
CMJ25607

Eccleton
Feature Story
GVSU Cyber Attack
Grand Valley's Banner Self Service System Faces Cyber Attack

"I freaked out," said Miranda upon finding out her personal information might have been breached during a cyber security attack on Grand Valley State University's Banner Self Service System.

In a rapidly evolving digital landscape, security breaches are becoming all too common for user networks and private organizations.

Hackers targeting these networks with thousands upon thousands of users are using robot-driven methods to target weak usernames and personal identification numbers to gain access to sensitive financial information and social security numbers.

These robots run automated scripts in an attempt to guess the login information needed to access the personal accounts of users.

Miranda Holmes, a Grand Valley student, was one of those directly affected by the cyber attack that took aim at the university's Banner Self Service System on Oct. 3.

The Vice President of Enrollment Development at Grand Valley, Lynn McNamara Blue, sent the first email to the students following the attack.

Blue had also served as provost and dean for academic services and information technology at the university.

The email sent to Miranda following the attack stated that some student accounts had been hacked and that she was required to reset her Banner password and security information.

The Banner Self Service System is used by the university to manage both academic and administrative/financial information.

In the wake of the attack Miranda was notified that Grand Valley was not sure to what extent her account had been breached, but it was possible that the last four digits of her social security number, direct deposit information to her bank, and address had been retrieved by hackers during the attack.

Immediately following this news Miranda called Equifax to put a watch on her social security number that had potentially been taken, and called her bank to let them know that information may have been compromised as well.

In a follow-up email on Oct. 5, Blue informed the students that the security team had locked over 21,000 Banner accounts as a result of the cyber attack and an ongoing investigation was underway teamed with law enforcement to find out exactly what had occurred.

During the investigation it was found that fraudulent phone calls were being placed to students and parents stating they owed money to the university and were trying to obtain personal information over the phone.

Leading up to the fraudulent phone call reports, the FBI released a media advisory from their Wisconsin headquarters to the public with information on what to do if targeted by a phone scam.

The advisory was shared with Grand Valley students along with information regarding the Banner attack to keep students posted on current threats to their security.

The hackers were using U.S. government caller identification to scam college students into paying thousands of dollars in false money owed on student loans, delinquent taxes, and overdue parking tickets.

The FBI urged targets of this scam to notify their banking institutions, contact the three major credit bureaus and request an alert on their files, contact local law enforcement, and file a complaint through the Internet Crime Complaint Center at www.IC3.gov.

After the investigation Grand Valley sent a notification to the affected students whose accounts had been breached to inform them that the sections of Banner containing sensitive information were not accessed during the unauthorized sessions.

In a third email to the student body of Grand Valley sent by Blue, new preventative measures were being implemented to help safeguard user information on Banner Self Services.

The new changes to prevent future robot attacks consisted of an additional question at login to prove you are not a robot using a captcha code, requiring stronger password credentials, emailing students when their PIN changes, strengthening security questions, and requiring multiple security questions.

According to captcha.net, "A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot."

By requiring stronger passwords, Grand Valley can help students to guard their Banner accounts with an additional layer of security.

The United States Computer Emergency Readiness Team published an article on the official website for the Department of Homeland Security explaining the importance of having a strong password, how the user can create a safe password, and how to protect passwords once they have been chosen.

The Emergency Readiness Team states that using passwords based on personal information that are easy to remember can be dangerous and make it very easy for hackers to crack them.

One popular method used by hackers is called a dictionary attack, which attempts to guess PINs based on words used in the dictionary.

During the password creation process, the more variables used the harder it will be for the hackers to infiltrate your account.

Methods for creating a strong password involve stringing together a series of words and using memory techniques or mnemonics to help decode the phrase.

The best passwords include both uppercase and lowercase letters in combination with numbers and special characters to add additional layers of security to them.

When a strong password has been created the user must keep it safe, and create separate passwords for all of their accounts in case a hacker is still able to obtain their information.

Never share your passwords over the telephone or email, as hackers will hide themselves behind caller identification or false email accounts to trick users into sharing their usernames and passwords.

Passwords should not be stored or saved in public computers and the user should always log out of any accounts that could be physically accessed by others.

Dinopass.com, passwordsgenerator.net, and lastpass.com are 3 websites that will generate random passwords for the user that meet the criteria described by the Emergency Readiness Team.

An example of a strong password is !RF6GF9tj427.

By following these precautionary procedures users can make it very difficult for hackers to get their hands on their personal information by guessing their passwords through the use of robots.

The morning of Nov. 17 the Banner Self Service network went offline again around 5 a.m. and continued to cut out throughout the morning for unknown reasons.

Another student affected by the breach in security was junior Ted Rider.

The morning after the attack Rider went to the library to study and was denied access to his account.

He immediately called the information technology help desk regarding his account where he was guided through the necessary steps to regain access and change his PIN.

Rider said, "I was notified during the ordeal but didn't think it would happen to me."

As hackers continue to find ways to break past network security walls it is important for users to understand there are security measures they can carry out on their own to minimize risk to themselves and their personal information.

When Miranda was asked about the attempted cyber attack situation as a whole she responded, "I felt pretty upset about the situation because I always thought GV was invisible and when my account got hacked, it was kind of a reality check that things happen and you have to protect your own information and be proactive in fixing mistakes."

After changing her password to make it more difficult to compromise and with the implementation of the new captcha code, Miranda still didn't feel her information was 100 percent safe.

"I'm kind of worried about this happening again, but I changed my password and made it more difficult, so it should be better. But it is always a worry once it happens once," Miranda concluded.