Re: followup: CO University of Colorado at Boulder

["B.K. DeLong" <bkdelong () pobox com>]

Ouch - an unpatched bug in so-called SECURITY software? Isn't such software
supposed to work against issues that lead to data breaches?

On 5/25/07, security curmudgeon <jericho () attrition org> wrote:
> ---------- Forwarded message ----------
> From: InfoSec News <alerts () infosecnews org>
> Subject: [ISN] University Blames Security Breach On Un-patched Symantec
> Bug
>
> http://www.informationweek.com/news/showArticle.jhtml?articleID=199701978
>
> By Sharon Gaudin
> InformationWeek
> May 24, 2007
>
> The University of Colorado at Boulder said sensitive information on 44,998
> students was exposed because a worm attacked the network through an
> un-patched bug in Symantec's anti-virus software.
>
> A server in the university's College of Arts and Sciences' Academic
> Advising Center held the names and Social Security numbers of students
> enrolled at CU-Boulder from 2002 to the present, according to an online
> advisory.
>
> On May 12, the university's IT security investigators discovered that the
> worm entered the server through the vulnerability, which the IT staff had
> failed to patch, the university reported. Investigators said they did not
> believe the hacker behind the worm was after the personal information, but
> instead was using the flaw as an entryway to other computers on the
> university network.
>
> "The server's security settings were not properly configured and its
> sensitive data had not been fully protected," said Bobby Schnabel,
> CU-Boulder vice provost for technology, in a written statement. "Through a
> combination of human and technical errors, these personal data were
> exposed, although we have no evidence that they were extracted."
>
> A Symantec spokesman told InformationWeek that they have been trying to
> get in touch with the university's IT team but have not yet talked to them
> to get details about the attack or even to find out what vulnerability was
> involved. "We hate to see any customer with a problem," he said. "We
> encourage customers to post patches as soon as possible."
>
> Todd Gleeson, a dean CU-Boulder, said in a statement that he wants the
> College of Arts and Sciences IT operations to be placed under the direct
> control of the university's larger IT department. He said all of the
> students affected by the breach are being notified through letters mailed
> to their homes.
>
> "We have also taken steps to ensure that all sensitive personal data has
> been removed from our Academic Advising Center servers," said Gleeson. "I
> want to assure our past and present students that we have taken strong
> measures to protect our advising center computers and our students'
> personal information."
>
> Students who are looking for more information about protecting themselves
> following a data exposure can go to the advisory Web site.
>
>
> _______________________________________________
> Dataloss Mailing List (dataloss () attrition org)
> http://attrition.org/dataloss
> Tracking more than 208 million compromised records in 670 incidents over 7
> years.



--
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 208 million compromised records in 670 incidents over 7 years.