The Tufts Daily
Where you read it first | Sunday, August 17, 2025

Weak passwords lead to security breach, UIT says

This month's hacking attack on over 100 computers at Tufts' Medford/Somerville campus came about after hackers compromised a number of passwords which allowed them onto the network, according to Dawn Irish, director of communications and organizational effectiveness for University Information Technology (UIT).
   

The hackers used their newfound access to take over storage space, saving files like movies and music that could be used for peer-to-peer sharing, Irish said.
   

The attackers did not destroy any files and the security breach did not leave any lasting damage, according to Irish.
   

"We call it a brute force attack with a password," she said. Hackers can easily guess passwords that are not complicated enough.
   

"Hackers have tools to process millions of passwords a minute," Irish added.
   

Beginning on the morning of Oct. 3 and continuing for a couple days, UIT officials noticed increased activity on over 100 machines in faculty and staff offices in the Schools of Arts and Sciences and Engineering, in Tisch Library and in Undergraduate Education, Student Affairs and Student Services (USS), according to Irish. Some computers in the Fletcher School of Law and Diplomacy also came under attack, she added.
   

The breach caused USS' technology team to pull WebCenter offline for about two days to protect sensitive student data used by the Web portal.
   

About 10 to 12 computers were infiltrated during the following week and weekend, Irish said on Tuesday. Of all the computers originally impacted, only two belonged to students, one fewer than she had said were affected last week, Irish added.
   

Over the past couple of weeks, information technology officials identified impacted computers, worked with users to strengthen passwords and tweaked network infrastructure settings to bolster security.
   

UIT requires that users create passwords for Tufts' local area network that are at least eight characters long and include uppercase and lowercase letters, at least one symbol and at least one number.
   

"Many of the passwords of the computers that were compromised did not employ as safe passwords as they could have been," Irish said.

Irish declined to comment on network changes, saying that if the information were made public, it could compromise security.
   

The Tufts network is relatively open compared to other large computer networks, like those at corporations, which often block access to sites like Facebook.com and YouTube.com or do not allow their users to download files that may not be secure. A diverse population of researchers, students, faculty and staff uses the Tufts network for a variety of purposes, making these sorts of restrictions untenable.
   

"We can't lock things down that other places would," Irish said. "We are cautious in areas that we can be cautious."
   

Despite security updates, this breach will probably not be the last, according to Irish.
   

"We have to be constantly vigilant against attacks," she said. "People are constantly scanning our system for holes."