Sitting in a political science lecture with Professor Wendy Schiller, one blogger learned that Brown had legal and functional access to our Brown email accounts. It wasn’t exactly surprising; what was more surprising was that, when he shared this information with a fellow blogger, neither of them had ever given this any thought.
After talking to Dr. Pendse, we went to David Sherry, Chief Information Security Officer, to find out what “30,000 daily attacks on the Brown server” really means.
Before gaining an understanding of the magnitude of the attacks, we first had to understand what phishing attacks are. Phishing comes in the form of spam emails aiming to extract private data and information from accounts on a server. More specifically, they might say your “email account is about to be deleted because your inbox is full. To reset the account, please enter your password here.” Some phishing scams purport themselves to be representing the IRS and even ask for your social security number.
Most phishing attacks are automated; a vast majority are “digital door rattling,” meaning people scanning looking for open ports to exploit. In other words, if they gain access to a Brown account and begin spamming other Brown accounts from this initial compromised account, they gain legitimacy, as one is more likely to open an email from another Brown address.
While some phishing emails aim to directly attack and redirect funds, like faculty’s HR benefits or student’s social security numbers in hopes of opening a credit card under their name and even stealing their identities, many times, exploiting Brown’s network is not the end goal.
“Last year, over 552 million people had their identities stolen”: NYT http://t.co/Nfj9pyHIAi
— Fareed Zakaria (@FareedZakaria) December 3, 2014
“It’s not so much about attacking Brown. It’s about covering their tracks,” Sherry said. Many hackers merely use Brown accounts to hack into other servers.
This is no small issue. Brown’s server is inundated with spam mail; a shocking 90 percent of emails sent to Brown gateway get blocked. An average of 30,000 emails a day are phishing attacks and the number can be as high as 60,000. Sherry stated that a large portion of the attacks originate in North Korea and Nigeria, a nation infamous in the tech world as a hotbed of phishing attacks.
While the 30,000 figure may be shocking, it’s the same at peer institutions and even larger at massive corporations. Sherry came from Citizens Bank to Brown six years ago and said the number of daily phishing attacks was the same there.
While most of the mail gets blocked, that which gets through poses a serious threat. Since July 1, there have been 157 successful phishing attacks, meaning someone on the Brown server accidentally gave their information to hackers. 97 of these attacks have been since September 1. 60 percent of the successful attacks are on undergraduates.
It’s not going away, either. Phishing is extremely lucrative; digital door rattling is cheap, and even one successful hack is more than enough for hackers to break even.
“People don’t have to rob a bank anymore. They can just rob people’s accounts,” Sherry said.
Not only is it lucrative, but there’s nothing that the world’s best IT security force can do about it.
“We can build the most secure architecture the world has ever seen, but if somebody gives away their ID and password, there’s not much I can do for that,” he said.
However, Sherry did warn that no legitimate business, or even Brown, for that matter, will ever ask for your Brown ID and password. Furthermore, there are usually small signs that the sender is not legitimate. Sherry gave an example of a phishing scam that replicated Brown’s Shibboleth URL, except the URL was going to Russia. While a minute detail, seeing that would’ve stopped people from opening the email and falling prey to the scam.
If a student or faculty member gives out their social security number, there’s nothing one can do to retrieve it. Instead, one must undergo a rigorous monitoring process, contacting the social security administration and checking credit reports to make sure someone isn’t opening a credit card under their name.
But, if a Brown account gets compromised, the administration has the ability to go in and reset it. Given that the administration has only accessed a student’s email address three times in the past six years without their consent, the main reason for their access is clearly to protect us from phishing and the like.
Exceptions to this rule only occur when the administration is seriously concerned about a student’s health and well being. The three aforementioned cases were all instances of missing students, in which the administration entered the student’s account only to see whether or not they had sent any emails since the time of their disappearance. If this was the case, Brown contacted Google, our server provider, to find out where the IP address was from so they could potentially locate the student. None of the emails were read.
Protecting our privacy and preventing any abuse of its ability to access our emails is of utmost importance to CIS. “I’m a zealot over this,” Sherry said. “This just won’t happen under my watch, and it all goes through me.”
Video shot by Jokichi Matsubara ’18 and edited by Frida Perez ’17