Website Compromises at UNC Chapel Hill

Or why "off with their heads!" is a bad management strategy

From , former About.com Guide

It’s said the world is a strange place. If so, the Web is even stranger. The biggest difference may be that in the real world it’s easier to keep your secrets hidden. On the Web, thanks in large part to search engines, your secrets are wide open. I was reminded of this after writing “What a Children's Magazine Teaches About Data Breach Management”, which briefly discusses the very strange case involving Professor Bonnie Yankaskas and UNC Chapel Hill.

In a nutshell, the case involved a compromised FTP server within the Professor’s department. The server contained medical data which – though there was no indication it had actually been accessed – required privacy disclosures to those potentially impacted. What made the Yankaskas case so unique wasn’t the compromise itself, but rather the inept way it was handled by UNC Chapel Hill administrators.

According to The Daily Tarheel, the university provost, Bruce Carney, claimed “Yankaskas exhibited ‘deliberate neglect’ in her oversight of the project’s data security.” Carney then goes on to claim, “I was appalled. The first question you have to ask is, ‘How does this happen?’”

“How does this happen” seems a very odd question for a provost of a major medical university to ask. After all, data breaches involving medical records happen, on average, every other day. Further, as we will see a bit later, compromises of digital assets at UNC Chapel Hill are hardly a new or isolated occurrence and date back to at least 2003.

Carney then goes on to complain that the IT person hired by Yankaskas was “underqualified”. That’s a strange assertion to make considering the employee, Melinda Boyd, was hired directly from UNC Chapel Hill’s own IT department. Additionally, the UNC-CH IT department gave Ms. Boyd an award in 2002 for her “outstanding information technology support on campus”. If an award-winning member of the UNC-CH IT department is underqualified, then who at the university is qualified?

Regardless, blaming Ms. Boyd is not a solution either. Indeed, by choosing to focus energies on finding any scapegoat (I’m so reminded of the Queen of Hearts screaming “Off with their heads!”), the real issue is conveniently smokescreened: a systemic failure at the university level to properly secure its digital assets.

Search for “site:unc.edu pharmacy online 2003” and you’ll find over 2,000 hits on compromised pages from UNC Chapel Hill’s websites in 2003. Remove the 2003 constraint and you’ll find over 17,000 through to the current day. If you want to home in on a specific section of UNC, try something like “site:jomc.unc.edu pharmacy online”, which returns compromised pages hosted by the university’s School of Journalism.

Of course, cache poisoning is one thing. Direct compromise of a page is another altogether. With that in mind, perhaps a better illustration of the systemic nature of the problem can be found at http://planunc.radonc.unc.edu/portal_memberdata/portraits/mh. A view of the source page reveals an obfuscated embedded script that forcibly redirects a victim surfer to http://securetabsonline.com/index.html?id=201, also peddling online pharmaceuticals and hosted at 64.28.186.3.

Yet another example would be pages hosted in the /applications/images/store directory on http://johnstoncenter.unc.edu, which also cause forcible redirects to the same securetabsonline.com. Previously, these pages redirected to sinfull-paradise.com, a site also hosted at the IP address 64.28.186.3.

The intent in pointing these out, of course, isn’t to pick on UNC Chapel Hill’s School of Journalism or the James M. Johnston Center, or the PLanUNC project, or any other department at UNC Chapel Hill. The intent is to point out that Web-facing assets are frequently compromised. Recognizing this is the first step in learning how to manage the problem effectively.
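For a site owner who wants to catch these symptoms on their own pages, the following added example (not part of the original article) audits a page's HTML source for the three signs described above: spam text, an obfuscated inline script, and a script redirect to an off-site host. The regex heuristics, the `audit_html` function, the `dept.example.edu` domain and the sample pages are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed heuristics for this example; tune them for your own site.
SPAM_TERMS = re.compile(r"pharmacy online|online pharmacy", re.I)
OBFUSCATION = re.compile(r"\b(?:eval|unescape|atob)\s*\(|String\.fromCharCode")
REDIRECT = re.compile(r"\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(")
URL_LITERAL = re.compile(r"""["'](https?://[^"']+)["']""")

class PageAudit(HTMLParser):
    def __init__(self, own_domain):
        super().__init__()
        self.own_domain = own_domain.lower()
        self.script_parts = None   # a list while inside <script>, else None
        self.findings = set()

    def offsite(self, url):
        host = urlparse(url).hostname   # None for relative URLs
        return bool(host) and host != self.own_domain \
            and not host.endswith("." + self.own_domain)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_parts = []
            if self.offsite(dict(attrs).get("src") or ""):
                self.findings.add("offsite-script-src")

    def handle_data(self, data):
        if self.script_parts is not None:
            self.script_parts.append(data)      # judge the whole script at </script>
        elif SPAM_TERMS.search(data):
            self.findings.add("spam-text")

    def handle_endtag(self, tag):
        if tag != "script" or self.script_parts is None:
            return
        js, self.script_parts = "".join(self.script_parts), None
        if OBFUSCATION.search(js):
            self.findings.add("obfuscated-script")
        if REDIRECT.search(js) and any(self.offsite(u) for u in URL_LITERAL.findall(js)):
            self.findings.add("offsite-script-redirect")

def audit_html(html, own_domain):
    """Return the sorted list of findings for one page's HTML source."""
    parser = PageAudit(own_domain)
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)

# Constructed sample pages (not taken from any real site).
CLEAN = '<html><head><script src="/js/site.js"></script></head><body><p>Department news</p></body></html>'
INJECTED = '<p>Portrait</p><script>eval(unescape("%61%62%63"));</script>'
REDIRECTING = '<script>window.location.href = "http://redirect.example/index.html";</script>'
SPAM = '<div style="display:none"><a href="http://pills.example/">pharmacy online</a></div>'
```

A finding is a prompt for manual review of the page source, not proof of compromise; an empty result likewise only means none of these particular heuristics fired.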

If university officials at the highest level at UNC Chapel Hill persist with a "how does this happen" mentality and continue to fire (or forcibly retire) every department head that hosts a compromised device, they will soon divest the university of all its talent, which is regrettably exactly what is happening in the Bonnie Yankaskas case. And that, in my opinion, is Goofus indeed.

©2012 About.com. All rights reserved.

A part of The New York Times Company.