Recovery on schedule following website attack
February 21, 2011
In the two weeks since the attack on SVSU’s website, work has gone on around the clock to understand exactly what happened and to prevent future attacks.
According to Ken Schindler, executive director of Information Technology Services (ITS), his office has pieced together some evidence from the attack, but there are questions left.
“We are still digging up clues to what happened,” he said. “It’s like panning for gold.”
ITS said that the attack was caused by two vulnerable points in the University’s system: the content management system and a student organization website. The security of the student organization websites has already been fixed. Student organizations now have their own dedicated server to host websites. The separation of the servers will make it more difficult to directly access the University website’s content should a future attack occur. With this change, the only differences student organizations will see are some new file pathnames to follow and URL changes.
Schindler said that he wants to assure students that their information is safe. The Cardinal Direct server, which holds student financial information and personal data, is completely independent and segregated from the website.
“Think of the website as more of a billboard for information,” Schindler said.
Although the attack was primarily based around spam and the e-mail system, there is no danger to student e-mail. The University’s system employs two-way firewalls, which filter incoming and outgoing communication. The spam that was meant to be sent from the system never made it out. The SVSU domain name should not be listed on any e-mail blacklists, which can prevent e-mail from being delivered to its intended recipient.
Another area affected by the attack, the Microsoft Developer Network Association Alliance (MSDNAA) software repository, should be fully functional again this week. The MSDNAA allows students to download discounted Microsoft programs. Schindler said that he hopes students understand that there is a priority in getting certain repairs done first. These repairs include fixing access to transfer equivalency, buttons to the Cardinal Direct page, links for schedule planner systems and important business forms.
He also said that he wants students to know that the team working on the website repairs is “very close to pulling the trigger and going live with the newly reworked site.”
According to the ITS News blog, the current tasks that the team faces include fixing the remaining navigation errors so that web pages follow their paths, activating broken links so hyperlinks lead to their respective content and rebuilding the SVSU search function to return better results.
The source behind the attack has been traced to servers in Eastern Europe, but there is currently no indication that the attacks originated there. The servers in Europe may have been a point to relay information in an attempt to disguise the actual source of the attack.
Even though this isn’t the first time the school has faced this type of attack, the day-to-day defenses do succeed on a regular basis. According to Schindler, the SVSU website is probed thousands of times a day. The University’s protective firewalls have done their jobs in keeping those probes from penetrating any systems and exploiting other possible vulnerabilities. Expert studies on cyber attacks have led to the conclusion that the most recent attack was not necessarily targeted directly at SVSU. Botnet attacks, which aim to gain control over a large quantity of computer systems, are not usually aimed at a specific target; instead they target vulnerabilities in system software. The target selected by this particular botnet was SVSU’s content management system.
In light of the attack, ITS brought in Cast Iron Coding, an expert organization based in Oregon, which updated the school’s content management system. Schindler said that he is pleased that they have been so dedicated to getting our system back up and running.
“They have a five-man team and have dedicated two of their employees to us,” he said.
There are 55 student employees who have also been working at all hours of the day and night. “My staff did a really good job and have been working very diligently despite the circumstances,” he said. “They have worked their butts off for the past week.” He added that a few employees are working well into the night hours testing links on web pages and preparing a full launch of the new website. The attack has allowed student workers to apply their knowledge to a real-world problem. Four students have used information from their courses to repair web pages and interactive forms on those pages.
Students are also working in disaster recovery training with regard to the website.
As for future litigation with regard to the attack, the ITS office is cooperating with SVSU police and is prepared to take the case to prosecutors if strong evidence surfaces. However, because the attacks are traced to locations thousands of miles outside of U.S. jurisdiction, there may not be any prosecution. “Once it goes offshore, the rules change,” Schindler said.
Despite this, forensic information gathered in the investigation will be added to a repository of cyber attack information. Some of this information could lead to the eventual capture of the attacker, but it is unclear whether so vast an amount of information will be helpful, given its size.