A 19-year-old University of Alberta student is facing numerous criminal charges after password-harvesting malware was discovered on 304 of the institution’s computers.
Edmonton Police said Wednesday that Yibin Xu has been charged with mischief in relation to computer data, unauthorized use of computer services, fraudulently intercepting functions of a computer system and use of a computer system with intent to commit an offence.
The charges came after the university discovered problems in November, when users reported performance issues. Police were then notified and an investigation started. News of the charges was only made public this week.
The university said it identified 3,323 students and staff whose university passwords were potentially affected. “These were individuals who logged into at least one of the infected computers during the incident timeframe,” Gordie Mah, the university’s chief information security officer, said in a statement. “Everyone whose privacy was identified as potentially at risk was quickly advised of the incident and their passwords have been reset.”
“There has been no indication that any compromised passwords were used,” he added.
Police believe the malware was installed in two incidents between Nov. 17 and Dec. 8, 2016. In the first incident, the university’s response team found malware on 287 computers, while in the second incident, the malware was found on 17 computers. According to the university, the computers were in 20 classrooms and labs in the Library Knowledge Commons, Computing Science Centre and in the Centennial Centre for Interdisciplinary Science.
The university said its information services and technology department has since refined existing anti-virus and security controls to protect against the type of malware found.
With their open access in libraries and labs, it isn’t easy for universities and schools to secure their PCs, acknowledges Peter Firstbrook, a London, Ont.-based Gartner analyst who specializes in end point security. It doesn’t help, he adds, that universities can have a lot of smart computer science students. University-owned computers probably have some anti-malware software, he said, but these students may be clever enough to find holes in the defences.
For any institution that has public access to computers, application control is essential, he said. That includes locking down device configuration, advanced malware protection that alerts administrators if attempts are made to change configuration, and patching. Blocking USB ports may not be practical if the institution wants to allow users to download their work, he said, but access control can restrict the ability to auto-execute an application from the ports.
There are a lot of defensive tactics academic CISOs can use, said John Kindervag, enterprise security analyst at Forrester Research, including network segmentation to prevent malware from spreading and end point software. “A lot of it is basic hygiene,” he says.
Like Firstbrook, he said one problem is university students like to experiment. Another is that cyber security is seen as a “four-letter word” in the academic world, “with elements of Big Brother.”