More frequent cyber incidents at TU Delft

Lees originele stuk in het Nederlands

The growing number of cyber threats that put pressure on staff resources meant that security efforts were limited or not carried out at all in 2016 and 2017. This year, IT will catch up on its plans with the help of two extra FTEs for security and two FTEs for a new privacy team. This was revealed in the ‘Jaarplan Informatiebeveiliging TU Delft 2018’ (2018 TU Delft information security annual plan).

One of the measures to be taken is to use external automatic monitoring of cyber activity and threats.  On top of this, the department will watch for attempts to hack, attack and install malware and viruses. IT will also find ways to further prevent phishing and spam activities (120 reports every month). Should people click on links in these mails, they will be better protected.

Data leaks

Further, IT will equip more TU Delft laptops with disk encryption to avoid data leaks in the case of loss or theft of the laptops. “If people have sensitive information on their laptops, they can already check with the Service Desk if they can have their disk encrypted,” said IT Lead Architect & Security Officer, Marthe Uitterhoeve. In autumn, IT will launch awareness raising campaigns about issues such as security and privacy.

The ‘Jaarverslag Informatiebeveiliging TU Delft 2017’ (2017 information security annual report) lists a number of security and privacy incidents. These include the following.

• Phishing

Phishing is an increasing problem. In the second half of 2017, there were between 100 and 450 mails every month despite the transition to a new email filtering system. These misleading emails that ‘fish’ for confidential login information or get readers to click on links or attachments are becoming more difficult to recognise because they appear more authentic.

The APT28 hacker group launched a serious phishing attempt on TU Delft at the end of October. It had registered a domain name containing the word ‘tudelft’ to phish for login details. An email filter prevented the phishing. TU Delft purchased a domain name monitoring service.

According to Uitterhoeve, a phenomenon that is happening in universities around the world is spearphishing. This is when targeted fake emails are sent to individuals that look as though they are sent from an acquaintance. “Researchers are targeted if their area of work is interesting for corporations or states,” says Uitterhoeve. “According to news items in March this year, several universities in Europe were attacked. The hackers try to steal your intellectual property, for example.”

• CEO fraud

This is a type of spearphishing that targets boards and are often requests for rapid payment. Financial staff receive a fake email from someone in the board who requests money to be transferred to an account quickly. In October, an attempt was foiled on time and the case was reported to the police.

• Data leaks

The privacy information of about 300 students was unintentionally exchanged when a lecturer connected a design app, Sketchdrive, to Brightspace. The system was immediately halted. A report of the data leak was submitted to the Dutch DPA and the students were informed accordingly. Sketchdrive may now only be used after explicit approval of the students. TU Delft is working on a processing agreement with Sketchdrive.

• Copyright

There were a few hundred copyright incidents, mostly caused by students offering licenced material to other students through apps. The number of incidents has reduced sharply since May. TU Delft disconnected the devices of the relevant students from the rest of the network for a week, and if they repeated the act, for longer.

• Ransomware

Holding information hostage until a ransom is paid (usually in Bitcoin) occurred 11 times in 2017. In three cases, the files could be encrypted. TU Delft never pays for the decryption of university data. Instead, it installs the back-ups and provides assistance in reinstalling computers in case of private systems.

The outbreaks of the WannaCry (12 May) en Petya (27 June) ransomware around the world did not infect any TU Delft system. During the WannaCry outbreak, TU Delft’s detection systems observed 10 false positive infections, but these were traced to curious students.

How can ransomware be avoided? Be alert for phishing mails; always make back-ups; and update software on time. Preferably use SURFdrive – the SURF cloud – which you can use using your netID. If your computer still becomes infected with ransomware, never pay but reinstall your laptop and load a back-up.

• Blackmail emails

In the first three months of 2017, several staff members and students received blackmail emails in which they were threatened with exposing them in intimate videos. Many reports were made across the country. The sender claimed to have hacked the computer through an advertisement on a porn website. The webcam then supposedly took videos of the victims visiting a porn website. They were then threatened that the images would be published unless they paid EUR 500 in Bitcoin. The victims reported the incidents to the police.