
Ontario Based College Online Network Held Hostage for $65K~ by Hacker

Go to solution Solved by leadeater,

Quote

"A virus encrypted a significant portion of the school's online network ... hackers held files hostage in exchange for approximately $54,000 or 30 bitcoins" ... "The hack targeted Cambrian's web portals, grade report and student learning management systems where assignments are submitted."

Local context: The CBC article probably screwed up here and has the USD value of the bitcoin, but in reality the college would have to pay out $64895.52 Canadian (if it comes to that). OUCH. For an institution of this size, that is a huge amount. They only have less than 10k student enrollment *read aside*. I have a friend who attends this school. The grades are still not out and he is very frustrated. Luckily for the majority of students, the educational year is over as Winter Semester is finished. Although, students who have courses in the spring-summer semester are still adversely affected. Classroom teaching computers and media centers were brought down by the attack. It also seems that the College has no interest in paying the ransom.

 

Students and faculty at Cambrian College in Sudbury, Ont., are being advised not to use campus computers during the hack. 

A letter from the School IT dep, attempted to quarantine the Viral Malware attack. 

Quote

"Students and faculty at Cambrian College in Sudbury, Ont., are being advised not to use campus computers during the hack"

Article Summary:

- Malware attack by hacker(s)

- Hack targeted the online infrastructure responsible for grades

- School wide campus computer system crippled 

- As of May 5, grades have still not been released; long overdue

- Police notified 

- Mass student frustration

- Due dates for assignments are extended

- Summer registration completely derailed

 

Source: 

 

http://www.cbc.ca/news/canada/sudbury/cambrian-college-ransomware-hack-1.4093634

 

Aside: 

- For all you Americans or others: in Canada a "College" is usually (more like legally) defined as a post-secondary institution that deals with diplomas, usually with a skill-related discipline (Trade, Biz Admin). Unlike "universities" that deal with degrees that, although they can deal with skill-related disciplines, are usually associated with STEM, Lib Art, or Social Arts (i.e. Engineers, Scientists, Lawyers).

- In summary: Universities are what Americans usually call Colleges; the American equivalents of colleges are sometimes called Community College or Trade School.

 

Edited by GoodBytes
Fixed formatting

and that, my friends, is why you have BACKUPS

I used to be quite active here.


Just now, Kobathor said:

and that, my friends, is why you have BACKUPS

Yea, but the big issue is that the network is brought down. No grades, no semester registration. The classroom computers are even down. It's not so much that data is at risk, as much as the school is crippled.


2 hours ago, MoistyMcMoistface said:

Yea, but the big issue is that the network is brought down. No grades, no semester registration. The classroom computers are even down. It's not so much that data is at risk, as much as the school is crippled.

 

They only grade electronically? The professors don't know how to grade?

I don't go to Canadian post-secondary school, so maybe it's common to do zero physical grading. But wouldn't the professors know how to grade papers without the computers?

I used to be quite active here.


They'd probably pay 'em off I guess?? #Canadians

Details separate people.


27 minutes ago, Kobathor said:

They only grade electronically? The professors don't know how to grade?

I don't go to Canadian post-secondary school, so maybe it's common to do zero physical grading. But wouldn't the professors know how to grade papers without the computers?

1. No, not every student lives on campus; there are hundreds who are E-Learners, and they can't submit the papers in the first place.

 

2. Not talking about papers, we are talking about final grades for the semester. There is a lot of privacy law here in Canukastan, so no, you're wrong in assuming that profs can just "go back to physical grading". Now that the School spent a fortune setting up their PIPED compliant system that took lots of planning to set up, they can't just flip to the old way of giving out information pre-internet at the drop of a hat. You can't just write the students' highly private final grades on a napkin!

 

See: https://en.wikipedia.org/wiki/Personal_Information_Protection_and_Electronic_Documents_Act


Just now, Tech_Dreamer said:

They'd probably pay 'em off I guess?? #Canadians

No it looks like the IT dep has got things mostly contained and are just working to restore System functionality. 


Just now, MoistyMcMoistface said:

No it looks like the IT dep has got things mostly contained and are just working to restore System functionality. 

good to hear that

Details separate people.


2 hours ago, MoistyMcMoistface said:

1. No, not every student lives on campus; there are hundreds who are E-Learners, and they can't submit the papers in the first place.

 

I guess that makes sense for the people who physically cannot be there.

2 hours ago, MoistyMcMoistface said:

2. Not talking about papers, we are talking about final grades for the semester. There is a lot of privacy law here in Canukastan, so no, you're wrong in assuming that profs can just "go back to physical grading". Now that the School spent a fortune setting up their PIPED compliant system that took lots of planning to set up, they can't just flip to the old way of giving out information pre-internet at the drop of a hat.

 
 

Grades are grades.. Privacy laws? What's against the law for students to know their grades? I guess it's for students knowing other people's grades, but even then, I doubt scholars are itching to steal their friend's grades to see how they did. Super weird. 

2 hours ago, MoistyMcMoistface said:

A law for E-commerce and the protection of online purchases? If they ask for the permission of the student, they wouldn't even be violating those guidelines. Also, I fail to see how disclosing a final grade to a student via email or similar is illegally disclosing personal information. It's not like the professor would throw their credit card information in the email, too..  I think you're blowing it way out of proportion. You might not be, but it seems silly to me.

 

Also, the school would already be in violation of this act, since their system got hacked, and the students' private information is at risk.

2 hours ago, MoistyMcMoistface said:

You can't just write the students' highly private final grades on a napkin!

https://en.wikipedia.org/wiki/Straw_man

I never suggested writing their grades on a giant chalkboard in front of a lecture hall. You're just making up silly stuff.

I used to be quite active here.


Oh hey (iirc) a similar thing happened to the University of Calgary last year.

 


not as crippled as my school's computers and network speeds

 

few words: upload is 10x faster, we still use iMac G5s.


Everyone must really like Arts and Crafts to have it named collage. :P

 


On 5/7/2017 at 2:47 AM, Kobathor said:

and that, my friends, is why you have BACKUPS

Crypto ransomware can sometimes infect network backups and NAS. 

On 5/7/2017 at 2:42 AM, MoistyMcMoistface said:

Classroom teaching computers and media centers were brought down by the attack. It also seems that the College has no interest in paying the ransom.

While an anti-malware app is only as good as the latest signatures, some third party ones have extra features that can detect unwanted encryption and can even roll back malicious actions of unknown crypto ransomware. Examples of which are enterprise versions of Bitdefender and Kaspersky Lab. 

There is more that meets the eye
I see the soul that is inside

 

 


The only safe backup is one that's not physically connected to anything.

That means connecting it for backup, once it's done disconnect it.


5 minutes ago, NumLock21 said:

The only safe backup is one that's not physically connected to anything.

That means connecting it for backup, once it's done disconnect it.

Depending on the cloud storage service, it can sometimes be better than local backups. Assuming what Microsoft says is true, once a file is uploaded to OneDrive, it creates shadow copies of the file that can be later retrieved even after a ransomware infection. 

There is more that meets the eye
I see the soul that is inside

 

 


On 5/6/2017 at 1:42 PM, MoistyMcMoistface said:

Aside: 

- For all you Americans or others: in Canada a "College" is usually (more like legally) defined as a post-secondary institution that deals with diplomas, usually with a skill-related discipline (Trade, Biz Admin). Unlike "universities" that deal with degrees that, although they can deal with skill-related disciplines, are usually associated with STEM, Lib Art, or Social Arts (i.e. Engineers, Scientists, Lawyers).

- In summary: Universities are what Americans usually call Colleges; the American equivalents of colleges are sometimes called Community College or Trade School.

It is the same in the US. People just don't know how to use the proper reference when talking about them.

Universities are made up of colleges. We also have Tech and Vocational Colleges where you get skill-related certificates (Non-liberal arts) and 2 year degrees (aka Associates degrees).


No one should pay ransoms at all.  When you pay the ransom you only encourage them or others to do it more.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


On 5/7/2017 at 4:51 AM, Kobathor said:

They only grade electronically? The professors don't know how to grade?

I don't go to Canadian post-secondary school, so maybe it's common to do zero physical grading. But wouldn't the professors know how to grade papers without the computers?

No, usually you put the student scores in Excel spreadsheets, add up all the marks and turn them into a grading score such as (A,B,C,D,E,F) or similar. You try manually converting more than 100 students' grades, with around 10 tests each.

 

They do grading but they have to add them all up ...

Magical Pineapples

On 5/7/2017 at 6:51 AM, Kobathor said:

They only grade electronically? The professors don't know how to grade?

I don't go to Canadian post-secondary school, so maybe it's common to do zero physical grading. But wouldn't the professors know how to grade papers without the computers?

It's not the act of grading that is the issue, it's the recording and distributing of the grade.

 

For example here in my country we have the Ministry of Education and New Zealand Qualifications Authority who are responsible for a lot of things and two of those are certifying a course as being compliant to NZQA level of education it is claiming to be and that all students that have enrolled in the course have their grades recorded in the national database of academic achievement.

 

Every student has a National Student Number (NSN) and our entire academic history is recorded from the last 3 years of high school onward, this information is very important not only for the student but also the educational institute and the government. Academic institutes are funded by the number of enrolled students and their pass rates which those institutes have to report on, the national database serves many purposes one of which allows for reporting on institutional performance and also to make sure students are not defrauding the government by enrolling in more than one institute and claiming multiple student loans or allowances when they are not entitled to.

 

Most countries have similar systems in place.

 

You can't give a student their grade if you can't ensure its integrity and correctness; if you do and they dispute the grade later and they don't match up, whose was correct?


On 5/6/2017 at 0:53 PM, Kobathor said:

A law for E-commerce and the protection of online purchases? If they ask for the permission of the student, they wouldn't even be violating those guidelines. Also, I fail to see how disclosing a final grade to a student via email or similar is illegally disclosing personal information. It's not like the professor would throw their credit card information in the email, too..  I think you're blowing it way out of proportion. You might not be, but it seems silly to me.

In Canada, our privacy laws are so strict that emails violating the CANSPAM act can result in $10,000 fines. For each email sent. Any business-related or marketing email sent to email addresses controlled by any Canadian resident who has NOT consented to receiving said email is in violation of this act, which closely aligns with the strictness of our Privacy Act. The burden of proof of consent is on the sender of such emails.

 

In this example, disclosing any private information via email is technically a violation of our Privacy Act, unless you've PGP encrypted the email, which we all know the general public has no idea of. This is because email itself travels unencrypted over the internet, relying on the security of 3rd party servers outside of Canada that cannot be guaranteed secure. By using a controlled grading system requiring students and faculty to login to servers maintained by the university, they can fully control the way the data is stored and retrieved. Of course, it won't guarantee it will remain secure, as seen in this exemplary story, but it will keep any breaches subject to Canadian law so that our legal system can resolve any internal or external breaches.

 

However, with permission from the student, they indeed could arrange for other means to disclose their grades, similarly to someone consenting to receive marketing emails from a business. Problem is by the time they get consent from all the students and faculty, then implement a new method for sending said emails, after spending hours re-entering grades, they'll have remediated the existing threat to their existing systems.

On 5/6/2017 at 0:53 PM, Kobathor said:

Also, the school would already be in violation of this act, since their system got hacked, and the students' private information is at risk.

While we should absolutely 100% assume the data has been stolen, as we should in ANY cyber attack, they aren't in violation of the Privacy Act unless it can be proven the data has indeed been stolen. However, you're absolutely right that the private information should be assumed to be at risk until the situation is assessed and they figure out how and to what level the hack has been performed.


16 minutes ago, kirashi said:

While we should absolutely 100% assume the data has been stolen, as we should in ANY cyber attack, they aren't in violation of the Privacy Act unless it can be proven the data has indeed been stolen. However, you're absolutely right that the private information should be assumed to be at risk until the situation is assessed and they figure out how and to what level the hack has been performed.

Even if proven to be stolen that doesn't mean they are in breach of the act, you're only guilty if found negligent in the care of that private data. Theft is theft and you're not liable for someone else's criminal act unless you also did something wrong. That is no different if someone broke in to the physical vault of academic records using an armored truck and plasma cutters/torches etc.

 

If you made the data as safe and secure as you reasonably could and legally had to it's not your fault if it gets stolen or breached, you can't be infinitely secure and even organizations with many times the IT funding still get breached.


6 minutes ago, leadeater said:

If you made the data as safe and secure as you reasonably could and legally had to, you're not at fault if it gets stolen or breached, you can't be infinitely secure and even organizations with many times the IT funding still get breached.

True this. Makes sense, since nothing can be considered 100% secure. This is where a good disaster insurance plan can come in handy, both for the organization and its users.


3 hours ago, kirashi said:

-snip

 

Thanks for the info! Makes a lot more sense now.

I used to be quite active here.


On 06/05/2017 at 7:42 PM, MoistyMcMoistface said:

SNIP!

Could you please amend the title, you mis-spelled college and it's messing with my OCD qualities..

 

I did check that this wasn't in fact about a collage in Ontario :D

 

Please quote my post, or put @paddy-stone if you want me to respond to you.


1 hour ago, paddy-stone said:

Could you please amend the title, you mis-spelled college and it's messing with my OCD qualities..

 

I did check that this wasn't in fact about a collage in Ontario :D

 

Damn it, you beat me to the joke, was so prepared to do that but then read your second line.
