
Report: Student info still at risk

Passwords to be changed every 90 days

Published: Tuesday, February 14, 2006

Updated: Tuesday, August 11, 2009 23:08

Students and faculty will be required to change their university ID passwords, most commonly used to log into Testudo, every 90 days beginning next semester, in response to a scathing audit report released in January by a state auditing agency.

The audit, which spanned from October 2004 to August 2005, found several holes in the Office of Information Technology's on-campus network security, including directory ID passwords that do not comply with state standards and vulnerabilities in campus wireless networks that could expose sensitive information such as student Social Security numbers and university financial records.

The report listed seven pressing findings and recommendations to rectify them, and of those issues six were similar to ones found in the previous audit, released in September 2003. Audits of the network are performed every three years.

Jeff Huskamp, chief information officer at OIT, said the state's recommendation of performing 90-day rotation may be the standard for the other state agencies, but the office feared such a plan for the campus would lead to students being locked out of their systems when returning in the fall semester after the summer - rendering them unable to access e-mail or log onto Testudo.

Implementing the 90-day password change will help ensure the security of sensitive information, said Gerry Sneeringer, OIT information technology security officer. The lapses in network security, which OIT is trying to repair, left operating systems open to computer hackers.

The password changes will be part of ongoing upgrades to the university network, which will include eliminating the use of Social Security numbers.

Chuck Easttom, a network security expert and author of nine textbooks on computer science and network security, examined the audit and was "shocked" by its contents.

"I have never seen an organization the size of this university with so many serious security violations," he said.

Huskamp said the state checks in every two or three years to ensure everything is running smoothly. Facing auditors' criticism over the network firewall and open access to network operating systems, the office will be adding several new programs to add layers of protection from outside threats and hackers.

"It's about a balance of usability and security," he said about making the changes listed in the audit.

OIT may also ask students to turn off their personal wireless networks temporarily at the beginning of the Fall 2006 semester while it figures out a way to ensure network security. That decision has not been finalized.

The fear is untrusted users could hack into the university network through students' personal wireless stations.

"People may be able to scan unencrypted wireless and obtain sensitive information on the network," said Bruce Myers, the legislative auditor who signed off on the report.

The current unencrypted system means anyone can jump onto the network via a student's wireless connection. An option may be to require students with personal wireless networks to connect using passwords, which OIT will consider.

"It's a risk that, if someone was determined to exploit it, they might be able to," Myers said about the hackers logging on to the vulnerable wireless networks.

"It's going to be their call as far as how to do it, but they have to do something," he said.

The Office of Legislative Audits submitted the findings to a General Assembly joint audit committee, which has the responsibility of enforcing the recommendations.

 

IMPACTS OF OIT CHANGES

PASSWORD CHANGES

- Students and faculty will be required to change their directory ID passwords every 90 days.

- The 90-day password change may result in some students being locked out of their e-mail and Testudo systems.

NETWORK SECURITY

- OIT will be adding several new programs to provide layers of protection from outside threats and hackers.

- Students may be asked to shut down personal wireless networks temporarily.

 

Contact reporter Patrick Reaves at reavesdbk@gmail.com.
