46 Comments
- rv8ch, on 10/12/2007, -0/+21 Cool - blame the poor tech. He's probably managing hundreds of machines, with no tools, no help, no money. Probably helping knuckleheads configure POP3 on their laptops, fielding calls from irate professors that can't figure out how to work a PowerPoint presentation, and getting calls on weekends when one of the school's "top dogs" can't boot their PC.
On top of all that, he's probably been writing memo after memo to try to get his superiors' OK to upgrade the firewall, get the social security numbers out of the school's databases, and buy the maintenance contract that is required to get the server updates.
Things are not always as cut and dried as they seem. Cut this guy some slack until you know the whole story.
- rageguy, on 10/12/2007, -6/+20 Indeed, it was like a hobby when I had spare time between classes. I compromised several staff machines, workstations which had security measures on them and the mail and database servers. The database server had a list of every single student's passwords along with report cards, inventory, timetabling, personal information for staff and students.
I never really was caught, the only time I got into trouble was when I was caught showing people how to bypass the various filtering proxies and firewalls they had in place and get a direct outside world IP address.
Mostly I just played pranks, my favourite was sending remote AppleScript events to the Macintosh performers they had in the Library during quiet study time. I'd use the in-built text-to-speech system in OS 7.5.5 to make them talk or sing at their maximum volume. Alternatively I'd tell Netscape to open and go to hamsterdance.com and tell the system to set the volume to 7 (which was the maximum volume) on all the machines.
It was good fun freaking people out as their Macs suddenly started talking to them and doing things on their own.
- hagrin, on 10/12/2007, -0/+10 See, I can ALMOST forgive having a machine compromised for a year without knowing. For instance, I would guess that over 90% of admins wouldn't be able to spot a rootkit-infected machine these days even with full-blown network monitoring software, etc. And MAYBE the traffic originating from the compromised boxes was just normal looking enough to not throw up any red flags or alerts.
However, when the article states that they thought a server was OFFLINE and had really been online without ANY PATCHES for almost a year ... well, that's the real reason the person needs to be fired. That doesn't require any technical knowledge, just a following of protocol and using common sense. You can't run a network and not even know what servers you have online no less their installed patches and software versions. Completely unacceptable.
- UnpossibIe, on 10/12/2007, -0/+6 I agree. It's easy to point fingers and say it's the guy's fault. I blame this on the school's leadership. We need more information on what the tech actually did. Was he asleep half the time? Was he the sole administrator? Were there any checks and balances? What did management do about this?
- slantyeyed, on 10/12/2007, -0/+4 rageguy,
the first rule about boasting about your computer exploits and prowess is not to publicly post them using a screen name that can be directly traced back to you and the supposed school or university where you performed them . . . I REALLY REALLY REALLY hope you’re not the same “rageguy” that appears when you type in “rageguy” in google . . .
The first two links show a “rageguy” at a certain university and the classes he / she took at that certain university (where the supposed exploits could have been performed).
- Alphateam, on 10/12/2007, -2/+5 They should have let that guy go. While everyone isn't perfect and everyone cannot be 100% certain their system is 100% secure. But a YEAR....come on. That is inexcusable. If you don't even know enough, that you don't know enough to do your job properly...then that is just sad.
- Demagogue, on 10/12/2007, -0/+3 I didn't see that anywhere in the article. Plus a Windows server can be just as secure as a *nix server
- sophiaperennis, on 10/12/2007, -1/+4 Somebody hacked my toaster once, it was disastrous.
- troon, on 10/12/2007, -1/+4 Paid administrative leave. Sweet, were it not for the negative connotations (i.e. likely to get fired at the end of it...)
- scottalexander, on 10/12/2007, -0/+3 I go to OU as well, and the problem here is that every department is in charge of their own technology, but the server is held by our tech dept. So let's say the chess club wants a website, the tech dept. for the school gives them the server space. Now you have people running a server, who don't know how, and even if they did know how, they don't have control of it, because they don't even know what a server is. It is like this for every department in the school. I think this is common for big schools, businesses, and organizations. As soon as you de-centralize how things are done, they will be used incorrectly.
- mynicka, on 10/12/2007, -0/+3 We've had tons of problems with security here at OU. I think it was 3 years ago that our student senate was debating on upgrading the security on our grades database. The senate felt that it would be a waste of time and money to do this; that was until a CS student walked up to the council leader and handed all of her grades which they got from the weakly protected server. I guess she even tried suing the guy who did that, even though it was a creative way of saying 'fix your damn security issues'
- kevin_ou, on 10/12/2007, -0/+3 I go to OU and it's been a little crazy down here. First the alumni and donor server was compromised...then we find out the OU health clinic server was compromised. The health clinic server has students' names, dates of birth and SSNs. My professor told me this server was used in a denial of service attack. That leaves me to wonder if any info was stolen. If you stole data, would you launch an attack and make it obvious you had control of the machine? Or would you quietly leave?
Rv8ch, this tech is not part of the help desk, my buddy works there. OU is generally pretty good about keeping equipment up to date as well....well the wireless anyways. Our whole campus will be wireless by the fall and most of the wireless B equipment has already been upgraded to B/G. But my other professor, who runs one of the 2 IT departments here (not the part responsible for this mess) told us in class that he is constantly under attack for budget cuts. He told us that the higher-ups wanted to cut his budget because "with a wireless network, what's the need for the wired network?" Actually, kind of funny.
On another note, I've been doing some identity theft research just in case. If you have PayPal, you can get free alerts from Equifax. Digg this: http://digg.com/deals/Free_credit_monitoring_for_PayPal_customers
- r00tus3r, on 10/12/2007, -0/+3 I don't think I'll be so quick to play judge, jury and executioner on this one. Did the University make any attempt to ensure that this guy was properly trained? Was he regularly sent on courses to hone his skills? People in administrative positions tend to overlook security and are often hesitant to pay the money required to have someone properly trained in this area, and this is the end result.
- drye, on 10/12/2007, -0/+3 I went to OU. Security has always been an issue there. While I was there a student on student Senate was asked to submit a report on security. In doing so he hacked the system and presented the entire Senate with their SS#'s and grades, then did the same with the president's personal info. He was just trying to prove that they were not secure, but instead they kicked him out and obviously didn't fix the problems, heck maybe it was him who did this.
- serra, on 10/12/2007, -0/+2 Ah, nice to see all of the people from Athens turning out on this thread! I live 20 miles from Ohio University, and frequently go up there to party and play pool. I was just talking to someone who works in their computer department the other night, he was out at Tony's having a drink (on a night that he normally wouldn't be drinking, since this ***** was about to explode).
- cjurczak, on 10/12/2007, -0/+2 Damn, that's a crappy situation...I feel sorry for those guys...Although that story sounds quite familiar to the same thing that happened to me a couple years ago...lol
- silverbritt, on 10/12/2007, -0/+2 This is so eerie. A friend of mine used Retina to port scan the school's computers at our university and found two servers completely open for anonymous FTP. The servers had been set up to hold information that was required after 911 for our foreign students. A couple days later, this guy's roommate went into the tech center (because he work-ed- there) and told them about the problem. The director went nuts! That afternoon, the local police and the FBI came out and confiscated all the computers in the apartment. They took 4 computers, hard drives and backed-up data. All because our tech-center didn't protect their own files. Shame on them for punishing the guys for doing the right thing and telling them about the hole. All there people in the apartment had to go through a review after being declared an imminent threat to the university. After realizing that the guys did nothing wrong, they were given a slap on the wrist and allowed back in. They still don't have their computers back--it's been over a year.
- leohart, on 10/12/2007, -0/+2 In education institutes, not many IT gets paid accordingly. You cannot expect an IT guy with 10 years' experience coming from MIT to work for a college IT department where budget is shrunk every year and jobs include talking to people who do not understand what HTTP is.
- nickwebb, on 10/12/2007, -0/+2 r00tus3r:
Playing devil's advocate, let's say no effort was put forth by the university to ensure security other than through the work of the administrators themselves.
This guy *still* had no idea the server was even up. I agree with the above, that in and of itself is grounds for letting the guy go; it's called negligence.
I will agree with the fact that the university is partly responsible. His manager should take some heat. And if the guy really is incompetent (IE, not lazy), they should punish the guy who hired him as well.
- r00tus3r, on 10/12/2007, -0/+1 I bet this kind of thing happens more often than a lot of people realise. Are the ones responsible all inept, should they be dragged from their server rooms and shot at dawn? Not really, the fact is, that everyone makes mistakes, and sometimes you're lucky, but other times, you get bitten.
- drye, on 10/12/2007, -0/+1 You know, I am not certain how the hack was carried out. I was on a Judicial Review Committee and heard about it from a University official, besides that there was some news about it in the local paper the Post, none of which went into how the hack was carried out. I seem to remember it was passwords stored in clear text on an open FTP server, but I could be wrong.
- thundercleese, on 10/12/2007, -1/+1 drye, I had heard rumors about this hack. While I would like to think the system hacked by the student is now secure, I am wondering how the student went about hacking the system. Just a general overview would be fine...
- mcdougrs, on 10/12/2007, -1/+1 While I find this sort of security breach pretty horrifying, I must admit the article mentions a good point. There does need to be a set of good rules that universities can work out to help ensure the security of their information AND ensure that the professors and students have all the resources (internet and/or network) that they need.
- kevin_ou, on 10/12/2007, -1/+1 That's funny, mynicka is a bobcat too and we posted one minute apart. By the way, it was the FBI that told the university about the breaches.
- s1ipstream, on 10/12/2007, -0/+0 While I was at OU (early '90s), I found a Novell 3.11 server (lots of users) with an administrator user that had a BLANK password. If I had told anyone, I'd likely have gotten into trouble even though I didn't do anything with it. Like the article said, universities put little if any funds towards security (or hiring a knowledgeable admin), and they prosecute anyone who tries to help them. Stupid is as stupid does. How ironic.
- wilkeson, on 10/12/2007, -1/+1 Did it say that somewhere in the article? I must have missed it if it did. I mean, why would you go around making baseless assumptions?
On a side note, anyone who finds this story interesting should pick up a copy of Cuckoo's Egg. Just trust me on this.
- hagrin, on 10/12/2007, -0/+0 Leohart -
You're completely missing the point. The point is you don't need ANY technical knowledge to have avoided this problem. This problem, as described by the article, was simply a failure to do an assets audit, identify servers online and perform a software audit - something that even the most junior of admins can perform. This isn't a technical expertise problem, this is a laziness/failure to follow procedure problem.
This sort of story gives 100% credence to the phrase "no matter linux or windows, your network is only secure as the humans administering it".
- s1ipstream, on 10/12/2007, -0/+0 "... a windows server can be just as secure as a *nix server"
ah, no. There really isn't any wiggle room on that. It's a simple truth, and any admin with *nix experience will know that *nix is more secure than Windows can ever hope to be. Windows-only admins will always trumpet Windows and hide its shortcomings, but it's all a bunch of fanfare.
- MatthewDuke, on 10/12/2007, -0/+0 I miss Tony's. Most underrated bar in Athens.
- hazmat007, on 10/12/2007, -1/+1 just goes to show you that in most cases of identity theft there is some dumbass on the other end giving up the info.
- hagrin, on 10/12/2007, -1/+0 Nowadays, not knowing a server is still online is just completely unacceptable. With network monitoring tools such as BigFix, Cisco Works, anything by AdventNet, etc. it's amazing that a group of network admins could possibly have no idea that a server was still online.
I wouldn't mind, but geez, what else were they doing this entire time?
- diecastbeatdown, on 10/12/2007, -2/+1 not to mention all the freeware tools out there for monitoring like nagios and bigbrother.
- Xtrem3, on 10/12/2007, -2/+1 *cracker
- protiek, on 10/12/2007, -9/+7 english in please?
- mordain, on 10/12/2007, -8/+6 And the moral of this story (if true) is "If you find something good, shut your head, telling all your friends to big note yourself will make you lose said good thing".
- mooninite, on 10/12/2007, -7/+1 Hm, I wonder what OS they were running on. *cough* Windows 2000/2003 Server *cough*
Now, explain to me how safe Windows is to hold SSN/credit info.
- adml_shake, on 10/12/2007, -16/+2 Where do I send a resume!
- ThomasCJohnson, on 10/12/2007, -22/+3 Cuddlepies Galore!
- wogboi, on 10/12/2007, -24/+1 teach me your ways Darwinian
- Darwinian, on 10/12/2007, -28/+3 I've hacked the school's network server multiple times, and they don't appear to have ever noticed.
Although I was actually on the network when I did it, so it doesn't really count.

