88 comments

[ 3.2 ms ] story [ 168 ms ] thread
I am sympathetic to companies that keep backups of their data, but don't have comprehensive plans to restore that data after an attack. A company that plans properly might be up-and-running within a day or two, but getting to that point isn't easy.

But getting to the point of needing to shut down entirely because of a ransomware attack seems like negligence. If your data is that vital to you, you really ought to have some backup of it.

They got back up and running, but don't have enough enrollment to keep the doors open. The ransomware attack is just part of the reason - in addition to COVID - but it might have been a major factor in them not getting enrollment to the point where they could survive.
One hell of a way to avoid your CS exam.
A tragedy

That needs to happen

The humanizing done about how its was something like an HBCU and weathered other calamities is sad, should also be a wakeup call to other organizations

I don't know why this was down voted, but I agree, that this tragic shutdown makes it clear that Ransomeware affects the real world.
ransomware is a necessary evil
Ransomware won't affect legislation until really influential players get hacked ruthlessly. And even then they'd pay to ensure others don't know they've been hacked.

The "we need more victims to change everyone's minds" is a strawman.

Nations should lessen the penalties for white-hat and even grey-hat hackers who report their findings. They should have strong protections; they are helping all of society and national security. Instead, we have politicians and executives who make legal threats to cover their mistakes and everyone suffers for it. I have this view because I have personally walked away from security problems I've discovered simply by pressing F12, I don't want the legal hastles and costs.

Sadly, I think we're more likely to see pressing F12 become illegal, meanwhile society will lament that half the country's personal data is leaked on a weekly basis and ransomware runs rampant.

> Nations should lessen the penalties for white-hat and even grey-hat hackers who report their findings.

Digital Good Samaritan laws.

There's an overlap between privacy, civil liberties, and anti-discrimination concerns where laws that can be selectively enforced get disproportionately applied to any and all groups that have 'isms' attacking them.

I confess that while I used to spend quite a deal of time thinking about this class of problem, I haven't done much of it recently, so the following is a mix of potentially outdated thoughts and speculative nonfiction.

If you have the privilege to be outside of any or all of those groups, I feel like it falls on us to speak up to ensure that other people are okay, and Good Samaritan laws can be problematic in this respect, because it's too easy to convince a jury to deny 'those people' standing.

I wondered in another response if some sort of self-reporting system would better serve this space. Possibly 'feature-parity' with other citizen-action laws where community policing and reporting are carried out. The latter closes out a learning opportunity however because you're identifying and reporting a suspicion of an issue and allowing The Authorities to look into it. "We will take it from here." doesn't afford you the opportunity to become part of 'we'.

Perhaps there's precedent with confidential informant laws, and we need to reframe white hat hackers under that umbrella.

> Nations should lessen the penalties for white-hat and even grey-hat hackers who report their findings.

you mean increase the rewards?

In America they are aggressively prosecuted
No, I mean they need stronger protections. Knowing that I would probably prevail and get justice after spending 10s of thousands of dollars on lawyers was not enough protection for me to speak up about what I saw after pressing F12, and I suspect I'm not the only one who simply chooses to keep quiet and let the world burn. Give me stronger legal protection if you want my help.
Having better ways to telegraph your intentions is, as far as I'm aware, still an issue, and I would support improved/expanded methods of 'escrow' for this sort of work.

Way back in college, I talked myself into doing a white-hat hack of a service another student was running that I valued highly. He had used software with a rather nasty CERT advisory outstanding. My attempts failed, which meant he had patched his system, probably at the firewall. I shrugged and went on with life.

Or at least I tried to, because the next day I got an email from him telling me that he saw what I did and if I ever pulled shit like that again he'd report me to the Dean's Office. For the time, the university had some pretty sophisticated auditing tools to backtrack problems including shenanigans of this sort and because I was doing something 'good' I had just accessed his system straight from my dorm room (I found out shortly after that even if I had attempted to remote in he still would have been able to send that email).

I offered an "apology" that was about what you'd expect from a 20 year old white male: all excuses and rationalization. It hadn't quite sunk in yet that this distinction between black and white hat existed solely in my brain. I don't even think I bothered to tell my roommate what I was planning to do. I had zero alibi because I was impulsive. I never did anything like that again. If memory serves, I told him I'd never do something like that again (which means it was sinking in a little bit), and that has been largely true.

In hindsight, I was such an earnest kid that any decent lawyer could have would have been able to get me off with a warning, that would have saddled me with debts that would have fucked up my 20's, even if we had gotten a good rate through a family friend. I'd probably have still failed a background check on the piece of software that I worked on in my 30's that is and probably will remain one of the mantelpieces of my career.

The Venn diagram of people with a suspicious enough mind to think of trying what I did and the personality that would keep them out of big trouble is very narrow. But to your point, the circles for aptitude, desire, and history are pretty small. As it turns out, I didn't enjoy being a low-bus-number person responsible for the security of the system, so I now fall outside of the 'desire' circle. These days I'm content to help people sort out/select auth libraries, configure CA certs, and occasionally talk trash about cryptocurrency. I have enough other interests that I'm probably booked out until after retirement.

Way back in college, I talked myself into doing a white-hat hack of a service another student was running that I valued highly.

"White hat" describes someone acting on behalf of the owner of the system being tested. It sounds like you acted on your own and thus were grey hat hacking. I only bring this up because it has different ramifications, legal, social, and otherwise.

It sounds like they weren't in a great financial situation to begin with. Definitely a tragedy to have everything down for three months and to find out afterwards that you're not going to have enough money to stick around next year.

I wonder what the ransom was and if they paid it.

Side note: Planet Money had an interesting segment on insurance claims for things like cyber attacks last week, it's worth giving a listen.

Cyber insurance premiums are skyrocketing YoY due to ransomware attacks based on conversations with clients. Overall, it’s still a challenge to demonstrate the value of defending against them (reducing attack surface, real backups and data recovery plans, phishing exercises to see who is click happy and what their privileges have access to, etc) to folks who don’t understand the risk this poses.

Like driving without insurance, it works until it doesn’t.

The point they made was some insurance companies consider state sponsored cyber attacks as "acts of war" under their terms and not covered in their policies. It was part of a larger segment on how insurers do or don't insure catastrophic events, like pandemics or war.
Cyber providers are becoming much more savvy and are starting to decide that self-service 'yeah we are totally doing this' self-assessment checklists aren't sufficient. I have around 20 financial institutions on my client list and 11 of them have had their first hands-on penetration test in the past year.

A year ago they would just send a laptop with Nessus on it and then sign off on a risk sheet full of the usual llmnr/nebios/kerberoast/smb1 vulns because they didn't know what it meant. Now they will pop your domain administrator and refuse your renewal or jack your rates until you get a followup pentest demonstrating that those vulns have been resolved.

The posting on the colleges website paints a much bleaker picture. The ransomware attack certainly didn't help but the school was already near shutting down due to huge drops in enrollment from covid and expenses related to implementing remote learning. It's not like they were just doing fine and didn't think to spend money on IT resulting in an untimely demise they were on the way out and also happened to get hit by ransomware during that. I wouldn't be surprised if they weren't doing particularly well prior to either of those issues even.

I wouldn't be surprised if there were multiple other things they should have been doing to lower operational risk but couldn't realistically do given their situation.

Of course. If the college was otherwise doing well, they would be able to get a loan to smooth over a rough patch.
Don't assume loans are that simple. Everyone assumes they're that simple. They're deadly, it's the compound interest, the intrinsically runaway loan, the situation Hell is based on. It leads to gambling and prostitution for example. All sins.
> It leads to gambling and prostitution for example.

That took a wild turn. Does allowing ice fishing on Lake Michigan also lead to prostitution?

I borrowed $10 from a friend for lunch once and within a year I was having to give out handjobs by the waterfront just to pay off the interest.
I believe you. I mean I know you think you're making stupid-sounding shit up, but you are not. There are real loans like that. There's extra steps in between, the loan shark has game. But borrow $10 from the wrong guy and it will get worse. It can absolutely be that slippery.
I... do not believe the university is particularly likely to fall down that path.
How did we end up at a point where we are this reliant on the internet?

Any truly critical system should not be connected to the public internet. Computers with internet connections are for sending email and reading Wikipedia. Any data critical to your organization should be accessed from separate terminals connected via LAN. No VPN, that's still the internet.

Do that, and unless you're the CIA you will never be hacked. You can even run Windows XP if you feel like it.

The internet is the root of the problem, and it's time we start realizing that some things shouldn't be online.

The problem is that much (not all) the business important data is involved the public internet. Take this school for example - prospective students applied online. One could imagine sneaker-netting the application data to an airgapped network, but that introduces its own costs and risks.

Email (or other messages systems like slack) are one of primary tools of business, facilitating communication within an organization. You can't do that well with an air-gapped network, except to make that network really leaky.

I totally get it, but the internet hasn't been around that long. How did we handle this 30 years ago?

I imagine students applied via snail mail, and then someone manually entered the information into a database. There's no reason to go back to paper applications, and that database should absolutely be digital—but I think we could do a lot more manual entry.

25 years ago: carefully hand-write half-page essays on pre-printed application forms, attach $50 checks for application fees, beg your mother to drive your procrastinating self to the downtown post office by 5pm on December 31.

Start receiving long-awaited envelopes around Spring Break, and speculate on whether said envelopes were thin because they contained simple rejection letters, or because the desired financial aid details would follow the next week.

Having worked in healthcare up until very recently I can assure you a bunch of unpatched XP machines connected via LAN will still be rampantantly infected regardless if they have access to the internet. Wannacry was just absolutely rampant on these systems for years. At the same time the publicly inbound accessible servers in the DMZ never had an issue because we were actually able to manage the security controls on those.

The LAN is a much more used attack vector than the internet. It has nothing to do with some hacker sitting there banging at your door users just share files and reuse devices as part of their day to day effort. The instant someone in the college brings in a compromised USB, intentionally or unintentionally, all of the isolation in the world from the internet doesn't save you from ransomware.

Why did those machines have uncovered USB ports?
Which machines?

The medical device? They didn't, WannaCry would spread over the LAN to the systems silently then when the vendor came to do maintenance on a system or an upgrade they would become a transport vector between sites.

Generic? Because limiting college computers to only be able to work on what you can type into each one you visit makes them relatively useless and creates a much larger burden than managing security.

Full internet isolation is an underrated solution for critical systems. And it doesn't mean the students or staff themselves can't use the internet via mobile devices or school-issued netbooks -- only that the critical data systems themselves aren't accessible online.

Another helper technology that's underused is data diodes, which prevent two-way connections but allow one-directional data flows, such as security updates for a lab full of workstations, or in the other direction, allowing internet monitoring of a source-of-truth or sensor while preventing internet tampering.

Unfortunately, distributed orgs can't as easily benefit from air gaps and data diodes, but they're effective tools when your physical boundaries align with your security boundaries such as in a lab or around a campus.

Hey, I actually have experience with that school! I did some consulting with them about a decade ago.

The ransomware attack certainly didn't help, but it is wildly misleading to say, or even imply that caused them to shut down.

The actual reasons:

(a) They filled a niche that didn't need to be filled anymore. They used to absorb students from other local universities (ISU, UIS, UIUC). Those schools have realized the value of helping their own students be successful, leading to declining enrollment.

(b) They were previously a community college, and began awarding bachelor's degrees. They were then fighting in a weight class way above what they were used to, and never really got their feet under them (to use some mixed metaphors).

(c) They were expensive for the quality. They gave a good education, but had zero connections to business and industry to justify the cost.

(d) They had a pipeline from Chicago's south and south-east side that has recently been sniped by large state schools, leading to a decline in enrollment.

For context, I worked with them on enrollment management and declining enrollment a decade ago.

Greatly appreciate the context. Closures like this are rarely (if ever) as one dimensional as the public announcements make them appear to be.
> enrollment management

What would be a comparable industry perspective to the way colleges fight over tuition generators (students)? Oil companies fighting over oil fields?

Any industry which has clients that pay for a service, I guess.
The difference is that (some) colleges are also motivated to get you to apply so they can reject you, because it makes them look more exclusive.
Don't some financial service businesses operate on similar principals.
Like Amex Centurion cards? They're definitely exclusive (or fake-exclusive) but I haven't seen them actually advertise rejection rates like colleges sometimes do.
Large purchase, most customers choose one and leave the market, many possible consumers, seasonal.

Residential solar or real estate agents?

The crazy thing to me about higher ed is that there's large loans and everybody qualifies. We'd probably get a better skills/job match by including the major in interest rate calculations.

> We'd probably get a better skills/job match by including the major in interest rate calculations.

This brings up the hairy issue that all education should not be focused on eventual income generation. We still need our English, History, and other majors out there in the real world even if we don't expect them to make a great ROI on their degrees. Their contributions to society are still worthwhile.

I think a policy that incorporates the major into the interest rate would drive universities to cut less profitable programs, and MAYBE lower tuition for those majors.

I think my approach to change the system would be to put a cap on the maximum loan that the government will back, and have that cap be influenced by major. This would be similar to the conventional loan situation for mortgages.

> We still need our English, History, and other majors out there in the real world even if we don't expect them to make a great ROI on their degrees.

I agree, but getting them from an expensive private school is a luxury.

> I think my approach to change the system would be to put a cap on the maximum loan that the government will back, and have that cap be influenced by major. This would be similar to the conventional loan situation for mortgages.

Some kind of cap is a really good idea. Especially if that means state schools are covered, but not the entire 80k/year of a private one.

The way student loans are difficult to discharge in bankruptcy means a lot of kids make a mistake they'll spend the rest of their life trying to get away from.

> This brings up the hairy issue that all education should not be focused on eventual income generation.

Why would anyone in the middle or lower income class spend money on a college degree that was not geared toward increasing their income?

There is a reason that journalism graduates predominantly come from wealthy families.

There are legions of starving artists that are probably better qualified to answer that than me :)
Marketing pepsi versus coke maybe? It's all sales if you boil it down (sadly).

Actually, in my opinion, one of the main problems in higher education today is that the value proposition of the actual education and student experience is secondary to the ability to market. In other words, new programs are presented by faculty (or rarely staff because of politics) and administration will immediately ask how this can be sold to increase enrollment (read: revenue). In other words, what is best for students, in terms of experience and employment outcomes, will always take a backseat to what is flashy and looks good in a brochure.

Well that is the problem with everything, right?

When Profit is the system's main incentive, it can be easy for decision makers to start viewing "profit" as an input rather than an output.

Education is a unique industry and market on to itself. I worked in a part of it, and edu is just different than real business.

You have government funding, both for research and education.

You have tuition and fees, which students pay but there are student loans and grants etc.

You have endowments.

You have alumni and donor funding.

You have schools that develop technology and own profitable patents.

Sports is its own topic that I don't know enough about to comment on.

Oil wells last more than 4 years. Most of these colleges have effectively no endowment and not close to enough state funding. Maybe leasing cars or code boot camps?
> Lincoln College is scheduled to close its doors Friday, becoming the first U.S. institution of higher learning to shut down in part due to a ransomware attack.

In the first paragraph it's saying in part.

The article also details other challenges they face. We'll never know if they would have found a way to address these challenges and survive long-term had this not happened.

(comment deleted)
I totally buy that it wasn't the only reason but it is a possibility that an already fragile institution would be brought down by such an attack, if not this one then some other one.

Some constructs are on the edge and kicking them may cause them to collapse. It probably will only change the timing but it is still the kick that is the first order cause of the collapse.

Plenty of institutions are being hit with a perfect storm, two years of COVID and associated rules probably didn't help either.

It was likely the final straw, but certainly if that is all it took for the institution to collapse they were going to fail soon regardless.

A college or three have failed every year for the past 5 years or so. There will be more until populations of college age students starts to grow again. Most small colleges are extremely vulnerable.

Size and endowments offers some protection to large and wealthy schools.

> Those schools have realized the value of helping their own students be successful

Are they helping them in any way other than marking what would previously have been a failing grade as a passing grade instead?

"Fortunately, no personal identifying information was exposed."

How can they know this?

> How can they know this?

No insights on that, but this is more the way I read such statements:

This is their report of what they know.

Common sense dictates that this does not mean much as we normally only know a fraction of what is.

However it might also be a sign that they are not yet aware of much at all as it is that overly unspecific.

Maybe the database that was stolen had none? I know my old community college just used a pin for everything. Maybe all the data tracks to this pin and then another database contains the pin to real name/info mapping? Hopefully personal information at a college has stricter regulation.
In this case the pin is the person identifying date. If such a database system was used at place and in time of the incident, it is known how many individuals are affected and what data got out.

It is just not known which individuals in specific.

Should be common to send a notice to all individuals then and explain the details so those who are affected do know and can act.

They might have outsourced their enrollment system like a lot of smaller colleges to the vendor (e.g. Empower, Jasmine) and not have had the information on servers that were compromised.
The headline is clickbate. According to the article it says it closed due to COVID and the attack.
Yes, but at the same time, an experienced consumer of headlines should parse this syntax as "Illinois college to shut down. Illinois college hit by ransomeware attack, as well." (i.e., despite weaving the two things together, causation isn't actually claimed).

I don't like it, but it's been the nature of the headline game since long before clicks.

Whoever sold the vulnerable software should be liable for damages.
How about whoever wrote it?
“Lincoln College was a victim of a cyberattack in December 2021 that thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections,” the school wrote in its announcement. “All systems required for recruitment, retention, and fundraising efforts were inoperable."

How is this possible? There's literally not a second copy of the data anywhere? The people working in the admissions office didn't have a printout and they had absolutely no idea what the numbers looked like? It's one thing to have all the videos for online classes get locked up in a ransomware attack, but this simply cannot be true.

We were looking at "cyber insurance" for our college and found out that we would be disqualified because every network connected device (even those on isolated networks) needs to have 2FA. Well, we have a network connected CNC machine at it has no provision for it. Another institution has the same machine and was denied. They tried every a lot of gyrations but got nowhere. Even a previous security audit would not help.

I get the feeling this is one of those rules setup to make sure they don't deal with small institutions with small IT departments or they really don't know how much the cost of insurance to them will be.

That rule would apply to larger IT depts too, though, right?
I would imagine they are in a better position to negotiate and have the resources to make strict rules the insurance company would like.
> We were looking at "cyber insurance" for our college and found out that we would be disqualified because every network connected device (even those on isolated networks) needs to have 2FA. Well, we have a network connected CNC machine at it has no provision for it.

How enforceable is this? Why could you not just leave that machine out of your inventory?

Well, if something goes wrong and we do an insurance claim, they would take a look and not pay our claim. I am not quite good enough to hide the CNC machine. Ask any homeowner how good these folks are at avoiding paying claims.
would be so easy for some random billionaire to cut them a check
It wouldn't be easy. It seems like they were providing a sub-par education at >$30k per year.

https://lincolncollege.edu/file/471/21-22%20Undergraduate%20...

Math runs out at calculus. No computer science. Very few programs which would translate to real careers.

Reforming a school like this is much more than cutting a check. It's a worthwhile project, but it's a major undertaking.

Would be so easy for the US government to turn community colleges into 4 year colleges and make them part of them part of the basic curriculum, should students want to continue their education for free, while allowing private universities to remain just like private primary schools. Our population shouldn't have to rely on the whims of billionaires while our government wastes billions on no-bid contracts, ridiculous military spending and domestic spying programs... I apologize for my rant =)
No that totally makes sense. It would be a small fraction of the defense budget. And having an educated and informed populace is just what we need to remain competitive globally.
My thoughts immediately went to a hypothetical ethical question. Suppose that a ransomware threat actor saw the NBC story, felt bad that this happened to Lincoln, and offered to make (anonymously) the "transformational donation" mentioned in the story, while making clear that the source of funds was ransom received from other victims. Should Lincoln accept the money?

(In other words, there's a yin and yang situation in which the ransomware threat actor happens to have a philanthropic arm.)

Rephrased more generally, is it ethical to accept donations arising from criminal enterprises?

I think most people would say that the answer is no. This topic has been widely discussed on HN with regards to the MIT Media lab accepting money from Epstein.

Agreed! It demonstrates how dramatically the answer changes depending on exactly how you ask the question. Suppose Lincoln could get $50 million (with those funds ultimately sourced from a criminal enterprise) in each of four different scenarios. I asked 8 people locally and here's how many would take the money.

(A) The government tracks down the ransomware guy, seizes his assets, and decides that $50 million is Lincoln's fair share to reimburse Lincoln's losses (8 of 8 would take the money).

(B) Lincoln tracks down the ransomware guy, takes him to court, and wins a civil judgment of $50 million (8 of 8 would take the money).

(C) Lincoln tracks down the ransomware guy, their lawyers show proof of Lincoln's losses and how much they could potentially win in a civil trial, and the parties agree to a $50 million out-of-court settlement (7 of 8 would take the money).

(D) A ransomware criminal proactively contacts Lincoln, the criminal won't comment on whether he had any role in harming Lincoln (and Lincoln doesn't know either), but the criminal offers to donate $50 million to Lincoln anyway (2 of 8 would take the money).

Another attack made possible by cryptocurrencies.
> The ransomware attack certainly didn't help, but it is wildly misleading to say, or even imply that caused them to shut down.

I wrote a Blackmirror fanart script based on Hackers using Ransomware to threaten Universities to write down student debt, I got to Act II before I left it. I want to spend more time writing this year, but so far I have spent way too much time on HN than creative writing and that is unfortunate.

> For context, I worked with them on enrollment management and declining enrollment a decade ago.

What measures did they take? And what expertise cold you lend them to counter this?