Howard University Announces Ransomware Attack, Shuts Down Classes On Tuesday

An anonymous reader quotes a report from ZDNet: Howard University announced on Monday that it has been hit with a ransomware attack, forcing the school to shut down classes on Tuesday, according to a statement from the prominent HBCU. The school said that on September 3, members of their technology team noticed "unusual activity" on the university's network and shut it down in order to investigate the problem. They later confirmed it was a ransomware attack but did not say which group was behind the attack.

"The situation is still being investigated, but we are writing to provide an interim update and to share as much information as we safely and possibly can at this point in time, considering that our emails are often shared within a public domain," Howard University said in a statement. "ETS and its partners have been working diligently to fully address this incident and restore operations as quickly as possible; but please consider that remediation, after an incident of this kind, is a long haul -- not an overnight solution." The school has contacted law enforcement and is working with forensic experts on the issue. They claim there is "no evidence of personal information being accessed or exfiltrated" but noted that the investigation is ongoing. The school was forced to cancel all classes on Tuesday in order to address the issue and the campus is only open to essential employees. Even the campus Wi-Fi is down. They noted that some cloud applications will remain accessible to students and that they will continue to update students and faculty at 2pm each day.

"This is a moment in time for our campus when IT security will be at its tightest. We recognize that there has to be a balance between access and security; but at this point in time, the University's response will be from a position of heightened security," the school added. "This is a highly dynamic situation, and it is our priority to protect all sensitive personal, research and clinical data. We are in contact with the FBI and the D.C. city government, and we are installing additional safety measures to further protect the University's and your personal data from any criminal ciphering. You will receive additional communications from ETS over the course of the next few hours and continuing into the next few days, especially surrounding phishing attempts and how to protect your data online beyond the Howard University community."

Lame

[Aighearach]

We recognize that there has to be a balance between access and security

If you're willing to sacrifice security in order to allow access, then of course you're going to get p0wned.

You're not actually supposed to give enhanced access without authentication, so this is a false dichotomy. It is supposed to be inconvenient to access things that would allow a ransomware attack. This isn't the 1980s with computer applications all sharing the same global memory pool.

Re:

[Ostracus]

An institution dedicated to the spirit of openness and the spirit of security are opposing forces.

Re:

[Aighearach]

I was talking about IT, what are you talking about?

Re:

[sabbede]

And yet their doors all have locks. You can have openness and security, so long as you don't mistake permissiveness for openness. You can be open and still require people get permission for access to specific resources. If the college of medicine has an fMRI, access probably isn't on a first-come first-serve basis. That isn't contrary to the spirit of openness, it's necessary in order to make sure the students who need it for their studies aren't blocked by people who just want to see what their brain l

Re:

[ubergeek65536]

Any access can be enhanced access with the right exploit.

Re:

[Aighearach]

False.

That's a bare assertion containing an absolute; it didn't even have a chance at being correct!

Next time, try including a viable idea with your dumb assertion. And maybe if you try to use some words of explanation, you'll figure out on your own how much needed to even loosely support the claim.

Re:

[ubergeek65536]

Banks get hacked, Facebook and Yahoo get hacked, even the CIA got hacked. They employ some of the best security experts on the planet.
Nothing is completely safe.

Re:

[Aighearach]

Another argument premised on an absolute.

Yes, everybody knows that nothing is perfectly safe, nothing has perfect security, etc.

Everybody knows that, you're not being insightful or know-y by making that claim.

My bank hasn't been hacked. Maybe your bank has been. Is it luck? Or are there differences in security practices?

What is the point you're arguing? You were offering a defense of Howard University by claiming that "any access can be enhanced access with the right exploit."

I pointed out that isn't true.

Re:

[jabuzz]

Yes not so easy when redeploy is several PB of research data. I could probably redeploy the OS on my HPC in a day from backup. That is apart from the clustered file system. That would take a couple of weeks.

Re: Lame

[Kelxin]

No, they don't employ the best security in the world. They balance the cost of being violated against their insurance and find the cheapest labor to meet the "minimum bar" so that their insurance will think that they're actually trying and will pay out when they do get hacked. Businesses in this day get hacked out of sheer negligence.

Re:

[Aighearach]

IN OTHER WORDS. They are saying that they are INCREASING SECURITY and REDUCING ACCESS AT THIS MOMENT.

False. You're extrapolating technical details from public statements. The people making the public statements do not even understand the technical details. Those are general characterizations that somebody made in order to make people feel better.

Re:

[gweihir]

That is BS. People need to be able to work and that always means some reasonable degree of exposure and access. Also, this is not about unauthenticated access. It is about really bad software (I am looking at you, Microsoft), that is exceptionally hard to secure _with_ authenticated access. Abysmally stupid ideas like HTML-Emails or automatic opening of attachments did create nice opportunities for criminals in the past and now the criminals have gotten more sophisticated.

Re:

[Aighearach]

"Being able to work" does not need to imply, "has remote access that can affect the entire system."

You really really want to argue with me, but you undercut your attempt by pointing at MS. You may simply have sysadmin experience, and so don't understand that your complaints about the software support my point. You can have the same access to "getting work done" without having access to encrypting all the data. There are lots of steps that can be taken to limit access to the range of work that might need to

Re:

[gweihir]

Nope. You do not understand how such an attack works today. It is not an one-step process. What happens is that attackers compromise a user, escalate privileges and then move laterally. The last two steps can be repeated several times. And each time, a vulnerability is used, of which "modern" computer systems have way too many. That means in each step one of the "limits" you so naively propose is _already_ in place, but can be circumvented. The "system" is compromised only at the end of that process, in MS

Windows?

[innocent_white_lamb]

What do you suppose the chances are that their network was a bunch of Microsoft Windows machines?

I don't imagine there'd be any takers for bets against that....

Every time I read this sort of article I wonder why so many large companies and organizations still run their stuff on Windows when there are so many secure and usable solutions out there that actually give the system administrator control over what's installed and what traffic is going where.

Re:

[geekmux]

I wonder why so many large companies and organizations still run their stuff on Windows when there are so many secure and usable solutions out there that actually give the system administrator control over what's installed and what traffic is going where.

#1: The business desktop, still runs on Windows. You can attempt to dispute, ignore, or dismiss that statement all you want, but you'd be wrong.

#2: Secure and usable solutions? Oh you mean like a centralized desktop management system that enables SysAdmins to remove local admin rights in favor of pushing and managing all software deployments from a central location in an automated manner using limited Domain Admin service accounts?

In other words, why do you think products like Solarwinds and Kaseya were ta

Re:

[innocent_white_lamb]

Solarwinds and Kaseya were targeted, millions (billions?) of dollars of damages resulted, and there's still no move to migrate away from a proven-insecure operating system.

How much of a wake-up call is needed?

Re:

[geekmux]

Solarwinds and Kaseya were targeted, millions (billions?) of dollars of damages resulted, and there's still no move to migrate away from a proven-insecure operating system.

How much of a wake-up call is needed?

Talk to your middle schools through colleges. There is a reason Windows is still the dominant business desktop, and that is due to brainwashing that starts very young. Not to mention I've yet to find a business that can get away from Excel, no matter what multi-million dollar ERP nightmare is tracking the business. MS Excel might as well be the fresh ground coffee in every financial degree. Bean counters and bean suckers can't live without either.

The day Microsoft stops dominating business is the day cy

Re:

[sabbede]

Uh, no? Windows is the dominant business desktop because of businesses, not schools.

Take a look at what computers schools are actually buying if you don't believe me - https://hechingerreport.org/la... [hechingerreport.org]

Re:

[geekmux]

Uh, no? Windows is the dominant business desktop because of businesses, not schools.

Take a look at what computers schools are actually buying if you don't believe me - https://hechingerreport.org/la... [hechingerreport.org]

First off, your article is from 2018 and from a technology perspective, that might as well be ancient history. If the destruction of Microsoft was "actually" happening, then I haven't seen jack shit regarding the evidence of it.

Lastly, it's going to take a hell of a lot longer to convince American Business that they can thrive and survive on the alternatives (Linux/OSX). Remember this is highly political, (as in Donor Class status), which is even more justification to understand such change does NOT happe

Re:

[sabbede]

Okay, well find a more recent report that shows otherwise. You probably won't, because schools tend to have very tight budges and chrome devices are the cheapest available. Now was I trying to say MS is being destroyed, just that your argument that Windows was so popular because of the education system didn't hold water. And it still doesn't. If anything, the causal arrow goes the other direction, with schools teaching students on the platform they'll most likely need to know for work. Or would if budg

Re:

[geekmux]

...If anything, the causal arrow goes the other direction, with schools teaching students on the platform they'll most likely need to know for work.

Really? And what work platform would that be today, specifically?

You can stop pretending that some other OS is the dominant platform for desktops in business. Middle schools might have "tight" budgets. By the time you get to the influential age of high school and college, you're going to find Microsoft OS, with parents buying the hardware, not schools.

And when Adobe had a stranglehold on marketing, Apple was dominant. That's hardly the case anymore, as you can easily find companies who are Apple-free

Re:

[geekmux]

Uh, no? Windows is the dominant business desktop because of businesses, not schools.

Take a look at what computers schools are actually buying if you don't believe me - https://hechingerreport.org/la... [hechingerreport.org]

American Business and their hiring filters, have basically per-determined that you better have experience with Microsoft OS and specifically MS Office. Otherwise, you're probably not getting hired. And that experience often comes from education, which is the entire reason companies like Microsoft spend billions to ensure their products remain in schools today.

To put it another way, outside of IT support, take a look at how often employers are asking potential hires about their experience with Linux or OSX

Re:

[geekmux]

Solarwinds and Kaseya were targeted, millions (billions?) of dollars of damages resulted, and there's still no move to migrate away from a proven-insecure operating system.

How much of a wake-up call is needed?

Products like Solarwinds and Kaseya were targeted because of the rather massive benefit to hackers to be able to distribute malware very effectively with those types of central-management/administration products.

I kind of doubt any other OS connected to those products in that way would have fared much better. OSX isn't exactly immune to malware, and regardless if your "god" level account is called Domain Admin or Root, you're still able to play "god" and wreak havoc en masse with these types of products.

Re:

[jabuzz]

A number of Linux based HPC systems where compromised last year. A mix of the use of cluster fuck that is SSH keys (you see users don't fucking protect them with passphrases you as an admin have no way of knowing and well you get the picture) and a lack of patching.

Re:

[gweihir]

In other words, why do you think products like Solarwinds and Kaseya were targeted...

Indeed. The sad fact of the matter is that he whole Microsoft ecosystem is deeply broken and deeply vulnerable. It is just fundamentally insecure architecture everywhere with tons of patches on top that cannot really fix the fundamental flaws. MS basically relies on software not having flaws. As that is (at least at present) a goal that cannot be reached, MS crap will remain insecure and much of the industry takes its clues from MS and is not much better.

Any good engineer knows that redundancy is the key to

Re:

[sabbede]

Are you surprised that most attacks target the most popular platform? If Linux dominated it would be the most heavily targeted and people would be saying the same things about it that you're saying about Windows. And it isn't like there aren't ransomware strains that target *nix systems out there already.

As for your claims about Windows administration, I really don't see a whole lot of validity to them. You're saying I can't do things that I in fact do.

Why cancel all classes?

[b0s0z0ku]

Most instructors have their slides and notes on their personal laptops, so can just plug HDMI into a projector. There's also nothing wrong with skipping the Powerpoints and PDFs and just lecturing using a whiteboard, as almost everyone did until about 10 years ago. Did this also affect some type of critical building systems?

Re:

[Aighearach]

What about students who require a special accommodation that is provided via their network services? They can just fall behind?

Re:Why cancel all classes?

[aardvarkjoe]

So you have the choice of "a large majority of students get the benefit of extra instructional time" and "nobody gets any extra instructional time", and you pick #2? How progressive of you.

Re:

[Aighearach]

That's right, deal with it. Why do you need special privileges? And why do you have a right to "extra" time? Like, bonus points? For what? Why are you so deserving of that?

Are you worried you're not studious enough to make up the missed classes on equal footing with the other students? As in, a special accommodation?

Re:

[aardvarkjoe]

That's right, deal with it. Why do you need special privileges? And why do you have a right to "extra" time? Like, bonus points? For what? Why are you so deserving of that?

No. Accommodations that lift people up are one thing. Sabotaging people -- which is what you want to do, in the form of canceling scheduled classes that will help people -- in the name of "equal footing" is pure stupidity.

Re:

[Aighearach]

If having a level playing field makes you feel like you were sabotaged, you're asking for a really big accommodation for your disability.

Perhaps the school already offers student counseling services, and they can provide you with the necessary mental health support to accept this?

Re:

[aardvarkjoe]

If having a level playing field makes you feel like you were sabotaged, you're asking for a really big accommodation for your disability.

I kind of wonder why you think that this mode of obtuse argument and personal attack is clever and whether you think that it would convince anyone to support your position.

While it may be worth debating the point of where the line lies between accomodating students with disabilities and sabotaging those without, you're obviously not worth having the conversation with.

Re:

[Aighearach]

I kind of wonder why you think that this mode of obtuse argument and personal attack is clever

I wonder why you think I would want to be "clever" or why I would care what you think about it?

Here is what I care about: The very small percent of intelligent replies. The rest of you can fuck off, honestly.

Re:

[Anonymous Coward]

Dude, you're coming off like a super arrogant pedant. Maybe, when you read something you think is fundamentally flawed, just pass it by. It can't be healthy to be this argumentative with everybody.

Re:

[RobinH]

Do you understand that there are other countries out there competing with us, who aren't stupid enough to hold back the bulk of their population just to make sure a couple stragglers don't have to catch up? Those countries are going to overtake and smoke us. Thinking like this is ridiculous and self-destructive. They tried this equal outcomes crap throughout the 20th century all over the world. It was called Marxism, and every country that tried it failed miserably. Please, for the love of humanity, le

Re:

[RobinH]

Yes, that's what progressivism has become, not making sure we pull everyone along with us, but hammering any nail that sticks out, including 99% of the nails if there's one that's a bit lower.

Re:

[Random361]

What about students who require a special accommodation that is provided via their network services? They can just fall behind?

No, I think the thought was that since they can't reasonably provide that special accommodation at this time, they kind of just have to deal with it. The other students shouldn't necessarily have to suffer from that. I fully understand your point, but I think it's a little more complex than that. And this is from someone who had a physical disability for about a year and was one of those people that fell into the "special accommodation" group. (And I realize that is worlds away different from feeling like y

Re:

[sabbede]

By a whole day? Yeah, I think they'll manage.

Re:

[Ostracus]

Covid-19 [youtube.com] and climate change are making education [youtu.be] harder.

Re:

[geekmux]

Did this also affect some type of critical building systems?

Yes, apparently critical thinking was disabled about 10 years ago, in favor of mindless educators who are incapable of thinking "out of the box" to use a simple analog teaching device instead of insisting they need to stream their job from the intertubes.

One would think teachers in classrooms would WANT to justify their in-person existence these days. Amazon Education is coming for your ass otherwise, and there's not a damn thing your "tenure" is going to do to protect you.

Re:

[gweihir]

It is not that. It is that a lot of teachers (regardless of level) are not really good. I believe, if really needed, I could teach my lectures with nothing but the students taking notes and me talking. Sure that would result in a significantly different experience, but it would still work. I believe every good teacher can do something similar. As to having to move from slides on a computer to white/blackboard with very little notice, I have done that several times. I always have a printed copy of my slides

Re:

[sabbede]

What's the old saying? Something like, "the best classroom is a log with a teacher sitting on one end and a student sitting on the other"?

Did Harvard throw out all their dry-erase markers and chalk? Is there some reason math, physics, biology, geology, history, anthropology, economics, or almost any other field can't be taught without computers involved? I mean, that's how all my classes were from kindergarten through grad school. There was a film course in there that used a VCR (because that's how o

Re:

[radarskiy]

"Most instructors have their slides and notes on their personal laptops, "

Who the fuck would be using their personal equipment for work? Who the fuck would be letting them use their personal equipment for work? Most importantly, in the middle of a security incident who the fuck would want to bring thier personal equipment into the middle of it?

Re:

[sabbede]

Yeah, I was wondering that myself. That seems like a problem in the administrative offices, not the classrooms.

Now, I realize that the university system's primary focus is now on supplying administrators with cash, but they could at least pretend that they're still interested in education as well.