October 21, 2004
Purdue computer users urged to change passwords
WEST LAFAYETTE, Ind.Computer security experts at Purdue University are asking all students, staff and faculty to change their Purdue passwords as a preventative measure following the discovery of unauthorized access of the university's computer systems.
Scott Ksander, who leads the inforensics investigative team within Information Technology at Purdue (ITaP), said all university computer users should update their passwords a practice that should be done periodically for protection.
"We have confirmed that some computer passwords have been obtained by unauthorized users accessing a number of computer systems," Ksander said. "The full extent of the problem is still being analyzed, but we think it is important to exercise caution, and the best action to take is for all users to change their passwords at this time."
After the initial breach of security was discovered, an investigation found that systems located in several areas of Purdue's West Lafayette campus had been accessed.
"At this point we do not have any evidence that any data other than passwords has been obtained, although that is still under investigation," Ksander said.
The Purdue Police Department was notified of the incident on Wednesday (Oct. 20).
Joseph L. Bennett, vice president for university relations, said that the IT systems will continue to function effectively.
"Unfortunately, all large information systems can be vulnerable to this kind of intrusion," Bennett said. "Purdue's information technology professionals identified the situation quickly and now are working hard to determine the extent of the problem. Our immediate priorities are to assure that all students, faculty and staff take the steps needed to secure their data files and to guard against future incidents of this nature."
Information Technology at Purdue has posted tips on creating passwords that are difficult to crack. These tips can be found at https://www.itap.purdue.edu/security/policies/procedures/passguidlines.cfm
The investigation into the incident may not be able to determine whether users' personal information was obtained. Because of this, Ksander cautions that users should be watchful for signs that personal data may have been copied.
"We have a software detection toolkit that we have delivered to system administrators and that is running now," Ksander said. "When a compromised machine is detected, we are capturing data for analysis, and there is a cleanup software tool that we have developed that allows these system administrators to correct the situation on that machine."
Computer tampering is a Class D felony subject up to three years in prison and a $10,000 fine. Computer trespassing is a Class A misdemeanor and is punishable by up to one year in prison and a $5,000 fine.
Writer: Steve Tally, (765) 494-9809, email@example.com
Sources: Scott L. Ksander, (765) 496-8289, firstname.lastname@example.org
Joseph L. Bennett, (765) 494-2082
Purdue News Service: (765) 494-2096; email@example.com
To the News Service home page