
Mississippi joins list of colleges leaking data


Bob Sullivan
Technology correspondent


Universities at risk
The security lapse at the University of Mississippi comes at a time when news of privacy breaches at major universities has seemingly become commonplace. In recent weeks, high-profile data theft incidents at Boston College and the University of California at Berkeley have exposed over 100,000 people to identity theft. In March, Chico State in California had a theft incident involving 59,000 people. The University of Nevada-Las Vegas, the Wharton School of Business, and the Northwestern University Kellogg School of Management have all reported theft incidents. And on Wednesday, the San Francisco Chronicle reported that hackers may have stolen 7,000 identities from the University of California at San Francisco.

Jonathan Bingham, president of security firm Intrusic, issued a warning to colleges and universities last fall that increased hacker attacks were likely. He says schools have a unique challenge in the information security age.  The public, academic side of the university needs to maintain open standards and a spirit of free information sharing; but the corporate side of the university needs to guard critical financial information the way any financial institution would.

"Depending on the university, some don't have resources to develop two separate networks.  So they use the same resources for their public activities as they do their business activities," he said. Such practices predictably lead to theft of critical data. "Everything at a university is about sharing. Hackers know this."


He said the situation for schools has only gotten worse during the past several months because more criminals are becoming familiar with simple ways to find accidentally-exposed information through search engines like Google, popularly called "Google hacking."

The source who found the information on the University of Mississippi's Web site used a search engine -- he wasn't sure which one -- to find the leaked data.

"I'm concerned about the breaches we've been seeing and want to figure out how to get it through people's heads that this is not something that is harmless," Ray said.

Google yourself
Google hacking -- using the powerful search engine to find documents with private information that have been accidentally posted to the Web -- continues to be a concern for security professionals.

A team of researchers gathered in Seattle last weekend for an impromptu Google hacking contest found hundreds of sensitive computer files, said Josh Pennell, CEO of IOActive, which participated in the hunt. His staff members found 300 passports which had been digitally scanned and placed online, along with about 3,000 Social Security Numbers. His team even found a set of internal employee performance reviews.

Pennell recommends consumers regularly Google themselves to see if their private information is lying around somewhere on the Web.

Consumers can enter their entire name in quotes in the search engine, as a start. Adding as a second search term part of a financial identifier -- such as the first few digits of a credit card number or a Social Security Number -- is an even more effective way to dig up accidental Web page listings. Entering full account numbers is a bad idea, because they will then be transmitted across the Internet over an insecure connection, and may end up stored in computers along the way.

But the most dangerous data is usually stored in Word documents or Excel spreadsheet files that have been posted to the Internet, Pennell said. That was the case in the University of Mississippi incident.

"If you really want to find the scary stuff, look into the advanced features at Google," he said.  "And ask Google, 'I want to look for my name in all Word doc files or Excel spreadsheets.' That's where I see most of the scary stuff."

And if you find yourself, and your sensitive data, listed in a search engine's results, you can take some action by contacting the search engine and requesting that it remove the listing.

Bob Sullivan is author of Your Evil Twin: Behind the Identity Theft Epidemic.

© 2009 msnbc.com