The Quad: UCLA’s cybersecurity system needs an upgrade

For all the think pieces popping up in light of the election about how insulated college campuses are, there’s one thing all that fuzzy, warm protection can’t stop: a cyber attack.

Over a month ago, someone hacked into 76 different universities’ websites and embedded random webpages with links to a gambling site. Earlier this month, a man was arrested after he accessed the ability to reset students’ email passwords at Pace University. In this age of “the internet of things,” he was able to reset the passwords of multiple accounts, including students’ Facebook and iCloud accounts. With access to sensitive information and perhaps even financial details, this man did exactly what you would expect a 29-year-old from Arizona to do – he searched the accounts for nudes. If someone more serious were to hack into UCLA students’ emails, their intentions might be a little more sinister.

As a result, two weeks ago, U.S. Attorney for the Southern District of New York Preet Bharara issued an ominous warning on Twitter, calling the Pace University hack a “wake-up call for universities” to improve their cybersecurity.

[Related: Read more about the ‘internet of things’]

UCLA appears to be in safe hands at the moment. UCLA IT Services carries out weekly scans of systems in order to detect any vulnerabilities and sometimes partners up with departments to do ad-hoc scans of their individual servers. And it seems it’s doing its job well enough – there haven’t been any hacks of any UCLA servers. But our school isn’t devoid of its own vulnerabilities when it comes to the security of its services – especially its email services.

For example, someone with sufficient expertise could use a low-level program like Telnet, which is a protocol that allows you to remotely use a network computer, to connect with a UCLA mail server and communicate with an email client, essentially typing out the commands to do so. This is akin to what a mail application actually does when you send an email.

From here, the attacker could spoof an email, creating a fake sender address that appears to be from a trusted source. But if you send an email to a recipient address ending with ucla.edu, the email gets forwarded to g.ucla.edu, which is the email that UCLA students use. Essentially, one could send an email from an address like [email protected] – which is not the chancellor’s email – to a student, and the email would go through without verification from the server.

Oddly enough, this is expected behavior from the server since the email is originating from campus. According to Vasken Houdoverdov, information security analyst for IT Services, most mail servers work like this and email spoofing could be done with a normal server as well. Michael Story, interim chief information security officer for IT Services, added that if a student were to impersonate the chancellor and send an email, then IT Services would be able to track the IP address back to the sender.

However, this raises questions about how the university would respond if someone spoofed an email using a virtual private network, which enables you to access a network from a location different from where the user is located. This would limit the IT department’s ability to locate the source.

Moreover, locating the sender once an email has already been sent could be futile if he or she already did damage. For example, someone could send a fake email to students during an emergency and even perpetuate a hoax. Considering that during the campus lockdown, someone spread a rumor on Facebook about four shooters spread across campus carrying out a planned attack, we know there is plenty of potential evil to go around. Since several students actually believed that ridiculously fake rumor, freaked out and spread it further, we know that there is also plenty of gullibility here as well.

Moreover, there is also the possibility of convincing phishing attempts. Back in July, someone sent out emails to students from the innocuous-sounding [email protected], asking them to change the password to their webmail account. The admin.ucla.edu address adds a convincing touch to the phishing, at least before the sender’s below-par grammar skills in their email body gave them away.

One way to avoid this would be by using a relatively new system called Domain-based Message Authentication, Reporting and Conformance, which is based upon Sender Policy Framework, a system that is already in existence to verify an email’s sender. DMARC goes a step further in preventing an email from being spoofed. An email that fails to pass DMARC verification can either be quarantined or outright rejected. And UCLA, which prides itself as being at the forefront of information technology, would do well to implement a mail authentication system for its own server.

IT Services might think that the ability to spoof emails to g.ucla.edu addresses is normal for now, but that doesn’t exactly inspire confidence in students, who expect top-of-the-line security for their college careers. And with cyber attacks and phishing attempts only bound to increase, the IT department should seriously consider making improvements in its security.