By Anna L. Mallory
The Roanoke Times
January 20, 2008
Within 10 hours on Jan. 9 -- midnight to 10 a.m. -- computer hackers
lurking in cyberspace scanned Virginia Tech's computer networks 15,000
times, looking for a way to reach information, such as credit card or
Social Security numbers, contained in some of the cabinet's drawers.
That keeps people such as Randy Marchany busy, competing in a fast-paced
race colleges run with hackers -- some tied to organized crime -- to
Many are falling behind.
As director of Tech's information security lab, Marchany spends his time
monitoring the university's vast computer networks, hunting for
potential break-ins, updating software, patching system holes and
educating people about the best ways to protect their information
"Every time somebody comes up with a new hole and you find a fix for the
attack, somebody comes up with a countermeasure," Marchany said. "It's
always very fluid."
And some protective steps, such as cutting off the university
community's access to certain Web sites or computer programs, aren't
"Because we're a university, and you're maybe doing research, I'm not
going to get in the way of you doing your job," Marchany said. "In a
university environment, we have to be open."
But that doesn't mean information isn't protected.
Tech -- and most schools -- use tools such as firewalls and encryption
to keep unwanted people from viewing their data.

An appealing target

Because of the intricate web of information stored in computers across
college campuses, they are increasingly becoming targets for hackers,
said Walter Conway, a private consultant with Walter Conway Associates
who works with colleges to help protect their payment systems.
College campuses offer multiple wireless access points and each
department typically has its own information technology department that
handles data differently, things that make the system as a whole
In 2007, the nation's schools, including Virginia Tech, put 1.2 million
sensitive records at risk, according to the Identity Theft Resource
Stolen, leaked or publicly accessible Social Security numbers, credit
card digits and student and staff addresses are the kind of data that
can lead to identity theft in the wrong hands.
The ITRC tracked 111 of 448 security breaches in 2007 to schools. In
September, a dozen or more of those documents that contained students'
Social Security numbers or partial numbers came from Blacksburg computer
systems. But no evidence exists that anyone's identity was stolen,
according to the center.
Earlier this month, the University of Georgia had to contact 4,000
current and former students when a hacker accessed one of its networks
and got a list of Social Security numbers.
One reason for so many leaks is that the tools that schools use --
firewalls, anti-virus software, passwords and even Google searches --
are the same resources that would-be hackers have, Marchany said.
And these days, hackers are more brazen.
Instead of trying to tear down network walls, hackers often try to con
users out of sensitive information.
A common technique is phishing. To do that, hackers pose as reputable
organizations and send out e-mails with links to phony Web sites. When
victims open the e-mails, they are sent to a page that looks like the
reputable site -- except any information or passwords given out go to
Another criminal act, often called social engineering, is to pose as an
employee inside an organization and just ask for a password or sensitive
"It's a lot easier if I'm a bad guy to get you to give me the
information than to go storm the IT walls," Conway said. Both Tech and
Radford University use third-party processing agents to complete credit
card transactions for payments, such as tuition. Those systems are held
to national protection standards, Conway said.

Getting the word out

While most people think of hackers as people slaving over keyboards to
break into computer networks for fun, many hackers actually use computer
programs that work to guess passwords or hunt for unsecured wireless
networks to steal information, Conway said.
Even if potential hackers don't ask for information, they can still find
it legitimately. Conway said often organizations don't have the time, or
the money, to educate people about the best ways to store information or
how to take precautions against social engineering.
In September, when Liberty Coalition, an identity-theft watchdog group,
found documents listing Social Security numbers and names of Tech
students published to a public file on one of the university's servers,
the group contacted Tech, and the information was removed from public
view -- but its presence meant no one had to hack and no one had to ask.
Marchany attributes that security breach to a "digital pack rat,"
someone who stockpiles information long after it's needed. He said the
error was corrected and that it underscored the need for more education.
Teaching people about the dangers of storing personal information online
is key. Although many tips are common sense, Marchany said people often
Chief among the safeguards is to delete the personal information,
Marchany said, or to store it on a portable device such as a USB drive.
But even that can cause problems. Conway suggests that storing info on
disks or drives is most dangerous because it can be easily lost.
Schools try to promote software tools that will scan for sensitive
information and try to safeguard documents. Some of the resources are
free and can scan individual computers for potentially dangerous
IT employees at Radford and Tech use advanced Google searches to hunt
for personal information that might be stored on their Web sites. But so
In January 2007, Radford officials found that someone had broken into a
server containing "personal information" in the Waldron College of
Health and Human Services on campus. Investigators didn't find that any
information had been stolen or even viewed, a spokeswoman said.
Tech tracks potential break-ins and hunts for public documents that
could compromise identity, but often it has to wait for someone else to
tell them about a potential breach, he said. And some schools, such as
Radford, don't have time to track the number of potential hacks on
"We know there are attempted attacks, whether it's one or 30,000, we
still want to have as secure a system as we can have," said Danny Kemp,
chief information officer at Radford. "Is the number that important?"
State law requires that public institutions report security incidents to
VITA, the Virginia Information Technology Agency. But the rules apply
only if they result in a personal information breach.
Tech -- along with the University of Virginia and William and Mary -- is
exempt from the state's reporting rules. The exemption is part of the
state's Higher Education Restructuring Act, passed in 2005. The act
gives the three schools more autonomy. Regardless, Marchany said, their
IT department follows most of the same guidelines, such as reporting
incidents that result in exposure of sensitive data.
In 2007, colleges across the state reported 70 security incidents to
VITA. One was from Radford. Not all of the incidents were data breaches,
according to a VITA spokeswoman. She did not say how many were.
VITA suggests that IT directors report incidents that disrupt daily
activities, or those that cannot be explained. For the most part,
schools aren't required to report threats or social engineering
Still, Conway suggests that schools should follow a higher standard
because of their higher level of vulnerability.
Conway and Indiana University's Dennis Reedy performed an analysis of
security breaches between 2000 and 2007 that showed that colleges do
have a hacking problem, he said.
"Nearly 40 percent of higher education breaches were the result of
hacks. This is twice the rate for businesses, and there is no indication
that this high rate of higher ed hacking is slowing," Conway wrote in a
blog on the subject.
He admits that schools will never cease all vulnerability, but he
predicts a shift in the schools of thought surrounding data security.
Right now, people think, "Protect, protect, protect." He said the key
element is to purge all nonvital sensitive data or "get off the bull's
"You can protect, but no security comes with a guarantee," he said. "If
somebody wants something, they can get it."