University of Missouri Burned in Second Hack Attack

For the second time this year, hackers have victimized the University of Missouri. The names and Social Security numbers of 22,396 current or former students who were employed by UM during 2004 may have been compromised, according to university officials.

The hacker or hackers reportedly gained access to the personal information via a 2004 Web page set up by the IT help desk.

The IT staff noticed unusual activity on a computer application on May 3, and confirmed the next day that an attack had taken place. Two overseas IP (Internet protocol) addresses -- one traced to China and the other to Australia -- were the likely vectors.

"The University of Missouri takes this breach very seriously and is working to alert the individuals whose information was improperly accessed," the University says in an advisory, adding that it will provide instructions about how those affected can monitor their credit reports for suspicious activity.

"The University has been and will continue to work diligently to secure confidential data held in its computer systems," the statement continues. "We are also working closely with law enforcement in our investigation of this event."

The university's computer system was also compromised in January, when hackers gained access to a Web-based application that had been poorly secured.

Easy Target

The fact that the University of Missouri has been targeted twice does not mean it is particularly careless with its data.

"More than likely, it means that somebody has found a way into the system -- perhaps a stolen password -- and now has a base set up to make repeated entries," Shane Coursen, senior technical consultant at Kaspersky Lab, told TechNewsWorld.

Universities and colleges in general tend to be targeted more than, say, banks, retailers or the government, he noted.

"They are information-rich because there are so many students," Coursen said. "Secondly, universities are not as heavily manned, security-wise, compared to large institutions."

Physical security is also more of an afterthought for many campuses' IT systems, he pointed out. "True, a lot of times the attacks come through the Internet. But just as many can occur from people having physical access to a system. I think we will be seeing upgraded physical security and processes at universities as more of these events happen."

It is true that universities are a favorite fishing pier for hackers, agreed Mark Sunner, chief security analyst at MessageLabs, who noted that the huge numbers of students and employees cycling through the institutions provide numerous opportunities to exploit the safeguards that do exist.

"There are a lot of people using a lot of equipment that hook into the network but are not necessarily dedicated to it," Sunner told TechNewsWorld.

Also, universities tend to use open source software, which provides more of a road map to a database or system, he commented.

Profit Toolkit

There may be a more insidious reason for the University of Missouri's vulnerability, suggested Sunner. It may have been targeted by hackers using a new business model: marketing toolkits specifically to launch one-off hack attacks against a certain institution or vertical, such as education.

Since December 2006, the antivirus community has been aware of commercially packaged toolkits -- some of which come with service packages and automated updates -- for sale on shady Russian and Ukrainian Web sites.

"They are scarily commercialized," Sunner said. "You can buy a one-off Trojan for (US)$200. If it becomes detectable by an AV, you can get an update for $50. For $2,000, you can get the bad guy equivalent of a service contract and receive automatic updates."

Besides education, other sectors for which Trojans have been built include the public sector, electronics, retail , aviation, communications, financial and the military, Sunner said.