M-GO-Beek

January 17th, 2023 at 8:47 PM ^

I doubt if it was something as mild as accessing HIPAA-protected material that the cops would be involved. All of the university EHR data is monitored with access logs. He looked somewhere he shouldn't, it would be a very simple open-and-shut case and he likely would just be fired (without legal intervention). The fact unmarked cars are at his house and the cops are involved at all suggests something worse.

Blue Texan

January 17th, 2023 at 9:09 PM ^

So, retired IT exec and former CISO so my 2 cents. If the report on “access” is accurate, then it seems like a form of “hacking”. Hacking is unauthorized access to systems and/or data. Wide range under this umbrella.

I would not think it's viewing ugly internet things. This wouldn’t be considered unauthorized access. The report did not say “inappropriate use”.

Blue Texan

January 17th, 2023 at 9:30 PM ^

Depends if he accessed UofM systems/data or an external one. Two points: first, most unauthorized access comes from compromised credentials, usually due to people who don’t care about info-security.

Secondly, do you really think public universities invest heavily in IT security?  The success of IT security is directly proportional to the budgeting allowed by the people who don’t understand IT security. 

killerseafood3

January 17th, 2023 at 9:36 PM ^

To answer your second question, yes, public universities do invest heavily in IT security. Take it from me, I'm in charge of IT at a public university.

UM is heavily decentralized when it comes to how they handle IT management, and that may explain why there are lax controls or something along those lines. But for any college to even qualify for cyber insurance (which is key in today's world), the standards are incredibly high, not to mention federal regulations to adhere to (HIPAA, FERPA, GLBA, etc.), in which the penalties can be staggering.

bronxblue

January 17th, 2023 at 9:43 PM ^

It wouldn't be remotely difficult for someone to get access via someone else's credentials who does enjoy such authorization.  Again, pure speculation but getting too caught up in the details of the system accessed vs. what the actor did to access it isn't necessarily going to lead to a good result.

BornInA2

January 17th, 2023 at 8:27 PM ^

The level of ignorance and/or stupidity required to think that one will get away with computer-based crime on a computer owned and managed by even a half-competent university is staggering.

GOBLUE4EVR

January 17th, 2023 at 9:04 PM ^

My company installed an A/V system in one of the auditoriums back in 2019, we have been doing 6 month check-ups on the system ever since... in November U of M IT department was doing security scans and it caught that the firmware on the run of the mill Epson projector was out of date and it flagged it as potential security issue... so that should tell you how serious U of M's IT department is...

killerseafood3

January 17th, 2023 at 9:23 PM ^

Na, that's IT 101. I'm sure they have an appliance or some service that scans anything with network connectivity. Should be happening monthly, if not more frequent. If firmware / system software is out of date, you better be flagging that and putting it in a walled garden vs. letting it on your network with out of date, and possibly exploitable, software.

GOBLUE4EVR

January 18th, 2023 at 9:42 AM ^

I understand what you are saying, but again that projector has been in this space on campus since 2019... as I said before it's a basic Epson bulbed projector, I have been in this industry for almost 14 years now and I have never heard once of firmware needing to be updated on a $5000/$6000 projector... now if it was a large venue projector that runs north of 20 grand then I can understand that firmware updates need to be done when needed... but anyone that works in AV world will tell you that you only ever do a firmware update when it is 100% needed, and that you just don't do them to do them. I have seen a small firmware update on one piece of equipment take down an entire system because the brains of that system has an issue with it and then it becomes a full on shit show, which usually consists of programming needing to be redone, updating firmware across the board for every piece and part of the system... if it's a small system, no big deal. If it's a multi room and/or multi floor system it could take days or weeks to get it all straightened out...

Um1994

January 17th, 2023 at 10:39 PM ^

You would think...but UM has experienced multiple financial fraud issues, mostly not significant for an organization of their size. However, they took surprisingly long to root them out. From lower level admin staff submitting fraudulent charges to unauthorized use of university accounts. Sometimes large organizations aren't as efficient as they should/could be. 

MaizeBlueA2

January 17th, 2023 at 8:47 PM ^

That was my initial thought, but computer access crime is generally a fancy way of saying, "hacking."

I'm just trying to figure out what the OC at Michigan is trying to hack.

  • Is it some kind of counterfeit ring where he's siphoning money to himself?
  • Is he hacking grades to keep someone eligible?
  • Is he trying to dig up dirt on Warde Manuel? 
  • Does he have an ex and he's hacking an account? 

I'm joking about the first three, the 4th one...not so much. 

I'm not saying it's NOT the other thing, I'm saying, generally it's some hacking you see in the movies or it's someone guessing or hacking passwords (more on the side of fraud).