While GMU officials say they have not determined how the attack on the university's system was carried out, there are some indications that the vulnerable computer may have lacked the firewall protection that experts urge for every computer connected to a network.
Firewall software is designed to prevent unauthorized access to a computer. The university's computers are normally protected by a firewall, said Thomas W. Bacigalupi, the university police detective handling the hacking inquiry, but in this case, he said, the firewall may have been missing or not turned on. "We're looking into that," he said.
Hughes, the university's chief information officer, said there are indications the intruder may have been breaking into the computer since November or earlier. She said the hacker loaded it with software including a "remote probing tool and a password-cracking tool."
"It has been very stressful, both for people who've gotten the [warning] letter and the people who are working around the clock" to get answers, Hughes said. To date, she has received about 50 e-mails from GMU students and staff members expressing anger. Some criticized her for taking too long to send out a warning, she said, others for alarming the campus community when it is not yet clear anything has been stolen.
George Mason fashions itself as a major technology center. It houses the Center for Secure Information Systems, which works to develop improved security technology. The center receives $2 million a year in funding from federal agencies such as the National Security Administration, the National Science Foundation and the Air Force, as well as private corporations.
"It's not surprising to me that somebody was able to get into our systems," said Sushil Jajodia, director of the center, who was consulted by the university after the incident. Even the Defense Department and the FBI, he said, deal with occasional hacking intrusions that are not always publicized. "There's no way to achieve 100 percent security, no matter how much money you spend," he said. "GMU is not unique in this instance, although yes, we should do better."
After GMU revealed the attack on its system, some Washington area campuses reviewed their cyber-security. Georgetown University officials took steps to tighten security, a spokeswoman said, declining to describe the measures. Officials at the University of Maryland at College Park, George Washington University and American University said those schools had already taken steps to enhance security, including keeping Social Security numbers separate from student ID numbers. AU's systems do not use Windows software, which is especially vulnerable to attack, said Carl Whitman, the school's executive director of e-operations.
With most departments at George Mason University still on winter break, some students were only beginning to find out about the security breach.
Ryan P. Surber, a part-time graduate student in public policy, said he is enraged about the breach and thinks it could be related to $1,500 in fraudulent charges made recently on his credit card.
"It's just too much of a coincidence," Surber said, although he cannot prove the hacking incident is related to the two unauthorized online purchases made at electronics stores on Dec. 29. The university has said credit card information was not stored on the computer that was attacked.
Carrie M. Patterson, a law student at GMU's Arlington campus, said she had tried repeatedly since Monday to get through to a credit bureau to report the problem, as recommended by the university.
The first day, she called after 4:30 p.m. and the company was closed. The next day, she called during the day from school, only to be cut off. Her efforts to notify the agency online also failed, she said. In the meantime, her mother, who lives in Connecticut, heard about the GMU security problem and called to insist that Patterson reach the credit bureau. "Now I'm going to have to do it because she's going to ask me every day," Patterson said.
Nursing student Kimberly A. Dawson and friends were discussing the incident over lunch in the university's George W. Johnson Center on its main campus yesterday.
A year ago, Dawson had to put a fraud alert on her credit cards after a brokerage firm lost a box containing her personal account information. "It's a big concern because it's a huge chunk of your life in the hands of people who can do a lot of bad things," she said. "It could be something that affects you years down the road."
Staff writers Jonathan Krim and Michael Rosenwald contributed to this report.