It only took a few seconds.

With a couple mouse clicks, some clever programming and a fiery curiosity, a mischievous hacker gained illegal access to an administrative computer in the Gaylord College of Journalism and Mass Communication and was browsing through the system's files.

At that moment, he had access to grades, sensitive memos and other confidential material that wasn't meant for his eyes.

This hacker is Paul, an OU engineering major who wished to remain anonymous, and he has been hacking into computers as a hobby for 15 years, he said.

University information technology security networks battle hackers like Paul every day, but stopping them isn't as easy as it sounds, especially with the advent of wireless Internet and extensive campus networks.

A virtual playground

Paul said he views university networks as his playground.

"University networks are like bars or clubs for hackers?kids with computers and no idea that they're completely exposed," he said.

Using programs he downloaded from hacking Web sites and some of his own programming, Paul can access dozens of unprotected machines on the university network. The easiest targets are users using no form of firewall protection and users who haven't installed security patches for Microsoft Windows, Paul said.

"These people don't realize that I'm out there getting in," he said. "It's so easy."

Paul said he isn't the only one who knows how to hack into the university network.

"This is something lots of students know about," he said. "It's not just me or a few people. The only reason I'm talking about it now is because it's a real problem, I think."

Still, Paul said he doesn't hack into the network to steal information or cause problems but to satisfy an unusual curiosity and also because he can.

"I don't know why I want to get in there and read stuff," he said. "It's just a thrill, being able to get in and have it all at your fingertips. It's a thrill."

OU IT security

The thrill for Paul does not excite Calvin Weeks, director of the OU Cyber Forensics Lab. Over the past 22 years, Weeks has worked in communication technology and for the last 12 years he has worked in computer, network and electronic media security.

Weeks said he has seen his share of hackers and wasn't surprised about Paul's attempts.

"It happens daily," Weeks said. "It doesn't make it right, but there are people out there who want to see if they can do it. Bad things happen."

Like Paul, hackers test the systems simply to see if they can get past the network security, Weeks said. They don't have malicious intent or harm in mind, they are just testing their skills, he said.

Weeks said he understands the problems at other universities, like hackers and virus attacks. The IT department can fight security threats, Weeks said, but the unique nature of the OU campus makes fighting the problems difficult, especially when the hackers are users of the network, like Paul. Unlike many large corporate networks, OU has to adapt to students, faculty, commuters and residents of the OU campus.

"This network is wide open," Weeks said. "It's not like a corporate network, where the luxuries and the freedoms are taken away. This is our users' home and to function as freely as possible, they need flexibility."

Weeks said OU's networks do not filter any content, incoming or outgoing, because they have to be flexible in order to accommodate users. Weeks said reviewing users' content would severely limit the education capabilities of the students and faculty.

The idea of restrictive access does not appeal to Cassie Clark, university studies sophomore. Clark said filtering could potentially close off information that she may need.

"What if I need something they determine to be a security risk," she said. "It would hamper my efforts at getting information."

Weeks said that without filtering content, the problems will continue to exist.

Michelle Wiginton, OU IT communications liaison, said this structure of the OU network and the job of IT staff is comparable to running the network for a medium-sized town.

"It really is just like a town," Wiginton said. "It's a totally different environment than most. In the corporate world, someone would be fired. Here, you don't have that accountability. This is education and you can fight an uphill battle until you restrict everything that is going on."

Michael Sewell, director of IT security, said the OU network handles a large amount of traffic on the network: about 200 megabits per second incoming and 150 megabits outgoing. To keep the system running, the network can't be bogged down with restrictions, Sewell said.

"It could be anyone, it could be anything," Sewell said. "Our first priority is the student, and our faculty and staff."

OU is not immune to attack. In 2003, 25 to 30 Microsoft Windows and Unix computers and servers at the OU Health Sciences Center in Oklahoma City were attacked by hackers, which caused a shutdown of the HSC system for about a week.

According to a Jan. 12, 2004, story in The Daily, the attack forced IT employees to block all incoming traffic to the HSC servers, keeping students and faculty out. No computers were attacked on the OU Norman campus in the incident.

The attack on the HSC system gave cause for more training and protection, Weeks said.

"We want to give you more training," he said. "We're working on beginning steps?privacy issues, securing your password, safety online, outreach?and we're doing it in formalized sessions and online."

Attacks at other colleges

Hackers are not new to campus networks. The problem of hackers has plagued universities for some time, and many experts say the attacks seem to be worsening.

A former University of Texas student is awaiting trial on four counts of fraud, accused of hacking into the UT system and downloading 55,200 names and Social Security numbers, according to the Texas Department of Safety's criminal records database. That attack cost UT more than $122,000 to respond to the attack and $45,000 to identify and send letters to those affected, according to the indictment.

The student had tried hacking into the system three previous times in January, February and April of 2002 and was warned by the UT information technology department not to try again, according to UT incident reports. The student could face up to 10 years in prison if found guilty.

The list of similar attacks is long. Hackers at the University of Missouri gained access to hundreds of students' personal information before shutting the network down, according to its Web site.

According to University of Georgia IT documents, hackers gained access to a server that connected with at least 10 other government and university servers, giving access to hundreds of documents and information that could lead to identity theft. More than 380,000 students, faculty and staff at the University of California were notified last April of the possible theft of their personal information by hackers taking names and Social Security numbers, the university said in an April press release.

In another case of university hacking, George Mason University, whose network had been hailed by the National Security Agency as one of the toughest to beat in the country, was hacked into in January 2005.

George Mason University said in a press release in January that a routine examination of computer security logs at the university revealed a staggering discovery? a hacker had broken into the system and gained access to names, photos and Social Security numbers of more than 32,000 students, faculty and staff.

The attack prompted the school to disconnect the compromised server from the network and open an investigation into what information was lost, according to an e-mail following the attacks sent to university users by Joy Hughes, GMU's vice president for information technology.

"It appears that the hackers were looking for access to other campus systems rather than specific data," Hughes said in the e-mail. "However, it is possible that the data on the server could be used for identity theft."

Daniel Walsch, GMU's media center director, said that while the attack was discovered in January, school officials now believe hackers may have had access since November. Officials are still unsure exactly of what information was accessed, Walsch said.

"We felt that everything was secure and that we had safeguarded against something like this," he said. "There were some hints that they were trying to open some other doors. We are not sure if anything else was compromised."

Advanced technologies

As technology and computer strength has expanded, so have the opportunities for hackers to gain access in new ways, Sewell said.

Financial security consultant Brian Dahl claims wireless technology is some of the least secure technology available. Banks and finance groups hire Dahl and his firm, Network Consultants, to perform IT and security audits that identify the weakest parts of their networks. The biggest security problem on the networks Dahl has examined is wireless technology, he said.

"Someone could easily sit in your lobby and get as much information as they had time for," he said. "And even if they couldn't sit in your lobby, they can sit outside on the sidewalk or in their car. Wireless networks are just like open books that ask hackers to break in."

As wireless technology becomes increasingly popular with students, identity theft and privacy issues may rise, Dahl said.

"Students just aren't aware about who are on these networks, and they should be," he said. "You can't use these networks like wired networks."

Caleb Fox, broadcasting and electronic media sophomore, uses wireless technology in Oklahoma Memorial Union and in some of his classes. Fox said he enjoys being able to get online from anywhere.

"It's nice to be able to just get online anywhere," he said. "I get online in class and between classes. I stay connected."

However, Fox said he is aware of the lack of security, so he limits his online activities.

"I know it's out there for anyone, so I don't do it very much," he said.

Fox said his computer became infected with a virus through his wireless connection. He said it took him by surprise and caused him to be more active in protecting his computer.

"I installed a new firewall and virus protection right after," Fox said. "I don't want to get them anymore. They are very difficult to deal with."

OU's wireless networks have little security, but even if they did, there is no guarantee that the data would be safe, Weeks said.

"You never know who is listening," Weeks said. "But even if we did, once it's out, there's no guaranteeing anything. We can't secure the destination end of the data, only our end."

Weeks compared wireless technology to using a cordless telephone and emphasized the need for careful practices while surfing the Internet wirelessly.

"With wireless, you're just broadcasting," he said. "Browsing is fine, and with e-mail, someone can and may read it. You just have to understand the environment to use it."

Solutions

For students, online safety isn't tough, Weeks said.

"Just use common sense," he said. "I don't do banking transactions online or purchases online. I always check and verify secured sites and identify a credit card that you use solely online and put a limit on it."

Weeks also suggested using credit card companies that have special programs for online purchases.

MBNA America credit cards have a "ShopSafe" program that allows consumers to create a new credit card number for every purchase and to put limits on how much they can charge to the card.

Weeks also said students should be cautious when opening e-mail attachments and files from people they don't know.

For OU as a whole, Weeks said that without creating a strict, heavily monitored corporate structure, the solution to network security is not attainable.

"There is no 100 percent protection," he said.

And for hackers like Paul, there will always be new ways to circumvent security measures.

"It's all computer programming," Paul said. "No matter what they do, there will always be a counter to it, and we'll keep trying until we figure it out."
hello there & you too