
Brian Lesser, Ryerson’s chief information officer, stands in front of a part of the CCS’s computer security system. (Courtesy: Alex Chronopoulos)
Ryerson students are at war. In fact, anyone with a mobile or computing device is at war. While this conflict has no physical battleground, it can compromise everything from our Twitter passwords to our social insurance numbers to our very identities.
Last week, Ryerson’s Computing and Communications Services (CCS) launched a new initiative to block more malicious IP addresses from Ryerson’s networks. This is the latest defensive measure from a plan that was established nine years ago, according to Brian Lesser, Ryerson’s chief information officer, who helped write the new network server security policy.
The truth is, Ryerson is constantly under attack. There is a persistent stream of malware sent to email servers from thousands of machines in over 100 different countries. Lesser explains that the most common threat is brute force password guessing. As such, CCS has developed a series of successful protocols to prevent and mitigate this type of attack.
This initiative, combined with new password rules and a two-factor authentication process, all work together to better protect Ryerson accounts from cyberattacks. Although there has been a small rise in hijacked accounts in 2016, Lesser explains that Ryerson will continue to push two-factor authentication, which is the best thing anyone can do to protect their account.
“Defending you against cyberattacks requires a layered approach,” says Lesser.
While this seems confusing, especially to those who are not technologically minded, it is actually quite simple to understand.
Lesser explains that a connection over the Internet begins with two machines talking. One machine announces that it wants to talk by sending a packet to the other; the second machine acknowledges the request and replies with a packet of its own. The firewall inspects this opening exchange. If the address trying to open the connection is on the block list, or if no rule explicitly permits the connection, the firewall drops it and the exchange never completes. When a connection is allowed, the firewall remembers the session, watches it and records it, so later packets in the same conversation pass without being re-evaluated. Denying by default is essentially the firewall’s version of whitelisting: unless it specifically allows something, it denies it.
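The behaviour described above, as an added toy example and not CCS’s firewall or its real rule set: a stateful, deny-by-default filter that keeps a block list, accepts only new connections an explicit rule permits, and remembers accepted sessions so the reply half of the conversation is let through. Addresses come from the RFC 5737 documentation ranges and the packets are constructed inline.

```python
"""Toy stateful, deny-by-default packet filter (added illustration).

Not Ryerson CCS's firewall. Rules, addresses and packets are hypothetical.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN (new connection), "SA" = SYN/ACK reply, "A" = ACK/data


@dataclass
class Firewall:
    # Explicit allow rules: (source network, destination port). Nothing else gets in.
    allow_rules: list = field(default_factory=list)
    # Addresses dropped no matter what the allow rules say ("block more malicious IPs").
    blocklist: set = field(default_factory=set)
    # Sessions already accepted; their replies pass without re-evaluating the rules.
    sessions: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @staticmethod
    def _session_key(p: Packet):
        # Same key for both directions, so the reply matches the request.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def _rule_allows(self, p: Packet) -> bool:
        src = ip_address(p.src)
        if src in self.blocklist:
            return False
        return any(src in net and p.dport == port for net, port in self.allow_rules)

    def filter(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        key = self._session_key(p)
        if key in self.sessions:
            verdict = "ACCEPT established"
        elif p.flags == "S" and self._rule_allows(p):
            self.sessions.add(key)          # remember the conversation from now on
            verdict = "ACCEPT new"
        else:
            verdict = "DROP"                # deny by default
        self.log.append(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] {verdict}")
        return verdict != "DROP"


def build_firewall() -> Firewall:
    # Hypothetical policy: one client range may reach HTTPS on the server; one host is banned.
    return Firewall(
        allow_rules=[(ip_network("203.0.113.0/24"), 443)],
        blocklist={ip_address("203.0.113.99")},
    )


def run_demo() -> list:
    """Push a constructed packet sequence through the filter; return the verdicts."""
    fw = build_firewall()
    packets = [
        Packet("203.0.113.5", "192.0.2.10", 40000, 443, "S"),    # permitted new connection
        Packet("192.0.2.10", "203.0.113.5", 443, 40000, "SA"),   # reply: matches the session
        Packet("203.0.113.5", "192.0.2.10", 40000, 443, "A"),    # same session, data
        Packet("198.51.100.7", "192.0.2.10", 40001, 443, "S"),   # no rule allows this source
        Packet("198.51.100.7", "192.0.2.10", 443, 51000, "SA"),  # "reply" with no session: dropped
        Packet("203.0.113.99", "192.0.2.10", 40002, 443, "S"),   # in range, but block-listed
    ]
    verdicts = [fw.filter(p) for p in packets]
    return verdicts


if __name__ == "__main__":
    fw = build_firewall()
    run_demo()
    for line in build_firewall().log or fw.log:
        print(line)
```

The fifth packet is the point of keeping state: a SYN/ACK that does not belong to a session the firewall already accepted is dropped even though the ports look plausible, which is what separates a stateful filter from a plain address list.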
We’ve all had to answer security questions about ourselves when we sign up for accounts. Those are really a second password rather than a second factor: they are still something you know, and a scammer may know them too. Two-factor authentication goes beyond the password by also requiring something you have, typically a one-time code generated on or sent to your phone, so a guessed or stolen password on its own is not enough to log in.
Ryerson now offers two-factor authentication for its email service. Other companies, such as Apple, Google, Yahoo, MSN and Twitter, offer a similar security measure.
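How the second factor used by authenticator apps is actually computed, as an added example and not Ryerson’s or any of the named companies’ code: the RFC 4226 HOTP and RFC 6238 TOTP algorithms, checked with the RFC test-vector key, plus a hypothetical `login()` that refuses access unless both the password and the current code are right. The user record, salt and password are constructed for the illustration.

```python
"""HOTP (RFC 4226) / TOTP (RFC 6238) one-time codes and a two-factor login.

Added illustration, not Ryerson's implementation. The shared secret below is
the RFC test-vector key "12345678901234567890" (base32-encoded as an
authenticator app would receive it); the user record is constructed.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter = Unix time // step."""
    t = int(time.time()) if at is None else int(at)
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift)."""
    t = int(time.time()) if at is None else int(at)
    counter = t // step
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


# --- a two-factor login using the code above (hypothetical account data) ---
SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # RFC test key
PASSWORD_SALT = b"constructed-salt-for-the-example"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)


USERS = {
    "student": {"pw_hash": hash_password("correct horse battery staple"), "totp_secret": SECRET},
}


def login(user: str, password: str, code: str, at=None) -> bool:
    """Both factors must pass; a correct password with a wrong code is refused."""
    rec = USERS.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(rec["pw_hash"], hash_password(password)):
        return False
    return verify_totp(rec["totp_secret"], code, at=at)


if __name__ == "__main__":
    print("current code:", totp(SECRET))
    print("login with password only-style guess:", login("student", "correct horse battery staple", "000000"))
```

A brute-force password guesser that lands on the right password still fails `login()` without the code, which is why the article calls two-factor authentication the best single step for protecting an account; the `window` argument is the usual trade-off between tolerating clock drift and widening the guessing window for the six-digit code.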
Ann Cavoukian, former information and privacy commissioner of Ontario and current executive director of Ryerson’s Privacy & Big Data Institute, has collaborated with the Ted Rogers School of Management to develop a new master’s program, Enterprise Information Security, Privacy and Data Protection, which launched in January.
She also teaches the course “Privacy by Design: The Global Privacy Framework” at the Chang School. This course aims to explain what you need to know to ensure that your data is secure but also properly used.
“There are a lot of misconceptions about privacy,” says Cavoukian. “A lot of people think that privacy is about secrecy, but actually it is about control.”
She says that this message is one that can be disseminated across the board, from the undergraduate to post-graduate level.
Universities are prime targets for malicious actors, as they can be lucrative sources of intellectual property and personal information. In May, the University of Calgary was attacked and forced to pay the unknown actor a $20,000 ransom. This type of attack that sees malicious software designed to block access to a system until a sum of money is paid is fittingly called ransomware.
The attack encrypted the university’s staff and faculty email network, and the money was paid to get the decryption key.
Rutgers University suffered six DDoS attacks in 2015, despite the university investing $3 million and hiring three cyber security firms. The first five attacks were carried out by a hacker called Exfocus, who was commissioned by an underground network and paid in Bitcoin, while the sixth attack was carried out by an unknown actor and targeted the university’s online learning portal.
DDoS, or distributed denial of service, attacks are among the most common cyberattacks. They use many compromised systems to flood a single target with traffic until legitimate users can no longer reach it. Norse Corp., a computer and network security firm based in California, has created a live attack map that shows attacks as they are launched around the world in real time.
Pennsylvania State University has also been the subject of recent cyberattacks carried out by APTs (advanced persistent threats) that exposed the personal information, including social security numbers, of about 18,000 students. It is estimated that the attacks began in September 2012 but were not discovered until November 2014.
Lesser explains that malicious actors have a lot to gain from attacking universities. They can send spam for free from hijacked accounts, and make money from a successful ransomware attack. He says that information found in your email or on your computer may be used for credit card fraud or other types of fraudulent activity. He also warns that confidential research data can be accessed and then used or sold.
In one recent case, a student launched a cyberattack in April 2015 at the University of Birmingham. Bioscience student, Imran Uddin, 25, plugged keyloggers into his professors’ computers to retrieve their passwords in order to access exam applications to bump up his grades. Following the attack, Uddin was sentenced to four months in jail.
While the possibility of a cyberattack has become almost inevitable, Lesser explains that there is a lot that students can do to protect themselves from becoming victims.
In addition to using two-factor authentication, he encourages students to keep their operating systems and antivirus software up to date. He also advises not to open emails or attachments from unknown sources. If you must look at an attachment, he explains, use a viewer instead of opening it in the full application on your computer. As well, ensure Microsoft Office macros are not enabled.
“A recent scam involves sending fake invoices that claim they cannot be read properly without enabling macros. Don’t fall for it,” says Lesser.
Lastly, do not use file sharing or free file download services to download movies, music, file sharing utilities, and applications. Lesser explains that if you insist on using one of these services, do so on a computer that you do not use for anything important or that contains confidential personal information.
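A check that follows Lesser’s attachment advice above, added here as an example and not a CCS tool: a modern Office file (.docx, .docm, .xlsx and so on) is a zip package, and a VBA macro project ships inside it as a `vbaProject.bin` part. The function below looks for that part before anyone is tempted by an “enable macros to read this invoice” banner, and flags the legacy binary format, which it cannot inspect. The sample packages are constructed in memory.

```python
"""Flag Office attachments that carry a VBA macro project (added illustration).

Not a Ryerson/CCS tool. The sample packages built by make_package() are
constructed stand-ins for an emailed "invoice", not real documents.
"""
import io
import zipfile

VBA_PART = "vbaproject.bin"                      # OOXML part name that holds VBA macros
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound-file signature
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def has_vba_macros(data: bytes) -> bool:
    """True if the OOXML (zip) package contains a vbaProject.bin part anywhere."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as package:
            return any(name.rsplit("/", 1)[-1].lower() == VBA_PART for name in package.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename: str, data: bytes) -> str:
    """One-line verdict for an attachment, from the bytes rather than the icon."""
    if data.startswith(OLE_MAGIC):
        return "legacy binary Office file: may carry macros, open only in a viewer"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not an Office package"
    if not has_vba_macros(data):
        return "no VBA project found"
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return "VBA macros present: do not enable them"
    # A macro project inside a file whose extension claims to be macro-free.
    return "VBA macros present but extension is not macro-enabled: suspicious"


def make_package(with_macros: bool) -> bytes:
    """Build a minimal constructed OOXML package, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            package.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docm", make_package(True)),
                       ("invoice.docx", make_package(True)),
                       ("notes.docx", make_package(False)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 16)]:
        print(f"{name}: {triage(name, blob)}")
```

The check is deliberately on the bytes, not the extension: a package with a VBA project but a `.docx` name is the more interesting case, and the legacy OLE format is reported rather than guessed at, since parsing its macro streams needs a dedicated tool.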
“Our biggest challenge is time and resources, and picking our battles,” says Lesser.
Cavoukian’s advice to students is simply, “don’t be stupid when you go on Facebook.” Saying that she does not mean to be disrespectful, she explains that today more than ever everyone needs to be smart about what they share on the Internet. Referencing the ongoing Hillary Clinton email scandal, she explains that once something is shared online, it has the potential to be there forever.
“Your lives are just starting, you’re just about to enter the workforce, you don’t want things like this to restrict you or your opportunities. So, be very careful about what you put online,” she says.
Cavoukian suggests that encryption tools can be very useful for students who want an added layer of security. She recommends PGP (Pretty Good Privacy) as the “gold standard” of encryption tools, and offers the Tor browser and the DuckDuckGo search engine as alternatives to mainstream services, which are more likely to track your online presence.
“Privacy is essential to freedom,” says Cavoukian. “You cannot have free and democratic societies without the foundation of privacy.”
She explains that we are all entitled to zones of privacy where we can have time for reflection and time to talk to your loved ones without worrying about being watched.
“People always say, ‘if you have nothing to hide, you have nothing to fear,’ and I always say that that could have been the motto of the Stasi police in the Third Reich, because it presupposes that the government has the right to access all your information. And that’s not freedom or democracy,” she says.
Alexandra is the Features Editor at the Ryersonian.