Weakest link

Challenges of being the low-hanging fruit of the hacker world.

On Friday, May 12, PC users across the world opened their laptops to a brick wall — or, more accurately, a paywall. Over the following weekend, some 300,000 people found themselves locked out of their computers, all data encrypted. To get their data back, victims had to pay a specified amount of Bitcoin (BTC) — an untraceable cryptocurrency — to the hackers. The typical payment was close to three hundred dollars, or 0.13752951 BTC at the time of publishing. Given the vast spread of the attack, though, that relatively small fee crippled massive organizations.

The attacks were carried out with the WannaCry ransomware program, though how so many computers were infected, and by whom, remains unclear. The most severe shocks were felt in Europe, though Britain was hit hardest. The National Health Service, Britain’s single-payer healthcare system, was crippled by the attack — some 48 out of 258 systems were shut out entirely.

What does any of this mean to the average UBC student? For starters, stop thinking you’re immune and that you can trust those TV streaming sites hosted in Azerbaijan. If you decide to pirate your TV or music, watch out for the file type. If your Gilmore Girls season five is full of .exe files, don’t click on them, and make sure to delete LimeWire. It’s not just your computer you’re protecting, it’s the network.

“There’s personal information as well as their interest in accessing the internet [at UBC] — there are potential vulnerabilities all around us,” notes Dr. Hasan Cavusoglu, an associate professor emeritus focusing on information technology management at UBC.

“Although you can try to put all of the protection mechanisms around the network, [it] still creates some further vulnerabilities for everyone in the network.”

While these viruses can be largely harmless — locking your PC until you read a trite poem, for example — viruses have gained the power to steer democracy and target institutions, including universities, with an abundance of sensitive and valuable information.

Hacker? I barely know her!

The methods used by the WannaCry hackers may be novel, but hacking is as old as computing itself. The first viruses were spread through malicious floppy disks, cooked up by a ninth grader in 1981.

And still, the hacking everyone’s been talking about lately is less of the ‘[ACCESS GRANTED]’ hacking you see on NCIS, and more social engineering. The most well-known attacks are called phishing, and can be either precisely targeted or broad, aiming to make you willingly give up your information.

For example: you log into Gmail to see an email from Apple saying that your account has been hacked — and you need to log in to change your password. What you didn’t notice is that the email was from help@apple.xyz, a fake account. It’s too late now, and your credit card is maxed out. While these attacks are nothing new — a freakishly prescient Radiolab in September 2015 told the story of one woman’s computer being locked by a WannaCry clone — their scale is unprecedented.

Recently, MacEwan University in Edmonton paid $11.8 million in university funds to a fraudulent account posing as a regular university contractor, in a scheme similar to the previously mentioned false Apple emails.

As though the original WannaCry wasn’t enough, a second ransomware attack spread across Europe last month, starting in Ukraine. The program was different this time, known as Petya, and infiltrated affected computers through malicious email attachments. Other than the name, the spread — which began in Eastern Europe, and is now spreading further — has the potential to cripple entire infrastructure networks.

“Security is the weakest link,” said Cavusoglu. “Even if you cover everything, even if there is one particular aspect that has not been protected properly, that can cause the problem.”

For the UBC community of some 60,000 students, faculty and staff, information security breaches have ramifications from leaking personal records to intellectual property theft concerns. But in a university setting, security has to be balanced with flexibility — and the right ratio is hard to strike.

While UBC has not disclosed the number of detected hacks on its networks in recent years, according to Cavusoglu, this is part of its security strategy.

“The nature of the security is a cat and mouse kind of game, like a moving target,” he said.

Information ecology

But UBC, despite its size and vault of information, lacks the privileges afforded to large corporations who can lock down their data behind a single firewall.

“We don’t have that option because we have to allow researchers and professors and staff doing their work some flexibility in what they do,” said Don Thompson, UBC’s chief information officer. “Our network and our ecosystem here is very diversified and that definitely presents a challenge.”

The “greatness of UBC” adds to those challenges as well.

“We’re a tier one research university, so we have a lot of information of interest to people,” Thompson added.

While he urges extreme caution when storing personal information on any public server, Thompson emphasized that UBC does everything possible to protect students.

“UBC’s servers have protection on them as do our email gateways. They’re scanning for malware, phishing attempts and all of that. Then we have protection on individual computers, whether that be antivirus, encryption or various other technologies that we put in place for that.”

UBC’s cybersecurity network attempts to keep your data between as many layers of security as possible, at least while on UBC networks, including malware scanners on servers. And UBC doesn’t go it alone either, according to Thompson.

“We’re part of an organization called BC Net, which provides network and connectivity to all post-secondary institutions in BC,” he said, referring to the not-for-profit of which all higher education institutions in BC are members.

Securing its information isn’t a project UBC can handle on its own.

“Some organizations might say, ‘Oh, I’m going to close all the loops, I’m not going to allow students access to this and that, you can’t use Facebook, you cannot use this, you can’t do any filesharing,’” he elaborated.

“But my external observation is that UBC IT recognizes the importance [of freedom and flexibility]. They see it as a really proper risk management perspective instead.”

Growing pains

According to Cavusoglu, these challenges are those that all universities face as they update their systems and try to stay current during the new technology age.

“Universities are viewed as one of those low hanging fruits,” he said, which makes them a potential target for hackers. “Especially due to the massive amounts of data that universities have about their students, hacks are potentially devastating.”

And it is not just that students are vulnerable — they are also potential liabilities due to the laptops they often take to class.

“If it were a standard organization, either a company or government organization, you could have a lot more ways to ensure certain standards of protection. [But] a student might bring a laptop, which may not have any protection,” said Cavusoglu, noting that this could compromise the whole network.

The sheer number of devices that each student is bringing in compounds the issue, with each being a potential source of malware. If a hacker gets access to the SSC, the consequences would be dire, but Cavusoglu said they are hard to foresee.

“Certain metrics of student information would be exposed, [and there] might be some loss of credibility, reputation or damage [to UBC],” he said. Even so, the extent of these damages would be hard to predict even after the hack had been discovered and halted.

Practice safe browsing

Thompson doesn’t want students to worry — but it would certainly help him if they were more aware. He urged students to make their CWL password and login unique and to not share them with any other accounts.

“When they have your information because with your username and password, they can become you,” he warned, adding that it is equally important to not use Facebook, Google or Twitter credentials anywhere else.

As well, keeping up with your updates can have a huge impact on the security of your information.

“[In] the WannaCry outbreak from May, or the outbreak in Ukraine a couple of weeks ago, the avenues for all of the bad guys to get on to the systems were unpatched, older versions of the operating system,” said Thompson, stressing the need to keep your systems up to date. “Believe it or not, Apple, Microsoft and Linux developers use those incessant updates to keep their security infrastructure up to date.”

Ultimately, Thompson highlighted the importance of using two-factor authentication for as much of one’s online presence as possible. Two-factor authentication refers to a system where you can’t just log in with a password, you need two forms of ID, such as a password and a code sent to your phone.

While it’s not the reality at UBC yet, two-factor authentication will be rolling out for CWL login within the coming few months. Part of the reason is that Thompson finds many students storing and sharing passwords between accounts and devices.

“If you recall, some of the largest internet companies have had breaches — Yahoo had millions of accounts breached, or not breached but made public, and the problem was that people used their business account, or their company account, also for their Yahoo account,” he said.

The bottom line is that if employees at a tech company are vulnerable, so are members of the UBC community. To see if your personal information has been compromised, the website haveibeenpwned.com pinpoints which of your accounts could have become vulnerable by searching your email address.

“As a university, we want to promote as much possible access to the network and to allow students to access information,” said Cavusoglu.

“But at the same time, we recognize the challenges of balancing our responsibilities.”