Calif. Community College's Computers Compromised Beyond Belief

By P.J. Connolly, P. J. Connolly  |  Posted 2012-01-13

SUMMARY: Colleges and universities across the country are trying to do more with less these days, and in most states, the community colleges are at the end of the funding train. Unfortunately, the last decade of belt-tightening at the City College of San Francisco has led to a state of affairs where almost anyone who used a computer on the main campus or its satellites in the last dozen years has to assume that their activities were captured, keystroke by keystroke, and then sent to unknown destinations. But any organization with a lot of turnover and an IT budget that isn't sufficient for the assigned tasks could easy wind up in the same boat as CCSF.

Seal of the City College of San FranciscoToday's big-deal security breach comes from right here in San Francisco, where the City College of San Francisco (CCSF) has found itself host to a virus-driven security crisis that could affect anyone who used the college's networks or systems since the turn of the millennium.

As staff writer Nanette Asimov of the San Francisco Chronicle wrote in the January 13 edition:

Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran and the United States, [CCSF CTO David] Hotchkiss and his team discovered. Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected.
The college's CTO, who has been in the position for almost two years, isn't pulling any punches:
"We may never know the full extent of the damage, and how many lives have been affected by this," Hotchkiss told three college trustees Thursday evening who met to discuss school buildings and technology issues. "These viruses are shining a light on years of (security) neglect."
Apparently, this has been going on for at least a decade, although the first signs of this problem didn't surface until late November 2011. The one bright side to this is that the school's computers holding medical information of staff and students appear to be clean, but the community college's accounting, admissions and payroll systems have yet to be audited, notes the Chronicle.

This isn't the school's first security blunder, either. Back in 2007, CCSF discovered that a file which had been created in 2000 for providing students access to their grades, containing names, addresses and Social Security Numbers, could be viewed from external systems. I have to suspect that whatever audit took place after that kerfuffle produced results so alarming that the report was marked "Burn Before Reading."

Penny-wise but pound- foolish never looks good on the resume. Certainly, one can't hold Hotchkiss responsible for the state of affairs that he inherited at CCSF. When he came on board in the summer of 2010, Asimov's article notes, some systems hadn't seen a password change in a decade; attempts to modernize the IT infrastructure have been hobbled by an inadequate budget, which has been exacerbated by the state's financial crisis.

This brings me back to the biggest problem with IT security: it isn't cheap and it won't make any money for the organization, and therefore, it's as low of a priority as one can get away with; the only time the purse strings loosen is when the proverbial barn is a pile of smoldering ash. I've covered IT security for almost 15 years and ceased long ago to be surprised by this sort of incident, because business leaders are only slightly better than politicians about taking the "it can't happen here" approach to budgeting for augmented defenses, even when they should know better.

Rocket Fuel