Hack To School

School wasn’t even in session, and Dartmouth College chief information officer Lawrence Levine was penning the kind of letter technology executives dread.

To the College Community:

Late Wednesday, July 28, [Dartmouth] confirmed that an unauthorized user had gained access to eight computer servers in the Berry Machine Room and apparently installed an unauthorized program … Because sensitive personnel information may have been copied, we are notifying by e-mail all affected individuals for whom we have addresses; all others will receive a letter early next week. In addition to our own increased security measures, we have also notified the Federal Bureau of Investigation of the intrusion.

One of the servers contained human-resources data of Dartmouth employees. The “unauthorized user” also accessed research data and student immunization information. In his memo, Levine said there was no evidence that user names or other personal identifiers were taken, but he urged alumni, employees and students to monitor their credit reports in case their electronic identities had been stolen. Levine was unavailable for comment, but said in his letter that the affected program had been removed and “additional safeguards” put in place to protect the servers.

Welcome back to school, Fall 2004. It’s a new academic year, one in which deployers of technology at universities have to ratchet up their ability to stay ahead of the students they are teaching. Most of the students are 17- to 22-year-olds who may already have a decade of technical experience under their belt from poking around school networks, downloading music and circumventing instructors, using everything from cell phones to instant messaging devices.

The threats, according to technology executives at universities, include the introduction of viruses into school networks, improper use of file sharing services, hogging bandwidth when downloading huge graphic files such as movies, and outright theft of information about their school records, those of other students and personal data that can be reused in online transactions.

Dartmouth is not alone. Last year, a graduate student at the University of Michigan, Ning Ma, was accused of stealing the user names and passwords of 60 students and faculty members. He was arrested, charged with eavesdropping and unauthorized access to a computer, and expelled, according to the state’s attorney general.

Statistics tallying university hacking incidents aren’t available, and most officials don’t disclose breaches. But executives such as George Kahkedjian, chief information officer of Eastern Connecticut State University, say the largest challenge for university officials is keeping students from bringing viruses into the network via downloads and keeping mishaps from infecting the entire campus.

Mike Droney, vice president of information services at Cleveland State University, says college information security will always be an issue. “At a corporation, the strategy is clear: You secure everything you can,” he says. “At a university, you’re dealing with academic freedom and information exchange. Nothing is secure unless it has to be.”

Indeed, University of Miami’s M. Lewis Temares is torn when he lands a student with perfect SAT scores. As dean of the College of Engineering, he’s happy to attract a potentially great student. But Temares, who doubles as the university’s vice president for information technology, is also reticent.

“In engineering, I’m happy we have that student,” says Temares. “The VP side of me realizes that this kid may know a lot more about my network than I do. We could have 15,000 hackers at this school.”

Next Page: Academic freedom vs. network monitoring.