The Breach That Wasn't

by Sam Bowne

On January 13, 2012, a front-page headline screamed "Viruses Stole City College of S.F. Data for Years." [1]

The news echoed around the world, on ABC television [2], IEEE Spectrum [3], Huffington Post [4], and many other news outlets.

The City College of San Francisco (CCSF) newspaper [5,6] later published complete accounts of this disaster: viruses infected our computers for a decade, stealing private data from students.  Furthermore, our technical staff were so incompetent, they failed to notice or amend this awful situation, and, when alerted, just covered it all up.

I was amazed to see this, because I have taught networking and security classes at CCSF since circa 2000, and my students performed a security audit of the college recently.  We use anti-virus on the workstations, and Deep Freeze; we have a Layer 7 firewall, and other security measures - far more than other similar colleges have.

In addition, we had two complete hardware replacements of the workstations in the last decade.  How is it possible that such a virus infestation eluded all our countermeasures?

And how is it that no teachers, IT staff, or campus administrators knew anything about this until we read it in the newspaper?

Alarmed staff members, administrators, and teachers tried to get answers from our Chief Technology Officer (CTO), who was the sole source of the "virus" story.  But none of us could get anything from him - the "viruses" had been found by an outside contractor, and a November 2011 report explained it, but that report was so confidential that none of us were allowed to see it, not even the IT staff.  In addition, an FBI investigation was in process, requiring total secrecy.

After four months of complaints, investigations, and extreme pressure from all levels of the administration, the truth finally came out: it was all false.  The "viruses" were false positives reported by a misconfigured network forensics device - direct inspection of the "infected" machines showed no viruses, except for one small lab in which the anti-virus had been disabled by a misguided local administrator.  There was no FBI investigation.  There was no November 2011 report.  The contractor provided an incomplete report in January 2012 - after the media scandal - and another one in April, both claiming that we had thousands of infected machines, but lacking evidence.  It even reported Windows viruses infecting our UNIX servers.

Finally, under extreme pressure, the CTO provided a spreadsheet listing the IP addresses of the "infected" machines, so we could examine them directly.  No viruses were present on them.

However, none of this convinced the CTO that he was wrong.  He concluded that the staff, the administration, and I were all in a conspiracy to conceal the viruses, and published this assertion, along with the "confidential" contractor report, in the newspaper.  He continued to demand that we send breach notifications to thousands of students, until he was placed on suspension and ejected from the campus by CCSF police [7].

The media did nothing - no retractions, no follow-ups, no corrections.  This will likely pass into history and security textbooks as proof that we are the sleaziest college on Earth, with the worst virus problem ever known.

I would like to let security professionals know the truth, however, even if the mass media doesn't care.  So I decided to talk about this at HOPE and DEFCON and other conferences, and to send it to 2600.

References

  1. www.sfgate.com/education/article/Viruses-stole-City-College-of-S-F-data-for-years-2502338.php
  2. abc30.com/archive/8503743/
  3. spectrum.ieee.org/riskfactor/telecom/security/computer-virius-infection-at-city-college-of-san-francisco-may-have-started-10-years-ago
  4. www.huffingtonpost.com/2012/01/14/city-college-of-san-franc_n_1206578.html
  5. theguardsman.com/bug2
  6. theguardsman.com/bug3
  7. www.fogcityjournal.com/wordpress/4600/ccsf-chancellor-suspends-technology-adminstrator-launches-investigation

Note: My statements are my own, not necessarily official CCSF positions.  However if you read the article, you understand how completely absurd that statement is.