Cyber Security
December 10, 2015
Scott Shields, head coach of the Whitman Cross Country Team, feels like he’s “a guy who is pretty careful,” when it comes to the art of computer-virus defense. He received an email recently from an administrative receptionist. It had the Whitman Clock Tower Logo, and it said “You have an important message at you Message Board. We cannot verify your Single Sign-On. Did you recently change your… Update Needed.” It requested a password update, and then said “View this message,” with a hyperlink. He clicked it, and was taken to the Whitman log-in page. He entered his email and password–mechanical motion at this point–and then… something felt weird. He froze, turned everything off and called Brian Griffith.
Brian Griffith is Whitman’s new Information Security Officer (ISO). New not because he recently replaced someone, but because the position has only been around for a year. Griffith, who previously worked in other areas of the Whitman tech department, estimates that Shields was one of thirty-ish victims in the Whitman community of this particular phishing attack. Like most, Shields immediately changed his password, and it seems that a crisis was averted. These attacks–fishing is an apt analogy, as the hackers essentially just throw lines out there, hoping people will bite and reveal their passwords–are common. But this one was unique and worrying in that the attackers went to the trouble to actually replicate Whitman’s seal and log-in page. This was not some shot in the dark; it was thoughtful and targeted.
Griffith says that Whitman is generally a pretty small target, so these sorts of specific attacks are rare. Not so at bigger schools, like the University of Oregon, where it is not uncommon to have multiple ISO positions. Still, at this point Whitman’s decision to create an ISO position makes it unique among schools of its size.
As our world becomes increasingly (and more opaquely) digitized, cyber-security grows essential. We do not understand the systems we use and we do not understand what it means to obtain personal data.
Your email is real, and it is a cyber-security nexus for a variety of reasons. You probably use the same password for a number of different accounts. Your email is also connected to private data–call records, software license keys, photos, maybe even your current location. It is a port for spam. Last year, hackers sent emails advertising gold watches to the contacts of compromised Whitman emails. It is the tool by which you change your passwords for other accounts, which are worth real money. Krebs on Security has documented 8 dollar sales of individual iTunes accounts, 5 dollar Groupon accounts, and Facebook and Twitter accounts at the price of a bagel and cream cheese.
When my brother studied jazz in Brazil a few summers back, my family got an email (this was just before Viber, so email was still the way to go) from Daniel talking of old friends, details of home and also his plans to jet ski soon. A few days later, he emailed us that he crashed–not badly hurt though certainly banged up!–and that his passport was confiscated until he could pay off the damage to the jet ski. The parental craze was ignited, money was Western Unioned on down, and it wasn’t until a few days later when dad irritably told Daniel by phone that no he would not send money for the scuba lessons he had just requested by email–was he insane?–and Daniel didn’t know what he was talking about that dad confusedly hung up the phone, thought to himself for a few seconds, and then… shit.
Just as with Shields, in retrospect, it seems so stupid–the signs were all there. Why would Sarah, the administrative assistant, request a password change? Why on earth would Daniel request money through Western Union?
“When it becomes so ubiquitous people don’t even think about it anymore, that’s a little scary,” said Griffith. “You rely on big corporations like Apple or Google and you just assume that this stuff is secure, but a lot of times there’s things we do that make it a lot less secure than it could be.”
There is little risk of anyone nefarious gaining entry to Whitman’s hardware–Griffith himself doesn’t even know the code to the Olin server room–but the networks, the cyberspace, that’s where things get tricky.
“In the good old days before we had a handle on this stuff, if you had a virus it could spread computer to computer on a network,” says Griffith. This is where public networks like Whitman_wifi_hotspot are risky. Not only is it fairly easy to intercept information traveling through the network, malware can spread, lie in wait, and be difficult to contain, or even identify. Despite this, and the fact that Whitman_wifi_hotspot is intended for guests, it still often has more users at a given moment than whitman_secure.
Phishing is a simple concept: trick people into giving you their credentials. Here, Griffith is particularly concerned about those working in administrative offices that deal with social security numbers, or any other sensitive information that might be stolen and distributed on the internet. Malware is also a danger.
Distributed Denial of Service (DDoS) attacks, associated with the vigilante hacker group Anonymous, are made possible by one type of malware, which brings a computer, often without informing the owner, under the power of a distant command server. Typically this computer is one of thousands of others that constitute what is known as a botnet. When the time is right, these zombie computers, which are periodically phoning home, can be simultaneously turned on a single website, flooding the server with more packets than it can handle, such that it crashes.
Griffith does not mandate that users of the Whitman network use antivirus software (many schools do). Rather, the “secure” in the “whitman_secure” Wi-Fi network is legitimized by three safeguards. Password protection ensures that the tech team knows who is on the network. General encryption ensures that any data that passes through the network is unreadable, even if it is somehow obtained. The third component of whitman_secure is a system of firewalls that monitor servers and network traffic for threats and bad activity. Griffith says this is a baseline. These firewalls analyze fundamental levels of the information, working packet by packet.
A packet is a constituent element of a larger data file (an email, perhaps) that has been broken down for ease of transport. It is composed of bytes, which, in the case of your email, might each represent a character. For example, under the American Standard Code for Information Interchange (ASCII), a capital “J” is represented by the binary representation of 74 (01001010). These representational systems are arbitrary, in the sense that there is no intrinsic connection between the representation and the information itself. Perhaps that 74 instead stands for the 74th level of darkness for the fifth pixel in the attached photo of your cat.
Each 1 or 0 is a binary digit, or a bit. We conceive of the information in terms of 1’s and 0’s, but at the physical level these 1’s and 0’s are really just mental representations of an electrical switch being on, or off.
In an uncompressed file, every character is represented by eight of these bits in the form of a byte. A megabyte is around one million bytes. At 206,053 words, the text of Moby Dick could be represented in roughly a single megabyte.
A packet is typically around 1000 bytes, which contain all sorts of information–IP address of sender and intended receiver, the packet’s position in the sequence (e.g. fifth out of 500), a flurry of other relevant instructions and, of course, in the case of your email, the message itself. These packets take different routes–perhaps one will go through Seattle’s Internet exchange in the Westin hotel, and then Yakima, before arriving in Walla Walla. If Yakima is particularly jammed up, another packet might bypass the city altogether.
Before these packets are neatly rearranged for consumption and appear on your email screen, they are screened by tech security. They are not screened for content–they are investigated at a deeper level than that, and Griffith says he has “no idea what websites people go to”–rather tech’s systems seek out patterns, and compare packet signatures against those of known malware.
Kevin Kelly, the school’s Director of Technology Infrastructure, runs the Whitman server system. North Hall holds the primary server room and Olin, the secondary. The server room in Olin holds a row of racks. One rack holds a collection of fifteen or so servers currently processing information for the Chemistry department. Fiber optics, which web all throughout campus, surface and loop in another rack amongst cables red and blue and orange. As we walked down the racks, Kelly was particularly stirred by the sight of his brand spanking new virtual servers, whose virtues he listed at considerable length.
The system seems superfluous, but this is before one considers the scale of the Whitman network. The tech department’s extensive monitoring software counted a total of 245 wireless access points (the white square blue-lit boxes on ceilings hither and thither), and had logged roughly two million events (log-ins, site visits – action essentially) in the past 24 hours. New hard drives were installed over the summer, and now that information is doubled for redundancy, about 80 percent of the 150 terabytes available are occupied. This doesn’t even include our emails, which Google now hosts, a concern for Griffith, because it is difficult to monitor what people put in the cloud. But in-house data is more than bulky enough: student data, a library looking to digitize. As of last year, Matt Banderas and his photography team were using two terabytes alone.
Kelly, Griffith and others on the tech team monitor these systems with an array of software. One program, which the team has automated so that it now acts on its own, informed Kelly that it had detected a brute force log-in attempt 30 minutes earlier. Somewhere a computer had been cycling through thousands of passwords–this is why you use a strong password–and Whitman’s program had blocked the responsible IP address for 24 hours. This is common fare.
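Detection logic of the kind that paragraph describes, as an added example rather than the Whitman team’s own tool: it counts failed log-ins per source address over a sliding window and, once a threshold is crossed, records a 24-hour block for that address. The log format, the threshold and the window are assumptions, and the log lines are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system); the 203.0.113.x and
# 198.51.100.x addresses are reserved documentation ranges, so no real host is named.
SAMPLE_LOG = """\
2015-12-10T07:55:03 FAILED user=alice src=203.0.113.7
2015-12-10T07:55:04 FAILED user=bob src=203.0.113.7
2015-12-10T07:55:04 FAILED user=carol src=203.0.113.7
2015-12-10T07:55:05 FAILED user=dave src=203.0.113.7
2015-12-10T07:55:05 FAILED user=erin src=203.0.113.7
2015-12-10T07:55:06 FAILED user=frank src=203.0.113.7
2015-12-10T08:01:10 FAILED user=alice src=198.51.100.9
2015-12-10T08:01:40 OK user=alice src=198.51.100.9
2015-12-10T08:20:00 FAILED user=bob src=198.51.100.9
"""

FAILURE_THRESHOLD = 5                 # assumed: failures that trigger a block...
WINDOW = timedelta(minutes=10)        # ...within this sliding window
BLOCK_DURATION = timedelta(hours=24)  # the 24-hour block the article mentions

def parse_line(line):
    """Return (timestamp, outcome, source_ip) for one constructed log line."""
    ts, outcome, rest = line.split(" ", 2)
    fields = dict(f.split("=", 1) for f in rest.split())
    return datetime.fromisoformat(ts), outcome, fields["src"]

def detect_brute_force(log_text):
    """Return {ip: block_expiry} for every source that exceeds the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocks = {}
    for line in log_text.splitlines():
        ts, outcome, ip = parse_line(line)
        if ip in blocks and ts < blocks[ip]:
            continue              # already blocked; nothing more to decide
        if outcome != "FAILED":
            continue              # successes do not count toward the threshold
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()           # forget failures that fell out of the window
        if len(q) >= FAILURE_THRESHOLD:
            blocks[ip] = ts + BLOCK_DURATION
            q.clear()
    return blocks
```

The second address never reaches five failures inside one window, so only the first is blocked; a real deployment would feed the block list to a firewall rather than just return it.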
Brian Griffith divides what he does into three sections: the technology side, which involves the systems heretofore described, the policy side and the people side.
The policy side is about administrative commitment and established best practices for computer usage. Griffith mentioned the prospect of mandated cyber-security courses, similar to the sexual harassment training every Whitman employee must periodically take.
The people side is what Griffith, who had previously worked primarily on the technological end of these operations, thought would be his biggest challenge, even though he believes it is “probably the most important for a place like Whitman.” Cyber-security, despite pop-culture associations, is not sexy. People don’t want to use multiple passwords, despite the prevalence of extremely secure and usable password safes. People don’t want to use two-factor authentication because then there is an extra thing. People don’t want to take a mandatory cyber-security class, because for most that sounds lame. In cyber-security, to be noticed is for something to go wrong.
Griffith says that his primary interest is in “teaching users how to basically be safe online with their Whitman digital lives…There’s an interesting balance in information security in higher ed–in higher ed you want an open environment, you want open dialogue and collaboration and access to information, and that kind of traditionally flies in the face of information security where you close things down as tightly as possible. It’s a balancing act… I want to enable the academic experience as much as possible, and keep things as safe as I can. It’s a fine line to walk at times.”