The New York Times Technology


Some Colleges Falling Short in Security of Computers


Published: April 4, 2005


Ivory Towers, Leaky Networks
Amid rising concerns over the security of personal data, several colleges and universities have reported the loss or theft of confidential information from their networks.

If the computer age is continually testing how well institutions protect personal information, the nation's colleges and universities may be earning a failing grade.

Last Monday, administrators at the University of California, Berkeley, acknowledged that a computer laptop containing the names and Social Security numbers of nearly 100,000 people - mostly graduate school applicants - had been stolen. Just three days earlier, Northwestern University reported that hackers who broke into computers at the Kellogg School of Management there may have had access to information on more than 21,000 students, faculty and alumni. And one week before that, officials at California State University, Chico, announced a breach that may have exposed personal information on 59,000 current, former and prospective students.

There is no evidence that any of the compromised information has been used to commit fraud. But at a time of rising concerns over breaches at commercial data warehouses like ChoicePoint and LexisNexis, these incidents seem to highlight the particular vulnerabilities of modern universities, which are heavily networked, widely accessible and brimming with sensitive data on millions of people.

Data collected by the Office of Privacy Protection in California, for example, showed that universities and colleges accounted for about 28 percent of all security breaches in that state since 2003 - more than any other group, including financial institutions.

"Universities are built on the free flow of information and ideas," said Stanton S. Gatewood, the chief information security officer at the University of Georgia, which is still investigating a hacking incident there last year that may have exposed records on some 20,000 people.

"They were never meant to be closed, controlled entities. They need that exchange and flow of information, so they built their networks that way."

In many cases, Mr. Gatewood said, that free flow has translated into a highly decentralized system that has traditionally granted each division within a university a fair amount of autonomy to set up, alter and otherwise maintain its own fleet of networked computers. Various servers that handle mail, Web traffic and classroom activities - "they're all out in the colleges within the university system," Mr. Gatewood explained, "and they don't necessarily report to the central I.T. infrastructure."

Throw in aging equipment, an entrenched sense that information should be as free-flowing as possible, and a long-standing reliance on Social Security numbers as the primary means of identifying and tracking transient populations, and the heightened vulnerabilities of universities become apparent.

"We sometimes battle networks and mainframes in place since the 1960's," said Mr. Gatewood, "and mind-sets in place even longer."

For years, the Social Security number served as the default identifier for students, faculty and staff at nearly every university and college. It was printed on identification cards, posted on bulletin boards along with grades, and used to link bits of information - spread across dozens of networked databases - on each individual.

A handful of states - Wisconsin, California, Arizona, New York and West Virginia - now ban or limit the use of Social Security numbers in this way, according to a compilation of state and federal laws by the privacy advocate Robert Ellis Smith. And many universities have already abandoned or are in the process of moving away from using Social Security numbers as the primary means of identifying students.

But a 2002 survey by the American Association of Collegiate Registrars and Admissions Officers indicated that at least half were still using it as the primary identifier for students in their databases. And because the number has been used to link so many records across so many different databases in so many different departments for so long, abandoning it quickly is nearly impossible.

"It's complicated," said Virginia Rezmierski, the assistant to the vice provost for information technology at the Ford School of Public Policy at the University of Michigan. "We started a long time ago, and gave the university seven years to complete the process."

The University of Michigan essentially completed a migration to randomly generated identifier numbers in 2003. But Professor Rezmierski points out that myriad entities both inside and outside the university still use Social Security numbers, forcing universities to continue to handle them. Most of the national testing agencies, for instance, still use Social Security numbers to identify the scores of incoming students, Professor Rezmierski said.

Another problem, according to Jonathan Bingham, the president of Intrusic, a company that develops tools designed to uncover security breaches, is that universities have tended to put too much emphasis on preventing attacks from worms and viruses and too little on capturing troublemakers who quietly stroll through their databases.

The leaking of names and Social Security numbers from all these universities was not the result of noisy, destructive attacks, Mr. Bingham pointed out. "These are all problems that have nothing to do with that," he said. Rather, "someone's been able to get into the network that doesn't want to be detected."

Of course, not all universities are equally vulnerable, and some are more adept at protecting their data.

"Many of the better universities have better security in place than some corporations," said Eugene H. Spafford, the executive director of the Center for Education and Research in Information Assurance and Security at Purdue University. And because federal laws governing the handling of student data - specifically the Family Educational Rights and Privacy Act of 1974 - have been in place for longer than many other privacy statutes, Mr. Spafford said, data security "has been a concern at universities for some time."

And yet it appears that, on the whole, schools remain comparatively low-hanging fruit for hackers and thieves.

"I think it has shaken people up," said Professor Rezmierski of the University of Michigan, who is conducting a study of computer-based incidents at colleges and universities across the country.

"Often it takes these kinds of incidents to get people to pay attention."
