
University of Memphis: Cooperation, Communication Key to Security

4/29/2003

By Robert Jackson and Dr. Mark N. Frolick

Perhaps the best way to understand how security issues can affect a learning organization is to experience them first-hand. Robert Jackson, Systems Administrator at the University of Memphis, had that opportunity when a Microsoft SQL server was affected.

Warning Signs
The University of Memphis IT department has several groups that are responsible for various functions. The Intel Server Support Team (ISST) consists of server administrators who are responsible for the security and well-being of the Windows-Intel servers, while service administrators are responsible for the applications that run on the various server platforms. The compromised server was running the Windows NT4 operating system with Service Pack 6, MS-SQL 6.5, and IIS 4, in addition to an older version of a Web programming language, PHP.

In 2002, ISST received a warning message from the server-monitoring software regarding disk space on the affected server. After working with the Web services team, ISST discovered large amounts of disk space being consumed by file structures hidden within the Windows recycle bin. This hidden file structure was enough proof that the server had been compromised. The issue then became how to deal with taking an important server off the network.

Enforcing Policy
The director responsible for infrastructure was notified immediately. After evidence of the compromise was presented, ISST and the director agreed the server had to be disconnected from the network. Proper officials within the department were notified of the server’s compromise and finally agreed that it should be disconnected from the network. The decision was particularly difficult because it was the university’s online knowledge base and had been growing in popularity following a series of promotions by the department. Once the server was taken off the network, recovery efforts were started.

Because debates ensued about whether the hacked server could be returned to service, 12 hours were required to restore the server. There were attempts to recover data from the server itself instead of from backup, and time was required to rebuild the server and to reinstall all necessary applications. Clear security policies and procedures could have eliminated the confusion that occurred during this phase.

Forensics
A forensics investigation revealed that hackers gained access to the system through a blank password on the "sa" account of MS-SQL. Although the service administrators stated a password did exist for that account, the ISST group determined there were log entries indicating the "sa" account had been used to compromise the server. Upon connecting to the server with the open "sa" account, the hackers used the xp_cmdshell procedure, present in a default MS-SQL installation, to execute the commands needed to gain full access to the server. Once full access was obtained, the hackers installed an FTP server on the machine and began to utilize the university’s bandwidth and storage capacity for illegal means.
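The two conditions the investigation identified, a blank "sa" password and an available xp_cmdshell, can be audited directly. The queries below are an added example, not part of the original article or the university's tooling; they assume a current SQL Server release (the catalog views and PWDCOMPARE used here are not available on MS-SQL 6.5) and a sysadmin-level login that can read password hashes.

```sql
-- Added audit example (assumes a current SQL Server release, not MS-SQL 6.5).

-- 1. SQL-authenticated logins whose password is blank or equal to the login name.
--    PWDCOMPARE hashes the candidate and compares it with the stored hash.
SELECT name        AS login_name,
       is_disabled,
       CASE WHEN PWDCOMPARE('', password_hash) = 1
            THEN 'blank password'
            ELSE 'password equals login name'
       END         AS finding
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1
   OR  PWDCOMPARE(name, password_hash) = 1;

-- 2. State of the built-in "sa" login. It is looked up by its fixed SID (0x01)
--    so the check still works if the login has been renamed.
SELECT name        AS sa_login_name,
       is_disabled,
       modify_date
FROM   sys.sql_logins
WHERE  sid = 0x01;

-- 3. Whether xp_cmdshell is enabled. value_in_use = 1 means any sysadmin
--    session can run operating-system commands through the database engine.
SELECT name,
       value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';

-- 4. Every member of the sysadmin role, i.e. every principal that could
--    call xp_cmdshell (or re-enable it) after authenticating.
SELECT m.name      AS member_name,
       m.type_desc AS member_type,
       m.is_disabled
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name = 'sysadmin'
ORDER  BY m.name;
```

Any row returned by query 1, or an enabled "sa" login combined with `value_in_use = 1` in query 3, reproduces the exposure described in this incident.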

Teamwork and cooperation, two of the main tenets of the learning organization model, were called into question when ISST presented the results of the forensic investigation. The goal of any forensic investigation should be to inform and educate, not to place blame.


