University Databases In the Bull's Eye

Recent wave of university hacks nationwide exposes vestiges of the former practice of using social security numbers as identifiers

A high-profile breach announced this week at the University of Hawaii (UH) Manoa was the latest in a rash of summertime university database exposures -- and it serves as a reminder of how much work postsecondary institutions still must do to improve their data security practices.

The UH Manoa breach affected approximately 53,000 students, faculty, and other customers of the university's parking facilities. It was the result of a hacker gaining entry into a server containing a database full of parking facility customer information, including social security numbers and credit card data.

The education vertical has been hit by at least three other glaring database breaches at big universities across the country during the past few months, comprising:

  • a breach at the University of Maine, which exposed a database that included names, social security numbers, and clinical information for every student who had used the school's counseling center services since the summer of 2002;

  • a vulnerability in an academic tracking database at Florida International University, which exposed GPAs, test scores, and social security numbers of more than 19,000 students; and

  • a botnet infection on a PC owned by Penn State University, which was transmitting personal information from a pool of nearly 16,000 records stored in a cached copy of a database of social security numbers once housed on that machine. The original database had been deleted after the university discontinued the use of social security numbers as identifiers five years ago, but the copy remained.

This spate of breaches at higher-education institutions is hardly a surprise to security experts.

"When you think about it, educational institutions have a wealth of information," says Thom VanHorn, vice president of global marketing for Application Security Inc. "They obviously have records on the students themselves, they have social security numbers, they have health records, and they also have financial information from the parents who are paying the bills. So they have a lot of very marketable data, which makes them a very attractive target."

The social security numbers, in particular, are a hot-button issue. Many universities have historically repurposed social security numbers as student identifiers -- a practice that has been abandoned by most organizations in light of the risk it poses to student records. However, vestiges of records from when that was common still remain on many systems: The Penn State breach is a perfect example of how that can happen.

"In a lot of instances, you can also still find that stuff on test databases, and there may be some legacy test databases that still have information like that," VanHorn says. "That's why it's so important for organizations not only to protect their production databases, but also to protect databases that are connected to the network that were test databases, because the database infrastructure is only as strong as its weakest link. Once you're on the network, you can probe around and you can find test databases that have actual data."

While the database breaches hitting higher education institutions this summer are a fresh reminder of why data security is so important, the fact is these latest incidents are just a few isolated beads in a string of incidents that date back far beyond this year. According to Rich Mogull, analyst with Securosis, these types of breaches have been going on so long he'd hardly class them as news anymore.

"Education has been one of the most frequently targeted verticals out there," he says. "It's not like a business; universities are very distributed organizations, and they tend to have more open networks. And the fact is that not all of their systems are maintained all that well."

He recommends educational institutions work on better segmenting their networks to protect more valuable information and work to improve their vulnerability assessment processes. One of the most important ways to get started is to initiate a thorough data discovery process to figure out where all of the sensitive data resides, both in and out of databases scattered across the network. He says the free Cornell Spider tool was created specifically for organizations like these embarking on a data discovery hunt, and is worth a look.

But even more critical is that educational institutions begin to shift their political and organizational climates to make it possible for IT to make meaningful security changes that will prevent incidents in the future. "And that's what's hard," Mogull says. "There's no easy answer there."
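The data discovery step recommended above, as an added example (not from the article and not the Cornell Spider tool): a scanner that finds structurally plausible social security numbers in files, such as leftover exports or test data, and reports them masked. The function names and the sample rows are constructed for illustration.

```python
import re
from pathlib import Path

# Candidate SSNs: 9 digits, optionally written AAA-GG-SSSS or AAA GG SSSS.
# Lookarounds keep the pattern from matching inside longer digit/dash runs.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def plausible_ssn(area, group, serial):
    """Area 000, 666, 900-999, group 00 and serial 0000 are never issued."""
    return not (area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000")

def scan_text(text):
    """Return (line_number, masked_value) for each plausible SSN in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            area, _, group, serial = m.groups()
            if plausible_ssn(area, group, serial):
                hits.append((lineno, f"***-**-{serial}"))  # never echo the full value
    return hits

def scan_tree(root, max_bytes=5_000_000):
    """Walk a directory, scanning regular files up to max_bytes; returns {path: hits}."""
    report = {}
    for path in Path(root).rglob("*"):
        try:
            if not path.is_file() or path.stat().st_size > max_bytes:
                continue
            text = path.read_bytes().decode("utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        hits = scan_text(text)
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample data (not real SSNs): a legacy roster export keyed by SSN.
SAMPLE = """student_id,name,gpa
123-45-6789,A. Student,3.4
000-12-3456,B. Student,3.1
987654321,C. Student,2.9
219099999,D. Student,3.8
phone 555-123-4567 ext 22
"""

if __name__ == "__main__":
    for lineno, masked in scan_text(SAMPLE):
        print(f"line {lineno}: {masked}")
```

Pattern matching alone produces false positives on other nine-digit values, so hits are leads for manual review; the structural check only removes numbers that could never have been issued.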
