School wasnt even in session, and Dartmouth College CIO Lawrence Levine was penning the kind of letter technology executives dread.
To the College Community:
Late Wednesday, July 28, [Dartmouth] confirmed that an unauthorized user had gained access to eight computer servers in the Berry Machine Room and apparently installed an unauthorized program … Because sensitive personnel information may have been copied, we are notifying by e-mail all affected individuals for whom we have addresses; all others will receive a letter early next week. In addition to our own increased security measures, we have also notified the Federal Bureau of Investigation of the intrusion.
One of the servers contained human-resources data of Dartmouth employees. The “unauthorized user” also accessed research data and student immunization information. In his memo, Levine said there was no evidence that user names or other personal identifiers were taken, but he urged alumni, employees and students to monitor their credit reports in case their electronic identities had been stolen. Levine was unavailable for comment, but said in his letter that the affected program had been removed and “additional safeguards” put in place to protect the servers.
Welcome back to school, Fall 2004. Its a new academic year, one in which deployers of technology at universities have to ratchet up their ability to stay ahead of the students they are teaching. Most of the students are 17- to 22-year-olds who may already have a decade of technical experience under their belt from poking around school networks, downloading music and circumventing instructors, using everything from cell phones to instant messaging devices. The threats, according to technology executives at universities, include the introduction of viruses into school networks, improper use of file sharing services, hogging bandwidth when downloading huge graphic files such as movies, and outright theft of information about their school records, those of other students and personal data that can be reused in online transactions.
Dartmouth is not alone. Last year, a graduate student at the University of Michigan, Ning Ma, was accused of stealing the user names and passwords of 60 students and faculty members. He was arrested, charged with eavesdropping and unauthorized access to a computer, and expelled, according to the states attorney general.
Statistics tallying university hacking incidents arent available, and most officials dont disclose breaches. But executives such as George Kahkedjian, chief information officer of Eastern Connecticut State University, say the largest challenge for university officials is keeping students from bringing viruses into the network via downloads and keeping mishaps from infecting the entire campus.
Check out eWEEK.coms Security Center for the latest security news and analysis. And for insights on security coverage, take a look at Security Editor Larry Seltzers Weblog.
Mike Droney, vice president of information services at Cleveland State University, says college information security will always be an issue. “At a corporation, the strategy is clear: You secure everything you can,” he says. “At a university, youre dealing with academic freedom and information exchange. Nothing is secure unless it has to be.”
Indeed, University of Miamis M. Lewis Temares is torn when he lands a student with perfect SAT scores. As dean of the College of Engineering, hes happy to attract a potentially great student. But Temares, who doubles as the universitys vice president for information technology, is also reticent.
“In engineering, Im happy we have that student,” says Temares. “The VP side of me realizes that this kid may know a lot more about my network than I do. We could have 15,000 hackers at this school.”
Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page
Next Page: Academic freedom vs. network monitoring.
Academic Freedom vs
. Network Monitoring”>
Potential problems are found with network monitoring software that tries to sleuth out the answers to the following questions: Does this IP address have access to a human-resources database? Why is this student downloading 10 movies? Does this student have the right to this content? The answers to these questions arent necessarily easy to find when monitoring contents of e-mails and messages is a no-no because of academic freedom. Corporations can take much greater liberties in watching employees.
Its a delicate balance, Temares says. The strategy is to learn as much as possible from students and implement technology such as messaging and bandwidth partitioning accordingly while not compromising security. One caveat: Executives say student networks need to be kept separate-even quarantined in some cases-if they are plagued with viruses. For instance, student residential networks are able to connect to an academic research database at various points, but the connection can be terminated quickly by administrators.
And aside from firewalls, network monitoring and antivirus software, a clearly enforced computing security policy that carries penalties of expulsion for hackers can head off problems better than any technology, according to Temares.
The University of Miami clearly states that hacking is grounds for expulsion, he says. Other schools treat student Internet security breaches, such as probing unauthorized servers and publishing copyrighted materials, as they would other campus offenses-say, drinking and noise violations-and send the issue to Student Affairs for hearings. If theres a serious breach such as identity theft, cases are handled by law enforcement agencies.
Kahkedjian learned the hard way last year. On a five-point rating system where the worst is a 1, Eastern Connecticut State had a level-2 outage last year, meaning it “posed a threat to the integrity or operation of critical university systems.” Students used to just plug and play on the residential network. When students plugged in at the beginning of last year, they brought a host of viruses such as SoBig with them. Kahkedjian says there wasnt one major virus that hurt the network, just an onslaught of many. As a result, the network collapsed, with some dormitories going as long as two weeks without access.
Luckily, Eastern Connecticut State keeps residential networks separate from its academic and administrative systems. Students can gain access when needed through virtual private networks, but executives like Kahkedjian can cut them off.
This year, the school will require all students on the residential network to authenticate their identity with passwords, and will ensure that all computers are up to date with the latest antivirus software and patches. For instance, if a students Windows XP desktop doesnt have the latest security patches, he wont gain access to the network until the patches are put in.
“Its forced awareness,” says Kahkedjian. “When it comes to security, faculty and students get the same message. A lot of students dont realize how vulnerable they are.”
By monitoring networks, universities are hoping to head off security issues before they arise. Northeastern University, which counts Napster founder Shawn Fanning among its former students, has another technique. When a student is on the network doing something that may raise red flags-downloading 10 movies, for instance-his connection is cut off, says Bob Weir, vice president of information services at Northeastern. Excessive traffic from viruses also prompts Northeastern to terminate the connection.
Once the connection is cut, the student is invited to a class outlining the universitys appropriate use policies. Weirs group can also examine the students machine to debug it, if necessary. Service is restored in 24 hours, Weir says, adding that hes only seen one or two repeat offenders in the last three years.
The University of Miami also has safeguards to keep unauthorized users away from its core systems. To access one of the schools academic or administrative networks, a student needs a user name and password to access an application, has to be at a location connected to the network unless there are VPN privileges, must pass through a firewall with intrusion detection, and is registered into a database that logs who accessed the software. During a session, all IP addresses and activities are logged for auditing.
Technology executives, however, say you cant completely segregate students. A more viable strategy, according to Temares, is to include students in technology decisions, get their input, and watch how they use messaging, personal digital assistants and the like. When bandwidth usage got out of hand, Temares went to student government groups for help. The choices: self-regulation, or more tuition hikes to pay for bandwidth. Now students largely regulate their file transfers in keeping with network constraints.
When Cleveland State built its wireless network, Droney consulted student groups. One suggestion: Students didnt want to carry laptops everywhere. As a result, Droney set up laptop checkout counters near classes where students could use laptops for four hours at a clip.
Stanford University is also looking to students to get ahead. Chris Handley, Stanfords chief information officer, says the school has put students on faculty advisory committees. Handley is also looking to create a separate student advisory group focused on “what computing should look like.”
Temares has an army of 120 work-study students in his technology labs where he not only gets labor, but also can observe how they use messaging, collaboration systems and other applications. The main finding is that universities arent sure how to proceed with implementing these tools. That fact may not have surfaced without observing students in action.
“[Work study] is a teaching tool, but we also learn what we can from the honest ones,” Temares says. “We learn from the dishonest ones the hard way.”
Next Page: How You Should study skilled users.
Studying Skilled Users
How You Should STUDY SKILLED USERS
Watch Your Class
See what devices they use. Ask what theyre being used for. Evaluate.
Monitor Behavior
Track connections by Internet Protocol address. Watch usage, in progress.
Set Expectations
Let them know that monitoring is legal and possible. Establish penalties for unauthorized use of the network.
Encourage Involvement
The best security comes from getting intelligent input from affected users.
REPORT CARD
Heres a look at how universities are coping with technologies that can hamper academic or network performance, if used improperly.
Bandwidth: Northeastern University uses “traffic shapers” to prevent hogging. This software designates bandwidth for certain activities. Although Northeastern cant monitor content, it can designate certain activities, such as downloading a research paper, as more favorable than downloading a movie. For instance, no more than 5 percent of bandwidth can be used at any one time to connect to file sharing services such as Kazaa.
Grade: Pass.
PDAs in the classroom: Universities across the board have punted on the use of communications tools that could be used for cheating. The “technical” answer: leave it up to professors to decide whether PDAs are permitted in their classrooms.
Grade: Fail.
Wireless networking: A few colleges such as Cleveland State University offer access almost anywhere on campus, through the air. Others are just beginning to test wireless service.
Grade: Incomplete.
Viruses: Dramatic increase in protective activities, on servers and individual computers. Student welcome kits even include CDs that include ready-to-install antivirus software. The coming academic year will show whether these efforts pay off.
Grade: Incomplete.