Security Lapses on Campuses Permit Theft From JSTOR Database -Chronicle of Higher Education Online, 12/12/2002
FYI, a freely available article in this morning's Online Chronicle:
* SOMEONE EXPLOITING A SECURITY WEAKNESS on college computer
networks this fall tried to illegally download the entire
collection of scholarly journals kept in the JSTOR database.
--> SEE http://chronicle.com/free/2002/12/2002121201t.htm
___
Thursday, December 12, 2002

Security Lapses on Campuses Permit Theft From JSTOR Database

By DAN CARNEVALE

Someone exploiting a security weakness on college computer
networks this fall tried to illegally download the entire
collection of scholarly journals kept in the JSTOR database.

JSTOR, a nonprofit organization that creates digital copies of
scholarly journals and sells access licenses to institutions,
was able to put a stop to the attempted thievery after about
50,000 journal articles were downloaded. Kevin M. Guthrie,
president of JSTOR, said this is less than 5 percent of the
organization's electronic library and that JSTOR did not take
a significant financial loss.

The culprits infiltrated the database by finding college proxy
servers that were unintentionally left open for use by the
public, Mr. Guthrie said. Proxy servers are programs used in
computer networks to ensure that only authorized users have
access to restricted materials such as online journals and
databases. But the JSTOR incident shows that colleges that
don't configure their proxy servers correctly can accidentally
leave avenues for others to use the servers to gain access to
the materials.

Mr. Guthrie said he was concerned that institutions may not be
aware that online thieves can use open proxy servers to
disguise themselves as a user at a college to break into
computer networks and databases. More sensitive and
confidential information could be stolen if institutions don't
find a way to protect against this behavior, he said.

The JSTOR network was penetrated in September and October by a
person or people in another country who gained access to proxy
servers at American colleges, Mr. Guthrie said.

They then launched what Mr. Guthrie called a "systematic"
attack on the JSTOR database to download its contents. JSTOR
staff members detected the activity and took steps to prevent
the downloads, but the culprits worked to find ways around the
roadblocks, he said.

Mr. Guthrie said the attack stopped after JSTOR sought outside
help, which he declined to describe. He also declined to
identify the institutions and the countries that were
involved.

Although the attack on JSTOR's database was halted, Mr.
Guthrie said, he wants to let others know what happened so
institutions and organizations can secure their servers from
such attacks. "My motivation for this is really to create
awareness of the problem," he said. "It's not motivated by
what we perceive as a direct commercial threat. We can deal
with that internally."

The proxy servers at colleges can be accidentally left open to
outside access, he said. Officials at institutions need to
keep a constant eye out to guard against unauthorized uses of
college equipment, he said.

"Anybody on a campus can set up a Web server and can either
accidentally or for some other reason open up some other
proxies," Mr. Guthrie said. "People have figured this out.
They understand this. So what they do is they go out and
search for these open proxies."

Ann S. Okerson, associate university librarian for collection
and technical services at Yale University, said the incident
at JSTOR could be a symptom of a larger problem.

Ms. Okerson said she's concerned that the instances of attacks
on proxy servers could grow and allow outside users to view
confidential information, like scholarly work or medical
records or even love letters. "It's things that you and I
really hold dear and private and confidential," she said.
_________________________________________________________________
Copyright 2002 by The Chronicle of Higher Education