As thousands of freshmen move into their dorms for the first time, there’s plenty of thoughts rushing through their minds: their first time away from home, what cringey nickname they’re gonna try to make a thing, if there are any parties before orientation kicks off.
But one thing that probably isn’t on their minds is whether they’re going to get hacked.
That’s all Carnegie Mellon University’s IT department thinks about. Back to school season means hordes of vulnerable computers arriving on campus.
The beginning of the semester is the most vulnerable time for a campus network, and every year, with new students coming in, schools have to make sure everything runs smoothly. Carnegie Mellon’s network gets hit with 1,000 attacks a minute — and that’s on a normal day.
Cybersecurity is an increasingly important aspect of our everyday lives, with technology playing a massive role in nearly everything we do. Universities have been vulnerable to attacks in the past, with cybercriminals stealing student and faculty databases and hackers vandalizing university websites.
Students are often targets for hackers, even before they’re officially enrolled. Considering how much money flows into a university from tuition costs, along with paying for room and board, criminals are looking to cash in on weak campus cybersecurity. An added bonus for hackers: Admissions offices often hold data with private information like student Social Security numbers and addresses, as well as their families’ data from financial aid applications.
It’s how thieves were able to steal $30 million from the IRS and put nearly 100,000 people at risk of identity theft, thanks to a vulnerability with a financial aid application tool. Even as an alumnus, I still get warning emails from my alma mater, Syracuse University, about phishing attempts.
School of phish
Phishing attacks are when hackers steal passwords by sending links to fake websites that look like the real deal. It’s how Russians hacked the Democratic National Committee during the presidential election, and it’s a popular attack to use on universities as well.
The latest warning, sent Monday, called out malware hidden in a document pretending to be from Syracuse University’s chancellor.
Digging through my old emails, I found about 20 phishing warnings that had gone out during the four years I’d been there. Syracuse University declined to comment on phishing attacks against the school, but in a 2016 blog post, it said the attacks were “getting more frequent, cunning and malicious.”
The school is not alone. Duo Security, which protects more than 400 campuses, found that 70 percent of universities in the UK have fallen victim to phishing attacks. Syracuse University, which uses Duo Security, prevents phishing attacks with two-factor authentication, which requires a second form of identity verification like a code sent to your phone. But it just rolled out the feature last year.
Kendra Cooley, a security analyst at Duo Security, pointed out that students are more likely to fall for phishing attacks because they haven’t been exposed to them as frequently as working adults have. Also, cybercriminals know how to target young minds.
“You see a lot of click-bait phishing messages like celebrity gossip or free travel,” Cooley said.
All students at Carnegie Mellon are required to take a tech literacy course, where cybersecurity is a focus, said Mary Ann Blair, the school’s chief information security officer. The school also runs monthly phishing campaigns: If a student or faculty member falls for the friendly trap, they’re redirected to a training opportunity.
When your network is being hit with at least two phishing attempts a day, Blair said, it’s a crucial precaution to keep students on guard.
“It’s just constantly jiggling the doorknobs to see if they’re unlocked,” Blair said. “A lot of it is automated attacks.”
Cleaning the campus
It’s not just the thousands of new students that have university IT departments bracing for impact, it’s also their gadgets.
“All these kids are coming on campus, and you don’t know the security level of their devices, and you can’t manage it, because it’s theirs,” said Dennis Borin, a senior solutions architect at security company EfficientIP. A lot of university IT teams have their hands tied because they can’t individually go to every student and scan all their computers.
Borin’s company protects up to 75 campuses across the United States, and it’s always crunch time at the beginning of the semester.
“If I was on campus, I wouldn’t let anybody touch my device,” Borin said. “So, if somebody has malware on their device, how do you protect against an issue like that?”
Instead of going through every single student, Borin said, his company just casts a wide net over the web traffic. If there’s any suspicious activity coming from a specific device, they’re able to send warnings to the student and kick him off the network when necessary.
Keeping school networks safe is important for ensuring student life runs smoothly. A university that had only two people on its team reached out to EfficientIP after it suffered an attack.
All of the school’s web services were down for an entire week while recovering from the attack, Borin said.
Scam artists love to take advantage of timing, and the back to school season is a great opportunity for them.
There was an influx of fake ransomware protection apps when WannaCry hit, as well as a spike in phony Pokemon Go apps stuffed with malware during the height of the game’s popularity. If there’s a massive event going on, you can bet people are flooding the market with phony apps to trick victims into downloading viruses. A quick search for “back to school apps” in August found 1,182 apps that were blacklisted for containing malware or spyware, according to security firm RiskIQ.
Researchers from the company scanned through 120 mobile app stores, including the Google Play store, which had more than 300 blacklisted apps. They found apps for back to school tools; themes and wallpapers for your device; and some apps that promised to help you “cheat on your exams.”
Though most of the blacklisted apps are poorly made games, others pretend to help you be a better student. Take, for instance, the myHomework Student Planner, which RiskIQ found on Mobile24’s app store. The app comes from the company “Free Android Apps,” as if that’s not already suspicious, and claims to be a “planner for English-speaking students.” It had been blacklisted for hiding a Trojan, but it’s still available in some app stores.
Other warning signs to watch out for when it comes to sketchy apps are poorly written reviews and developers using public domain emails for contacts, Risk IQ said. For any educational apps, like Blackboard Learn, you should always check the sources and look for the official versions.
New students coming to school have enough to worry about. Let’s hope a crash course in cybersecurity is enough to ensure they make it to graduation without getting hit by hacks.
It’s Complicated: This is dating in the age of apps. Having fun yet?
The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.