A computer containing personal information such as Social Security number and name was breached by an unauthorized intruder. Although there is no evidence indicating that this personal data was accessed or extracted, the University of Connecticut is contacting everyone whose identity may have been put at risk.
The breach occurred on October 26, 2003. It was detected on June 20, 2005. The attack took advantage of an insecure service, for which no vendor patch was yet available. Careful analysis of the computer indicates that the original compromise was incomplete.
From “The University of Connecticut issues ID alert about computer security incident.” See also “UConn Server May Have Been Breached”, which contains the interesting tidbit:
The hacking incident came to light after UITS received notification from a non-University corporation that an invalid logon attempt had originated from a computer within the University of Connecticut domain. This automated notification was investigated by UITS technical staff, Kerntke said, and they found that an unauthorized program, known as a rootkit, had been installed on a UITS data center server on Oct. 26, 2003.
Kerntke said that the attack took advantage of vulnerability in the server that was unknown at the time of the breach to the University or the manufacturer. A patch has subsequently been developed by the manufacturer to eliminate security breaches. Kerntke noted that the personal information on the server was not easily accessible.
“The nature of the compromise indicates that the server was breached during a broad attack on the Internet and not the target of a direct attack. Therefore, the attacker most likely had no knowledge of the kind of data stored on the server,” he said.
They seem to be claiming that they were attacked with a 0day (a vulnerability unknown to the vendor, in this case found first by malicious attackers), and that the exploit was embedded in a worm or a bulk scanning tool rather than run by hand. Note also that the rootkit sat undetected for roughly twenty months, and came to light only because an outside organization reported logon attempts originating from UConn’s address space.
Some security analysts claim that that doesn’t happen, or hasn’t happened yet. They claim that attacks depend on information garnered from patches and advisories. That claim has always been false; I know a great many people who’ve been attacked by clever new attack code, but the details have always been confidential. One final bit:
“We are doing everything we can to prevent this from happening again in the future,” he said, noting that the University is reviewing its dependence on social security numbers as a unique identifier, auditing other servers and departments …
If your organization hasn’t started that review, what are you waiting for? An engraved invitation?
(Via Farber’s IP list.) [Updated 0day paragraph substantially shortly after posting.]