ISU Computer System Hacked

Wow, now ISU has had a computer break-in that possibly gave up credit card and social security numbers. That makes at least one in each of the three state universities in Iowa this year. Think we need to step up security?

A computer at Iowa State University’s Alumni Association was hacked into, allowing outside access to thousands of social security numbers and pages of credit card information, university officials said.

Officials were unsure whether the hacker broke into the computer system in search of the information, but it was possible the data was accessed and misused. More than 2,300 student and volunteer social security numbers and nearly 2,400 credit card numbers were stored in the system.

Campus officials said they were notifying individuals about the security breach.

Update: The University of Colorado was just hacked too.

Computer Security in Higher Ed.

One of our sister institutions, the University of Iowa, suffered a breach of their book store computer systems last month, potentially exposing the credit card info of 30,000 people. This follows the breach we had at our campus public radio station in March, affecting a smaller group on our own campus. As this article shows, this year, over half a million people have had their credit card numbers, social security numbers, and other personal data potentially stolen from universities with shoddy computer security. Oh, and the year is barely half over.

At this point, you've got to think (and I hope) a Congressional investigation or legislation is coming in the future. Many institutions, including my own, need to change their approach to computer security if they're going to reverse this trend.

One of the problems on many campuses is that the IT staff is distributed, because the IT dollars are distributed. There's usually not a single IT department, there are 50 of them, with varying practices, levels of skill, staffing, and funding. Some campus IT staff don't get near the level of training dollars spent on them that they need to do their jobs properly, due to declining tax revenues in many states. This distributed model also means that an institution's critical information is spread across dozens, if not hundreds, of computers spread throughout the campus network, with greatly varying degrees of security placed upon them. A spreadsheet containing social security numbers or other private information might be on the same computer that a student worker is installing spyware-infested games on to play when they're bored.

A lot of campuses have "open" computer networks that allow most, if not all, types of network traffic to flow across their borders, rather than allowing only certain types. This gives students, faculty, and staff the ability to use whatever software they like, so it's very flexible, but it also exposes them to a much greater risk.

As the ComputerWorld article says, this philosophy of openness is pervasive:

The most fundamental factor is the openness of the university. The free and open exchange of ideas has long been at the core of the university mission. As a result, the typical campus is physically open to all comers; no identification badge is needed. Its intellectual property is openly aired, and members of the college community interact in public forums online and off-line. Names of professors are public knowledge much more often than their middle-management counterparts in private industry, and rosters of students aren't hard to come by, either. The campus is like this because everyone there, except IT security, wants it that way.

I know it probably seems strange to hope that Congress intervenes in one's own profession, but I think it can only improve the situation at this point. While we are working to improve our campus network security, I know it would happen a lot faster if there were tougher laws requiring us to do so...

VectorWorks portscans on port 30999

While testing Symantec Client Security for possible use on our network, I noticed two machines tripping the portscan IDS signature on port 30999. A quick Google search revealed that this port was primarily used as a back door by the Kuang2 trojan, so we disabled the network ports of the two workstations and sent some techs to check them out. They couldn't find any malware on the machines, but since no one could tell me what was portscanning our subnet on 30999 from them, I told them to wipe them anyhow. As one of the techs was setting the machine back up, it tripped my firewall again, and I immediately called him and asked him what he was doing. He said he'd just installed VectorWorks, so I asked him to run it, and sure enough, that's when the machine portscans on 30999.

I searched Google, the manufacturer's web site, and their support forum, and none of them mention that port, so I e-mailed their tech support and got this response:

Dear Nemetschek North America Customer:

Thank you for your inquiry.

VectorWorks does do a network check to see if any serial numbers are duplicated and are used at the same time. It can not be prevented since it is hard coded into the software.

If you have any other questions, comments, or suggestions, please feel free to contact us at (410) 290-5114 (tel) or (410) 290-8050 (fax) or tech@nemetschek.net (e-mail).

Respectfully, Technical Support

So, it's legitimate (annoying) behavior. The kicker is that SCS (Symantec Client Security) will, by default, disable all communication with the "attacking" machine for 30 minutes. So, you can launch VectorWorks, then find that all the machines on your subnet running Symantec Client Security refuse to talk to you for half an hour. Congratulations, you've DoSed yourself!

Obviously, the best solution here is to run a firewall that filters your outgoing packets and deny VectorWorks the ability to talk on your network, or better yet, configure your managed switches to block all port 30999 traffic. Or, even better yet, stop using VectorWorks until they decide to trust you as a customer.
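The self-inflicted DoS above comes from an IDS that treats "one source touching many hosts on one port" as a scan and auto-blocks the source. The following is an added example, not code from the original post or from Symantec or Nemetschek: a toy sweep detector run over constructed firewall log lines, with an allowlist of known-benign (source, port) pairs applied before anything is blocked. The log format, hosts, thresholds and the allowlist mechanism are all assumptions made for illustration, not SCS settings.

```python
"""Toy port-sweep detector over constructed firewall log lines.

Added example (not from the original post). It shows why a license check
that probes every host on the subnet on one port looks exactly like a port
scan to a host-based IDS, and how an allowlist of known-benign (source, port)
pairs keeps the detector from auto-blocking that source. The log format,
hosts and thresholds are constructed for illustration.
"""
from collections import defaultdict
import re

# Constructed log format (assumption): "<epoch> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<proto>\w+)$"
)

# Constructed sample: one workstation sweeping the /24 on TCP 30999 (the
# license-check behaviour described in the post), plus ordinary web traffic
# and a lone probe that should not count as a sweep.
SAMPLE_LOG = [
    "1000 192.0.2.10 -> 192.0.2.1:30999 tcp",
    "1000 192.0.2.10 -> 192.0.2.2:30999 tcp",
    "1001 192.0.2.10 -> 192.0.2.3:30999 tcp",
    "1001 192.0.2.10 -> 192.0.2.4:30999 tcp",
    "1002 192.0.2.10 -> 192.0.2.5:30999 tcp",
    "1002 192.0.2.10 -> 192.0.2.6:30999 tcp",
    "1003 192.0.2.20 -> 192.0.2.50:80 tcp",
    "1003 192.0.2.20 -> 192.0.2.51:80 tcp",
    "1500 192.0.2.30 -> 192.0.2.7:30999 tcp",
]

# Detection knobs (constructed values, not SCS defaults).
MIN_TARGETS = 5      # distinct destinations on one port before we call it a sweep
WINDOW_SECONDS = 60  # all probes must fall within this many seconds


def parse(lines):
    """Yield (ts, src, dst, port) tuples, silently skipping unparseable lines."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield int(m["ts"]), m["src"], m["dst"], int(m["port"])


def find_sweeps(lines, min_targets=MIN_TARGETS, window=WINDOW_SECONDS):
    """Return {(src, port): sorted distinct destinations} for each source that
    touched at least min_targets distinct hosts on one port within window."""
    seen = defaultdict(list)  # (src, port) -> [(ts, dst), ...]
    for ts, src, dst, port in parse(lines):
        seen[(src, port)].append((ts, dst))
    sweeps = {}
    for key, events in seen.items():
        events.sort()  # by timestamp, so the window below is contiguous
        for i, (start, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - start <= window}
            if len(dsts) >= min_targets:
                sweeps[key] = sorted(dsts)
                break
    return sweeps


def sources_to_block(sweeps, allowlist):
    """Drop (src, port) pairs an operator has vetted as benign (a workstation
    running a license-checking application, say) before auto-blocking, so the
    IDS does not cut off a legitimate peer. allowlist is a set of (src, port)."""
    return sorted(src for (src, port) in sweeps if (src, port) not in allowlist)


if __name__ == "__main__":
    sweeps = find_sweeps(SAMPLE_LOG)
    for (src, port), dsts in sweeps.items():
        print(f"{src} swept {len(dsts)} hosts on port {port}")
    print("blocked without allowlist:", sources_to_block(sweeps, set()))
    print("blocked with allowlist:", sources_to_block(sweeps, {("192.0.2.10", 30999)}))
```

With no allowlist the sweeping workstation is blocked, which is exactly the behaviour that cut the VectorWorks machine off from its subnet; adding its (source, port) pair to the allowlist keeps the detection visible in the logs without the automatic block. Filtering port 30999 at the switch, as the post suggests, removes the traffic entirely and so the question never arises.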

Patch your boxes

If you even come into passing contact with a Windows box, take a few minutes to visit first Windows Update and then Office Update to install the latest critical patches for your system. There are some truly nasty holes that were patched today, and I'm sure at least one of them will be ripe for a worm soon. The TCP/IP stack, Windows/MSN Messenger, and even Microsoft Word all have "critical" security flaws in them, so get patching!