
Rutgers Uses Inadequate and Outdated Cyber Security Practices

Administration Under Fire For Long Wait Before Acknowledging Repeated Attacks
Rutgers University refuses to answer any questions about its cybersecurity practices. Charlie Kratovil

NEW BRUNSWICK, NJ—Rutgers University's computer networks are vulnerable due to their inadequate and outdated security practices.

The university refuses to confirm or deny whether this is true, or whether such weaknesses helped facilitate recent "cyberattacks" launched against it.

The FBI is now investigating the distributed denial of service (DDoS) attacks against Rutgers, which lasted from Friday, March 27 through Monday, March 30.

The attacks kept students and faculty from accessing several online learning tools, as well as email and any other service that required logging in.

According to the server test page at the Qualys SSL Labs website, Rutgers University's www.rutgers.edu internet domain receives a "B" ranking due to numerous security weaknesses.

New Brunswick Today knows of no suggestion that these particular weaknesses may have facilitated the recent DDoS attacks, but does question whether the known weaknesses indicate a broader pattern of weak security, and whether such a pattern may have facilitated the recent DDoS attacks.

The weaknesses found by Qualys include, among others, vulnerable obsolete technology like “RC4”, and failure to support updated technologies such as Transport Layer Security (TLS) 1.2, or even the older, outdated TLS 1.1.

Instead, all users connecting to the server are forced to use the original TLS 1.0 protocol, which dates back to 1999, a time when the cybersecurity landscape was far more simplistic.

"The server supports only older protocols, but not the current best TLS 1.2," reads the Qualys report.

In many cases, Rutgers uses a "cipher" method called "RC4" that Microsoft, over a year ago, recommended should be totally disabled and never used at all.

"Use of RC4 in TLS and SSL could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions," reads Microsoft Security Advisory #2868725, published in November 2013.

So-called "man in the middle" (MITM) attacks are ones where hackers trick both networks and their users.

An MITM attacker intercepts traffic between a network and a user. The attacker, in communications with the user, impersonates the network. The attacker, in communications with the network, impersonates the user.

The attacker can pass information back and forth between the user and the network, in such a way as to deceive both to think they are communicating directly with each other, instead of indirectly through an attacker.

The attacker, for example, might present the user with a screen simulating the online banking login screen for the user’s bank. The user might think he is logging into his trusted bank, when in fact, he is passing his secure banking password directly to the attacker’s simulation.

The attacker can then use this password to open a real login session on the bank’s website, to get further information needed to continue deceiving the user. The attacker can pass information back and forth, so that the entire session completes without either the user or the network ever detecting the attacker’s involvement as middleman.

The attacker could then, at a later date, use the user’s secure banking password to drain the user’s bank accounts, or to obtain other information useful in further attacks against either the user or the bank.

MITM attacks are only one example of a broad spectrum of security vulnerabilities created or worsened by weak security practices.

"Microsoft strongly encourages customers to evaluate, test and implement the options for disabling RC4 below to increase the security of clients, servers and applications," reads a Microsoft "call to action" from the same day.

"Microsoft recommends TLS1.2 with AES-GCM as a more secure alternative which will provide similar performance."

Rutgers refuses to confirm or to deny whether the RC4 and TLS issues exist at all, or might be indicators of broader problems with the school's cybersecurity practices.

Don Smith, the university's VP of Information Technology and CIO, declined to speak with New Brunswick Today about the school's cybersecurity protections.

Smith has been with the university since 1979 and earns a $225,029 annual salary, according to public records.

"Don has asked me to refer you to someone else," said a secretary for Smith, who forwarded us to a "media relations" employee.

"The university has implemented new safeguards in the wake of the DDoS incident," said the university spokesperson. "We do not discuss our network security measures."

Subsequent Qualys scans show Rutgers still uses RC4, still fails to support TLS 1.2 and 1.1, and still has the other security weaknesses that lead to its unchanged grade of “B” from Qualys.

New Brunswick Today was not the first to publicize inadequate cyber security at Rutgers.

New Jersey’s Office of the Comptroller, in response to widespread bad publicity about financial practices within the University’s athletics department, released its January 19, 2011 report auditing contracting and selected financial management practices of Rutgers.

The audit, while it focused on deficient financial practices, did warn of deficient cyber security for the university-wide Rutgers Integrated Administrative System (RIAS), which is used to manage the University’s financial resources and personnel.

U.S. Government cyber security programs teach that large organizations should not exclusively rely on outside criticism or actual cyber attacks to reveal security weaknesses.

Instead, the government says they should have ongoing internal procedures constantly reviewing, improving, and updating cyber security, so as to anticipate evolving threats and to prevent attacks before they happen.

Rutgers refuses to say if it has any such procedures. 

The University also appears to have had some advance warning of the most recent attack, in the form of a much smaller DDoS attack earlier in the month.

New Daily Targum coverage suggests the recent attacks may be related to the previously undisclosed March 4 DDoS attack, which was then kept quiet both by the newspaper and the Rutgers administration.

"A while back you had an article that talked about the DDoS attacks on Rutgers," the alleged attacker wrote to the Targum on March 4, referencing a November 19 DDoS attack.  "I'm the one who attacked the network."

"This might make quite an interesting story," the attacker continued.  "I will be attacking the network once again at 8:15PM EST. You will see sakai.rutgers.edu offline."

The Targum notified the university's Office of Information Technology and said that Rutgers CIO Don Smith asked them to wait before writing about it.

Three weeks passed before a third attack, this one the largest yet.

Rutgers students were outraged as the university remained silent while internet problems plagued the on-campus computer network for an entire weekend, and those off-campus saw outages in certain services lasting even longer.

Various parts of the Rutgers website, including the main homepage, were down intermittently throughout the attacks.  The Sakai online education software was unavailable to some for as long as four days.

The university remained virtually silent about the attacks for more than 48 hours, save for a few postings on Rutgers-owned Twitter accounts with relatively small followings.

And when the school finally did come clean, and admit they were suffering from an attack, they had little to say about what had happened.

Rutgers would only say that they had not detected any "breaches" of "confidential information," in a four-sentence email to students that came more than 48 hours into the problems.

Sophisticated attackers who do breach a target’s confidential information can sometimes prevent that target from detecting the breach.  For example, attackers may alter security logs to cover their tracks.

Rutgers refuses to answer any questions about the extent of its ability to determine whether or not confidential information was breached, either during the recent DDoS attacks, or at any other time.

DDoS attacks do not inherently involve theft of or damage to data, but they can serve as a cover or a diversionary tactic while data are stolen or damaged.

While media reports have indicated the attacks were coming from China and Ukraine, the alleged attacker has claimed to be a local person attacking through control over hacked machines in numerous countries.

Some internal emails show that the Rutgers University Police Department is involved in the investigation.

DDoS attacks use two or more computers to send large numbers of messages to a target network, which may be incapacitated by its inability to process abnormal or unusually heavy traffic.

In an interview, the alleged hacker has claimed to control a “bot-net” of more than 80,000 machines that the attacker does not own but took control of by hacking.  The alleged attacker claims to have used this massive bot-net to attack Rutgers.

According to an October 2014 article on NJ.com, Rutgers University Vice President Bruce Fehn announced plans to spend $300,000 on an outside cybersecurity firm.

The university did not answer a question about whether or not a firm had actually been hired.