Steal my data, please

Learning a lesson about system security can be easy -- or very, very hard

Last year I landed a job as assistant IT manager at a midsize university. The network there was a typical mix of NetWare and Windows servers, with one big surprise: Our most critical database, the one that handled dorm-room assignments and payment records for the Housing Department, was still running on a Windows NT4 server, long after Microsoft had dropped support for the platform.

It turns out my boss had been in his job for only a few months, and his predecessor had been a bit of a dinosaur. Many security patches hadn’t been applied, and the most critical upgrade -- to Windows 2000 Server or something even more current -- hadn’t been made at all.

The Housing database stored students’ names, addresses, phone numbers, Social Security numbers, and more. And if that wasn’t bad enough, the same server was our Windows domain controller and handled syncing users between the Novell and Windows environments. Needless to say, the thought of something bad happening to this machine scared the pants off both of us. But it seemed to be running fine, so rather than rush down an upgrade path, my boss figured we could hang on until it was time to implement the next revision of the database.

Then one day end-users discovered that they couldn’t log in. We rushed to the server room and found the monitor riddled with error messages. We tried rebooting, but the server complained endlessly about this missing .DLL and that corrupt file. Even worse, it wouldn’t let us copy those files from the installation disks. After finding some files on the backup tapes and downloading others from the Net, we got it to boot into Windows and run the database server. But it was ugly. No support, remember?

Then it dawned on me. I looked at my boss and said, “Did you see a firewall?”

“Firewall?” he said, looking troubled.

We looked hard. No firewall. The server was connected directly to the Internet, public IP and all, with no firewall as protection.

“OK,” I said. “We gotta -- “

“No way,” he interrupted me, an expression of terror on his face. “I’m not touching this thing again until I have to.”

Well, he was the boss. We went about our business, and for a while the server ran fine. Then, a couple of months later, we received a call from the university’s Information Security department. Apparently their intrusion-detection system was picking up traffic on the network that suggested our NT4 server had been hacked.

Information Security took the machine -- bringing down the database and other network systems -- and performed a forensic analysis; the FBI even got involved. They concluded that the personal data on the server had been compromised.

Several days later we got the server back. We cleaned up the malware, installed the firewall we should have put in months earlier, and got the server back online. The university spent a fortune sending out notices to every current and former student, warning them that they were at risk for identity theft. We staffed a call center and built a Web site to deal with the mess. It even hit the papers.

All because my boss was too scared he’d break the server by installing a firewall on it.

Copyright © 2006 IDG Communications, Inc.