There has been a significant rise in attacks on the education sector this year, and it’s not just students hacking into school computer networks to change their grades. Sure, that does happen, but that is not the main problem that educational institutions seem to be having. The fact that students can break into protected areas of university networks only exposes one of the reasons why educational institutions have become targets.
Recently, cyber security experts have seen the education sector become the target for both financially motivated and nation-state attacks. It is not too difficult to guess why. First of all, universities store the personal information of thousands of students and employees. In addition, besides allowing students and staff to connect to their networks, universities also maintain network connections with a large number of contractors and suppliers. These could include anything from those who supply food for the cafeterias, to local, state, and federal government agencies, to healthcare institutions. Besides personal information, university networks may also store scientific and other research which could be valuable to certain foreign governments and industries. In other words, a big and growing target is clearly on the backs of our educational institutions.
Probably one of the most thankless jobs a person could have is to be the head of IT at a university. No matter what they do, they’re sure to aggravate someone. If they try hard to secure the network so as to protect important data and personal information, they may get criticized by students, teachers, and others who want easy access. Too many complaints and the IT Department is likely to have the administration coming down on them and the department head may even find that their job is in jeopardy. On the other hand, if the IT Department makes it too easy for people to use the network and the network gets hacked, they’ll also have to answer to the administration and may end up losing their job for this. It’s your basic no-win situation.
The IT department must also deal with the realities of modern university life. Much more is done online than it used to be. Classes may be held online and assignments may be sent in via email. All of these must match the ‘easy-but-secure’ standards that all universities seek. Some parts of the network must be more protected than others. Important data may need to be encrypted and access to various parts of the network must be controlled. Deciding on how and how much to protect different types of data can be a challenge, to say the least.
For example, a professor may feel more comfortable with using offsite storage such as Dropbox for storing student records. Maybe they find using the university network too restrictive or the university prohibits remote access. The professor might think that using an offsite service may be the answer. Unfortunately, using offsite storage could lead to exposing the data to some sort of attack, like a man-in-the-middle attack. The IT department must, therefore, determine what, if any, sites those using its university network can be allowed to access. This will take a lot of time. In addition, they have to decide who has access to what. Certainly, students shouldn’t have access to the same information that professors have.
However, if I wanted to hack into a professor’s access rights, I’d have to think that this would be pretty easy. I’d probably pose as a student sending in an assignment, The assignment would be attached as a file that would have a name that appeared to be valid. Clicking on the attachment, however, would trigger a program that would put malware on the professor’s computer (or whatever endpoint was connected to the network). If my malware was good enough, I would be able to remotely control the professor’s device and have his or her privileges to access whatever information they could access. I could even use the professor’s credentials to launch a similar attack on higher level users. I could, by leapfrogging, eventually gain access to any information stored on the network…just saying. It’s a possibility.
Of course, if I get a list of users, usernames and, perhaps, passwords for all those individuals and institutions that have access to the university network, I could use the university network as a platform to attack higher level targets such as government agencies, companies, and health agencies that work with the school. I could, at least theoretically, even gain access to information that could compromise national security. It is no surprise, then, that some universities have traced attacks back to China and Russia.
Just for fun, and the purposes of this post, I decided to prepare for a cyber attack on a university. Don’t worry, I didn’t carry it out. I just wanted to see if I could get enough publicly available information to write a good spear phishing letter that would have a good chance of getting past any server filters and gaining the trust of the receiver. I figured I’d try to compromise a top university, one that is noted for its good security, so I chose Harvard.
I soon found a list of Harvard graduate students. They all gave their Harvard email addresses. That was helpful. At least now I know where to send the email. Some grad students, proud of their accomplishments, gave a short profile of themselves. I, thus, learned their majors, departments, interests, and even some companies and agencies they worked for. Next, I went to the administration and faculty pages. Again, I had no trouble getting their email addresses and finding some who gave a lot of personal information. Some of them even post their resumes. This gave me their history and even the names of references and assistants, often with their email addresses. If I could find people that they knew in other organizations, I could construct an email that would appear to come from these people, complete with the organization’s logo. I would probably put the person’s legitimate email address in parentheses next to their name, which would make the email look more authentic. They could even check this out if they were suspicious. And if they did check it, they would find that, in fact, the address was genuine. I could, then, with trust established, ask them to open a document that appeared legitimate or check something out on a fake or cloned site. Either way, I could get them to inadvertently install malware on their device.
Since graduate students and faculty both posted information on the departments they were in, I could even send an email that appeared to come from a faculty member or someone from the administration to a student in a particular department. This is somewhat risky, though, as the student may check with the professor or administrator to see if the email was legitimate. However, many students may not do this because they don’t want to appear overly cautious or ignorant. Many would simply feel uncomfortable bothering someone who was higher up in the university.
Of course, none of these techniques may work, but they would be the angle an attacker would take if they had no other information such as usernames, login IDs, passwords, or pin numbers. Often, these spear phishing emails appear to come from the IT Department itself. They often look like the following actual spear phishing email:
Although this is more of a phishing than spear phishing email, it has still proven effective in a number of cases. This was clearly designed by nonnative English speakers and this is often the easiest way to see that something is not right.
Here is a better designed phishing email:
The English is still convoluted but at least they went through the trouble of putting on a logo and adding some other formatting niceties. In any event, if a student believed this to be valid, and inevitably some would, they would be led to the following cloned page:
As you can see from the address in the address bar, filling out this information would send it to someone other than the IT department.
Of course, the biggest problem for all universities is that they have so many endpoints connected to their networks. In the case of Harvard, one source noted, that, “beyond the University’s sheer size and expanse, perhaps the greatest threat to security comes in the form of countless laptops and other devices connected to the network 24 hours per day, seven days per week, by students, faculty and staff. Every time a student connects to the Harvard University wireless network, he creates a pathway into Harvard’s system, one that could be potentially exploited by a hacker.” Harvard computer science professor, J. Gregory Morrisett added that, “The really smart attackers break into your system, own your machine, but don’t let you know it.”
That appears to be what happened at the Pennsylvania State University engineering school in May. Apparently, Chinese hackers had been hiding in the school’s servers and gathering information for the past two years before they were discovered. The school was linked to over 500 partners which included government agencies. It’s just impossible to know what was taken or if the school was used as a platform to launch other attacks. But Pennsylvania State University’s engineering school is not alone in its victimization by Chinese hackers. Both John Hopkins and MIT have been targeted and who knows how many other universities are currently under attack but have not yet discovered the fact. As Morrisett pointed out, “it’s a losing game in the long run, because the malware never goes away, and there are still versions of viruses from 15 years ago floating around that you have to protect against…and the attackers get more clever about crafting the attacks so that they’re not easily recognized by simple scanning.” In other words, expect to see more of these educational institution attacks being exposed in the future or, in the worst case scenario, seeing higher level attacks on government agencies traced back to universities which were being used as launching platforms. This is a story that has yet to be played out in full.
The basic IT dilemma is how to balance user freedom with network security. In no place is this dilemma put to more of a test than at universities. Students, faculty, and others connected to the network want to use their own smartphones and tablets in whatever way they wish, without being told what they can and cannot do. However, if you are a university IT worker, you cannot allow those connected to the network so much freedom… or can you? In fact, given the right security architecture, you can allow users to do whatever they want without compromising network security. How? Check this out.