Wednesday, April 06, 2005

Some Colleges Falling Short in Security of Computers

Why on earth would you put thousands of names and Social Security numbers on a laptop?

A legacy system that kept Social Security numbers on paper did not require transferring those numbers to a device that is easily lost or stolen.

Common sense, which apparently is uncommon at UC Berkeley, tells you that this is a catastrophe waiting, impatiently, to happen.
Last Monday, administrators at the University of California, Berkeley, acknowledged that a laptop computer containing the names and Social Security numbers of nearly 100,000 people - mostly graduate school applicants - had been stolen. Just three days earlier, Northwestern University reported that hackers who broke into computers at the Kellogg School of Management there may have had access to information on more than 21,000 students, faculty and alumni. And one week before that, officials at California State University, Chico, announced a breach that may have exposed personal information on 59,000 current, former and prospective students.

There is no evidence that any of the compromised information has been used to commit fraud. But at a time of rising concerns over breaches at commercial data warehouses like ChoicePoint and LexisNexis, these incidents seem to highlight the particular vulnerabilities of modern universities, which are heavily networked, widely accessible and brimming with sensitive data on millions of people.

Data collected by the Office of Privacy Protection in California, for example, showed that universities and colleges accounted for about 28 percent of all security breaches in that state since 2003 - more than any other group, including financial institutions.

‘Universities are built on the free flow of information and ideas,’ said Stanton S. Gatewood, the chief information security officer at the University of Georgia, which is still investigating a hacking incident there last year that may have exposed records on some 20,000 people.

‘They were never meant to be closed, controlled entities. They need that exchange and flow of information, so they built their networks that way.’

In many cases, Mr. Gatewood said, that free flow has translated into a highly decentralized system that has traditionally granted each division within a university a fair amount of autonomy to set up, alter and otherwise maintain its own fleet of networked computers. Various servers that handle mail, Web traffic and classroom activities - ‘they're all out in the colleges within the university system,’ Mr. Gatewood explained, ‘and they don't necessarily report to the central I.T. infrastructure.’

Throw in aging equipment, an entrenched sense that information should be as free-flowing as possible, and a long-standing reliance on Social Security numbers as the primary means of identifying and tracking transient populations, and the heightened vulnerabilities of universities become apparent.

‘We sometimes battle networks and mainframes in place since the 1960's,’ said Mr. Gatewood, ‘and mind-sets in place even longer.’

Social Security numbers have served as the default identifier for students, faculty and staff at nearly all universities and colleges. Printed on identification cards and posted on bulletin boards along with grades, the number was used to link bits of information on each individual across dozens of networked databases.

A few states - Wisconsin, California, Arizona, New York and West Virginia - ban or limit the use of Social Security numbers in this way, according to privacy advocate Robert Ellis Smith. Many universities have abandoned, or are in the process of ceasing to use, Social Security numbers as the primary means of identifying students.

A 2002 survey indicated that at least half were still using it as the primary identifier for students in their databases. Because the number has been used to link so many records, in so many different databases, in so many different departments for so long, abandoning it quickly is nearly impossible.

‘It's complicated,’ said Virginia Rezmierski, the assistant to the vice provost for information technology at the Ford School of Public Policy at the University of Michigan. ‘We started a long time ago, and gave the university seven years to complete the process.’

The University of Michigan completed a migration to randomly generated ID numbers in 2003. But Professor Rezmierski points out that groups inside and outside the university still use Social Security numbers, forcing universities to continue to handle them. National testing agencies still use Social Security numbers to identify the scores of incoming students.
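The two problems the article describes - the SSN acting as the join key across dozens of departmental databases, and external feeds (testing agencies) that keep arriving keyed by SSN after a migration - are what a surrogate-identifier design has to solve. The following is an added illustration, not code from the article or from any of the universities named: a small central "identity vault" owns the SSN-to-campus-ID mapping, departmental tables store only the random campus ID, and SSN-keyed feeds are resolved at the boundary and stripped. The vault indexes by an HMAC of the SSN under a secret pepper rather than by the SSN itself, so a stolen copy of the vault table is not a list of SSNs and cannot be reversed by enumerating the 10^9 possible values without the pepper. The class and function names, the campus-ID format and the sample rows are all constructed for this example.

```python
"""
Replacing the Social Security number as the cross-database link key.

Constructed example: a central identity vault owns the SSN -> campus-ID
mapping; every departmental system stores only the random campus ID.
Feeds that still arrive keyed by SSN are resolved through the vault at
the border and the SSN is dropped before the data reaches a department.
"""
import hashlib
import hmac
import re
import secrets

# Shape check used to confirm an export (e.g. a spreadsheet copied to a
# laptop) carries no SSN-looking values. Constructed for this example.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def normalize_ssn(ssn: str) -> str:
    """Strip dashes and validate the 9-digit shape; raise on anything else."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("not a 9-digit SSN")
    return digits


class IdentityVault:
    """The only component that ever handles an SSN.

    The lookup index is HMAC-SHA256(pepper, digits); the pepper is a secret
    held only by the vault, so the stored table is neither the SSN nor an
    unkeyed hash that could be brute-forced over the 10^9 space.
    """

    def __init__(self, pepper: bytes):
        self._pepper = pepper
        self._ids_by_token: dict[str, str] = {}

    def _token(self, ssn: str) -> str:
        return hmac.new(self._pepper, normalize_ssn(ssn).encode(),
                        hashlib.sha256).hexdigest()

    def resolve(self, ssn: str) -> str:
        """Campus ID for this person, minting a random one on first sight."""
        token = self._token(ssn)
        if token not in self._ids_by_token:
            # 'U' + 8 random hex digits: carries no information about the person.
            self._ids_by_token[token] = "U" + secrets.token_hex(4).upper()
        return self._ids_by_token[token]

    def lookup(self, ssn: str):
        """Campus ID if already known, else None (never creates an entry)."""
        return self._ids_by_token.get(self._token(ssn))


def ingest_test_scores(vault: IdentityVault, feed: list) -> list:
    """Turn an SSN-keyed external feed into campus-ID-keyed rows.

    The SSN is resolved at this boundary and dropped; the returned rows are
    what a registrar's table would actually store.
    """
    return [{"campus_id": vault.resolve(row["ssn"]),
             "test": row["test"], "score": row["score"]} for row in feed]


def join_by_campus_id(*tables: list) -> dict:
    """Link rows from several departmental tables on campus_id alone."""
    merged: dict = {}
    for table in tables:
        for row in table:
            merged.setdefault(row["campus_id"], {}).update(
                {k: v for k, v in row.items() if k != "campus_id"})
    return merged


def export_contains_ssn(rows: list) -> bool:
    """True if any value in an export looks like an SSN; run before data leaves the server."""
    return any(SSN_RE.search(str(v)) for row in rows for v in row.values())


def demo():
    vault = IdentityVault(pepper=secrets.token_bytes(32))
    # Constructed sample data: not real people or numbers.
    applicants = [{"ssn": "123-45-6789", "name": "A. Applicant"},
                  {"ssn": "987-65-4321", "name": "B. Applicant"}]
    admissions = [{"campus_id": vault.resolve(a["ssn"]), "name": a["name"]}
                  for a in applicants]
    scores = ingest_test_scores(vault, [
        {"ssn": "123456789", "test": "GRE", "score": 320},  # same person, no dashes
        {"ssn": "987-65-4321", "test": "GRE", "score": 310},
    ])
    linked = join_by_campus_id(admissions, scores)
    return admissions, scores, linked, export_contains_ssn(admissions + scores)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point of the `export_contains_ssn` check is the Berkeley scenario in the article: once departmental tables hold only campus IDs, a list of 100,000 applicants copied to a laptop contains nothing an identity thief can use, and the check is a cheap gate to enforce that before a file is allowed off the server. The vault itself is the one system that must be kept off laptops and under tight access control, which is a far smaller problem than protecting every departmental copy.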

Universities have tended to put too much emphasis on preventing attacks from worms and viruses and too little on capturing troublemakers who quietly stroll through their databases.

The names and Social Security numbers leaked from all these universities were not the result of noisy, destructive attacks; someone was able to get into the network and read the data without being detected.