
Another Intrusion Detection Failure at the University of California-Berkeley

The University of California-Berkeley (UCB) recently experienced a major data security compromise. This one involved health services center data on more than 160,000 students and alumni, and in some cases their parents or spouses: Social Security numbers (SSNs) and health insurance data. Sadly, the intrusion reportedly began in early October of last year but was not detected until early April of this year, so the attackers appear to have had access to the victim server for at least half a year after their initial unauthorized entry. The apparent cause of the incident, which university officials said was perpetrated by computer criminals from Eastern Europe, was an unremediated SQL injection vulnerability in a Web application. A law enforcement investigation is ongoing.

This is not the first major data security breach at UCB. You may recall that in 2004 someone broke into a computing system there that housed a database of personally identifiable information on 1.4 million Californians who were on some kind of state assistance program. A university researcher had reportedly resisted, arrogantly, the warnings of a conscientious system administrator who noticed the lax security and tried to get the researcher to do something about it. The researcher reportedly “retaliated” by trying to get the system administrator fired.

Just one year later, UCB informed more than 98,000 graduate students and applicants that a laptop belonging to its graduate school admissions office had apparently been stolen, potentially exposing their personal information to unauthorized persons. The laptop was eventually recovered, although whether personally identifiable information had fallen into malicious hands could not be determined with certainty.

To its credit, the university was prompt and diligent in informing the individuals potentially affected by the most recent data security breach. Recent postings by UCB officials have also stated what the university is doing to improve information security on campus. After reading these postings, however, I wonder if the CIO’s office there, or anyone else, really has much of a clue concerning what actually needs to be done for the sake of security. That the most recent incident went unnoticed for approximately six months, even though the attackers re-entered the victim system time after time over that period, shows that something is dreadfully wrong with this university’s intrusion detection capabilities. Indeed, a home-built intrusion detection system (IDS) is the mainstay of the intrusion detection effort there. This IDS is much more a research tool than an effective tool for operational settings. It is not benchmarked by independent, qualified quality assurance experts, nor are peer reviews of its code conducted. Perhaps this IDS was capable of detecting attacks when it was newly created over ten years ago, but unlike other open source software, it has no community of developers who add to the code base. Nor is the most recent round of attacks the first set of extremely serious attacks that this tool has completely missed over the years.
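The two things the post faults (a SQL injection vulnerability in a Web application, and an attacker who kept coming back for six months without anyone noticing) are both visible in ordinary Web server access logs. The following is an added example, not code from the original post and not any UCB tool: it scans constructed Apache combined-format log lines for decoded query strings that carry common SQL injection signatures, then groups the hits by source address and reports how long that address kept returning. The hostnames, paths, timestamps and payloads are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines in Apache "combined" format. The
# addresses, paths, timestamps and payloads are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Oct/2008:02:14:33 -0700] "GET /records.php?id=17 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Oct/2008:02:15:01 -0700] "GET /records.php?id=17%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2008:11:02:45 -0700] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Nov/2008:03:40:12 -0700] "GET /records.php?id=17%20UNION%20SELECT%20ssn,insurer%20FROM%20members-- HTTP/1.1" 200 210455 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2009:04:05:59 -0800] "GET /records.php?id=1;%20DROP%20TABLE%20tmp HTTP/1.1" 500 233 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2009:01:12:07 -0800] "GET /records.php?id=17%20UNION%20SELECT%20ssn,insurer%20FROM%20members-- HTTP/1.1" 200 210455 "-" "Mozilla/5.0"
"""

# Leading fields of the combined log format: client, identity, user,
# timestamp, request line, status, response size. Referrer and agent
# are left unparsed because this example does not use them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Coarse SQL injection indicators, matched against the URL-decoded query
# string. Deliberately simple; tune to the application's real parameters.
SQLI_RE = re.compile(
    r"""'\s*or\s*'                                # ' OR '1'='1 tautology
      | \bunion\b\s+(?:all\s+)?select\b           # UNION SELECT extraction
      | ;\s*(?:drop|insert|update|delete|exec)\b  # stacked statement
      | --\s*$                                    # trailing comment
      | \bsleep\s*\(                              # time-based blind probe
    """,
    re.IGNORECASE | re.VERBOSE,
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Decode once so %27 / %20 encoding does not hide the payload.
    rec["query"] = unquote_plus(parts.query)
    return rec


def find_sqli(lines):
    """Return parsed records whose decoded query string matches an injection signature."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and SQLI_RE.search(rec["query"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Group hits by source address and measure dwell time.

    span_days is the calendar distance between first and last hit;
    active_days is the number of distinct days the address came back.
    """
    by_ip = defaultdict(list)
    for rec in hits:
        by_ip[rec["ip"]].append(rec)
    summary = {}
    for ip, recs in by_ip.items():
        times = sorted(r["ts"] for r in recs)
        summary[ip] = {
            "hits": len(recs),
            "first_seen": times[0],
            "last_seen": times[-1],
            "span_days": (times[-1].date() - times[0].date()).days,
            "active_days": len({t.date() for t in times}),
            "paths": sorted({r["path"] for r in recs}),
        }
    return summary


if __name__ == "__main__":
    for ip, s in summarize(find_sqli(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}: {s['hits']} injection attempts on {s['paths']}, "
              f"first {s['first_seen']:%Y-%m-%d}, last {s['last_seen']:%Y-%m-%d}, "
              f"dwell {s['span_days']} days over {s['active_days']} distinct days")
```

On the constructed input the script reports one source address with four injection attempts spanning 144 days. Signature matching of this kind is a floor, not a ceiling: it misses payloads that evade these patterns, produces false positives on legitimate parameters containing `--` or `union`, and sees nothing if the injection arrives in a POST body or header that the access log does not record. Its value is that a simple nightly run over existing logs would have surfaced a returning attacker long before six months had passed; database query logs and a Web application firewall give far better coverage.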

UCB is a world-class university. Anyone who has a degree from this school should be immensely proud of that achievement. But UCB is not a class act when it comes to information security practices, and its choice of IDS is proof enough. UCB administrators, it is well past time to change.
