Share |

Rutgers Computer Networks Crippled by Hacker AGAIN

Cyber-Attack Takes Down Key Rutgers Servers For Second Time in a Month
Only Cash Sign
A sign at a Livingston campus shops tells customers with credit cards that they can't be accepted due to a "network outage." Daniel Munoz

NEW BRUNSWICK, NJ—Since about 10:21am on April 27, many of the computer networks at Rutgers University have been experiencing outages, apparently the result of yet another cyber-attack on the university.

Students were outraged to find that several services were not working, including wireless internet access, several online learning tools, and even the ability to accept credit and debit cards at some on-campus stores.

It couldn't come at a worse time for students and teachers who depend on access to online learning tools like Sakai and eCollege to prepare for final exams, papers, and projects.

And it's just days before the deadline for many high school seniors across the country decide which college they will attend in the fall.

Administrators were also forced to postpone scheduled class registration for the Fall semester, which is done through an online system that requires the use of the Central Authentication Server (CAS), a critical server affected by the attack. 

The latest incident marks at least the fourth time that Rutgers has sufferred from a distributed denial of service (DDoS) attack this school year.

Previous attacks on November 19 and March 4 had minimal impacts, but another one that lasted for four days, beginning on March 27, affecting a wide variety of university services and shattering confidence in the university's cybersecurity practices.

As we reported shortly thereafter, Rutgers uses outdated and inadequate cybersecurity practices and officials refused to answer any questions about them.

As the March 27 attack played out, the university did not use its major digital tools for information sharing, such as the @RutgersU Twitter account and the school's official Facebook page to notify users of the problems.

Instead, only selected employees received vague notices about "security scans" on the first day of the attacks, and the school was largely silent for much of the weekend.

"The university is running security scans on many of its networks.  It seems to be causing a number of disruptions to services," read the email from Chief Information Officer Don Smith.

Students and most other users were left in the dark until well into the third day of network outages.

On March 29, the school finally admitted it had been hacked, and the Daily Targum subsequently revealed that Rutgers had been aware of a similar attack weeks earlier, but it was kept under wraps.

This time around, the university was somewhat more forthcoming with confirmation of technical difficulties, though they still have not publicly acknowledged whether or not the outages were the result of a deliberate attack.

"The #Rutgers network is experiencing technical difficulties. We are working to resolve it and will post updates. Thank u for your patience," the university tweeted at 1:11pm.

Then at 6:01pm, the university provided a timetable for another update, but no new information: "OIT staff are working on it. Next update tomorrow at 8:30 am."

"We apologize for the continuing inconvenience," Rutgers Information Technology posted on their Facebook page, also promising a new update at 8:30am on Tuesday, April 28.

The alleged hacker has an online presence as well, apparently using the Twitter account @ogexfocus.  That user has successfully has predicted when many of the outages would occur, and taken responsiblity for them.

The individual behind that account gave an interview to a local web designer during the March 27-31 attacks, saying that he or she was being paid $500/hour to initiate the DDoS attacks and was not a Rutgers student.

"When I stop getting paid – I’ll stop DDosing lol," wrote the alleged hacker.  "I’m hoping that RU will sign on some ddos mitigation provider. I get paid extra if that happens."

But the user has been largely quiet since the prior attack came to an end, posting "bye internet" on March 30 before going silent.

Weeks later, the user returned to Twitter with the phrase: "i am not dead" on April 24, and "I had nothing to do with the network issues over the past 2 weeks," on April 25. 

Rutgers had recently hired a Kansas-based Fishnet Security to a six-figure consulting contract to help improve the security practices at the school.

"Rutgers retained a firm (Fishnet) to assist in evaluating and developing security practices to govern the management of sensitive data," said spokesperson EJ Miranda.

"The agreement was awarded in January, 2015 for $307,000," said Miranda.  "They began work in February to assist the university in evaluating and developing security practices to govern the management of university data."

The attacker felt that it was not money well spent, according to a tweet published on the day of the most recent atatck.

"Maybe if a fraction of the money ($300,000) supposedly spent on Cybersecurity was actually spent on Cybersecurity, this wouldn't be so easy."