Shostack + Friends Blog Archive


Indiana University, 5300 students, malware

According to an Associated Press article appearing in the Indianapolis Star,

Personal information about nearly 5,300 Indiana University students might have been accessed by a computer hacker, school officials said.
Technicians discovered during a routine scan that three malicious software programs had been installed on a Kelley School of Business instructor’s computer in mid-August, said James Anderson, the school’s director of information technology.
“You’re not going to find folks who are not malicious hackers who have access to these programs,” Anderson said. “They are not something your average computer user would use. They are very cryptic and non user-friendly.”
The programs were accessed in early October, but it could not be determined whether any personal information was removed, the school said.
A letter was sent Friday to 5,278 students notifying them of the security breach. All of the students had been enrolled in an introduction to business course between 2001 and 2005.
Anderson said no misuse of personal information had been reported, but encouraged students who received the letter to take precautions, including a check of their credit report.

According to another report, Social Security numbers “were stored on the computer along with other records”.
Questions for IU:
1. Why did this instructor have information on enrollees for this course?
2. If (s)he taught the course, why was it necessary to maintain several years’ data regarding students? What, precisely, was the nature of the records this instructor had?
3. Who owned the computer on which the malicious programs were found? If it was the instructor’s personal property, why did it contain confidential personal information which students gave to the University?
4. Why did it take six months to discover this malicious software? Aren’t the “routine scans” performed more often?
5. What evidence supports the conclusion that the programs were last accessed in October?
6. If the affected computer is the instructor’s, what assurance has the University obtained that all backup media or internet-based backups made by the instructor are free of the students’ personal information?
7. Why were SSNs among the stored data elements?

2 comments on "Indiana University, 5300 students, malware"

  • Peter says:

    For most universities, the Student ID number is their SSN. Bad idea, and one that has been used for decades. Most students don’t know that they may request a different one.
    1: Do you want a grade when you take the class? The teacher needs your student ID to report grades.
    2, 7: same as 1. Most teachers I know throw almost nothing out.
    4: I’ll answer this one with a question. Sony used the XCP rootkit on music CDs for almost a year. DNS servers report about 500k computers infected. Only this month did anti-virus software mfgrs “detect” the rootkit, as they had been co-opted/bribed in the past by the rootkit manufacturer. If your AV software is in collaboration with your enemy, how will you ever know? How many other rootkits has your AV vendor been paid to ignore? Will you only find out when it becomes a media frenzy?
    As an aside, I used to work part time at the financial aid office at a university, and daily inch-thick printouts with names + SSNs were just tossed in the trash. Anyone could fish such printouts out of the trash with no one the wiser.

  • Chris Walsh says:

    Even if IU uses SSNs as student ID numbers (I bet they stopped doing this recently — “only” something like 4400 of 5300 students also had SSNs compromised), any Prof with half a brain could construct a unique identifier other than the complete SSN. Heck, mine used to post grades on a bulletin board outside their offices, but suppress all but the last four SSN digits.
    So, there is no excuse for 1, 2, and 7 other than lack of initiative/ability to see the problem.
    As for 4, you misunderstand the question. This material was found by a routine scan. If the detection mechanism is so pedestrian, (as opposed to Mark Russinovich having to engage in deep voodoo), why wasn’t it done earlier? If this was some hard-to-detect stuff, per your response, a “routine scan” would not have found it.
    BTW, any security person who has spent time in academia “knows”, or has a darn good first cut at, the answers to all these questions, but I didn’t want to engage in stereotyping :^).
    In this case, a story that fits the facts is that the instructor was lazy, was using his/her own laptop, surfed in a semi-bad section of town, didn’t keep decent AV signatures, and the IT professionals at IU didn’t enforce filesystem (or data classification!!) hygiene.
    There are other possible explanations, of course. That is why the questions need to be asked.
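A concrete version of the alternative Chris Walsh proposes above (a per-course identifier that is not the full SSN, plus last-four-only display), as an added Python example that is not from the original post or from IU; the course key, sample SSNs and helper names are constructed for illustration:

```python
import hashlib
import hmac
import re
import secrets


def _digits(ssn: str) -> str:
    """Normalise an SSN to nine digits; reject anything else."""
    d = re.sub(r"\D", "", ssn)
    if len(d) != 9:
        raise ValueError("expected a 9-digit SSN")
    return d


def mask_ssn(ssn: str) -> str:
    """Last-four-only display form, as on the bulletin boards described above."""
    return "***-**-" + _digits(ssn)[-4:]


def grade_posting_id(ssn: str, course_key: bytes) -> str:
    """Per-course pseudonymous ID: HMAC-SHA256 over the SSN under a secret key.

    A plain hash would not do: there are only 10^9 possible SSNs, so an
    unkeyed digest on a posted grade sheet can be inverted by brute force.
    With the key held by the registrar (never on an instructor's laptop),
    the posted list alone reveals nothing about the SSNs behind it."""
    tag = hmac.new(course_key, _digits(ssn).encode(), hashlib.sha256).hexdigest()
    return tag[:8].upper()  # 32 bits: ample for one class roster


def assign_ids(ssns, course_key: bytes) -> dict:
    """Map each SSN to its posting ID, refusing to proceed on a collision."""
    ids = {}
    for s in ssns:
        pid = grade_posting_id(s, course_key)
        if pid in ids.values():
            raise RuntimeError("identifier collision; rotate the course key")
        ids[s] = pid
    return ids


if __name__ == "__main__":
    key = secrets.token_bytes(32)             # constructed: one secret per course
    roster = ["123-45-6789", "987-65-4321"]   # constructed sample SSNs
    for ssn, pid in assign_ids(roster, key).items():
        print(mask_ssn(ssn), "->", pid)
```

The SSN-to-ID table returned by assign_ids is the sensitive artifact and belongs with the registrar, not on the instructor's machine; only the IDs and grades need to leave it.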

Comments are closed.