University of Alberta student charged in password malware incidents

A 19-year old University of Alberta student is facing numerous criminal charges after password-harvesting malware was discovered on 304 of the institution’s computers.

Edmonton Police said Wednesday that Yibin Xu has been charged with mischief in relation to computer data, unauthorized use of computer services, fraudulently intercepting functions of a computer system and use of a computer system with intent to commit an offence.

The charges came after the university discovered problems in November after receiving reports from users about performance issues. Police were then notified and an investigation started. News of the charges was only made this week.

The university said it identified 3,323 students and staff whose university passwords were potentially affected. “These were individuals who logged into at least one of the infected computers during the incident timeframe,”  Gordie Mah, the university’s chief information security officer, said in a statement. “Everyone whose privacy was identified as potentially at risk was quickly advised of the incident and their passwords have been reset.”

“There has been no indication that any compromised passwords were used,” he added.

Police believe the malware was installed in two incidents between Nov.17 and Dec. 8, 2016. In the first incident, the university’s response team found malware on 287 computers, while in the second incident, the malware was found on 17 computers. According to the university, the computers were in 20 classrooms and labs in the Library Knowledge Commons, Computing Science Centre and in the Centennial Centre for Interdisciplinary Science.

The university said its information services and technology department has since refined existing anti-virus and security controls to protect against the type of malware found.

With their open access in libraries and labs it isn’t easy for universities and schools to secure their PCs, acknowledges Peter Firstbrook, a London, Ont., based Gartner analyst who specializes in end point security — and, he adds, it doesn’t help that universities can have a lot of smart computer science students. University-owned computers probably have some anti-malware software, he said, but these students may be clever enough to find holes in the defences.

For any institution that has public access to computers application control is essential, he said.  That includes locking down device configuration, advanced malware protection that alerts administrators if attempts are made to change configuration and patching. Blocking USB ports may not be practical if the institution wants to allow users to download their work, he said, but access control can restrict the ability to auto execute an application from the ports.

There are a lot of defensive tactics academic CISOs can use, said John Kindervag, enterprise security analyst at Forrester Research, including network segmentation to prevent malware from spreading and end point software. “A lot of it is basic hygiene,” he says.

Like Firstbrook, he said one problem is university students like to experiment. Another is that cyber security is seen as a “four-letter word” in the academic world, “with elements of Big Brother.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now