Under siege: inside the war for the University’s information
When Andrew Sheeler went to his computer, everything seemed all right at first.
Sheeler, a justice major, was in California for winter break, and he wanted to check his grades before spending some quality time with his family.
When he tried to log into UAOnline, however, something was wrong. The system rejected his PIN, and he was sure he hadn’t mistyped it. He tried again, to no avail. Confused, he clicked the “Forgot PIN?” button, and what he saw in place of his security question surprised him: in bold capital letters, the question field read, “YOU HAVE BEEN HACKED BY UNIVERSITY OF ALASKA G-UNIT.”
Sheeler opted against trying to answer the ‘question,’ and instead called UAF’s Office of Information Technology. When he returned to Alaska, university officials verified his identity and restored access to his account, but when Sheeler was able to log in again, he found a few unwelcome surprises: the ‘hackers’ had not only changed all of his contact information, they had disenrolled him from all of his spring semester classes. Fortunately, since UAOnline no longer stores Social Security numbers or credit card information, he was not in financial danger, but Sheeler said the experience was unnerving nevertheless. “There was literally nothing I could do about it – until I got back to Alaska and got things worked out, I didn’t know if I had passed any of my classes or if my information was safe.”
In the trenches
In a belowground office at the Rasmuson Library, OIT Chief of Security Kerry Digou and two other OIT employees form the front line of defense against hackers. Sporting a full, round beard and dressed in black cotton shorts and a t-shirt, Digou looks more like someone who would be on the offensive end of an attack on the university’s servers than the person tasked with fending it off.
Digou said Sheeler’s case wasn’t common. “Typically, we don’t see many attacks on [UAOnline]. Most of the time they’re simply looking for systems to use… for sending spam, or hosting malware, or putting links in forums for their Viagra ads.”
The reason UAOnline isn’t attacked more frequently, according to Digou, is that the payoff is too small for the effort. “Compromised, your identity is worth about a dollar,” he said. “They’re looking for large numbers. Onesies and twosies aren’t going to buy them anything.” Digou cited the recently acknowledged theft of 77,000 state employees’ personal data from an accounting firm as the sort of identity-theft attack worth hackers’ effort.
What makes the university’s servers more attractive to computer criminals, Digou said, is the size of its “tubes” – the relatively massive bandwidth common to research institutions like UAF. “We get attacked constantly… we have huge bandwidth compared to other locations.” The larger pipe means compromised machines can do more of the attackers’ bidding, whether that is sending spam, spreading worms and Trojan horses, or taking part in denial-of-service attacks on target websites.
The university’s primary defense against the attacks is the firewall Digou and his team maintain around the campus’ servers, academic network, and the dormitories. While the firewall is generally very effective in stopping intrusions, some invariably get through. Last semester, 41 machines were compromised across the university system, and four university affiliates’ accounts were compromised. Sheeler was one of the unlucky four.
The hackers are adaptive, too. “When there’s [an exploit] or some new break-in that hits,” Digou said, “attacks against that specific thing will skyrocket, especially when there isn’t a patch for it.”
Overall, attacks appear to be trending upward. Digou attributes the rise both to increased automation on the attackers’ side and to the university’s decision to move more machines behind the firewalls, which made attacks visible that were never recorded before. “We saw a huge jump in the attacks we were seeing when we put the students behind the firewall,” he said.
Although ill-intentioned users don’t frequently target student accounts, Digou offered a tip to those interested in making their online identity more secure. “Our passwords now, because we require complexity, are pretty safe,” he said. “But if your secret question is, ‘What’s my favorite color?’ and everybody knows it… they can reset your password. So don’t use easy-to-answer questions.”
The university’s recent move to a single AuthServ password for multiple online services, including email, MyUA, and Blackboard, has had both positive and negative effects on security. “The disadvantage is that if [hackers] get access to that account, they get access to everything,” Digou said. “This is something we looked at when we first started looking at consolidating accounts, but from my point of view, looking at security, the fact of the matter was, most people were setting their passwords to the same in all the various systems anyway. So having one system that we can look at to see if somebody’s attacking rather than eight, 10, 12, however many systems are out there, is easier in that sense.”
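The reset weakness Digou warns about above, shown as an added example that is not code from the university, UAOnline, or the original article: a Python sketch of a PIN-recovery flow in which the security question is the only factor, run against a small, constructed list of common “favorite color” answers, beside a hardened flow that locks the account after three misses and still requires a one-time token delivered to the contact address on file. The account names, PINs, question, and candidate list are all made up for illustration; nothing here reflects how UAOnline actually implements recovery.

```python
"""Why a guessable security question is an account-takeover path.

Constructed demo: a weak PIN-reset flow (answer alone resets the PIN) next to
a hardened one (attempt lockout plus an out-of-band one-time token).
"""
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed candidate list: plausible common answers to "What is my favorite
# color?" (illustrative ordering, not survey data).
COMMON_COLORS = ["blue", "red", "green", "black", "purple",
                 "orange", "yellow", "pink", "white", "brown"]


def _normalize(answer: str) -> str:
    """Answers are compared case- and whitespace-insensitively, as most
    recovery forms do; this also shrinks the guess space."""
    return " ".join(answer.lower().split())


def _digest(value: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly; use more in production.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 20_000)


class Account:
    """A student account whose only recovery factor is one security question."""

    def __init__(self, username: str, pin: str, question: str, answer: str):
        self.username = username
        self.pin = pin
        self.question = question
        self.salt = secrets.token_bytes(16)
        self.answer_hash = _digest(_normalize(answer), self.salt)

    def answer_matches(self, guess: str) -> bool:
        return hmac.compare_digest(self.answer_hash,
                                   _digest(_normalize(guess), self.salt))


# --- weak flow: one correct answer resets the PIN, no limit, no second factor --
def weak_reset(acct: Account, guess: str, new_pin: str) -> bool:
    if acct.answer_matches(guess):
        acct.pin = new_pin
        return True
    return False


def attack_weak(acct: Account, candidates: List[str]) -> Optional[int]:
    """Run a candidate list against the weak flow. Returns how many guesses
    it took to take over the account, or None if the list is exhausted."""
    for n, guess in enumerate(candidates, start=1):
        if weak_reset(acct, guess, "0000"):
            return n
    return None


# --- hardened flow: lockout plus a token sent out of band ----------------------
class HardenedRecovery:
    MAX_ATTEMPTS = 3

    def __init__(self, acct: Account):
        self.acct = acct
        self.failures = 0
        self.pending_token: Optional[str] = None

    def start(self, guess: str) -> str:
        """Step 1: check the answer under a lockout. On success, mint a
        one-time token that would be sent to the contact address on file."""
        if self.failures >= self.MAX_ATTEMPTS:
            return "locked"
        if not self.acct.answer_matches(guess):
            self.failures += 1
            return "locked" if self.failures >= self.MAX_ATTEMPTS else "wrong"
        self.pending_token = secrets.token_urlsafe(16)
        return "token_sent"

    def finish(self, token: str, new_pin: str) -> bool:
        """Step 2: only the holder of the out-of-band token may set a new PIN."""
        if self.pending_token is None or not hmac.compare_digest(self.pending_token, token):
            return False
        self.acct.pin = new_pin
        self.pending_token = None
        return True


def attack_hardened(acct: Account, candidates: List[str]) -> str:
    """Same candidate list against the hardened flow. Three misses lock the
    account; even a right answer yields nothing without the token."""
    rec = HardenedRecovery(acct)
    for guess in candidates:
        status = rec.start(guess)
        if status == "locked":
            return "locked"
        if status == "token_sent":
            # The token went to the real owner; the attacker can only guess.
            return "reset" if rec.finish("not-the-token", "0000") else "needs_token"
    return "exhausted"


if __name__ == "__main__":
    victim = Account("student1", "1234", "What is my favorite color?", "Orange")
    print("weak flow: taken over after", attack_weak(victim, COMMON_COLORS), "guesses")
    victim = Account("student1", "1234", "What is my favorite color?", "Orange")
    print("hardened flow:", attack_hardened(victim, COMMON_COLORS))
```

The weak flow falls to the sixth guess because the answer space for a question like “favorite color” is tiny regardless of how strong the PIN is, which is Digou’s point. The hardened flow fixes both halves: a lockout caps the guess count, and the token ties the reset to a channel the attacker does not control. The token is only as good as the contact address it goes to, so changes to that address should themselves be confirmed through the old address rather than accepted blindly.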