Trojans and other malware have been discovered at City College of San Francisco, with some stories indicating the malware has been in place for over 10 years. I suspect (hope?) that this is a misquote, and that the speaker meant to say that malware has been a problem during that period! I have not found any information positively confirming the duration of the infection, but the original article appears to imply that the malware was present for over 10 years. Why was this not detected earlier, and how did it manage to remain in place for so long?
It appears that, as is the case in many educational institutions, budgets are tight, interest is low, and apathy runs high. Passwords went unchanged for at least as long as the infection, security controls were extremely lax, and even after filtering controls were brought in, requests for access to highly questionable material were often approved when minimal pressure was applied. As a result, a keystroke logger is among at least 7 flavors of malware found operating within the network; it is known to have stolen personal banking information and other data from at least one individual, and potentially from hundreds of thousands of students, faculty and administrators. The college has 3,000 employees and hosts about 100,000 students every year.
The college identified the infection in late November 2010 after it noticed gaps in the logs of a server located in the campus computer lab. An AP story about the incident indicates that at 10:00 PM every day, the malware would trawl the network looking for data to send overseas. During the investigation, the IT department saw communication with many foreign countries, including Russia and China. There has been only one confirmed case of personal banking information being captured in this incident that I am aware of.
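The two signals in that account, a server log that goes silent for a stretch and an outbound connection at the same clock time every day, are both cheap to check for after the fact. The following is an added example, not code from the original post or from the college's IT department; it assumes a simple (timestamp, source host, destination, bytes) record shape and runs over a constructed record set with placeholder hosts and addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: routine traffic every two hours over four days, a
# ten-hour window of missing entries on 2010-11-21 (as if deleted), and a
# nightly 22:00 connection to one external address. Hosts and addresses
# are placeholders, not values from the incident.
def build_sample_log():
    start = datetime(2010, 11, 20)
    records = []
    for h in range(0, 96, 2):
        t = start + timedelta(hours=h)
        if datetime(2010, 11, 21, 2) <= t < datetime(2010, 11, 21, 12):
            continue  # entries absent from the log
        records.append((t, "lab-pc-07", "10.0.5.20", 700))
    for d in range(4):
        t = start + timedelta(days=d, hours=22, seconds=5 + d)
        records.append((t, "lab-pc-07", "203.0.113.9", 48000 + d))
    return records

def find_log_gaps(records, max_gap=timedelta(hours=4)):
    """Return (last_seen, next_seen) pairs where the log is silent for longer
    than max_gap; on a normally busy server that silence is itself a signal."""
    times = sorted(r[0] for r in records)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]

def find_daily_beacons(records, min_days=3):
    """Flag destinations contacted at one fixed hour of the day on at least
    min_days distinct days and never at any other hour."""
    hours = defaultdict(set)
    days = defaultdict(set)
    for t, _src, dst, _nbytes in records:
        hours[dst].add(t.hour)
        days[dst].add(t.date())
    return sorted((dst, next(iter(hours[dst])), len(days[dst]))
                  for dst in hours
                  if len(hours[dst]) == 1 and len(days[dst]) >= min_days)

if __name__ == "__main__":
    log = build_sample_log()
    for a, b in find_log_gaps(log):
        print(f"log silent from {a} to {b}")
    for dst, hour, n in find_daily_beacons(log):
        print(f"{dst} contacted only at {hour:02d}:00 on {n} distinct days")
```

The fixed-hour heuristic deliberately ignores destinations seen at several hours of the day, so routine internal traffic is not flagged even though it also occurs at 22:00.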
Upon learning of the breach, the college contained the incident by closing off the infected computer lab, removing the affected server from service, and scanning desktop computers for malware; many desktops were found to be infected as well. The college community was notified by e-mail on Jan. 13. The IT department has since reconfigured the campus firewalls, improved password security controls, updated existing security protocols and created new ones, and is developing a network segmentation strategy and preparing to install new security hardware.
It will be interesting to see what the fallout is regarding how many users are actually impacted by this breach, if there is any way to figure all that out. What’s on your network?