Hacker May Have Hit Over 97K at Univ. of Florida

For the second time in less than four weeks, the University of Florida has been forced to notify students, staff and faculty about a cyber attack.

This time, a hacker got into the university’s antiquated Grove system, set up in 1996, and possibly stole the names and social security numbers of more than 97,000 people.

The school’s IT staff noticed something unusual while conducting a regular review of the system January 14, and immediately shut Grove down, university spokesperson Janine Sikes told InternetNews.com. Investigation showed someone had broken into the system December 22, and IT notified campus police.

The hacker’s IP address was traced to Barbadua, in the Caribbean state of Antigua and Barbadua. The university posted news of the breach on its Web site yesterday. A spokesperson for the university said it didn’t release details of the potential scope of the break-in until it completed its investigation.

At least 97,200 people who were in the Grove system between 1996 and 2003 could have had their social security numbers stolen, Sikes said. They include former students, and former and current faculty members and staff.

They were exposed because Grove hosted course materials for classes and faculty, and these included course lists which had the names and social security numbers of people in the system before 2003.

“Before 2003, the university used social security numbers as students’ ID numbers, but after that we gave them our own ID numbers,” Sikes explained. The university’s 52,000 current students, and those who were enrolled from 2003 on, have not been impacted, she said.

Grove also hosted Web sites for fraternities and sororities, and was used to provide students, staff and faculty free e-mail. These have been moved off to new systems.

The investigation into the breach has stalled. “We’ve gone as far as we can go at this point, and there isn’t anywhere we can take it,” Sikes said. The university is not pursuing the matter with any law enforcement agencies outside of its own police department.

So what happened?

Because the system is so old, the university’s IT department has no idea just what the hacker did. “The system is antiquated and we don’t have the capabilities to run additional searches,” university spokesperson Janine Sikes said. “We know somebody got in there, but we don’t know where they went or if they took anything.”

The university is conducting an internal review to identify similar systems that could also be hacked.

Security experts said protecting old systems like Grove is difficult, at best.

“Anything that old was designed before we really knew much about Internet security,” Martin Reynolds, a distinguished analyst at Gartner, told InternetNews.com. “It predates any security systems – we hadn’t heard of spam then, and we didn’t know about e-mail addresses either.”

The University of Florida was last in the headlines in late January, when a hacker got into a text messaging system that is part of the university’s alert system and sent a possibly racist message to the cell phones of 42,000 students and faculty. The message, which said “the monkey got out of the cage,” was sent out on Inauguration Day and many thought it was racist because several racist videos distributed during the presidential election depicted then-candidate Barack Obama as a monkey.

Next page: No place for old computers

Page 2 of 2

No place for old computers

The best way to handle legacy systems like Grove is to retire them, unless they run applications or contain data with a very high business value, Reynolds said. If they do, they could be retrofitted with a custom designed firewall.

Jason Wright, senior product manager at unified threat management systems vendor Fortinet, told InternetNews.com that ageing systems are a major problem, especially for larger companies where they are part of the Internet infrastructure.

“Having a publicly facing system that’s antiquated is a real worry,” he said. “They have antiquated hardware, applications and operating systems, and perhaps these are not updated regularly or the application providers no longer support them.”

Given Grove’s age, the system was probably hacked through a password, Reynolds said. “This isn’t some magic thing where the hacker injected something through a buffer overflow, he probably got in there as an administrator. “For all we know, they could have had the first password from 1996 still in there.”

The university has begun sending out letters in batches to those who may have been affected, Sikes said. It is still trying to track about 5,000 possible victims for whom it does not have any contact information, and has set up a toll-free hot line at its privacy office.

Grove is not being replaced, Sikes said. “The active systems will be relaunched on new, more secure, updated programs of systems. This was an old system that was barely being used anyway.”

News Around the Web