Conficker infected communal PCs used by students at Oxford Brookes University on Thursday, leaving sysadmins with a difficult clean-up job. A statement (extract below) by the University explains that the attack affected desktops and servers, prompting a decision to temporarily suspend student access to pooled computer rooms …
...to protect against Conficker has been available from Microsoft as an automatic security download since last October. Why are these infections still even possible?
suspend access to computer rooms
They had to suspend access to computer rooms and visit each computer in turn to clean up Conficker. Like, whatever happened to the ease of remote updates on the Windows platform? You do realize that you are displaying a flash advert for Windows and SuSE in the middle of that article.
What the UNI should do is run diskless workstations that load a clean OS image from a server. That way, on the next reboot, the system is restored to a pristine state. Any updates can be applied to the image on the server and are automatically rolled out to each workstation. That way, they wouldn't have to visit each workstation in turn to upgrade or clean off 'computer viruses'.
"Computer Services Vacancy (Wheatley). Computer Services require an early riser to fill the pooled room printers with paper and check pooled room computers on the Wheatley Campus, during the semester"
No, I don't want to mind your computers for a McDonalds wage ..
Frankly there's no need for such harsh actions. They can safely continue to do as they are as long as they are brought up to scratch in the first place, and kept that way. These colleges and universities have their own technical staff - if they are not keeping their network and subsystems up to date, they shouldn't be doing that job; being able to Facebook and play World of Warcraft at the same time is not a skill these establishments want to be looking for in their recruitment process.
"No, I don't want to mind your computers for a McDonalds wage .."
So you quote some of the advert, but not the rest. This is a student job for one hour before the start of class. They pay £7.40 for this hour. I think most students would be quite happy getting £7 for an hour putting paper in printers and switching on computers. I mean, in most universities the students are expected to do that themselves anyway.
Last month a couple of our classrooms got infected. Fully patched XP SP3.
A few cleaners like Stinger for Conficker didn't even detect it. Some like Sophos detected it, claimed to have cleaned it, but after a reboot it was back. The first thing I found that could remove it was Trend's Housecall 7 beta. Once the classroom server was clean I just re-imaged the student workstations.
I think there must be a new version that attacks a different hole than the first version.
Rounders it isn't. ... in the Cavalier Business Environment of AI Pirated Concepts.
"The Patch......to protect against Conficker has been available from Microsoft as an automatic security download since last October. Why are these infections still even possible?" .....By Jon Thompson 2 Posted Saturday 3rd October 2009 11:07 GMT
The Patch against exactly what in Conficker, Jon? A Fart in a Cupboard springs Immediately to MInd.
"No, I don't want to mind your computers for a McDonalds wage .. .... By Anonymous Coward Posted Saturday 3rd October 2009 11:20 GMT
:-) For a King's Ransom though would IT be a Noble Just Cause feeding Computers New Information for Beta CyberIntelAIgent Covers for Core Source Providers/RAW Loaded Loders.
And Cosmic Fuel Brokers that Play Cricket Hard Ball with ZerodDayTraders.
Are Global Operating Devices a Concept or NEUKlearer Flash Architecture Reality for TARP Rat Funding [IARPA SkunkWorks TransFusion] ...... which is a No-Brainer Question around these Parts.
Does the Made in China. Top Eastern Quality Eternally Guaranteed sticker Confuse the Consumer Mind and Befuddle Capital Markets?
I can't say I am surprised
I was on a course recently, and we were talking about security and the banning of private unencrypted USB keys in all our organisations - except for the guy from Brookes, who said they couldn't ban them as the students use them all the time, but they kept their virus checker signatures up to date.
Welcome to the real world. Prevention is better than cure.
IT staff too lazy to get out of bed in the morning
"So you quote some of the advert, but not the rest", DavCrav
"Two positions are available, one for 5 days per week and the other for 7 days per week .. You will be required to complete your duties before 9am Monday to Friday and during the mornings over weekends for the 7 days per week position"
Requiring the students to get out of bed before 2:00 PM, that's most cruel and unusual ...
How about they check the printer the night before and configure wake-on-LAN on the computers.
@ Jon Thompson
"The patch ...to protect against Conficker has been available from Microsoft as an automatic security download since last October. Why are these infections still even possible?"
The patch plugs the flaw that lets it spread over the network (which couldn't happen if they configured the built-in XP firewall correctly DOH!!!); if users are allowed to log on to stations with admin rights then it can be infected from a USB stick. I haven't managed to infect a PC logged on as a basic restricted user, so they must allow their users power user or admin access (FAIL).
Having worked with students...
Not one of you has thought of the idea that this was a deliberate infection?
A couple of points...
amanfromMars 1: That's just a non sequitur with random capitals.
Tom 35: How come only a couple of machines were infected?
Reality of University computing
I feel overwhelmingly obliged to defend some previous ex-colleagues. (Not from Brookes)
I used to work for a Uni with 22,000 students. The network was run and managed by 2 blokes whose bosses had no idea what they did. They weren't always helpful, but you could see that they were trying hard to keep a huge open network running with minimal resources.
Universities are NOT corporations. So the network guys used to run a relatively open network. You can't ban everyone from P2P networks, as some of your researchers may well be working in that field. You can't lock down ports left, right and centre as the variety of research and IT requirements is just too high to be so dictated to. And students want/need to be able to access computers whenever they need them, either on their own laptops (with out-of-date virus checkers), via wifi, ethernet, through pool rooms, the libraries, etc. There's just a huge variety of requirements in an academic environment.
The trust goes both ways. The people supporting students may well have strong views about internet access, and are likely to give them a lot more freedom than most corporate environments might offer. But with that comes some degree of responsibility to protect the network.
But it's a bit naff to criticise a Uni IT department for a security breach like that. Hell, if you don't like it then go and offer to fix it for the crap money the staff are probably on. (And no, support staff don't get massive holidays like academics). Alternatively, maybe all academic networks ought to be locked down as tightly as many corporate ones, and then you'd have the right to criticise the network staff.
And the other thing about spam and viruses. The writers of these disruptive bits of code don't realise how much time is wasted in dealing with this shite. And how much time is taken away from doing genuinely useful things, like helping research groups who may well be working in medical, developing world technologies, cures for malaria, etc. If you're faffing around with Conficker, then you're not building a database for a 'cure for AIDS' project.
God, I've got all annoying.
Oh come on
Conficker? Well over a year after the patch? After all the press?
So: Computers weren't patched. Meaning Auto-patch was turned off. Why?
So: AV program was either absent or not patched. Why?
So: IT department not monitoring PCs. Why? Politics, penny-pinching or incompetence?
Epic fail, that college!
Same here, fully patched, found by accident when testing a Conficker scan tool. Adjusting the McAfee virus scanner to scan all extensions and disabling autorun prevented new infections.
@ AC / suspend access to computer rooms
Funnily enough, when I worked there in the early 90's that's EXACTLY what they had in the pooled rooms: RM Nimbuses booting centrally managed copies of DOS/Windows 3.1 via the MCA bus from LAN Manager servers!
Ah how times change eh?
IT staff too lazy to get out of bed in the morning
"How about they, check the printer the night before and configure wake-on-LAN on the computers."
I do like it when those with only narrow experience of their own little IT world offer superior opinions on someone else's. The Wheatley campus is remote from the main Uni one, and because these are students and not 9-5 company employees the pooled rooms are 24-hour access, and on deadline days are often busy throughout the night!?
Brookes Computer Services has a long history of employing students part-time. It works out well for everyone: the full-time staff get willing and often eager and intelligent assistance, and the students get some cash and something of an introduction to the real world of IT!
The role will be checking over the machines, rebooting any duff ones, and generally prepping the room ready for the beginning of the next day. Any serious problems would be reported to the Computer Services techies, who can then remote investigate or hot-foot it over there (on the intersite bus most likely! :-D).
University networks must be some of the toughest to lockdown - you have multiple forces pulling in all directions unlike a business environment where proper decrees can be made.
You have -
Smartarse students wanting to screw with everything and be more 1337 than anyone else, or wanting to limewire/torrent their music and vids, but leaving vulnerabilities along the way
People connecting their own hardware riddled with diseases to the networks
No budget to speak of
Academic staff throwing hissy fits if they can't get their file easily and may have to *shock* type a password, or being deliberately pompous and obtuse about using a keyfob/smartcard (professional career academics can be bloody nightmares pandered to in their ivory towers - anyone working with them will have experienced having to metaphorically bend over and take it thanks to some snotty prof throwing a strop)
Some network members being ancient and pretty much unsupportable, but kept alive as some lab somewhere *must have* a Commodore PET to drive some laser or other... and with a lack of homogeneity comes support and protection nightmares. There will be copies of Win98 connecting periodically, you just know it.
Cheap staff may not be, erm, industry-grade let's say. There are many great technicians working in Unis, but they may not be as fresh as some guy who has to stay current for weekly contracts, for instance, as they have to clean printers as well as install expert systems as well as DBA the admissions system written by some bloke a decade ago - on Ingres.
I would hate to try to support that network, even without the politics of upsetting the primadonna academics.
I can't believe it.
I don't believe the Wheatley halls are still going. When I was there in the mid 90's the tower block was on the verge of being knocked down; it was such a mess. I also worked for a while in the IT department (summer job) for a bit. The staff there (apart from one or two people) were generally clueless and lazy. If you pay peanuts, you get monkeys! Speaking of peanuts, yes, the extra money came in very handy. I didn't have wealthy parents and was living on a student loan/grant (grants still existed back then for a few years while I was studying). I could get merrily tipsy in the SU and maintain my Golden Virginia habit on a tenner. Happy days ;).
On one side of the coin, maybe, but give it a flip and be amazed at the Options.
"amanfromMars 1: That's just a non sequitur with random capitals." .... By Jon Thompson 2 Posted Saturday 3rd October 2009 18:51 GMT
In Deed, indeed it is not, Jon Thompson 2 but it can be as well and the Post Servers to Embedded and Currently Charged HyperRadioProActive Virtual Facilities ....... Enhanced Enrichment Plants of the NEUKlearer Energy Kind.
Intellectual Property Power Control of Mass Fabrications for Harvesting Talent and Wealth, which on Dodgy Shaky Flakey Communications Lines, is a Battle, but when Virtualised, a Doddle/Walk in the Park/ Hot Cool Operation for Mobilisation is Holywood CaliPhormication on its Best Behaviour.
Fixing the Big Picture from the Top Down Dismisses All Lower Struggles to Succeed with the Placement of Success with the Bigger Pictures Exposed and Shared. The Mind Games Played to Control Life in the Universe. And that is done with a SMART Release of Novel Information not a Gathering of Staid Intelligence.
@ amanfromMars 1
The file could not be read as the language interpreter could not be found.
Back to the future
Thankfully, when I last worked in a university (in the UK) we still only had Teletypes on Telex spec links, and were buying PDP-11s for stand-alone use in various departments. But I had seen the future, on a trip to the USA in 1971, including a visit to a UCLA campus that was running a monster 360/91 and a high speed terminal network.
Re: amanfrommars 1
oH Do sHut uP
RE: A couple of points...
Wait a minute.. You actually read what a git from Mars types????
Re: Reality of University computing
"Universities are NOT corporations. So the network guys used to run a relatively open network. You can't ban everyone from P2P networks."
I don't really get it.
1) Have these people never heard of network segmentation? I'm not a linux advocate but this is one area that it really shines for those too skint to deploy serious deep packet hardware. Totally not difficult to deploy or maintain. Surely ensuring students are not plugging into the "corpnet" is a no brainer?
2) Patch management? Come on guys! Would once a month hurt anybody? To get servers infected with Conficker there must be something seriously wrong here! Hum.. or do I sniff an out-of-support NT server lurking somewhere?
3) I thought it was common practice to use file screens to block nasty extensions on mapped shares where they should not be.
4) Do these people not even disable autorun in GP?
5) I'm not really sure how to get out-of-date AV software, most products have centralised management and alerting that spam you when the defs are even a day out-of-date or there is an infected/out of contact PC. And the excuse "oh I didn't get the alerts" is not an excuse either as most of these products send reports on a daily/weekly/monthly rate. "Humm... I didn't get a report today, then I must not be getting the alerts..." use brain, go investigate AV server.
These "IT" guys are either incompetent or negligent, I'm amazed this has only just happened (or rather been outed by the press). They have had a year to get this dealt with, but for some reason they have not.
We are all seriously overstretched at the moment, I don't know anyone who hasn't lost most of their team, but we just have to pick up the slack and just get on with it, even if that does mean not going home some nights just so you can get the routine stuff done. And you can't even resign because there's no bloody jobs!
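A read-only hardening audit in PowerShell, added here as an illustration; it is not code from this thread, from Brookes, or from any poster. It checks the controls that the numbered list above and the earlier "@ Jon Thompson" reply argue would have stopped Conficker on a pooled PC: the MS08-067 patch, Autorun switched off for every drive type, the built-in firewall on, the logged-on user outside the local Administrators group, and AV signatures no older than a day. The hotfix id KB958644 is assumed from Microsoft's MS08-067 bulletin and should be checked against your own patch records; `$DefinitionPath` and the 24-hour threshold are placeholders for whatever product and policy the site actually runs.

```powershell
# Added example, not from the original thread. Read-only: it changes nothing,
# it only reports which of the commenters' controls are in place on this PC.
param(
    # Assumed: KB958644 is the MS08-067 hotfix that closes the network-spread hole.
    [string]$HotfixId = 'KB958644',
    # Placeholder: point this at the installed AV product's signature directory.
    [string]$DefinitionPath = 'C:\ProgramData\EXAMPLE_AV\Definitions',
    [int]$MaxDefinitionAgeHours = 24
)

$findings = @()

function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Check = $Check; Pass = $Ok; Detail = $Detail }
}

# 1. Patch that closes the network-spreading vector (the "patch since last October").
$hotfix = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
Add-Finding 'MS08-067 patch present' ($null -ne $hotfix) `
    $(if ($hotfix) { "installed $($hotfix.InstalledOn)" } else { "$HotfixId not found" })

# 2. Autorun disabled for every drive type (0xFF) in both machine and user policy.
#    This is the USB-stick vector several posters mention; GP writes the same value.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    Add-Finding "Autorun disabled ($hive)" ($value -eq 0xFF) "NoDriveTypeAutoRun = $value"
}

# 3. Built-in firewall on for every profile, so peers cannot reach SMB inbound.
$fwState = netsh advfirewall show allprofiles state
$profilesOff = @($fwState | Select-String -Pattern 'State\s+OFF').Count
Add-Finding 'Firewall on for all profiles' ($profilesOff -eq 0) "$profilesOff profile(s) report OFF"

# 4. Logged-on user is not a local administrator. S-1-5-32-544 is the well-known
#    Administrators SID; whoami lists it even on a non-elevated (UAC-filtered) token.
$isAdmin = [bool]((whoami /groups) -match 'S-1-5-32-544')
Add-Finding 'User is not a local administrator' (-not $isAdmin) (whoami)

# 5. Signature freshness: newest file under the definitions directory must be
#    younger than the threshold (the "alerting when defs are a day out" point).
if (Test-Path $DefinitionPath) {
    $newest = Get-ChildItem -Path $DefinitionPath -File -Recurse |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $ageHours = [math]::Round(((Get-Date) - $newest.LastWriteTime).TotalHours, 1)
    Add-Finding 'AV definitions current' ($ageHours -le $MaxDefinitionAgeHours) "newest file is $ageHours h old"
} else {
    Add-Finding 'AV definitions current' $false "placeholder path $DefinitionPath not found; set -DefinitionPath"
}

$findings | Format-Table -AutoSize
# Non-zero exit code = number of failed checks, so a management tool can collect it.
$failed = @($findings | Where-Object { -not $_.Pass }).Count
exit $failed
```

Run it as the ordinary student account, not an elevated one, so that check 4 reflects what a student actually gets; the exit code makes it easy to collect across a room of pooled PCs from whatever management system is already in place.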
Way too many
posts from armchair admins whose criticism boils down to "if only *I* was in charge, this could never have happened." Yeah, right.
If you have any responsibility for anything of importance (which in many of the above I doubt), that is an astonishingly complacent attitude, and you WILL get bitten on the arse by something nasty sooner or later.
To respond to the points raised above, in no particular order (any one from Brookes please correct me if I'm wrong):
1) No student gets any privileged rights on any of Brookes' machines.
2) USB sticks are indispensable as both students and staff frequently need to work on material off campus. The alternative would be to allow access from the rest of the internet, or maybe encourage more people to plug their own hardware into the network. Which option is more secure ?
3) Pooled PCs boot from the network, and reboot every time a student logs out.
4) No-one has access to anything without uid and password, and more sensitive systems have extra layers of security, which have not been affected.
5) I don't know what the policy is regarding patching, but given the regular reports of disastrous patch tuesdays, it's probably a bit conservative.
6) As others have correctly pointed out, the computing needs of a university are quite different from corporate IT requirements ('cos one's a university and one's a corporation, see?).
7) The timing of the story is correct.
8) And finally, to all the disaffected ex-students using this discussion to take a pop at Brookes - tough. You should have worked harder, got better results, got a job, and you'd have less time to waste trolling on The Register.
To clear some things up....
Ok, some perspective from a current Brookes viewpoint.
There is no admin access for students.
All machines ARE fully patched.
All machines run up-to-date virus checkers; these themselves actually check for updated signatures every five minutes (excessive, yes, but that's how it is).
The IT staff here were incredibly quick. To put this in perspective, I came across around two to three pooled PC rooms closed, out of... well, have a look through the Brookes site for their pooled computer room lists; they have a lot of PCs and PC rooms.
The systems DO re-image on reboot I believe, and on logoff run a script to wipe the C drive and return to the previous state.
I don't have any extra knowledge on the nature of the outbreak or the way it came about, but it was certainly isolated; the main reason for disruption was thanks to their efforts to prevent it spreading.
And to those who recall Wheatley as a bit run down, it has lost the tower block, has a fantastic new tech block, has had some re-development work and is a fantastic higher education institution.
That was me...
"And to those who recall Wheatley as a bit run down, it has lost the tower block, has a fantastic new tech block, has had some re-development work and is a fantastic higher education institution."
Glad to hear it. As I said, it's been well over a decade since I last visited (during a summer ball if I remember!).
Amanfrommars is a bot I reckon.
stringing together various sentences found in the user comments section.
Unfortunately, some of you show how new you are around here. AMFM is an icon on el Reg, to the point that the Alien icon was named after him originally. While you may think it's random words strung together, there is a meaning there... and if you start to find yourself understanding what he's saying, it's time to go find a new hobby.
As for the story? Institutions of Higher Edumacation are notorious for being hard to secure. From Ivory Tower types who don't understand that they may be in danger, to radicals trying to be a danger, to the occasional package from Ted Kaczynski that blows up when you try to open it. The fact is that Unis are targets for miscreants and will always be so.
Aside from dumbnuts that don't care about the system because it's not their responsibility, and people looking for a career that ends in being Bubba's "wife", that infect all of everyday life.