied Physics Laboratory has been awarded $7.3-million to work on the initial phase of the project, which is sponsored by the Defense Advanced Research Projects Agency. —Marc Parry

Posted on Wednesday June 17, 2009

MIT Tops List of College Copyright Violators

The Massachusetts Institute of Technology had the most instances of digital piracy and other copyright infringements among American colleges and universities in 2008 for the second year in a row, according to a report released by Bay-TSP, a California company that offers tracking applications for copyrighted works.

According to the company’s annual report, MIT had 2,593 infringements of media owned by Bay-TSP’s clients. The University of Washington and Boston University ranked second and third, with 1,888 and 1,408 infringements, respectively.

Clients of the company, whose name means “Bay-Area Track, Security, Protect,” include motion-picture studios; software, video-game and publishing companies; and sports and pay-per-view television networks.

The annual report provides an analysis of data collected using piracy-network crawling software. The company does not track all instances of Internet-based piracy, said Jim E. Graham, a Bay-TSP spokesman. It only monitors violations of movies, videos, TV shows, or software that clients ask the company to follow.

Mr. Graham also said not all violations result in a take-down notice. Clients give the company varying instructions for their data, ranging from sending take-down notices to simply tracking how often and by whom the material is infringed.

Although MIT ranks first among domestic colleges and universities, it is not in the top 10 worldwide. The University of Botswana had 9,027 infringements, followed by Sweden’s Uppsala University, which had 8,032 infringements, according to the report.

Jeffrey I. Schiller, the information-services and technology-network manager at MIT, said he has not seen a copy of Bay-TSP’s report, but the institution does not tolerate copyright infringement, nor does it receive an unusual number of take-down notices.

“I haven’t formally counted the number of take-down notices we’ve received, but if we get more than a few, it’s a big day,” he said. “If we represented truly the worst-case scenario, then copyright infringement can’t be a really big problem, because we don’t have that much.” —Erica R. Hendry

Posted on Wednesday June 17, 2009

June 10, 2009

Cornell Prof to Congress: Don't Legislate Cybersecurity Education

Washington—As the federal government enlists universities in the battle against computer threats, a Cornell University cybersecurity expert cautioned lawmakers this morning against legislating what professors teach.

More faculty members will be working in computer-system trustworthiness and will be available to teach the subject as more research money becomes available, said Fred B. Schneider, a professor of computer science at Cornell who is chief scientist for a cybersecurity center backed by the National Science Foundation.

“But understand that, like any new discipline, this field is in flux,” Mr. Schneider testified during a House subcommittee hearing on cybersecurity research and development. “There is not yet a widespread agreement on the core. So we would be ill advised to be legislating what gets taught.”

Mr. Schneider’s remarks come as a bill circulates in the Senate that would direct the National Science Foundation to prioritize research that deals with cybersecurity problems (see section 11 of the bill). Meanwhile, President Obama is using his bully pulpit to spotlight computer threats. The federal push could have an impact on higher education, one expert told The Chronicle last week, particularly on the workforce-training efforts of community colleges.

The academic experts at today’s hearing came from research universities, but Rep. Paul Tonko, a New York Democrat, questioned witnesses about the potential of community colleges to “develop some earlier investment in cybersecurity professionals.”

One way of achieving that could be an expansion of the NSF program that provides scholarships to those who agree they will later take cybersecurity jobs in the federal government. People who participate in the program, called Scholarship for Service, could fulfill their service obligation by teaching in a community college instead of working in an agency, suggested Seymour E. Goodman, co-director of the Georgia Tech Information Security Center.

“Community colleges, unless they basically use adjuncts from industry to develop curricula and teach the subject, are going to not be able to attract Ph.D.s from the major universities,” Mr. Goodman said in an interview after the hearing, “unless something happens to encourage that.” —Marc Parry

Posted on Wednesday June 10, 2009

June 3, 2009

Colleges May Have a Role in Obama's Cybersecurity Plan

There’s good news and bad news for higher education in President Obama’s new push to protect the nation’s digital infrastructure.

The good news is that colleges could benefit as the federal government promotes — and possibly pays for — work-force training and cybersecurity research.

The bad news is that anybody looking for specific details on what will happen — and how much money might be available — won’t find them in the new report put out by the White House last week.

“Cyberspace is real, and so are the risks that come with it,” Mr. Obama said as he pledged to make the issue a priority. “This status quo is no longer acceptable — not when there’s so much at stake. We can and we must do better.”

One of the problems with the status quo is a shortage of cybersecurity workers, said Rodney Petersen, coordinator of the security task force at Educause, the higher-education-technology association.

That means jobs like chief information-security officer. Forensics expert. Security analyst. Incident handler. Training these workers is one of the main areas where colleges — especially community colleges — can play a role, Mr. Petersen said.

The report urges the federal government to “expand support for key education programs.” Mr. Petersen pointed to two National Science Foundation programs in particular. One is Scholarship for Service, through which students can get money for college in exchange for taking an agency job in the federal cybercorps. Another is called Advanced Technological Education, which focuses on two-year colleges.

The report also recommends increased money for cybersecurity research through the National Science Foundation and other organizations.

The catch: It’s just a concept paper. It doesn’t come with any money. For Mr. Petersen, who participated in the process that led to the report, the disappointment is that specific details on how all this will happen are “left for another stage.” He also pointed out that we’ve been down this road before with other presidents.

“A lot of people feel this is a little different because unlike previous administrations, Obama seems to have a personal level of commitment that hasn’t been stressed before,” he said.

For those interested in learning more, next month Mr. Petersen will give a presentation about the White House review and other legislative and regulatory developments at Dartmouth College’s Securing the eCampus conference. —Marc Parry

Posted on Wednesday June 3, 2009

May 12, 2009

D.C. Data Breach Affects Thousands of Financial-Aid Applicants

An employee of the Washington, D.C., agency that processes college financial-aid requests inadvertently e-mailed personal information — including Social Security numbers and home addresses — to about 1,250 applicants, The Washington Post reported today.

At the center of this breach was the “DC OneApp,” an online application through which Washington students apply for grants. The disclosure happened when an employee of the district’s Office of the State Superintendent of Education accidentally attached a spreadsheet to an e-mail message that went to 1,250 applicants to one of the grant programs, the DC Tuition Assistance Grant Program.

Those students received a wealth of personal information for about 2,400 student applicants, including names, dates of birth, telephone and Social Security numbers, and e-mail and home addresses. The office did not publicly announce the breach, but did notify those whose personal information was exposed and, to keep watch against identity theft, offered them subscriptions to a credit-monitoring service. The Post reported on the incident after a parent forwarded the newspaper an e-mail message from the office.

Some parents were livid about the breach, the Post reported. But breaches involving personal information are not uncommon in higher education. —Marc Parry

Posted on Tuesday May 12, 2009

May 8, 2009

Hackers Access Medical Information of 160,000 in U. of California at Berkeley Database

San Francisco — Over a six-month period, a group of computer hackers accessed a database containing the medical information of more than 160,000 people associated with the University of California at Berkeley, including Social Security numbers and immunization records, Berkeley announced today.

Hackers gained access in October 2008 to the electronic medical records of Berkeley students, alumni, and their parents dating back to 2001. The compromised information includes Social Security numbers, doctor histories, and immunization records, but not specific diagnoses or treatments, the university said in a statement.

The breach lasted until April 9, when campus computer administrators noticed messages left behind by the hackers, according to the statement. The university immediately notified law enforcement authorities and today it began notifying students, staff, and others — including 3,400 students at neighboring Mills College whose information was also compromised because they were eligible to receive health care at Berkeley.

Security breaches involving Social Security numbers are not uncommon at colleges, but the length of time that hackers had access to university records is unusual, and university officials are certain to face questions about why they did not learn of the breach sooner. In addition to general medical information, hackers may have stolen the self-reported medical histories of students who studied abroad, the university said in an e-mail message sent to students, alumni and others.

“The university deeply regrets exposing our students and the Mills community to potential identity theft,” Shelton Waggener, Berkeley’s associate vice chancellor for information technology and its chief information officer, said in a statement. “The campus takes our responsibility as data stewards very seriously. We are working closely with law enforcement and information security experts to identify the specific causes that may have contributed to this breach and to implement recommendations that will reduce our exposure to future attacks.” — Josh Keller

Posted on Friday May 8, 2009
