Online theft forces University system to rethink security

Mon, December 17, 2007
Posted in Alaska News

An analysis by USA Today shows electronic record theft nearly tripled last year. The University of Alaska, Fairbanks wasn’t immune.

Ben Markus, KUAC - Fairbanks

Standard Podcast: Play Now | Play in Popup | Download

Comments

One Comment to “Online theft forces University system to rethink security”

mpb on December 31, 2007 at 3:02 pm

I think a little background on this item may be useful for folks to consider whether the technology, the user, and/or the organizational culture which contributes to abuse of privacy and then how to go about solving the problem.

The UAF KuC computer breach referred to is –

UAF investigating breach of Kuskokwim Campus server, The Associated Press
Last Modified: April 20, 2006 at 04:30 PM
http://www.adn.com/news/alaska/ap_alaska/story/7645779p-7557468c.html

FAIRBANKS, Alaska (AP) - A computer server at the Bethel campus of the University of Alaska Fairbanks was breached, university officials said Thursday… Among other information, the server at the Kuskokwim Campus contained two files with nearly 39,000 names, e-mail addresses and Social Security numbers of current and former UA and UAF staff, faculty and students…. Break-ins to the server apparently started in February 2005… A computer technician at the Kuskokwim Campus first noticed an anomaly on the server on March 30. The technician alerted the main campus and the university assigned a technician to the problem April 3…. Other than a letter being e-mailed today and going out by regular mail Monday, the university will not initiate any contact about the breach and will not ask for confirmation of any information, such as addresses or Social Security numbers, officials said.” [The university sent notices to some, but not all, affected users.]

However, the computer break-ins were actually reported to campus administration in December 2000.

Prior to that, at least by the fall semester of 2000, there was no firewall for the Kuskokwim servers and computers. Social security numbers for students were listed publicly. The UAF administrative computers were directly connected to the local campus (sometimes UAF techs came to service the server). Pornographic websites were left as home pages on public machines.

I was successful in getting the Social Security numbers removed but unsuccessful in getting security improved. IT support was self-taught which can be useful, but does not ensure a knowledge of basic privacy, security systems, and law.

The campus director at that time (who had never taught at the university level) insisted that students in computer labs double-up on computers. Why? It would increase enrollments without paying for increased faculty or paying for extra classes. Why the insistence to double classes? First semester students were required to take 19 credit hours (not the usual 12 or 15) of classes because “if you don’t keep them busy they just get into trouble.”

In January 2001 entire directories of files for targeted faculty vanished from the network.

Server performance continued to be poor. Even some basic business technology teaching was impossible due to ad hoc remedies for spam. Eventually the hard drive crashed and thousands of dollars spent to recover some of the data, too late for many students that year.

In May 2006, after the breach was reported to the public, the University of Alaska Fairbanks received an award of cybersecurity excellence by the Dept of Homeland Security and the National Security Agency.

from the press release

The designation recognizes UAF’s commitment to and expertise in training the next generation cybersecurity professionals. UAF is among only 67 schools nationwide to earn the designation, awarded by the National Security Agency and the Department of Homeland Security…..

“The CAE designation is quite prestigious in the field of cybersecurity, and means UAF is being recognized for its cutting-edge efforts to make computers and networks across the world more safe and secure,” said Kara Nance, director of the UAF Advanced System Security Education, Research and Training Center….

“The CAE designation means much more than just another feather in UAF’s cap,” said UAF Chancellor Steve Jones. “What it means is that Alaskans, who live, work and play in one of the most geographically isolated and network-dependent parts of the world, can enjoy the same kind of safe and secure access to the commercial and educational resources that people in the lower 48 states take for granted.”…

I do not believe that people in the United States changed their definition of privacy after 9-11, as Donald Kerr, the principal deputy director of National Intelligence said recently. I do wonder why the abuse of information and technology at rural campuses was allowed to continue for so long (at least 5 years). I do hope UAF/UAA re-thinks their interactions within the entire university community.