A Jan. 13 Business article incorrectly identified one of the agencies that fund research at the Center for Secure Information Systems at George Mason University. It is the National Security Agency, not the National Security Administration. (Published 1/14/2005)
At about 9:30 a.m. on Jan. 3, Curtis L. McNay was performing his daily morning maintenance check on George Mason University's computers.
McNay, who manages some of the university's computing systems, could tell from data streaming across his monitor that someone was trying to break into a database by entering password after password. The intruder had already penetrated one of the university's computers and was apparently looking for a back door into another of GMU's 130 other servers, which store information including students' grades, financial aid and payrolls, according to Joy R. Hughes, GMU's chief information officer.
It was the first sign of a serious security breach at Virginia's largest university. The university said it took almost a week to confirm the nature of the electronic break-in. It then sent an e-mail on Jan. 9 warning its 32,000 students, faculty and staff members that they could be vulnerable to identity theft or credit card fraud.
The compromised computer held a massive cache of information, including names, Social Security numbers, university identification numbers and photographs of everyone on campus.
The university and authorities said yesterday that they were still working to determine who broke into the campus system, how it was done and how much valuable information was stolen. Authorities said they were investigating whether basic computer protections were in place and operating on the computer that was attacked.
On Tuesday, the university handed over the hacked computer -- a Windows 2000 server -- to the Fairfax County Police Department. The police and the FBI were running forensic tests, looking for electronic clues to the hacker's identity.
GMU is only the latest campus to be hit by a hacker. In the past two years, similar attacks occurred at the University of Georgia, the University of Texas at Austin, the University of Missouri at Kansas City, the University of California at San Diego, and the University of California at Berkeley.
University campuses present a particularly inviting security target, experts say, because their systems house large amounts of personal data. But protecting the information is more complex than for a typical business because universities are built to foster collaboration and free exchange of information.
"This meant few policies, few restrictions" on how computer networks were to be accessed and used, said Rodney J. Petersen, security task force coordinator for Educause, which works on information technology issues for about 2,000 higher-education institutions. "But our greatest strength is now a weakness."
Some schools are beginning to use software to scan individual computers before they are allowed to connect to campus networks. Others are setting up multiple smaller networks that house sensitive data, keeping them separate from the main networks. And campus officials are more actively monitoring network activity.
GMU is looking to take those steps as well, said Daniel L. Walsch, a spokesman for the university.
While GMU officials say they have not determined how the attack on the university's system was carried out, there are some indications that the vulnerable computer may have lacked the firewall protection that experts urge for every computer connected to a network.
Firewall software is designed to prevent unauthorized access to a computer. The university's computers are normally protected by a firewall, said Thomas W. Bacigalupi, the university police detective handling the hacking inquiry, but in this case, he said the firewall may have been missing or not turned on. "We're looking into that," he said.
Hughes, the university's chief information officer, said there are indications the intruder may have been breaking into the computer since November or earlier. She said the hacker loaded it with software including a "remote probing tool and a password-cracking tool."
"It has been very stressful, both for people who've gotten the [warning] letter and the people who are working around the clock" to get answers, Hughes said. To date, she has received about 50 e-mails from GMU students and staff members expressing anger. Some criticized her for taking too long to send out a warning, she said, others for alarming the campus community when it is not yet clear anything has been stolen.
George Mason fashions itself as a major technology center. It houses the Center for Secure Information Systems, which works to develop improved security technology. The center receives $2 million a year in funding from federal agencies such as the National Security Administration, the National Science Foundation and the Air Force, as well as private corporations.
"It's not surprising to me that somebody was able to get into our systems," said Sushil Jajodia, director of the center, who was consulted by the university after the incident. Even the Defense Department and the FBI, he said, deal with occasional hacking intrusions that are not always publicized. "There's no way to achieve 100 percent security, no matter how much money you spend," he said. "GMU is not unique in this instance, although yes, we should do better."
After GMU revealed the attack on its system, some Washington area campuses reviewed their cyber-security. Georgetown University officials took steps to tighten security, a spokeswoman said, declining to describe the measures. Officials at the University of Maryland at College Park, George Washington University and American University said those schools had already taken steps to enhance security, including keeping Social Security numbers separate from student ID numbers. AU's systems do not use Windows software, which is especially vulnerable to attack, said Carl Whitman, the school's executive director of e-operations.
With most departments at George Mason University still on winter break, some students were only beginning to find out about the security breach.
Ryan P. Surber, a part-time graduate student in public policy, said he is enraged about the breach and thinks it could be related to $1,500 in fraudulent charges made recently on his credit card.
"It's just too much of a coincidence," Surber said, although he cannot prove the hacking incident is related to the two unauthorized online purchases made at electronics stores on Dec. 29. The university has said credit card information was not stored on the computer that was attacked.
Carrie M. Patterson, a law student at GMU's Arlington campus, said she had tried repeatedly since Monday to get through to a credit bureau to report the problem, as recommended by the university.
The first day, she called after 4:30 p.m. and the company was closed. The next day, she called during the day from school, only to be cut off. Her efforts to notify the agency online also failed, she said. In the meantime, her mother, who lives in Connecticut, heard about the GMU security problem and called to insist that Patterson reach the credit bureau. "Now I'm going to have to do it because she's going to ask me every day," Patterson said.
Nursing student Kimberly A. Dawson and friends were discussing the incident over lunch in the university's George W. Johnson Center on its main campus yesterday.
A year ago, Dawson had to put a fraud alert on her credit cards after a brokerage firm lost a box containing her personal account information. "It's a big concern because it's a huge chunk of your life in the hands of people who can do a lot of bad things," she said. "It could be something that affects you years down the road."
Staff writers Jonathan Krim and Michael Rosenwald contributed to this report.