There was an under-reported IT security story this past week that caught my eye involving the City College of San Francisco (CCSF). Back in November, a keystroke logger virus, among others, was discovered in its computer systems. By itself, this would not be major news, because college campuses are ripe hacking targets for a variety of reasons.
However, according to a story in the San Francisco Chronicle, one of the seven viruses had resided in the system undetected for longer than a decade! The oldest virus is thought to date to 1999.
As of Friday, the viruses were still active. The Chronicle says that CCSF administrators are telling students and employees to "…change computer passwords, avoid using school computers for banking or purchases, and to check home computers for viruses." The college's Chief Technology Officer warned that the viruses have infected servers and desktops "…across administrative, instructional and wireless networks."
About 100,000 students attend CCSF every year, and the college has 3,000 employees. Anyone who downloaded information from CCSF's computer networks onto a flash drive could also have unwittingly downloaded one of the viruses and potentially infected any computer the drive was later connected to.
An AP story about the incident noted that every day at 10:00 PM, the virus would start trolling the college's networks looking for data to send overseas. That would make it morning in Eastern Europe and afternoon in Asia where the college says the suspected hackers reside.
The AP quotes John Rizzo, president of the college’s Board of Trustees, as saying:
"We don’t know the extent to which data was captured. We don’t know if individuals were affected, if they had data stolen that has affected them. But the potential is there."
Mr. Rizzo also indicated that it may take several weeks to fully understand the extent of the infection, and likely much longer to create a truly secure IT environment again. The SF Chronicle reports that the college's vice chancellor for finance "... defended the college's past efforts at virus protection, saying the school had two firewalls." It went on to quote him as saying:
"In spite of that, bad guys keep trying to get ahead of the good guys. And in this case they did."
Yeah, by about 10 years.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.