http://securityratty.com/tag/duke Thu, 06 Dec 2007 08:37:20 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/c7ac0212b7ea0a34816a3630ea9cae15 http://securityratty.com/article/c7ac0212b7ea0a34816a3630ea9cae15 Security Breach

Date Reported:
5/20/08

Organization:
New York University

Contractor/Consultant/Branch:
Duke University, Fuqua School of Business

Victims:
Former NYU students

Number Affected:
273

Types of Data:
Names and Social Security numbers

Breach Description:
"DURHAM, N.C. - Duke University’s Fuqua School of Business is notifying 273 former New York University students that some of their personal information was inadvertently accessible by targeted Internet searches between July 2007 and April 2008."

Reference URL:
The News & Observer
NBC Channel 17 News

Report Credit:
Eric Ferreri, The News & Observer

Response:
From the online sources cited above:

DURHAM - Duke University's Fuqua School of Business is notifying 273 former New York University students that some of their personal information was inadvertently accessible by targeted Internet searches between July 2007 and April 2008.
[Evan] The information was public and went unnoticed by school, IT, and information security officials for nine months.

The NYU students were part of a 1997 class taught by a professor who now teaches at the Duke business school
[Evan] Why would a professor ever need access to Social Security numbers?  NYU may use or might have used Social Security numbers as student numbers.  Many schools are migrating away from this practice due to obvious (hopefully) privacy implications.  It is troubling that a former professor was allowed to leave NYU with confidential information belonging to students.

The professor is not identified

The personal data included student names and Social Security numbers, and was contained in the faculty member’s NYU research records.
[Evan] Did the professor not notice that he/she had Social Security numbers as part of his/her research records?

There has been no indication of any unauthorized access or use of the personal information

Duke’s Internet security team has ascertained that the information could have been accessed only if searched by specific student names, along with a search code for Social Security numbers.
[Evan] I suppose we could take them at their word although it would be very difficult to state this claim with certainty.  Search algorithms are very closely guarded secrets by Google, Yahoo, et. al.

The personal information was removed from Fuqua's public drives within 30 minutes of the school becoming aware of the problem on April 30.
[Evan] The ability to post information for public consumption must be closely monitored by organizations, and those with permissions must be properly trained.

Within hours, all major search engines had cleared their caches and indexes of the student information

Fuqua began notifying the former NYU students immediately after receiving addresses from NYU

Fuqua officials have undertaken a thorough review of the school’s electronic accounts to ensure no personal information is subject to unauthorized access.

No former or current Fuqua students were affected.

Commentary:
Most of my commentary is remarked above.  What do the schools plan to do in order to reduce the chances of this happening again?

Past Breaches:
Unknown

]]> Wed, 21 May 2008 10:27:07 +0000 nyu nyu students immediately nyu students information personal information fuqua current fuqua students specific student names names Former NYU personal information exposed at Duke University http://securityratty.com/article/26f7b1c688ec864f0ccf677c71a53dcc http://securityratty.com/article/26f7b1c688ec864f0ccf677c71a53dcc Security Breach

Date Reported:
12/4/07

Organization:
Duke University

Contractor/Consultant/Branch:
School of Law

Victims:
Current and prospective Law School applicants

Number Affected:
3,200*

*1,400 in one database containing applicant data and some Social Security numbers, 1,800 in a second database containing applicant data and passwords used by applicants tracking their applications.

Types of Data:
Names, addresses, phone numbers, Social Security numbers, and passwords

Breach Description:
The Duke University School of Law reported that they detected unauthorized and illegal activity on a their web site.  An investigation revealed that two databases were exposed in the attack that contained sensitive personal information about some current and prospective Law School applicants and students.

Reference URL:
Duke School of Law Incident Web Page
The News and Observer Story
United Press International Story

Report Credit:
Melinda Vaughn, Executive Director of Communications at Duke University

Response:
From the official incident web page and sources cited above:


On the Duke University home page

Thank you very much for your patience as we continue to work to restore our web site and understand the full ramifications of the attack on our web site and server. The attack was a criminal act, and it is now being investigated by law enforcement officials.

Earlier this evening, the Law School sent emails to about 3,200 prospective and current applicants notifying them that some of their personal information was exposed during the recent attack on our web site.

We have no evidence that the intruders actually downloaded or acquired any of this information. Nonetheless, we know the intruders had the opportunity and the tools to do so, and we therefore felt it was important to notify those who might have been affected as quickly as possible.
[Comfyllama] A good forensic analysis should provide clues if the proper trail exists.  You would think that a web server containing sensitive information would employ extensive logging.

On Thursday, Nov. 29, at about 3:30 p.m., we detected unauthorized links and coding in our web site. As soon as a breach was confirmed, we took the site offline and launched our investigation.

By Friday, it appeared that we had removed the unauthorized content, and we reposted the web site.
[Comfyllama] Ugh.  Thursday afternoon until Friday was all it took to re-certify the site?  Doesn't seem like a good incident response.  If a site is compromised, it is usually a better practice to replace it with a new rebuilt server so that the original can be thoroughly examined.

Our continuing investigation, however, found that the web server had been compromised, and that the attack had penetrated more deeply than originally thought.
[Comfyllama] In incident response, it's not a bad idea to hope for the best but assume the worst.

We took the web site down again by Saturday morning pending a more complete security scan by the university’s IT Security Office. We do not believe that any new problems were introduced during the short time that the site was reposted.

As we further evaluated the site, we found that several databases stored on the server were exposed during the attack.
[Comfyllama] Databases on a web server?  Bad.

There were two databases containing sensitive or potentially sensitive information. The first held records containing information submitted by prospective applicants who were requesting information from the admissions office.

A small percentage of those prospective applicants had provided Social Security numbers when they completed our online request form. That group of 1,400 prospective students received notifications this afternoon about the security breach.
[Comfyllama] Social Security numbers in a database on a web server? Worse.

The second database in question included contact information and self-generated passwords for about 1,800 current applicants who were using our web site to track the status of their law school applications.

Even though our second database did not contain Social Security numbers, we also have notified this group of the security breach, in case the passwords they used on our site are the same as the passwords they use on other sites.
[Comfyllama] Prudent decision on the part of the school.

the first intrusion occurred in early November, when a directory of foreign files was inserted into the site. Another set of files was deposited on Thanksgiving Day. We believe that nothing was done with these files until the attack began on the afternoon of Nov. 29.
[Comfyllama] Write access to the web server, and the responders didn't think that the compromise "had penetrated more deeply than originally thought"?

Duke University has a policy not to gather Social Security numbers, except in a limited number of circumstances including some transactions with applicants and prospective applicants.
[Comfyllama] This is a good policy.

The Social Security numbers in this database were no longer being used, and we had in fact stopped collecting them from applicants earlier this fall. But the database had not been purged of old data.
[Comfyllama] Lack of audit and review.

We are reviewing our policies to ensure we are in full compliance with all policies that pertain to the handling of Social Security numbers.
[Comfyllama] Sometimes it takes a breach to spur additional audit and review that should have been conducted regularly all along.  Unfortunately, there are people affected already.

What has been done to secure the web site and prevent this from happening again?
Over the weekend, we moved the site off our web server to allow us to install a completely new operating system and new software. While that was being done, we also reviewed all the data from the old server’s system for remnants of the intrusion.

The application status tracker is being restructured so that it will not require passwords. Social Security numbers have been removed and will not be stored on our web server.

We are continuing our investigations into how this attack occurred and what additional steps can be taken in the short and long term to further secure our web site and all our electronic data. We will update you on our progress in coming weeks, and we will provide a full report to the community once the investigation and security planning is complete. In the meantime, if you have any questions or concerns, please feel free to contact me **email address removed**, Liz Gustafson **email address removed**, or Jill Miller **email address removed**.
[Comfyllama] We (meaning The Breach Blog) removed the email addresses because we are still a little "old school" in this regard and think that publishing email addresses without obfuscation increases the likelihood of increased spam.

Commentary:
This has to be one of the best incident disclosure announcements I have ever seen in terms of depth.  The explanation of what occurred is clear, Duke's response is clear, and what they plan to do is clear.  I am impressed.

Now, what I am not impressed about is the decision to store confidential information on a web server.  More often than not, this is bad news.  Common information security practice is to place publicly accessible servers in a DMZ, segmented from more secure systems that contain databases.  Extensive monitoring is then placed on both systems and in between.  I am curious how the server itself was compromised.  Was it not patched, was it not configured well, was the code written poorly, was someone surfing the web on the server and downloaded malicious code, etc.?  I am also curious about whether or not the University conducts regular audits of these systems and runs intrusion detection.  Even after such a wonderful announcement by the school, so many questions still remain!

Past Breaches:
Unknown



]]> Thu, 06 Dec 2007 08:37:20 +0000 school duke school breach security comfyllama social security complete breach description complete security scan security breach Duke School of Law breach affects 3,200