Students, faculty pose hacking risk at universities, experts warn

Feb. 4 (UPI) — After cyberattacks surged worldwide in 2019, potential targets are taking steps to mitigate the possibility of ransomware hijacking their computer systems — including educational institutions, where such attacks may be aided by students and faculty.

A recent study by British non-profit research company Jisc tracked the frequency of denial-of-service, or DDoS, attacks over the course of two years and found the periods with the least activity coincided with breaks in the academic calendar.

Two possible conclusions to draw from the trend is that students and staffers might be the ones doing the hacking, or they may be opening the doors for cybercriminals.

“This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle. Or perhaps the bad guys simply take holidays at the same time as the education sector,” the Jisc report said. “Whichever the case, there’s no point sending a DDoS attack to an organization if there’s no one there to suffer the consequences.”

“Universities are currently experiencing an increase in malicious cyber activities,” Florida Atlantic University Associate Provost Jason Ball noted in a recent letter to faculty and staff. “These attacks are carried out by both state-sponsored attackers who attempt to steal research data and post political messages and by financially motivated criminals who target actual money.”

Reza Azarderakhsh, an associate professor at the university’s Department of Computer & Electrical Engineering & Computer Science, said the very structure of university campuses make them more vulnerable. Their computers are more easily infected by flash drives in computer labs, and such large numbers of unique Internet-connected devices on campus can give hackers the access they need to infiltrate.

Such a network of interrelated devices is referred to as “Internet of things,” or IoT, and they are popular among modern computer hijackers.

“You can bring an IoT development board on campus have it connected to the campus Wi-Fi system, and then since it doesn’t come with security solutions, attackers can exploit it within minutes,” Azarderakhsh said in an interview with UPI.

He said university research projects, which often involve classified information or are supported by federal or industry grants, make the schools enticing targets for hackers looking to steal or expose precious data — or delete it to shake up the system.

“Sometimes, you can’t even get your own data to become public; your data disappears,” Azarderakhsh said. “They take your data; they delete it from your system.

“For example, let’s say you got paid a couple of millions of dollars from the government or industry to perform the research and your data is not available anymore.”

One significant threat to universities, especially, is phishing — a practice that involves attackers posing as a trusted source and sending bogus emails to gain access to a network. All it takes is for one recipient to click on a link in the email to open the door for hackers. If successful, they can infect the system with malware or mine sensitive and critical information.

“Due to the increased activity, there may be a greater-than-usual number of phishing scams and malware sent via email,” Ball said in his letter.

A number of municipalities and government entities were targeted by ransomware hackers in 2019 — including Baltimore and Greenville, N.C. Two Florida towns opted to pay the ransom — more than a combined $1 million — in an attempt to recover their files. Some still haven’t fully recovered.

Universities in Colorado, New Jersey, Ohio, Iowa and New York were targeted last year, and the University of Maryland Medical System was hit in late 2018. Last month, hackers demanded a ransom after hitting a computer network at the University of Maastricht in the Netherlands. The school paid up, to the tune of hundreds of thousands of dollars.

Experts say simple knowledge and awareness are the best weapons against the rise of cybercrimes.

“We still need our staff to be trained on what cybersecurity attacks look like, and how to avoid them,” said Thomas Dobbert, chief technology officer at Truckee Meadows Community College in Reno, Nev. The school recently contracted a firm to provide security awareness training.

“This kind of training is valuable,” Dobbert added.

Florida Atlantic’s Azarderakhsh said one of the best tools against attacks at colleges and universities is awareness — and understanding that truly everyone on campus can be used as a vector for a larger attack.

“People don’t take these things seriously,” he said. “Although we have a lot of cyber awareness at schools, people still come to universities easily sharing private data online — or even sometimes offline — to people they really don’t know.”

.

Please let us know if you're having issues with commenting.