Spyware, Spam, and other Threats
Malware is out there, in cyberspace, and ready to make a home on your network's computers. Malware, the catchall description for spyware, viruses, worms, and other IT nemeses, can do expensive and time-consuming damage to a campus system. Are you doing all you can to protect your IT assets?
University Business has come up with six essential steps that all IT administrators should be researching now to protect against threats.
Spyware is at the top of the list of IT security threats. Spyware is malware that clandestinely records users' online activity and even specific keystrokes. Often users are unaware that hackers have broken into their computers and are stealing data such as passwords and credit card numbers. The appearance of popup windows is one sure giveaway that a computer has been infected with spyware. Granted, many users give the OK for cookies to follow their online actions so they can access certain sites. An inordinate number of popups, however, is sure proof that spyware is lurking on a machine.
On campus, illegal filesharing is the most common path spyware takes to get onto computers, says Michael Cooper, program coordinator for the Technology Support Center, West Virginia University. Basically, if students are using Kazaa, Grokster, Morpheus, or any other free P2P service, an IT director can be sure that spyware is on their PCs and laptops, probably causing compatibility problems, watching users, hogging bandwidth to propagate itself, and slowing down the network.
Cooper combats the problem with network monitoring that identifies illegal P2P users, in part by noting if they are using an inordinate amount of bandwidth.
Those identified as illegally downloading music and movies are sent an online warning. The next step is to shut the user out of the network. "I am guessing we have 400 shutdowns per year," he notes. Students who are cut off from the network must bring their computers to the center for scanning. Through the use of Symantec software, machines are cleaned of spyware and any potential virus problems that can result from spyware infiltration.
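The bandwidth check and the warn-then-shut-out sequence described above can be sketched as follows. This is an added example, not West Virginia University's tooling: the host names, the traffic sample, the median-plus-deviation threshold, and the rule that a second flag triggers the shutout are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (day, host, megabytes). Not real campus data.
FLOWS = [
    (1, "dorm-a", 900), (1, "dorm-b", 1200), (1, "dorm-c", 700),
    (1, "dorm-d", 1500), (1, "dorm-e", 1100),
    (1, "dorm-f", 20000), (1, "dorm-f", 28000),   # two flows, same host
    (2, "dorm-a", 1000), (2, "dorm-b", 800), (2, "dorm-c", 1300),
    (2, "dorm-d", 900), (2, "dorm-e", 1200),
    (2, "dorm-f", 52000), (2, "dorm-g", 30000),
]

def daily_totals(flows):
    """Sum traffic per host per day: {day: {host: megabytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, mb in flows:
        totals[day][host] += mb
    return totals

def heavy_hosts(host_mb, k=5.0):
    """Hosts above median + k * MAD (median absolute deviation).

    The median-based spread is not dragged upward by the heavy users
    themselves, unlike a mean and standard deviation.
    """
    values = list(host_mb.values())
    if len(values) < 3:
        return set()                      # too few hosts to define "normal"
    med = median(values)
    mad = median(abs(v - med) for v in values)
    spread = max(mad, 0.1 * med)          # assumed floor so identical hosts do not give a zero spread
    return {h for h, v in host_mb.items() if v > med + k * spread}

def enforce(flows, k=5.0):
    """First flag yields a warning; any later flag yields a shutout (assumed policy)."""
    strikes = defaultdict(int)
    actions = []
    totals = daily_totals(flows)
    for day in sorted(totals):
        for host in sorted(heavy_hosts(totals[day], k)):
            strikes[host] += 1
            action = "warn" if strikes[host] == 1 else "shut_out"
            actions.append((day, host, action))
    return actions

if __name__ == "__main__":
    for day, host, action in enforce(FLOWS):
        print(f"day {day}: {host} -> {action}")
```

High bandwidth alone does not prove file sharing, which is why the article says it is only part of the identification; a flagged host is a candidate for review, not a confirmed offender.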
Such protection is necessary on campus given the continued popularity of free P2P downloads. Even though the Recording Industry Association of America has filed lawsuits against college students and IHEs, campus users continue to download. Consider the statistics issued by Student Monitor, a research organization. During the last month of 2004, 29 percent of all four-year, full-time undergraduate students admitted to downloading unlicensed music or movies. In general, males are more likely to download, with 40 percent owning up to the behavior, compared to 19 percent of females. And 35 percent of the students surveyed believed "almost everyone" on campus downloads illegal files and 75 percent are in favor of illegal file sharing because it is such a common activity.
Monitoring P2P use, and following through on the necessary cleanup and spyware checks, costs money and takes up staff time. But it is necessary. As Cooper says, "The music is free, but the problems aren't." All the more reason to get a policy in place regarding illegal file sharing and put the correct network safeguards in place to protect against illegal P2P activity and inevitable spyware problems.
A handful of colleges and universities, such as Pennsylvania State University, have subscribed to legitimate P2P services, such as the revamped Napster. In Penn's case, all students registered for at least one course during a semester can use the P2P service. Up until the last day of spring semester classes, 85 percent of Penn's student body had signed up for an ID and password and were downloading an average of 250,000 songs per day, notes Sam Haldeman, assistant to the associate vice provost. Getting such a volume of traffic to migrate to the legitimate service is saving bandwidth on the network, he adds.
Other schools, including Colby-Sawyer College (N.H.), are relying on the type of detection software that West Virginia University uses and have similar policies for shutting out P2P offenders.
Earlier this year, security company LANDesk added a spyware detection and removal application. It is a sure bet that many IT security companies will be promoting spyware protection in the same way they now focus on virus scans and spam. "Students can download anything on their own PCs and this introduces risks," says Dave Taylor, the company's vice president of Worldwide Marketing. The higher education sector is especially vulnerable because users are more mobile than corporate employees. Bringing laptops on and off campus, and plugging into several networks, adds to the security risks.
"People lose as much as 50 percent of bandwidth to spyware," notes Taylor, whose higher ed clients include Tufts University (Mass.) and Baylor University (Texas).
On a Monday morning in mid-May, Bryan Lucas, server administrator at Texas Christian University, knew something had gone wrong over the weekend. The university, which has an enrollment of 8,500, was pounded with about 2,000 e-mail spam messages--all in German. Worse, the spammers were able to hijack some of TCU's computers and use them as "zombies," embedding programming that commanded these computers to launch another 100,000 to 150,000 additional German spam e-mails.
While those receiving the messages hadn't a clue what they said, almost everyone recognized them as spam and called the university's help desk. "The number of calls swamped us," says Lucas. "My phone started ringing at 8 a.m.; my CIO met me at the door."
Luckily for TCU, certain spam and security safeguards were in place. Otherwise, these spam messages, which may have carried viruses with them, could have crippled the network, resulting in a denial of service. One of Lucas' first actions was to look at Symantec's website to get the latest spam and e-mail news. After an hour, information was posted on this latest spam attack. Next came a message from CipherTrust, an e-mail security company whose Iron Mail product is used by TCU. CipherTrust provided an explanation of what was happening: The messages were known as German political spam, which luckily did not carry viruses; they did contain German messages related to the 60th anniversary of World War II and the Allied bombing of Dresden. Some messages referred to the bombing as a "mass murder." Many of the e-mails included links to German political websites. Some used language that was translated as saying the senders were "against forgetting" the bombing of Dresden.
CipherTrust supplied remedy code that could be loaded onto the network to stop the spam attack.
Unfortunately, hackers will attack systems through common applications like e-mail, warns Ken Kleiner, system manager of the Computer Science Department at the University of Massachusetts, Lowell. Because servers allow e-mail traffic to get in and out, hackers commonly attack the code that runs e-mail software. Given e-mail's security vulnerability, and the proliferation of spam, some universities are considering blocking forwarding options to Hotmail, Yahoo, and other free e-mail accounts.
The high volume of spam moving around the internet will certainly slow systems down. A reported 15 percent of the 400,000 daily e-mail messages that come into George Mason University (Va.) carry viruses. That amount of malware drags on a network's performance.
Adding to the e-mail security problem is the nature of higher education. "Typically in a university setting, dare I say, the IT environment can be chaotic," says Tim Griffin, director of ITS Systems and Networks for Mississippi State University. There is always a lot of legacy "baggage," he notes. Where the corporate IT world might replace hardware every two years, the world of higher ed doesn't have that luxury. The same is true for software and related applications. The end result: IHEs hold on to a mix of legacy e-mail systems that faculty users simply won't part with. Then again, campus IT directors also serve the early adopters who will be the first to ask about Google Gmail accounts or other new applications.
"We have five different e-mail environments here," says Griffin, who suspects that trying to impose standardization at MSU would be futile. "To standardize is to imply authority," he adds. The higher ed environment rails against limits, maintaining the ideal of an open exchange of information and ideas.
Griffin's solution has been to find an e-mail security product that works with a variety of e-mail clients. All MSU e-mail runs through Roaring Penguin's anti-spam software. This particular company bases its software on open-source tools, says Griffin. "Their spam software sits in front of any solution, allowing you to have many e-mail packages." And while network users can opt out of having their e-mail filtered, they must agree to run all messages through an anti-virus program.
"Our entire campus is behind a firewall," says UMass's Kleiner. This firewall acts as a protection to deny unwanted traffic from having access to the network. For example, students and faculty using the system can have access to certain web servers, but they do not have access to the department's FTP server. "We close all the doors, except a few," says Kleiner.
His department also relies on Auditor 128, a network appliance that monitors traffic. "This application scans the network for vulnerabilities," says Kleiner, and provides analysis on the fly. The auditor scans e-mail and network traffic and looks for trouble. "It looks for weaknesses in the code," says Kleiner. Then the program sends an e-mail suggesting that he might want to install a software patch for protection. "Every day we get an update on the latest vulnerabilities," he concludes.
Nearby, at the University of Connecticut's School of Business, Nortel and other vendors safeguard the students' leased laptops and high-speed internet connections in the school's 14 classrooms and faculty offices. Security systems further manage student access to network resources, not just by turning networks on and off, but by allowing professors to specify what types of networks the students can use. Nortel's Optivity Policy Services controls access to UConn's "Financial Accelerator" trading floor, a business center that provides students with real-time brokerage feeds.
"Giving students laptops was a bit of a distraction in class," says Michael Vertefeuille, director of information technology for the School of Business. Through network access controls, professors are able to turn protocols on and off, in essence controlling what students do in class and protecting the network from any malware students might inadvertently download.
At Colby-Sawyer College, the IT administrator is most concerned with protecting computers from damage done by students. Anytime they plug their laptops into the network, whether in their dorm rooms or elsewhere on campus, they introduce the possibility of downloading malware and spreading it throughout the network, says Scott Brown, information security analyst. "I recently saw one computer with more than 5,000 infections on it," he says, adding that oftentimes service packs will fail to clean up the mess thoroughly because the infections are so bad. More typically, a student's computer might have 400 to 500 infections, he says. "Cleaning up something like this is so time-consuming and the computer can barely function. It has taken up to three hours to work on a computer riddled with spyware."
For him the antidote will be mandated security scanning and access for each computer. Beginning with the 2005 fall semester, every student and network user will have to agree to a scan done by the product NOD32 offered by the company ESET. Every port to every student computer will have to be registered with the college.
UConn's School of Business has equipped every laptop with a personal firewall. This is exactly what it sounds like: an individual firewall for every computer in the school. "We used to centralize protection," says Vertefeuille, "but we found that when one machine gets attacked, they all get attacked. We had to block things at the machine level."
Vertefeuille calls this "edge protection," as opposed to the traditional "core" approach. "We are able to block viruses at the end-user's port," he asserts. UConn's School of Business began going to the "edge" two years ago. Putting these safeguards in place helped protect the network from the I Love You and Nimda viruses. "We tracked specific patterns on the network and could block the e-mail containing the virus at the computer port level," he explains.
MSU strongly encourages users to have personal firewalls, but the school doesn't require that they do so, says Griffin. His first suggestion is for Microsoft Windows users--which make up 90 percent of the computer users on campus--to turn on the personal firewall application built into Windows XP Service Pack 2. "It is better than using nothing," he notes.
The list of colleges and universities that have experienced security breaches gets longer by the day.
Academe walks a fine line between fulfilling its mission as an open institution and safeguarding IT data. This spring, administrators at Jackson Community College (Ohio) learned the hard way that it is necessary to err on the side of caution when it comes to protecting assets. The college reportedly was almost 90 percent finished with shielding its network behind a firewall when a hacker was able to access Social Security numbers housed on one of the computers not yet protected. The upshot: 8,000 people had to be notified about the security breach and all IT administrators had to scramble to issue new network passwords to everyone on campus and quickly move away from a Social Security-based ID system.
At the University of Toledo (Ohio), IT administrators have already been granted $15 million to begin the overhaul of the computer network, including revamping the ID system to replace Social Security numbers with other codes, according to media reports. Many other IHEs, including Texas Southern University, have announced network changes. This spring, TSU said it will be dropping Social Security numbers in favor of random ID numbers for its 11,000 students. The university describes the switch as a "large-scale project" that will take up to 12 months to complete.
Malware and spyware are the latest buzzwords. But new threats are coming. Phishing scams, which include urgent spam messages that plead for consumers to supply bank account information and credit card numbers in the effort to "verify" accuracy, are fairly easy to identify. But phishing is getting more sophisticated as hackers get savvier. New phishing scams are timed so that e-mail recipients are tricked into giving out information early in the month, so that they will not notice problems for 30 more days, when they receive their bank statement or other monthly bills.
There are, no doubt, more layers of complexity that IT directors will have to be wary of in the months ahead.
According to a survey commissioned by MailFrontier and conducted by Insight Express in March 2005, 56 percent of IT directors are worried about phishing, yet only 40 percent have protection against phishing e-mail scams. In addition, 45 percent of those surveyed are concerned about zombie attacks--the backdoor programs that lay dormant on an in-house computer until commanded to launch attacks on other computers and networks. But only 45 percent have protection against zombies.
According to Educause's Current Issues Survey on IT trends, IT security and identity management is fast becoming the most critical issue, surpassing IT funding in its potential importance.
"Perhaps more important than security breaches is the fundamental issue of individual computer vulnerability, which can turn machines into open doors or worse," according to the Educause survey summary. "Without a comprehensive plan to protect institution-owned, as well as personally owned, network-connected computers from malware, there can be no reasonable level of reassurance."