University of Pittsburgh

November 10, 2011

Computer security: What CSSD recommends

Increasing reliance on email and social media, coupled with ever-wilier attempts by hackers and identity thieves, makes cyber security an issue of ongoing importance for Pitt’s computer users.

Computing Services and Systems Development (CSSD) has assembled a one-stop online shop where staff and faculty can proceed through eight steps to ensure they’re doing all they can to keep their computers and data safe. The “Secure Your Data” community pages can be found by clicking on “My Resources” on the my.pitt.edu portal.

CSSD information security officer John Hudson will outline the data protection resources as part of the Staff Association Council’s Nov. 15 “Effectively Using Technology in Your Job” fall assembly.

(Registration and information on the sessions are available at www2.hr.pitt.edu/sac/default.html.)

As a measure of the growing need, in just eight years CSSD security staffing has risen from one half-time position to the current nine full-time positions, said CSSD director Jinx Walton.

In all of 2005, CSSD email filters blocked nearly 20 million spam messages and 7.7 million messages containing malware, computer viruses or other malicious programs. Today, CSSD estimates that each month it blocks 25 million spam messages and 1.3 million email viruses from the University’s system.

CSSD monitors more than 6,100 network devices through its network operations center (NOC) and secures more than 39,000 devices behind its network firewalls.

While CSSD does its part, users play a crucial role as well.

“Regardless of how much we’re trying to do with technology, if we don’t keep data secure, we jeopardize all we’re trying to do,” Walton said. “In the University, we’re always balancing security and access because there’s such a need for collaboration with colleagues around the world.”

Hudson agreed. “It’s a very distributed environment. We control certain parts of it and the rest of it we’re here to empower other people to control.”

Users may view security measures as draconian, but in light of the fact that many cyberthreats can be invisible, constant vigilance is necessary, Hudson said.

Layers of security

“In isolation, you can pick holes in any one aspect of security. Security is layers of different things that you do,” Hudson said. As in home security, more than one precaution is necessary. “You lock the doors, use decent locks, maybe buy an alarm system, be sure the gas is shut off. It’s not just one thing,” he said.

“If people took the same amount of care of their data as they did with securing their house, we would be in good shape.”

Users may downplay the risks because threats often can’t easily be seen. Identity Finder software, available through CSSD, can offer a glimpse of what personal information might be at risk. Identity Finder will scan a computer — down to the document level — and produce a report of potentially sensitive information such as passwords, birth dates and Social Security or credit card numbers it finds.

People tend to assume that providers of applications or software are handling security on their behalf. “That is not always the case,” Hudson said.

“It’s teaching you things you don’t know,” he said, noting that users can review the report and take action to remove sensitive information from their computers.

“It definitely helps you change your behavior, even when you think you’re secure.”

Clever hackers

“There are some very clever hackers out there,” Hudson said, noting that while some hackers may seek to breach systems just for fun, more often the threats on universities are aimed at obtaining valuable student information or gaining access to financial systems and credit card data.

Hackers also may seek to exploit the speed of Pitt’s system, Walton said. “If they’re able to hack into our system here, they can use this hacked account to send out millions of spam messages,” even if the intrusion is discovered quickly.

Hudson said, “The days of just trying to hack into the University or the Pentagon or NASA for the fun of it, people still do that, but this is big, organized business.

“The attacks happening these days are very, very targeted. So security has to be very, very targeted in response to that,” he said.

Human nature

Recognizing that computer users typically have firewalls and antivirus software in place to thwart malicious attacks, hackers now are exploiting the power of human nature to circumvent the technology.

CSSD security staffers focus on understanding potential points of entry that could make Pitt’s system vulnerable, he said.

Actions as simple as taking a poll or quiz on Facebook or putting off installing software patches when they become available can pave the way for identity theft or hacking, Hudson warned.

Facebook scams

Hudson said an estimated 600,000 Facebook accounts are hacked every day. “A lot of those are happening due to social engineering or profiling,” he said.

“A lot of hackers are putting false ‘polls’ on there asking you to put in a username and account — username usually being your email, and a password. Ninety-nine percent of people will use the same username and password for the poll as they use for their Facebook account, as they use for their bank account, as they use for every other thing out there,” he said. With that information in hand, hackers can search for ways to use the information.

The risk is immense: “If that 600,000 holds true and half of those are corporate users — most of those people have bank accounts if nothing else,” Hudson said.

“They’re looking at human behavior and that’s the weakness in most security — it’s not compromised because of lack of technology. Most people on their desktops have antivirus software, they have personal firewalls, all of these things. It’s the human behavior side of it.”

Putting off patching

Procrastination also can lead to vulnerability. Who hasn’t clicked “later” in response to an alert that a software patch is available? “We’re all guilty of it. We’re all too busy and we keep pushing it off,” Hudson said.

While Microsoft patches frequently, a new area of opportunity appears to be in web browsers such as Google or Firefox or in common software such as Adobe’s Photoshop and PDF reader and writer programs, he said.

“If you have those applications and don’t patch them, there are vulnerabilities in them,” he said. “It’s good business for hackers.”

Exploitations in applications lead to the ability to install code that then could install keyloggers — which can record every keystroke, including usernames and passwords — on either a personal or University system, he said.

Better scams

Walton noted that while users are aware of the dangers of phishing scams, hackers are responding by creating more believable-looking scams. “Personally, I probably get four or five inquiries a month [from Pitt users], asking, ‘Is this a scam?’ That surprises me the most,” Walton said.

Hudson cited a recent example in which hackers directed victims to input personal information on a site designed to look like Verizon’s — right down to the company logo and a web address only one character different from the legitimate site.

“It would have fooled most people who were in a rush to do something,” he said. “They’re getting very clever.”

Password protection

Plans are in the works at CSSD to increase password security for faculty and staff.

By the end of the spring term, it’s likely that faculty and staff will be required to change their University computing account passwords twice a year, as students currently must do.

Walton said her staff is working to make the transition with as little disruption as possible. “We don’t take these things lightly. We know people have difficulty remembering their password,” she said, adding that of the more than 112,000 calls last year to CSSD’s help desk, the No. 1 request was assistance with a forgotten password.

Digital certificates

As always, in the case of sensitive email content, it’s best to err on the side of caution.

“Once it’s sent you’ve lost control of it,” Hudson said. “Don’t put anything into the email you don’t want out there.”

However, if confidential information such as research data, personnel information or contracts must be sent by email or web form, either within or beyond the University, it may be appropriate to obtain a digital certificate to encrypt the transmission, Hudson said.

“We’re seeing more and more cases where a digital certificate is appropriate. If you do have to send confidential information between two people on a constant basis, by having that, it’s a great start on security,” he said. University computer users can apply for digital certificates at accounts.pitt.edu.

Laptop theft

While students are more at risk for laptop theft, each year 20-25 faculty and staff members have laptops stolen, Walton said. Most students have their laptops protected using LoJack theft-recovery software, but Pittsburgh campus faculty and staff don’t use the corresponding ComputracePlus in similar numbers, she said.

ComputracePlus not only can help locate a laptop; users also can use it to delete data from the missing machine.

Walton said there is no risk of accidentally erasing data — in order to remove data remotely, the police, the software vendor and two CSSD staffers must be involved.

CSSD staff will install and register the software for Pittsburgh campus employees. The process typically takes about a half-hour, Hudson said. Appointments may be made by contacting the technology help desk.

What’s at risk?

Walton said the University is focusing systematically on increasing controls around its computing systems. “All of our centralized systems at our Network Operations Center have the highest level of security there,” Walton said. And departmental firewalls can limit the spread of damage. Still, she said, “All it takes is one person having a computer hacked with sensitive information that they shouldn’t have on it” to be problematic.

Hudson’s team evaluates suspected computer viruses in its forensics lab to determine whether and when the machine was compromised, as well as how far the damage might have spread.

Unlike TV cybersleuths, his staff need more than a few clicks to find the answers within malware that often is complex, he said.

In the case of a suspected infection, his team takes images of the system, then evaluates the code to discover what the malware really is doing. “It’s not always obvious,” he said, noting that it could be encrypted or changeable over time so patterns of activity can’t easily be discerned. “It can take days and days and days depending on the specific issue.”

Hudson said, “People collaborate all day long, so there’s always a big inconvenience factor,” noting that the pain can spread beyond the affected employee to his or her colleagues.

An infected computer should be rebuilt from the ground up, Walton said, noting that removing malware often isn’t sufficient to prevent further problems.

Hudson agreed. “Unless you can truly track down what that malware did, the best thing you can do is cut your losses and rebuild. Then you know you have a clean machine.”

Beyond correcting the issue on the computer, he said it’s important to mitigate what caused the problem in the first place. Usually it’s a matter of education or one of education and technology, he said.

“This is the power of malware: It’s not just the potential loss of confidential data, it’s the productivity loss. And if it happens to be not a workstation, but a server, that compounds the issue for a department significantly.”

—Kimberly K. Barlow

Filed under: Feature,Volume 44 Issue 6
