[HN Gopher] Illinois college, hit by ransomware attack, to shut ...
___________________________________________________________________
Illinois college, hit by ransomware attack, to shut down
Author : danso
Score : 165 points
Date : 2022-05-09 15:59 UTC (7 hours ago)
(HTM) web link (www.nbcnews.com)
(TXT) w3m dump (www.nbcnews.com)
| GreedCtrl wrote:
| The college in question is Lincoln College.
|
| This is somewhat confusing because there is a college called
| Illinois College. Because of this news, they are accepting
| transfers from Lincoln for all students in good academic
| standing:
| https://www.ic.edu/news/04-4-2022/illinois-college-extends-b...
| protomyth wrote:
| We were looking at "cyber insurance" for our college and found
| out that we would be disqualified because every network connected
| device (even those on isolated networks) needs to have 2FA. Well,
| we have a network connected CNC machine and it has no provision
| for it. Another institution has the same machine and was denied.
| They tried a lot of gyrations but got nowhere. Even a
| previous security audit would not help.
|
| I get the feeling this is one of those rules set up to make sure
| they don't deal with small institutions with small IT departments
| or they really don't know how much the cost of insurance to them
| will be.
| gowld wrote:
| That rule would apply to larger IT depts too, though, right?
| protomyth wrote:
| I would imagine they are in a better position to negotiate
| and have the resources to make strict rules the insurance
| company would like.
| duped wrote:
| It sounds like they weren't in a great financial situation to
| begin with. Definitely a tragedy to have everything down for
| three months and to find out afterwards that you're not going to
| have enough money to stick around next year.
|
| I wonder what the ransom was and if they paid it.
|
| Side note: Planet Money had an interesting segment on insurance
| claims for things like cyber attacks last week, it's worth giving
| a listen.
| toomuchtodo wrote:
| Cyber insurance premiums are skyrocketing YoY due to ransomware
| attacks based on conversations with clients. Overall, it's
| still a challenge to demonstrate the value of defending against
| them (reducing attack surface, real backups and data recovery
| plans, phishing exercises to see who is click happy and what
| their privileges have access to, etc) to folks who don't
| understand the risk this poses.
|
| Like driving without insurance, it works until it doesn't.
| duped wrote:
| The point they made was some insurance companies consider
| state sponsored cyber attacks as "acts of war" under their
| terms and not covered in their policies. It was part of a
| larger segment on how insurers do or don't insure
| catastrophic events, like pandemics or war.
| jabroni_salad wrote:
| Cyber providers are becoming much more savvy and are starting
| to decide that self-service 'yeah we are totally doing this'
| self-assessment checklists aren't sufficient. I have around
| 20 financial institutions on my client list and 11 of them
| have had their first hands-on penetration test in the past
| year.
|
| A year ago they would just send a laptop with Nessus on it
| and then sign off on a risk sheet full of the usual
| llmnr/netbios/kerberoast/smb1 vulns because they didn't know
| what it meant. Now they will pop your domain administrator
| and refuse your renewal or jack your rates until you get a
| followup pentest demonstrating that those vulns have been
| resolved.
| toomuchtodo wrote:
| Seeing the same at fintechs. "We're compliant." "Prove it."
| anonymousDan wrote:
| Good!
| amelius wrote:
| Another attack made possible by cryptocurrencies.
| bachmeier wrote:
| "Lincoln College was a victim of a cyberattack in December 2021
| that thwarted admissions activities and hindered access to all
| institutional data, creating an unclear picture of Fall 2022
| enrollment projections," the school wrote in its announcement.
| "All systems required for recruitment, retention, and fundraising
| efforts were inoperable."
|
| How is this possible? There's literally not a second copy of the
| data anywhere? The people working in the admissions office didn't
| have a printout and they had absolutely no idea what the numbers
| looked like? It's one thing to have all the videos for online
| classes get locked up in a ransomware attack, but this simply
| cannot be true.
| hsnewman wrote:
| The headline is clickbait. According to the article it says it
| closed due to COVID and the attack.
| hunter2_ wrote:
| Yes, but at the same time, an experienced consumer of headlines
| should parse this syntax as "Illinois college to shut down.
| Illinois college hit by ransomware attack, as well." (i.e.,
| despite weaving the two things together, causation isn't
| actually claimed).
|
| I don't like it, but it's been the nature of the headline game
| since long before clicks.
| pledess wrote:
| My thoughts immediately went to a hypothetical ethical question.
| Suppose that a ransomware threat actor saw the NBC story, felt
| bad that this happened to Lincoln, and offered to make
| (anonymously) the "transformational donation" mentioned in the
| story, while making clear that the source of funds was ransom
| received from other victims. Should Lincoln accept the money?
|
| (In other words, there's a yin and yang situation in which the
| ransomware threat actor happens to have a philanthropic arm.)
| Invictus0 wrote:
| Rephrased more generally, is it ethical to accept donations
| arising from criminal enterprises?
|
| I think most people would say that the answer is no. This topic
| has been widely discussed on HN with regards to the MIT Media
| lab accepting money from Epstein.
| zamadatix wrote:
| The posting on the college's website paints a much bleaker
| picture. The ransomware attack certainly didn't help but the
| school was already near shutting down due to huge drops in
| enrollment from covid and expenses related to implementing remote
| learning. It's not like they were just doing fine and didn't
| think to spend money on IT resulting in an untimely demise; they
| were on the way out and also happened to get hit by ransomware
| during that. I wouldn't be surprised if they weren't doing
| particularly well prior to either of those issues even.
|
| I wouldn't be surprised if there were multiple other things they
| should have been doing to lower operational risk but couldn't
| realistically do given their situation.
| solveit wrote:
| Of course. If the college was otherwise doing well, they would
| be able to get a loan to smooth over a rough patch.
| daniel-cussen wrote:
| Don't assume loans are that simple. Everyone assumes they're
| that simple. They're deadly, it's the compound interest, the
| intrinsically runaway loan, the situation Hell is based on.
| It leads to gambling and prostitution for example. All sins.
| feoren wrote:
| > It leads to gambling and prostitution for example.
|
| That took a wild turn. Does allowing ice fishing on Lake
| Michigan also lead to prostitution?
| daniel-cussen wrote:
| Does ice fishing as you describe involve debt?
| aphexairlines wrote:
| Whoever sold the vulnerable software should be liable for
| damages.
| pc86 wrote:
| How about whoever _wrote_ it?
| chadash wrote:
| I am sympathetic to companies that keep backups of their data,
| but don't have comprehensive plans to _restore_ that data after
| an attack. A company that plans properly might be up-and-running
| within a day or two, but getting to that point isn't easy.
|
| But getting to the point of needing to shut down entirely because
| of a ransomware attack seems like negligence. If your data is
| that vital to you, you really ought to have _some_ backup of it.
| spankalee wrote:
| They got back up and running, but don't have enough enrollment
| to keep the doors open. The ransomware attack is just part of
| the reason - in addition to COVID - but it might have been a
| major factor in them not getting enrollment to the point where
| they could survive.
| taraskuzyk wrote:
| One hell of a way to avoid your CS exam.
| pm90 wrote:
| would be so easy for some random billionaire to cut them a check
| blagie wrote:
| It wouldn't be easy. It seems like they were providing a sub-
| par education at >$30k per year.
|
| https://lincolncollege.edu/file/471/21-22%20Undergraduate%20...
|
| Math runs out at calculus. No computer science. Very few
| programs which would translate to real careers.
|
| Reforming a school like this is much more than cutting a check.
| It's a worthwhile project, but it's a major undertaking.
| UnpossibleJim wrote:
| Would be so easy for the US government to turn community
| colleges into 4 year colleges and make them part
| of the basic curriculum, should students want to continue their
| education for free, while allowing private universities to
| remain just like private primary schools. Our population
| shouldn't have to rely on the whims of billionaires while our
| government wastes billions on no-bid contracts, ridiculous
| military spending and domestic spying programs... I apologize
| for my rant =)
| pm90 wrote:
| No that totally makes sense. It would be a small fraction of
| the defense budget. And having an educated and informed
| populace is just what we need to remain competitive globally.
| Wowfunhappy wrote:
| How did we end up at a point where we are this reliant on the
| internet?
|
| Any truly critical system should not be connected to the public
| internet. Computers with internet connections are for sending
| email and reading Wikipedia. Any data critical to your
| organization should be accessed from separate terminals connected
| via LAN. No VPN, that's still the internet.
|
| Do that, and unless you're the CIA you will never be hacked. You
| can even run Windows XP if you feel like it.
|
| The internet is the root of the problem, and it's time we start
| realizing that some things shouldn't be online.
| jacobr1 wrote:
| The problem is that much (not all) of the business important data
| is involved with the public internet. Take this school for example -
| prospective students applied online. One could imagine sneaker-
| netting the application data to an airgapped network, but that
| introduces its own costs and risks.
|
| Email (or other message systems like Slack) is one of the primary
| tools of business, facilitating communication within an
| organization. You can't do that well with an air-gapped
| network, except to make that network really leaky.
| Wowfunhappy wrote:
| I totally get it, but the internet hasn't been around that
| long. How did we handle this 30 years ago?
|
| I imagine students applied via snail mail, and then someone
| manually entered the information into a database. There's no
| reason to go back to paper applications, and that database
| should absolutely be digital--but I think we could do a lot
| more manual entry.
| elevation wrote:
| Full internet isolation is an underrated solution for critical
| systems. And it doesn't mean the students or staff themselves
| can't use the internet via mobile devices or school-issued
| netbooks -- only that the critical data systems themselves
| aren't accessible online.
|
| Another helper technology that's underused is data diodes,
| which prevent two-way connections but allow one-directional
| data flows, such as security updates for a lab full of
| workstations, or in the other direction, allowing internet
| monitoring of a source-of-truth or sensor while preventing
| internet tampering.
|
| Unfortunately, distributed orgs can't as easily benefit from
| air gaps and data diodes, but they're effective tools when your
| physical boundaries align with your security boundaries such as
| in a lab or around a campus.
| zamadatix wrote:
| Having worked in healthcare up until very recently I can assure
| you a bunch of unpatched XP machines connected via LAN will
| still be rampantly infected regardless if they have access
| to the internet. Wannacry was just absolutely rampant on these
| systems for years. At the same time the publicly inbound
| accessible servers in the DMZ never had an issue because we
| were actually able to manage the security controls on those.
|
| The LAN is a much more used attack vector than the internet. It
| has nothing to do with some hacker sitting there banging at
| your door; users just share files and reuse devices as part of
| their day to day effort. The instant someone in the college
| brings in a compromised USB, intentionally or unintentionally,
| all of the isolation in the world from the internet doesn't
| save you from ransomware.
| Wowfunhappy wrote:
| Why did those machines have uncovered USB ports?
| zamadatix wrote:
| Which machines?
|
| The medical device? They didn't, WannaCry would spread over
| the LAN to the systems silently then when the vendor came
| to do maintenance on a system or an upgrade they would
| become a transport vector between sites.
|
| Generic? Because limiting college computers to only be able
| to work on what you can type into each one you visit makes
| them relatively useless and creates a much larger burden
| than managing security.
| vmception wrote:
| A tragedy
|
| That needs to happen
|
| The humanizing done about how it was something like an HBCU and
| weathered other calamities is sad, should also be a wakeup call
| to other organizations
| rediguanayum wrote:
| I don't know why this was down voted, but I agree, that this
| tragic shutdown makes it clear that ransomware affects the
| real world.
| r00fus wrote:
| Ransomware won't affect legislation until really influential
| players get hacked ruthlessly. And even then they'd pay to
| ensure others don't know they've been hacked.
|
| The "we need more victims to change everyone's minds" is a
| strawman.
| 0des wrote:
| ransomware is a necessary evil
| Loughla wrote:
| Hey, I actually have experience with that school! I did some
| consulting with them about a decade ago.
|
| The ransomware attack certainly didn't help, but it is _wildly_
| misleading to say, or even imply that caused them to shut down.
|
| The actual reasons:
|
| (a) They filled a niche that didn't need to be filled anymore.
| They used to absorb students from other local universities (ISU,
| UIS, UIUC). Those schools have realized the value of helping
| their own students be successful, leading to declining
| enrollment.
|
| (b) They were previously a community college, and began awarding
| bachelor's degrees. They were then fighting in a weight class way
| above what they were used to, and never really got their feet
| under them (to use some mixed metaphors).
|
| (c) They were expensive for the quality. They gave a good
| education, but had zero connections to business and industry to
| justify the cost.
|
| (d) They had a pipeline from Chicago's south and south-east side
| that has recently been sniped by large state schools, leading to
| a decline in enrollment.
|
| For context, I worked with them on enrollment management and
| declining enrollment a decade ago.
| benatkin wrote:
| > Lincoln College is scheduled to close its doors Friday,
| becoming the first U.S. institution of higher learning to shut
| down in part due to a ransomware attack.
|
| In the first paragraph it's saying _in part_.
|
| The article also details other challenges they face. We'll
| never know if they would have found a way to address these
| challenges and survive long-term had this not happened.
| [deleted]
| jacquesm wrote:
| I totally buy that it wasn't the only reason but it is a
| possibility that an already fragile institution would be
| brought down by such an attack, if not this one then some other
| one.
|
| Some constructs are on the edge and kicking them may cause them
| to collapse. It _probably_ will only change the timing but it
| is still the kick that is the first order cause of the
| collapse.
|
| Plenty of institutions are being hit with a perfect storm, two
| years of COVID and associated rules probably didn't help
| either.
| etempleton wrote:
| It was likely the final straw, but certainly if that is all
| it took for the institution to collapse they were going to
| fail soon regardless.
|
| A college or three have failed every year for the past 5
| years or so. There will be more until populations of college
| age students start to grow again. Most small colleges are
| extremely vulnerable.
|
| Size and endowments offer some protection to large and
| wealthy schools.
| haggy102 wrote:
| Greatly appreciate the context. Closures like this are rarely
| (if ever) as one dimensional as the public announcements make
| them appear to be.
| abirch wrote:
| There are many of these colleges that are going under. Their
| competitive advantage was that not everyone could go to the top
| Tier schools so they provide an expensive education. Especially
| when you see what you can do with Bloom Tech (fka Lambda
| School)
| toomuchtodo wrote:
| https://hechingerreport.org/analysis-hundreds-of-colleges-an...
| (Analysis: hundreds of colleges and universities show
| financial warning signs)
|
| https://tuitiontracker.org/fitness/
| tmp_anon_22 wrote:
| > enrollment management
|
| What would be a comparable industry perspective to the way
| colleges fight over tuition generators (students)? Oil
| companies fighting over oil fields?
| nsv wrote:
| Any industry which has clients that pay for a service, I
| guess.
| astrange wrote:
| The difference is that (some) colleges are also motivated
| to get you to apply so they can reject you, because it
| makes them look more exclusive.
| newsclues wrote:
| Don't some financial service businesses operate on
| similar principles?
| astrange wrote:
| Like Amex Centurion cards? They're definitely exclusive
| (or fake-exclusive) but I haven't seen them actually
| advertise rejection rates like colleges sometimes do.
| cheriot wrote:
| Large purchase, most customers choose one and leave the
| market, many possible consumers, seasonal.
|
| Residential solar or real estate agents?
|
| The crazy thing to me about higher ed is that there's large
| loans and everybody qualifies. We'd probably get a better
| skills/job match by including the major in interest rate
| calculations.
| nanidin wrote:
| > We'd probably get a better skills/job match by including
| the major in interest rate calculations.
|
| This brings up the hairy issue that all education should
| not be focused on eventual income generation. We still need
| our English, History, and other majors out there in the
| real world even if we don't expect them to make a great ROI
| on their degrees. Their contributions to society are still
| worthwhile.
|
| I think a policy that incorporates the major into the
| interest rate would drive universities to cut less
| profitable programs, and MAYBE lower tuition for those
| majors.
|
| I think my approach to change the system would be to put a
| cap on the maximum loan that the government will back, and
| have that cap be influenced by major. This would be similar
| to the conventional loan situation for mortgages.
| Loughla wrote:
| Marketing pepsi versus coke maybe? It's all sales if you boil
| it down (sadly).
|
| Actually, in my opinion, one of the main problems in higher
| education today is that the value proposition of the actual
| education and student experience is secondary to the ability
| to market. In other words, new programs are presented by
| faculty (or rarely staff because of politics) and
| administration will immediately ask how this can be sold to
| increase enrollment (read: revenue). In other words, what is
| best for students, in terms of experience and employment
| outcomes, will always take a backseat to what is flashy and
| looks good in a brochure.
| shuntress wrote:
| Well that is the problem with _everything_ , right?
|
| When Profit is the system's main incentive, it can be easy
| for decision makers to start viewing "profit" as an input
| rather than an output.
| newsclues wrote:
| Education is a unique industry and market unto itself. I
| worked in a part of it, and edu is just different than real
| business.
|
| You have government funding, both for research and education.
|
| You have tuition and fees, which students pay but there are
| student loans and grants etc.
|
| You have endowments.
|
| You have alumni and donor funding.
|
| You have schools that develop technology and own profitable
| patents.
|
| Sports is its own topic that I don't know enough about to
| comment on.
| thaumasiotes wrote:
| > Those schools have realized the value of helping their own
| students be successful
|
| Are they helping them in any way other than marking what would
| previously have been a failing grade as a passing grade
| instead?
| Buttons840 wrote:
| Nations should lessen the penalties for white-hat and even grey-
| hat hackers who report their findings. They should have strong
| protections; they are helping all of society and national
| security. Instead, we have politicians and executives who make
| legal threats to cover their mistakes and everyone suffers for
| it. I have this view because I have personally walked away from
| security problems I've discovered simply by pressing F12, I don't
| want the legal hassles and costs.
|
| Sadly, I think we're more likely to see pressing F12 become
| illegal, meanwhile society will lament that half the country's
| personal data is leaked on a weekly basis and ransomware runs
| rampant.
| FrenchDevRemote wrote:
| > Nations should lessen the penalties for white-hat and even
| grey-hat hackers who report their findings.
|
| you mean increase the rewards?
| bowsamic wrote:
| In America they are aggressively prosecuted
| munificent wrote:
| _> Nations should lessen the penalties for white-hat and even
| grey-hat hackers who report their findings._
|
| Digital Good Samaritan laws.
| hinkley wrote:
| There's an overlap between privacy, civil liberties, and
| anti-discrimination concerns where laws that can be
| selectively enforced get disproportionately applied to any
| and all groups that have 'isms' attacking them.
|
| I confess that while I used to spend quite a deal of time
| thinking about this class of problem, I haven't done much of
| it recently, so the following is a mix of potentially
| outdated thoughts and speculative nonfiction.
|
| If you have the privilege to be outside of any or all of
| those groups, I feel like it falls on us to speak up to
| ensure that other people are okay, and Good Samaritan laws
| can be problematic in this respect, because it's too easy to
| convince a jury to deny 'those people' standing.
|
| I wondered in another response if some sort of self-reporting
| system would better serve this space. Possibly 'feature-
| parity' with other citizen-action laws where community
| policing and reporting are carried out. The latter closes out
| a learning opportunity however because you're identifying and
| reporting a suspicion of an issue and allowing The
| Authorities to look into it. "We will take it from here."
| doesn't afford you the opportunity to become part of 'we'.
|
| Perhaps there's precedent with confidential informant laws,
| and we need to reframe white hat hackers under that umbrella.
| hinkley wrote:
| Having better ways to telegraph your intentions is, as far as
| I'm aware, still an issue, and I would support
| improved/expanded methods of 'escrow' for this sort of work.
|
| Way back in college, I talked myself into doing a white-hat
| hack of a service another student was running that I valued
| highly. He had used software with a rather nasty CERT advisory
| outstanding. My attempts failed, which meant he had patched his
| system, probably at the firewall. I shrugged and went on with
| life.
|
| Or at least I tried to, because the next day I got an email
| from him telling me that he saw what I did and if I ever pulled
| shit like that again he'd report me to the Dean's Office. For
| the time, the university had some pretty sophisticated auditing
| tools to backtrack problems including shenanigans of this sort
| and because I was doing something 'good' I had just accessed
| his system straight from my dorm room (I found out shortly
| after that even if I had attempted to remote in he still would
| have been able to send that email).
|
| I offered an "apology" that was about what you'd expect from a
| 20 year old white male: all excuses and rationalization. It
| hadn't quite sunk in yet that this distinction between black
| and white hat existed solely in my brain. I don't even think I
| bothered to tell my roommate what I was planning to do. I had
| zero alibi because I was impulsive. I never did anything like
| that again. If memory serves, I told him I'd never do something
| like that again (which means it was sinking in a little bit),
| and that has been largely true.
|
| In hindsight, I was such an earnest kid that any decent lawyer
| would have been able to get me off with a warning,
| that would have saddled me with debts that would have fucked up
| my 20's, even if we had gotten a good rate through a family
| friend. I'd probably have still failed a background check on
| the piece of software that I worked on in my 30's that is and
| probably will remain one of the mantelpieces of my career.
|
| The Venn diagram of people with a suspicious enough mind to
| think of trying what I did and the personality that would keep
| them out of big trouble is very narrow. But to your point, the
| circles for aptitude, desire, and history are pretty small. As
| it turns out, I didn't enjoy being a low-bus-number person
| responsible for the security of the system, so I now fall
| outside of the 'desire' circle. These days I'm content to help
| people sort out/select auth libraries, configure CA certs, and
| occasionally talk trash about cryptocurrency. I have enough
| other interests that I'm probably booked out until after
| retirement.
| dfxm12 wrote:
| _Way back in college, I talked myself into doing a white-hat
| hack of a service another student was running that I valued
| highly._
|
| "White hat" describes someone acting on behalf of the owner
| of the system being tested. It sounds like you acted on your
| own and thus were grey hat hacking. I only bring this up
| because it has different ramifications, legal, social, and
| otherwise.
| nope96 wrote:
| "Fortunately, no personal identifying information was exposed."
|
| How can they know this?
| edgyquant wrote:
| Maybe the database that was stolen had none? I know my old
| community college just used a pin for everything. Maybe all the
| data tracks to this pin and then another database contains the
| pin to real name/info mapping? Hopefully personal information
| at a college has stricter regulation.
| hakre wrote:
| In this case the pin is the person identifying data. If such
| a database system was used at place and in time of the
| incident, it is known how many individuals are affected and
| what data got out.
|
| It is just not known which individuals in specific.
|
| Should be common to send a notice to all individuals then and
| explain the details so those who are affected do know and can
| act.
| protomyth wrote:
| They might have outsourced their enrollment system like a lot
| of smaller colleges to the vendor (e.g. Empower, Jasmine) and
| not have had the information on servers that were compromised.
| hakre wrote:
| > How can they know this?
|
| No insights on that, but this is more the way I read such
| statements:
|
| This is their report of what they know.
|
| Common sense dictates that this does not mean much as we
| normally only know a fraction of what is.
|
| However it might also be a sign that they are not yet aware of
| much at all as it is that overly unspecific.
___________________________________________________________________
(page generated 2022-05-09 23:01 UTC)