Hacker Attacked School Computer at an Ontario University

Oct. 25, 2004
'Keystroke logger' discovered on server, recorded access into server

A Northern Ontario university is advising students and staff to check their credit records for unauthorized loans, after discovering a hacker has been keeping tabs on the school's computerized administration system.

Spying software that records every keystroke was discovered on a central computer server at Nipissing University, in North Bay, last week - nearly seven months after it was first installed.

The breached server contained registration and payroll information for the entire school.

"We do what everybody else does when it comes to computer security, but whoever it was still broke in," said Murray Green, vice-president for administration and finance at Nipissing University. "I was shocked."

Green said the hacker could have accessed the names, addresses and social insurance numbers for approximately 7,000 university students, graduates and staff. Bank account numbers for employees also might have been exposed.

Suspicions were raised a month ago when the school noticed unusually high levels of traffic on the computer network. Security specialists from Sun Microsystems were called in to investigate the problem and found spying software, known as a keystroke logger, had been running on the machine since March 25.

For the last seven months, whenever someone logged in to the system, the keystroke logger recorded their username and password. Such information could have been automatically transferred to the hacker via the Internet, Green said.

Once the hacker had someone's password, he could have used it to access their personal information. Hackers often go after social security numbers and banking information to assist in identity theft, taking out mortgages or credit cards in other people's names.

Consequently, the school is advising Nipissing students, staff and alumni to check their credit records and call their bank to ensure no loans have been taken out without their knowledge.

"The programs installed on our servers were done by a sophisticated user(s) and ordinary operating commands would not detect their activity. How this information was used is unknown at this time but anything is possible," Green wrote in a candid e-mail sent out to staff on Oct. 15. "This includes payroll information, bank accounts, passwords providing access to other secure sites, etc."

While not overly alarmed, students and staff at the university admitted concern.

"I think most people are adopting a wait-and-see attitude," said sociology professor Stan Lawlor, adding people are anxious to know the hacker's purpose. "Was it to obtain private information, or information on the university, or identity theft?"

Anthony Digiacomo, a second-year business student, said the university has more to worry about than individual students.

"I guess I keep thinking that the worst that could happen is that the hacker gets to pay my student loans for me, so I'm not exactly worried about it.

"If someone wants to steal my identity, they're going to have a whole lot of debt to pay."

Staff Sergeant Rick Sapinski of the North Bay Police Service said officers are investigating.

"We do not as yet have any suspects. We're just starting the investigations," he said. "We're working as quickly as we can."

He said the North Bay police have never dealt with such a major computer security breach before.

Green said that while the school often deals with viruses on student computers, it's the first time the university's administration system has fallen victim to a hacker.

Roger Thompson, director of malicious content research for Computer Associates International Inc., said the hacker probably did steal some financial data given the length of time he had to perpetrate the crime.

Thompson said keystroke loggers are "very prevalent." But he said they are normally found on personal computers, not major servers run by large institutions.

Green insists the school followed all the standard security procedures and had firewalls and monitoring software in place to catch hackers.