The Computer Breach

This post is about a serious breach of computer security that occurred in the last weeks of term last year, affecting thousands of UAlberta users, including me. This post has been created by drawing from numerous sources, including mass emails, news reports, and official blog posts and news releases. There are, however, still unanswered questions that I will explore, and some of the implications of this event.

The Breach
Between November 17 and December 8, 2016, a breach of computer security occurred on the UAlberta North Campus. A forensic analysis determined that 287 computers in 20 classrooms and labs in the Knowledge Commons, CSC, and CCIS had keylogger malware installed on them. This breach was detected on November 22, 2016, and potentially compromised the security of 3,323 passwords belonging to students, staff, and faculty. A further investigation by EPS and the UAlberta IST forensic team determined that another 17 computers were affected, potentially putting another 19 people’s passwords at risk.

The Notifications
A total of 3,304 students, staff, and faculty who had logged into the affected computers during this period were notified of this breach by mass email on November 23, 2016, sent by the Chief Information Security Officer (CISO) of the Office of the Vice-Provost and Associate Vice-President (Information Services and Technology). This message confirmed most of the above information and recommended a course of action that included changing our passwords and monitoring our accounts for suspicious activity. After changing my password, I replied to that email, asking for more information about the malware; I sent the same message again on December 1, 2016 because I did not receive a reply to my first message. I got a reply from the CISO on December 7, 2016 that assured me that no actual information had been obtained due to the workings of the security software (more on this below). The delay in responding was for security reasons, because the investigation was still underway.

So imagine how badly I was freaking out the morning of December 19, 2016, when I wasn’t able to log in to check my email. Or any UAlberta account. My first thought was that the attacker had not only taken my old password, but the keylogger was running on the computer I used to change my password in November. I immediately called IST, where there was an uncharacteristically long delay. The thought, “I have a bad feeling about this” kept racing through my mind. This, however, just turned out to be a mandatory password reset for everyone who had potentially been exposed to the malware; in case you ignored the previous advice to change your password, you were now being forced to change it. Er, no advance warning or anything?

All along, information about this breach was hard to come by. In fact, I’ve gotten much information from articles by CBC Edmonton and the Edmonton Journal, and only rarely from official UAlberta sources. Finally, on January 5, 2017 there was a positive gusher of information sent in an email, as well as posted to the IST blog. I suspect the timing was not a coincidence: the Edmonton Journal had just published an article about the security breach in that day’s newspaper.

The Accused/The Charges
According to news reports, the accused is 19-year-old UAlberta student Yibin Xu. Xu was not named in any official announcements from UAlberta. A search using the UAlberta Directory did not turn up any matching person. Perhaps this student’s status as a student--or, at the very least, their UAlberta computing privileges--were revoked. According to EPS, Xu has been charged with mischief in relation to computer data, unauthorized use of computer services, fraudulently intercepting functions of a computer system and use of a computer system with intent to commit an offence.

Xu was to appear in court on January 10, 2017. I have not been able to find any information about Xu’s plea on this date.

The Protection
UAlberta classroom and lab computers are protected by antimalware software, including Zemana Anti-Keylogger. In the email I received directly from the CISO, there were “blank logger output files resulting from the encrypted inputs,” making this incident, technically, a potential breach, not an actual breach. This makes me feel a bit better. However, I have not been able to obtain the name of the malware. Although this might seem like an, er, academic exercise, it’s important for at least three reasons: 1) I want to be sure that all of my anti-malware specifically includes the signature for the malware that I potentially encountered, 2) I would like to know more exactly how the malware works and (more importantly) how it spreads, and 3) I would like to know whether this was existing malware used by a script kiddie or (much more seriously) custom malware deployed by the accused, specifically tailored to penetrate the UAlberta defences.

The Implications
The last point is important. Why would someone go to 304 different computers, installing keylogger malware on each one? Aside from the time investment required to craft, modify, or at least obtain the malware, how long would it take to load this software on all those computers? Did Xu have to go to each computer, installing the malware from a thumb drive (which would not require any identifying logon or authentication)? Say it takes 30 seconds. That’s a time investment of over 2.5 hours. It’s not clear whether the harvested data would be automatically uploaded, but that’s the most likely scenario. Then, however, you have to sift through all of that data looking for someone logging in. That’s got to take a while, too.

Here are three plausible reasons to go through all this trouble. First, just to prove it could be done. Yeah, malware writers do things for dumb reasons like this; bragging rights. But bypassing commercial anti-malware software doesn’t have to be done on campus, where you’re risking quite a lot for not very much. Thrill of the chase? Maybe, but I doubt it. Virus-writing has come a long way since those early days of macho competition.

Second, a desperate need. You’re failing courses badly. You need some kind of “competitive advantage.” If only you could log into your fellow students’ accounts, you might be able to steal their lab reports, computing science assignments, and more. While you’re at it, you could also grab some instructors’ credentials. Maybe log in to their accounts at the end of term and...tweak your grades. (Hey, David Lightman did it in War Games!) But isn’t that a lot of work for very little reward and high downside risk? Wouldn’t it be better to spend all that time, say, studying? If you get caught, you’ll be tossed out of university, stuck with a criminal record, and face potential jail time. (If the accused is a foreign student, they may be deported and not welcomed back.)

So that leaves the third possibility: What if the accused is working on behalf of someone else, like a criminal organization or even a nation state? China and Russia are known to have been behind state-sponsored malware attacks. I don’t think I want to know how many criminal groups are happily writing ransomware and other nasty shit--witness recent attacks on Carleton University and the University of Calgary last year.

I’ve been hit by malware before. Once, years ago, my computer contracted the Chernobyl virus, which managed to bypass Norton Internet Security. I actually had to bring my computer in for service to kill that one off--one of the few times I’ve ever had to pay someone to fix my computer. (If I ever see Chen Ing-hau, remind me I owe him a punch in the face.) Another time, my office computer was somehow infected with a rootkit, which took many frustrating hours to remove. Now, I’m armoured to the teeth with firewalls, anti-virus, anti-malware, and anti-keylogger software, which do NOT give me any false sense of security. I continue to abide by best practices. But none of us need the worry and hassle of malware on university computers. As far as I’m concerned, they oughta throw the book at Xu.

Lastly, I know I’ve tossed many brickbats IST’s way. They’ve deserved them. But this time, I offer a bouquet: Nice job. Detecting this serious problem in 5 days, and managing to identify the culprit (sorry, accused) means that we at UAlberta don’t end up in the same situation as UCalgary. Because nobody wants to end up like Calgary. (Sorry, couldn’t resist.)

Why aren't you studying?
