Whether it is the Department of Defense or just a CSUN professor’s Web portal e-mail account, where there is a will, there is a way to break through computer security.
In recent years, “the way” has been through university computer systems, which hackers have used to prove their supremacy over their gatekeepers and have shown to be easy pickings.
Most simply seek self-gratification in being able to bypass security, though some computer hackers are still in it for the money that accompanies identity theft, said Michael Zweiback, U.S. attorney in the cyber crimes and intellectual property unit.
Campus computer systems have become their frequent targets because they are much easier to break into than bank systems and contain the same kind of personal identifying information like Social Security and credit card numbers, Zweiback said.
This data is kept by colleges for employee and student aid purposes. What makes college students’ personal identifying information so alluring to hackers is that it is not difficult to impersonate someone with a small credit history.
It would be much harder to steal the identity of an older person who has more information to keep track of like the exact amount of mortgage or car payments as opposed to a student that only has loans, said Jay Foley of the Indentity Theft Resource Center.
Hackers also profit when ad-ware companies pay them to infect computers with ads.
Similar backdoors into a computer system include instant message file transfers, file-sharing programs, rootkits, which are not detected by antivirus software, and botnets.
“Every day we have millions of bots looking for Web servers to hijack and use for spam or chat rooms, attacking laptops to mine for personal information,” said Information Security Officer Al Arboleda, “and every so often a few do manage to get through.”
A California man was recently convicted of using these programs to hijack a CSU network and others in order to damage Defense Department computer systems.
But it does not take much technological savvy to acquire private student information because faculty often have this information on their computers and roll sheets, said Foley.
Until recently, this was a vulnerability for CSU campuses, which identified students by Social Security numbers, but most have now switched to using their own ID numbers.
Under federal law, this information is still requested when applying for student aid but it is only accessible from a data center in Salt Lake City, not from computer systems in the financial aid office, said Financial Aid Director of Operations Kevin O’Leary.
At CSUN, professors do not store this information on their personal computers and instead access the SOLAR database if they need to contact students or look over their academic records when considering whether or not to add them to their courses.
History professor Ronald Davis said that this is how he finds students’ information and that class roll sheets only list their full names, academic rank and ID numbers.
Information provided on housing contracts is not even stored electronically, said DaVon Henson of Housing Services. Instead, paperwork is kept under lock and key.
Arboleda said that there are still easier ways to find somebody’s personal identifying information, as there are online services that provide such information for a small fee.
Once located, it takes a minimal amount of this information to commit identity theft.
“With your Social Security number, I could go and open a whole line of credit in your name, open several bank accounts, and leave you to deal with creditors,” said Foley.
“I could also get you in serious trouble with law enforcement,” said Foley, “by giving them your full name and your date of birth if I get picked up for committing crimes.”
Stored in university systems, this information is vulnerable when technicians do not know how to effectively estimate risks, by either lacking the expertise to do so or running time-consuming assessments that involve responding to every problem.
“They don’t take it seriously,” said Educational Policy Analyst Rodney Petersen, “and often lack of awareness makes them realize that they are at risk and possibly liable.”
While there is no set law or court precedent for it, universities could very well be held liable for identity theft that occurs on their computer systems under certain circumstances.
Tracy Mitrano, director of computer law at Cornell University, said that this could be done if it is believed that harm was caused as a result of the institution’s negligence.
As a rule, CSUN risk assessments are performed annually, and viruses that do infect computers are isolated to the individual segments that comprise the campus network.