IT Security Incidents in the Education Sector

Contemporary educational institutions in the US are now as computerized as any corporation or government agency and, in the case of technologically oriented universities, sometimes to an even greater extent.

Contemporary educational institutions in the US are now as computerized as any corporation or government agency and, in the case of technologically oriented universities, sometimes to an even greater extent. Educational organizations process personal data in a digital form are therefor confronted with the same security problems companies and governmental agencies experience. This article will examine some recent security incidents and their causes.

One of the most sensational stories took place in the Lake Washington School District. In the fall of 2012, the computer virus Goblin (Virus.Win32.Goblin.gen) simultaneously struck a large number of schools’ computers. Because it was just a virus, it did not spread via networks like a worm would do. Rather, it was a polymorphic file infector, which resided in shared sources and infected files with extensions .exe, .dll and .scr (screensavers). Moreover, it tried to download other malicious software from the Internet and tried to transfer some data from infected computers to a remote server.

It was a seemingly unremarkable kind of malware, but it infected 25,000 computers in all 50 schools of the district in the vicinity of Redmond, Washington, which is home to Microsoft’s headquarters. Many Microsoft employees’ children go to those schools, bringing the problem to the backyard of Windows developers.

This was a preventable IT incident too. In 2012, when the Lake Washington School District distributed laptops to all students for use at home and in the classroom, no one thought to include anti-malware protection on these computers. After the virus was discovered and the infection had spread, a school district spokesperson said that antivirus software and firewalls were enabled on all the computers.

A similar case, on a smaller scale, occurred in April 2013 in the Salem School District in New Hampshire. The worm “of an unknown origin” infected the district’s 85 servers and almost brought down the local Internet channels.

Again, the local official interviewed after the malware was discovered: “At the moment we are installing an antivirus and then we are going to check all workstations separately.”

In addition to viruses and other malware, educational institutions are subject to attakcs both from outside and inside.

In the Fall of 2012, a “hacktivist” group named GhostShell published 120,000 disparate data sets, stolen from the bases of major universities. The “hacktivists” had paid unwelcomed visits to the universities’ servers while running a “campaign” under the name Project Westwind. The information this group published included 36,623 unique email addresses, the names of tens of thousands of students, faculty, and staff; and thousands of log-ins, unencrypted passwords, addresses, phone numbers, and very personal gender, date of birth, nationality, ethnicity, and civil status data. Fortunately, credit card numbers and social security numbers were not included in the published information.

What did GhostShell want? They pointed out that their “campaign” resulted from “(inflated) tuition fees, political bias, rigid tutorial rules and unclear employment prospects for graduates,” and claimed to be fighting for the good of people by means of SQL injections.

In January 2013, Mississippi State University (MSU) was the victim of a cyberattack. It’s widely believed that the attack was launched by a hacker named Gevolus, of the Brazilian Cyber Army. The attack resulted in the published passwords, addresses and emails of more than 500 students and teachers, as well as confidential admissions information.


Apparently, Gevolus was simply demonstrating his cybercriminal abilities because there was no clear cause for his activities.

In May of this year, the Chico Unified School District was hit by DDoS-attack, using computers in China, Europe, and the US. What made the cyberattack even more powerful was the fact that the same weblink was used by several government agencies, causing them to lose their Internet access for three days. Administrators of the school district network changed the web address and engaged the broader uplink, but the attacks soon resumed. Apparently, the servers were eventually transferred to an enclosed infrastructure and the criminals responsible for the Chico attack are still unidentified. Unfortunately, there are online instructions about organizing DDoS-attacks, and there are offers to rent the appropriate power for these criminal activities, making unprotected schools particularly vulnerable to attack.

In June 2013, three former students infiltrated Purdue University’s servers with a very clear intention:  they wanted to change their grades. In this incident, the servers were attacked in a new way. The cybercriminals swapped the authorized teachers’ keyboards for identical ones with hardware keyloggers installed.

Less than a year ago, Reddit published a plea from an overwhelmed student system administrator. Apparently, after the departure of his former leader, this young student was entrusted with the management of the infrastructure of a small US college.  The author described his hardware and software as a real patchwork that included a few dozen computers with Windows XP Home Edition and a couple Vista platforms. Some desktops were more than ten years old and they were administered locally by two CentOS virtual machines acting as serves from the save Dell Desktop. The author tried, unsuccessfully, to persuade his authorities to choose Google Drive as a more effective option. He also wrote about the complete lack of backup, as the former system administrator (who worked part-time) kept copies of the system in his off-campus office. Despite these serious challenges, the school administration was seriously considering the introduction of a Bring Your Own Device (BYOD) policy.

After reading the post, half the commenters strongly advised the individual to flee as soon as possible to avoid being blamed when something finally failed.


However, the other half of the commenters provided competent and sometimes extremely witty pieces of advice. One commenter noted: “I spent the last 3 years digging over 20 schools out of the same situations.”

Viruses, break-ins, internal sabotage, DDoS-attacks, and lack of resources- these few examples illustrate how educational institutions experience the same troubles faced by corporations and government offices, and then some. At the same time, these stories demonstrate the lack of appropriate IT security as well. Although there is little in the world to stop a crafty slacker from keylogging his professor’s computer, the damage caused by viruses, worms, and exploitable vulnerabilities in the server are completely preventable if educational institutions invest in cyberprotection.