New Year's Hacks

Two high-profile hacking incidents reported this week are reminders that January is a month in which cyber-criminals like to remind us just how insecure many computer networks remain.

After all, last January brought news of the "Bagle" and "MyDoom" worms, which were clever Trojan horse programs designed to give their authors control over infected machines -- and thus access to personal financial information. A year before, the "Slammer" worm emerged on a January weekend and spread so quickly that even the worst doomsayers in the cyber-security community were surprised.

The two hacks in the news today -- one at a Northern Virginia's largest university and the other at a major wireless phone firm -- didn't involve computer worms or viruses, but they once again heightened concerns about the problem of identity theft and the growing sophistication of online criminals.

At George Mason University in Fairfax, Va., a hacker nabbed Social Security numbers, names and other personal information from as many as 30,000 students and employees in a break-in discovered Jan. 3 by the university's computer management workers. The Washington Post today followed up its initial report on the incident: "The university said it took almost a week to confirm the nature of the electronic break-in. It then sent an e-mail on Jan. 9 warning its 32,000 students, faculty and staff members that they could be vulnerable to identity theft or credit card fraud. The compromised computer held a massive cache of information, including names, Social Security numbers, university identification numbers and photographs of everyone on campus."

The Post noted that authorities are still investigating who hacked the system -- a Windows 2000 server -- and the extent of data stolen. "Authorities said they were investigating whether basic computer protections were in place and operating on the computer that was attacked. ... GMU is only the latest campus to be hit by a hacker. In the past two years, similar attacks occurred at the University of Georgia, the University of Texas at Austin, the University of Missouri at Kansas City, the University of California at San Diego, and the University of California at Berkeley."

According to The Post, universities are popular hacker targets "because their systems house large amounts of personal data. But protecting the information is more complex than for a typical business because universities are built to foster collaboration and free exchange of information."
• The Washington Post: George Mason Officials Investigate Hacking Incident (Registration required)

While it is not clear yet if data has been used for fraud, school officials are playing it safe. "Officials are strongly recommending that GMU students and employees contact their banks and creditors," Virginia's Community Times Newspapers reported. The Associated Press quoted GMU spokesman Daniel Walsch, who said that prior to the breach "the university was in the process of replacing students' Social Security numbers with other internal numbers to protect against identity theft. That was in response to a law passed last year requiring Social Security numbers to be removed from various ID cards to deter identity theft. Officials shut down part of the server after finding out about the hack job and are reviewing other computer security measures, he said."
• Community Times Newspapers: Hacker Cracks GMU
• The Associated Press via The Daily Press: Hackers Steal George Mason Student, Staff Information

And how is this for ironic? "GMU, with its main campus in Fairfax, has a reputation as a center for high-tech instruction. It is home to the Center for Secure Information Systems, a new venture with the Department of Homeland Security, which conducts research and development into making information systems more secure," the Richmond Times-Dispatch reported. More on this, from Computerworld: "The incident is a black eye for an institution that is one of a few select universities to be designated as Centers of Academic Excellence in Information Assurance Education by the National Security Agency. Students at the university's Information Assurance Scholarship Program are placed in Defense Department jobs upon completion of the program, according to the school's Web site."
• The Richmond Times-Dispatch: GMU Confirms Computer Hacker Attack
• Computerworld: Hacker Compromises Data At George Mason University

The Washington Times interviewed several GMU students, who were concerned about the security of their information at the university. "Sara Fernandez, a sophomore from Arlington, said that even if the hackers were not trying to steal personal information, they might have pointed the way for copycats. 'Mason's full of a lot of smart students,' she said. 'If one person can do it, I'm sure someone can figure out how to do it again.' Kia Kianersi, a communications major from Fairfax, said he thought the university had tighter security for its server. 'We're so close to Washington, D.C. I think our security would be [better] overall.'"
• The Washington Times: GMU Officials 'Have No Idea' What Hacker Sought

A Wake-Up Call For T-Mobile

Late yesterday, cell phone carrier T-Mobile USA confirmed it suffered a security breach in 2003, in which a hacker stole sensitive files and the names and Social Security numbers of 400 customers. While few people were affected, it's a fascinating and complicated story.