Incident Details
This page provides details on the intrusion we experienced on the server running www.linfield.edu. The text in red below repeats an email that was delivered to all members of the Linfield community. The rest of the page has additional information for those who might be interested.
On July 3, 2008 ITS staff learned that an unknown intruder compromised one of the Linfield web servers possibly as early as March 18, but more likely not until June 22. We know that the object of this intrusion was to use the server to send SPAM and PHISHING email messages. Several ITS staff worked long and hard over the Fourth of July holiday weekend to remediate the vulnerabilities that led to this incident. We are confident that we have resolved all issues with this server.
There was a small chance that sensitive information belonging to about 200 people that registered for DCE classes was exposed during this incident. Even though the chance this information was exposed is very small, DCE staff has already contacted those people with information on how to protect themselves from identity theft.
If you did register for a DCE class in this time period you should have received, or will shortly receive, a letter from DCE about this incident including information on how to protect yourself from identity theft. Otherwise, ITS believes your information is not at risk of exposure.
For more information on this situation, please see http://www.linfield.edu/incident .
Please don’t hesitate to contact me if this message and the information at the above web link leave you with concerns or unanswered questions.
People regularly access and provide sensitive information via the web at Linfield. Nonetheless, I want to assure everyone that the small risk of exposure was limited to those very few DCE students that registered during this time period. That is because “the web” at Linfield isn’t one server at all, but is actually composed of at least nine different machines located here on campus and at least three services that we have outsourced to other businesses.
We have run extensive diagnostics on all other web and other servers at Linfield and have confirmed that only the server that runs www.linfield.edu was compromised. The only sensitive information that was collected on this compromised machine was registration information for DCE students. Because we know this information is sensitive, it was collected for use and deleted every day. I say “was collected …” because we had a project underway well before this incident to move collection of this information off this server to another location. A much more secure registration system is planned for the Fall DCE registration process.
All the other web servers that constitute “the web” at Linfield have much tighter security and are much less vulnerable to intrusion. These are all single purpose machines, which in and of itself provides more security. For the most part, these machines are configured with a separate “front end” user interface on one machine from the “back end” server where data is actually stored, further isolating the actual data from unauthorized access.
In addition to the notification of potentially affected people and replacing the DCE registration system with a more secure system, ITS has taken the following actions to further secure this server:
- The www.linfield.edu server has been completely rebuilt from a known clean copy of the web site to eliminate any possible contamination from this intrusion.
- All possible implicated login passwords have been changed.
- An additional firewall with stronger protection has been installed in front of the server.
- We have identified and are in the process of installing a software firewall designed to protect against unauthorized changes to the web server.
- We have ensured that all updates to software running the server content are up to date with the most current security patches installed.
- Permissions on upload directories have been greatly restricted and we are investigating alternative ways to reproduce affected functionality.
- Web pages that use programming techniques with security flaws have been removed and are in the process of being replaced with more secure code.
- Coincidentally on July 3 we received the results of an Internet security audit we contracted for several months ago. A quick scan of the results confirms the flaws we discovered. We will be giving this report and its recommendations a lot of attention over the next days and weeks.
Some additional resources you might be interested in that provide information on identity theft:
- Federal Trade Commission Identity Theft Web Site, www.consumer.gov
- Oregon Department of Justice Identity Theft Web Site, www.doj.state.or.us/finfraud/idtheft.shtml
- Social Security Administration Fraud Line, 1-800-269-0271
- Major Credit Bureau Numbers
  - Equifax, 1-800-525-6285
  - Experian, 1-888-397-3742
  - Trans Union, 1-800-680-7289
Please don’t hesitate to contact me if this message leaves you with concerns or unanswered questions.
Irv Wiswall | irvw@linfield.edu
Chief Technology Officer | 503 883 2575
Linfield College |
McMinnville OR 97128
