All Faculty, Staff Asked To Help Defeat Web Attacks
Posted: September 2, 2003 at 1:00 am
Editor’s note: Joy Hughes, vice president for information technology, wrote this column to keep the university community updated on the recent e-mail problems at George Mason.
To help restore the university’s network system, all computer users and system administrators need to do the following:
- Check each machine you are responsible for to see if it is running Windows 2000, Windows NT, or Windows XP. If so, you need to patch it so that worms can’t get in. To get the patch for your machine, go to itusupport.gmu.edu/removaltools.asp. Download the patch that matches the Windows system that the machine is running. Note: the system will send you the usual warning notice before downloading the file. Go ahead and download, then double-click the downloaded file to execute it.
- Check every machine you are responsible for (not just the machines running Windows 2000, Windows NT, and Windows XP) to make sure its anti-virus software is up to date. Update it now, and set it to update every day.
- The anti-virus software will tell you if the machine has the Blaster worm, the Welchia worm, or the Sobig.F virus. If the machine has any of these infections, go back to the removaltools web page, download the appropriate removal tool, and double-click the downloaded file to execute it.
If you need help getting or automating anti-virus software or downloading the patch or removal tools, work with your department’s technology coordinator.
If you have ever connected a remote access server (RAS) to the network, disconnect it immediately.
Context and Answers to Questions about the University’s Strategies to Fight Cyberattacks
Context: The university’s e-mail traffic slowed to a snail’s pace starting on Tuesday, Aug. 26, because of the hundreds of thousands of messages in the mail queues that had been generated by the Sobig.F virus or in response to infected messages. The Information Technology Unit’s (ITU) e-mail staff worked with the big Internet service providers, such as AOL and MSN, to change the way their mail came in to our servers in order to improve the load balancing across the servers. The e-mail staff also worked with the vendor of its WebShield product to temporarily change how that product handles infected messages in order to get the queues moving.
Then on Friday, Aug. 29, a denial of service attack launched from machines at Cornell University and Georgia Tech brought the network almost to a standstill. The network engineers worked with the engineers at Internet2 to block the attack traffic, but it took much of Friday to get back to “normal.” Unfortunately, “normal” is not all that good, given that the network is being bombarded with internal traffic from worm-infected machines as the worms look for unprotected machines to infect.
ITU’s network staff had proactively locked the front door to the network in early August so that the Blaster type worms could not get in. But people in the university are letting the worm in through back doors. Students, for example, have brought infected machines to campus and plugged them in to the network. ITU’s support center staff worked all of move-in weekend cleaning the machines of new students, but hasn’t yet been able to reach all of the students. Some faculty members returning to campus have plugged infected laptops into the network. And some departments and individuals have installed remote access servers (RAS) in order to get around the university’s dialup policy. A RAS provides a back door to the network for worms.
Attacks and infections like these interfere with faculty teaching and research and reduce staff and student productivity. Everyone in the university who uses a computer can be affected by the actions of just one person. For example, if one person plugs an infected laptop into the network, the worm can propagate to every unprotected machine on the network. The network then slows down for everyone, including faculty members whose own machines are neither infected nor vulnerable to infection.
Answers to Questions:
- How can I stop the spread of viruses?
First, make sure all the machines you are responsible for have anti-virus software installed. Windows users can visit the ITU Support Center web site and click “downloads” to get more information. If your machine is not already set up to automatically update your anti-virus program every day, please set it up to do so. Contact your department’s technology coordinator for assistance. Also, never open attachments you were not expecting, even when the message appears to come from someone you know. Most e-mail-borne viruses, including Sobig.F, arrive as attachments.
- Why do I need anti-virus software when the university has anti-virus software on the e-mail servers?
Worms, such as the Blaster worm that has caused so many network problems, do not come in to the university through e-mail. They probe the Internet looking for ways to get into machines, usually through “holes” in an operating system; in Blaster’s case, the hole is a flaw in the Windows RPC service, which listens on TCP port 135, and the patch closes it. If a worm infects your machine, your anti-virus software will alert you. Also, not all e-mail comes into the university through the front door. Some comes in through department mail servers and is never checked for viruses. Some viruses are not spread through e-mail, but rather through infected disks.
- Is e-mail delivery a lot slower because the university is virus checking each e-mail that comes in through the front door?
Ordinarily, the delay is imperceptible. But when a virus such as Sobig.F generates extraordinary numbers of phony e-mail messages, checking each one for a virus does slow things down. Returning each infected message to the sender along with a note that says “this message has a virus” takes time, and it adds load: each bounce is one more message to queue, and if the sender is at Mason it is one more message coming in to the university. Worse, Sobig.F forges the sender address, so most of those bounces go to people who never sent anything. So mail delivery is degraded when a virus similar to Sobig is unleashed. This is why some Internet Service Providers refuse to check incoming mail for viruses, although many, including AOL, do check incoming mail for viruses. Mason’s e-mail department has been working with the vendor of the protective software to modify its behavior to speed up the process. This strategy has worked. There are six mail queues; on Friday the smallest had 25,000 messages waiting to be delivered and the largest had 100,000. By Monday morning, each queue had been reduced to 5,000 or fewer.
- How do I know who my technology coordinator is?
- How can I close the door to the worms?
Patch all vulnerable machines (Windows 2000, Windows NT, Windows XP). Go to itusupport.gmu.edu/removaltools.asp. Download the patch, then double-click on the downloaded file to execute it. If your anti-virus software says you have the worm, you need to get rid of it. Download the removal tool, then double-click on the downloaded tool to execute it. Even as you read this, the worm on your machine is infecting other machines.
- The patch remedy doesn’t seem very proactive. Are there other strategies?
Windows users may notice that every once in a while a message flashes on the screen telling them that it’s time to update Windows. If you keep Windows updated, the machine will always have the current patches, including the one that closes the hole the Blaster-type worms use. The Windows Update site can be confusing and frustrating until you get used to it. Your technology coordinator can help you.
- Are there machines other than staff desktops we should be worried about?
Departments should also check for infection on the machines in their computer labs and their inventory of loaner machines. Everyone who brings a machine to campus to plug into the network needs to make sure it is not infected, that its virus protection is up to date, and, if it’s a Windows machine, that it has been patched.
- What is the university doing to protect the network from infected machines in the residence halls?
ITU staff, with the help of the Office of Housing and Residence Life, has been educating the students about the need to clean up their computers. On move-in weekend, a team of student helpers and ITU’s support center staff sanitized the computers brought in by new students, as well as some computers brought in by continuing students. On Monday, school started, so the ITU staff had to direct their energies to supporting the classrooms. For a few days it appeared that the education campaign, coupled with sanitizing the computers of new students, had solved the problem. By Aug. 28, however, infected traffic from the residence halls was escalating and affecting the robustness of the network. ITU arranged to make 1,500 copies of “clean-up” CDs so that students could easily clean up their own machines. The Office of Housing and Residence Life is working with the students to ensure that all machines are cleaned and protected by Wednesday evening, Sept. 3, so that the residence hall networks will not need to be taken down. The education campaign will continue.
- A previous announcement said that the network engineers were scanning the network for infected machines and machines that hadn’t been patched and then removing them from the network. Why hasn’t this stopped the worm?
Scanning for infected machines is part of the network protection strategy. But it is labor intensive, and it often does not identify the culprit down to the machine level; it identifies a cluster of machines, one or more of which may be infected. Machines will keep getting infected as long as the back doors remain open. Scanning for unprotected (unpatched) machines is also being done. This is a different process and has to be performed one network segment at a time. The network engineers are working around the clock, and we’ve had to send some of them home after working 30-hour shifts with no rest. To stop these infections we need everyone who has a computer connected to the network, or is about to connect one, to first make sure it is free of viruses and worms and has the appropriate security patches installed. It is also essential that people close back doors to the network.
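The two kinds of scanning described above (worms probing for machines with the RPC hole, and network staff scanning the network to find the infected hosts behind the noise) can be narrowed from a cluster to a machine when flow records are available. What follows is an added example written for this page; it is not ITU’s tool or any code from the original column. It assumes flow records in a simple constructed “timestamp src dst dport proto” format, and uses two traits of Blaster-type worms: fan-out to many hosts on TCP port 135 (the Windows RPC port Blaster exploited), typically to consecutive addresses, followed by a connection to TCP port 4444 on a host it managed to infect. The sample records below are made up.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample flow records ("timestamp src dst dport proto").
# These are invented for illustration and are not data from Mason's network.
# 10.1.5.20 sweeps 10.1.6.1-12 on tcp/135 and then reaches 10.1.6.11 on tcp/4444
# (the shell Blaster opens on a host it just exploited); the other two sources
# are ordinary traffic that should not be flagged.
SAMPLE_FLOWS = """\
2003-08-28T09:00:00 10.1.5.20 10.1.6.1 135 tcp
2003-08-28T09:00:00 10.1.5.20 10.1.6.2 135 tcp
2003-08-28T09:00:00 10.1.5.20 10.1.6.3 135 tcp
2003-08-28T09:00:01 10.1.5.20 10.1.6.4 135 tcp
2003-08-28T09:00:01 10.1.5.20 10.1.6.5 135 tcp
2003-08-28T09:00:01 10.1.5.20 10.1.6.6 135 tcp
2003-08-28T09:00:01 10.1.5.20 10.1.6.7 135 tcp
2003-08-28T09:00:02 10.1.5.20 10.1.6.8 135 tcp
2003-08-28T09:00:02 10.1.5.20 10.1.6.9 135 tcp
2003-08-28T09:00:02 10.1.5.20 10.1.6.10 135 tcp
2003-08-28T09:00:02 10.1.5.20 10.1.6.11 135 tcp
2003-08-28T09:00:03 10.1.5.20 10.1.6.12 135 tcp
2003-08-28T09:00:03 10.1.5.20 10.1.6.11 4444 tcp
2003-08-28T09:00:05 10.1.5.31 10.2.0.9 135 tcp
2003-08-28T09:00:05 10.1.5.31 10.2.0.9 445 tcp
2003-08-28T09:00:06 10.1.5.40 192.0.2.10 80 tcp
2003-08-28T09:00:06 10.1.5.40 192.0.2.11 80 tcp
"""


def parse_flows(text):
    """Parse 'timestamp src dst dport proto' lines into tuples; skip blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((ts, src, dst, int(dport), proto.lower()))
    return flows


def longest_consecutive_run(addrs):
    """Length of the longest run of numerically adjacent IPv4 addresses.

    Blaster walks address space sequentially, so a long run is a stronger
    signal than the raw count of targets alone.
    """
    nums = sorted({int(ip_address(a)) for a in addrs})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_scanners(flows, port=135, min_targets=10, min_run=5):
    """Return per-source scan evidence for hosts fanning out on tcp/<port>.

    A source is reported once it has touched at least min_targets distinct
    hosts on the port. 'exploited' lists targets that the same source later
    contacted on tcp/4444, which is what a successful Blaster infection looks
    like from the network. Thresholds are assumptions, not values from the page.
    """
    targets = defaultdict(set)
    followups = defaultdict(set)
    for _ts, src, dst, dport, proto in flows:
        if proto != "tcp":
            continue
        if dport == port:
            targets[src].add(dst)
        elif dport == 4444:
            followups[src].add(dst)

    report = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        run = longest_consecutive_run(dsts)
        report[src] = {
            "targets": len(dsts),
            "longest_run": run,
            "sequential": run >= min_run,
            "exploited": sorted(dsts & followups[src]),
        }
    return report


if __name__ == "__main__":
    for src, info in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(src, info)
```

The source address this reports is only as specific as the vantage point: flows collected at the backbone may show a router or RAS port as the source, in which case the result names a segment rather than a single machine, exactly the limitation described above, and the search has to continue on that segment.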
- What is a RAS?
A RAS is a remote access server, which works as a back door to the network. Some departments and individuals have installed a RAS in order to get around the university’s remote access policy. Worms and other infections can easily get into the university’s network through the RAS. All RAS owners must immediately disconnect the RAS from the network in order to protect the community.
- If I know someone has connected a RAS to the network but he/she won’t remove it, what can I do to protect the community?
Connecting such a machine to the network is a violation of the Responsible Use of Computer Policy. System administrators have both the right and the responsibility to remove such devices. Report the RAS to your supervisor for action. If you feel no progress is being made, call (866) 468-1706–Internal Audit’s number to confidentially report fraud, waste, and abuse.
- What is a “denial of service” attack and why are other schools attacking Mason?
A denial of service attack happens when an attacker takes over machines and installs code that floods a particular site with traffic, such as millions of e-mails or queries. The heavy traffic soon clogs the site and often brings down the network hosting it. Machines can be taken over if they are unpatched or poorly configured. The system administrator for each machine needs to make sure it is installed and patched properly so that it cannot be taken over and used this way. Individual users should turn off their machines at night or when they are otherwise not in use for long periods.
It is likely that the hackers who took over the machines at Cornell and Georgia Tech are not associated with these universities. We do not know why these hackers directed those machines to attack Mason.