IT security breach causes WebCenter shutdown
Published: Tuesday, October 6, 2009
Updated: Tuesday, October 6, 2009 07:10
An unusually large-scale hacking attack over the weekend affected at least 100 computers on Tufts' Medford/Somerville campus, causing the university to temporarily shut down WebCenter and send many employees home early.
The security breach likely resulted from people outside of the university trying to hijack Tufts-affiliated computers in order to send out spam e-mails or to use network storage space for other purposes, according to Dawn Irish, director of communications and organizational effectiveness for University Information Technology (UIT). Irish said that information technology officials will not know for sure what caused the attack until they complete an analysis this week.
Impacted computers included those in faculty and staff offices in the Schools of Arts and Sciences and Engineering, as well as machines in Tisch Library and in Undergraduate Education, Student Affairs and Student Services (USS), Irish said.
She added that to the best of her knowledge only three of the approximately 100 computers affected belonged to students.
The breach did not affect all sectors of the university, or even of the Medford/Somerville campus. The university advancement office and the Fletcher School of Law and Diplomacy were among several sectors that escaped harm.
Information technology employees began noticing jumps in traffic from a number of compromised machines around midnight on Saturday morning. The spikes in activity, which can slow performance but are not always noticeable to users, spread to scores of other computers throughout the day on Saturday and into Sunday, Irish said.
Over the weekend, UIT notified relevant information technology teams across campus of the security breach, and those offices subsequently employed a variety of anti-virus and security measures on hacked machines, according to Irish. Officials reinstalled computer operating systems, made passwords more complicated and tweaked network settings.
UIT this weekend traced the attack to servers located in Amsterdam. After those servers were blocked, the attack shifted to Brazil and — after the Brazilian base was denied access — to Estonia. This offshore hacking method is common in these cases, according to Irish, who added that it can prove difficult to absolutely stop an attack when offenders switch servers so easily.
"We shut down their access to the university, but it doesn't do much to alleviate the problems," she said.
After computers were pulled offline on Saturday, UIT saw the attack wane on Saturday night. Irish said yesterday she thought fewer than 10 computers were affected on Sunday.
But more machines became affected during the day on Monday, inhibiting many staff's ability to carry out their jobs, Dean of Student Affairs Bruce Reitman said last night. Reitman decided in the afternoon to allow many USS staff members to return home if they felt they could not work productively, and most left by 4 p.m. Many were unable to leave behind "out-of-office" messages on e-mail or voicemail accounts.
USS employs about 125 people, including staff at cultural centers, the Office for Campus Life and the Office of Residential Life and Learning (ResLife), among other offices.
"There are a lot of people whose jobs really depend on the technology," said Reitman, who himself learned midday on Monday that his computer and several others had been "newly compromised."
Hackers most likely gained access to the Tufts network via a security weakness, such as a password of inadequate complexity, which attackers can exploit to gain access to a vulnerable computer.
Universities often come under attack by hackers, a result of their relatively open computer networks with fewer restrictions, according to Irish. Corporate networks, on the other hand, have the luxury of locking down to a greater extent, she said.
The high number of hacked computers stood out from other more common attacks, which occasionally impact one or two computers if, for example, a student connected to a Tufts network accidentally downloads a virus onto her machine.
Because of the atypical nature of this breach, Tricia Sheehan, the director of Student Information Systems Technology, decided on Saturday morning to take down WebCenter, a student services Web portal, and all other online Student Services applications, including similar WebCenter versions for faculty, staff and parents.
Sheehan said she did not want to take any chances given the amount of sensitive student data on Student Services servers. "I was actually being overly cautious," she said.
Student Services put WebCenter back online yesterday around 9 a.m.
Reitman said that "the assumption is" that USS will open as usual today.
UIT did not observe any increased network traffic yesterday, according to Irish, although she said it is possible that additional computers may have been hacked yesterday without showing telltale signs.
Much remained unclear yesterday, as UIT had not provided much information publicly, such as on its Web site. Irish said a public announcement would have been unnecessary.
"You don't always want to advertise when it's sort of localized," Irish said. A more sizable security breach impacting more machines or students would have warranted a public announcement, she added.
Irish said the last time she could remember such a significant security breach at Tufts was when the Blaster virus infected computers earlier this decade.
As an investigation into the causes of the hacking attack carries on this week, university information technology officials remain cautious yet optimistic that the attack has died out.
"We think the measures we took pretty much fixed the problems, but we can't know for sure," Irish said yesterday morning.