1. November 2021 | Magazine:

Attacks without rules

“Attackers on IT systems do not have to play by any rules. Where the ice cover is thin, that’s where they break through,” says Prof. Konrad Rieck. We spoke with the head of the Institute of System Security about hacker attacks on universities and the research perspective. “Attacks usually start at the weakest element, and that can basically be anywhere: In the computers, the internet services, in emails or documents that we open. The attack surfaces are immense. Because where we are open, we are also vulnerable. And a university is a very, very open institution.”

Criminal, Highly Professional Gangs

Many users do not realise that viruses and the like are not just codes programmed by young people for fun. Rieck explains: “For several years now, we have been dealing with criminals who act in a highly professional manner and with a division of labour when it comes to attacks on universities. Some break in, others search for data, and others then sell the data. This can be one group at a time, or several groups cooperating. As in real life, there are gangs. And there are customers who pay for data. Then the criminals specifically look for universities from which they can get valuable data.”

Picture credits: Markus Hörster, Claudia Hurtig/TU Braunschweig

Rieck distinguishes three categories: The criminal exploitation of personal data, espionage on research data, and blackmail. “Anyone who gets hold of employees’ or students’ data can use their address or date of birth to obtain access codes for certain systems, for example, and then go shopping in online shops at their expense. An example of blackmail: if our personnel data were suddenly encrypted, it would certainly be worth a lot to the university to regain sole access to it – although, of course, blackmailers should not be paid as a matter of principle.”

Protecting what is valuable

Rieck looks at the possibilities for protecting universities and other institutions. Of course there are technical solutions, he says, which the TU Braunschweig also uses extensively: virus scanners, for example, in every Windows system and firewalls for every network, plus the short-cycle creation of backups. Problems are quickly solved in the Gauß-IT-Zentrum. But there is a constant arms race between the developers of security systems and those of the malware that circumvents them. It is not possible to protect all data equally well in an institution as large as TU Braunschweig.

“So we first have to sort out what is valuable and what is not so important. To do that, you have to think carefully.” Among the most important treasures of a university are its research know-how as well as a lot of personal data, which includes important examination results, for example. Access data to its own IT services and those of third parties should also be treated with high priority.

The right bait leads hackers to the target

If you had the technology under control, there would still be people who click away security warnings or carelessly disclose access data. “That’s human, we’re all susceptible to it, you just have to use the right bait,” says Rieck. For example, if you have an appointment with a colleague, it is very likely that you will open emails that appear to come from that sender. This could happen to him too. That is why it is important for him to raise awareness.

Keyword Decentralisation

The systems of another university, which recently fell victim to a hacker attack, were first penetrated from a decentralised computer. Personal data was stolen and presumably sold. At TU Braunschweig there are also a number of computers that are maintained by institutes and facilities themselves for various reasons. This means that software can be used individually and easily for research and teaching. Rieck’s own Institute of System Security, for example, also operates decentralised IT systems with special research tasks.

It is precisely these computers that the Gauß-IT-Zentrum has difficulties protecting. At the same time, however, decentralised computers must be able to talk to central IT applications. “So it is possible that there is already malware somewhere in the institutes, unnoticed, that can attack the central systems from there,” says the expert.

Everybody is important

There are practically no workplaces that are not threatened by malware. “Everybody is important,” explains Rieck, “even those who may think they don’t have any particularly relevant data. If malware strikes on your own PC, you have to paralyse it and then you may not have a working device for weeks. Or even worse: the whole team could be affected. That would be fatal.”