Campus Web site servers attacked

IUS Horizon

IU Southeast’s web servers experienced a malicious attack on Aug. 5 that brought down the school’s Web site for a week.

Larry Mand, vice chancellor of Information Technology, said the attack was a SQL injection attack. SQL stands for Structured Query Language, a database language.

Mand said the IT department began working on the problem immediately.

“We tried to gather as quickly as we could a panel of experts to deal with the crisis that included members of our local web team and outside experts,” Mand said.

The panel included members from UITS, the IT Security Office, IUS network and Web teams and representatives from an outside firm, Robert Half Technology.

A basic temporary Web site was put up on Friday, Aug. 8 and another version was put up on Aug. 11 to direct visitors to core functions like Onestart, Oncourse and e-mail. These services were not affected by the attack.

“They don’t run on our Web site. Those are major information systems that are presented using the Web,” Mand said. “They aren’t actually part of the site.”

The Web site went back online at 4 p.m. on Aug. 15.

“When they released it again and exposed it to the Internet, it was no longer vulnerable,” Mand said.

Mand said this is the first major attack the IU Southeast servers have been hit by.

“We’ve never had the Web site out of service for any significant amount of time at all,” he said.

He said there were several reasons the attack was so successful.

“One of the reasons our site was successfully attacked was that it is so functional,” Mand said.

He said the click-through functionality of the site and its reliance on databases made it vulnerable to the attack. He said that was why a flat-page Web site was put up temporarily.

“Flat-page Web sites were not vulnerable to this attack because they didn’t have databases behind them,” he said.

He said the fully functional Web site could not be put back online until all of its vulnerabilities had been fixed, because the attack was still continuing after the initial trouble.

“They reset the servers and they were immediately attacked again,” Mand said.

Another reason the attack was successful, Mand said, was that it targeted a specific piece of software that IU Southeast’s site happens to use.

“It was a conjunction of two or three circumstances,” Mand said. “It was sort of the perfect storm, I guess you could say.”

Mand said hiring Robert Half Technology was the only out-of-pocket expense, but there was a large expense of manpower from the members of the team fixing the problem.

“They worked long hours all through the weekends and into the nights identifying vulnerabilities, their locations in our databases, removing them and creating additional defenses against later attacks,” Mand said.

Lee Staton, director of Media Service, said hiring the firm only cost a few hundred dollars because their services were not used extensively.

Mand said the attack was a global attack not directed specifically at IU Southeast’s servers.

Staton said the IT Security Office is working closely with law enforcement, but Mand said it is unlikely they will be able to find the source of the attack.

“It’s unlikely we’ll ever be able to pin that down and it would likely be of limited value, because it’s likely from offshore.”

He said the attack looked like it was coming from China, but could be someone bouncing the attack off of servers in China to make the country look bad.

Staton said extensive work was done to make the site more secure against future attacks.

“Once we had the attack, we said we want to be that much safer,” he said.

He said changes were made in the way parts of the site, such as Web forms, are coded, and software was used to help keep attackers from getting into the site and to try to identify other potential weaknesses.

“We were trying to beef up the front door with one program and then using the other program to try to get rid of the vulnerabilities,” Staton said.

Mand said the added defenses will help, but they are not impenetrable.

“It’s much less likely something like this will happen again, but it’s never certain,” he said.

“Hackers are out there looking for holes that haven’t been identified and patched,” Mand said. “There’s no way to anticipate that.”

“It was a devastating attack and it exposed a problem that we obviously weren’t prepared for,” Mand said. “We learned a lot from recovering from it and we are certainly in better shape than we were before.”

Staton said he was pleased with the response to the crisis.

“I have never worked with a group of people where everybody came together like the different departments involved did, both here and in Bloomington,” he said.

Staton said when he considered what could be done better next time, he couldn’t think of much.

“The only thing I know we could do differently is that we had to build a temporary Web site,” he said. “It would have been nice to have that ahead of time.”

He said that this is now taken care of, because they will keep the temporary site they made after this attack to use in the future.