Cyber Viruses Infect Schools Across Nation
As schools prepared for a new year, waves of attacks by computer viruses temporarily shut down educational computer networks and Web sites, disrupting some school business and costing scarce budget dollars as technicians scrambled to fix the resulting problems.
|View the accompanying table, "Software Intruders."||
Districts across the country had to suspend e-mail delivery, the scheduling of students' fall classes, and other functions surrounding the start of school. Web sites full of opening-day announcements went dark; those that were open greeted parents with virus warnings and instructions for installing "patches," or software code to correct the flaws that a virus exploits.
"Just the sheer amount of effort and talent that was wasted in this latest series of attacks, you couldn't measure," said James Hirsch, the technology chief for the 52,000-student Plano, Texas, schools.
In Plano, a virus infected 2,800 school laptop computers, which lacked the latest updates to virus-protection software. It spread from the laptops to the district's computer network, forcing the district to shut off some essential computer services, such as a system that monitors building-security systems throughout the district.
Mr. Hirsch and other educational technology experts said the recent global outbursts of computer viruses and worms—which also affected computers in businesses, government agencies, and homes, causing an all-time record for damage, according to virus experts—couldn't have come at a worse time for schools.
And the troubles may not be over, as experts were predicting that a widespread attack by a new version of one of the viruses, called Sobig, would occur this week.
A virus is harmful software code that is appended to another, apparently harmless, software file; it is often activated when a user innocently clicks on an infected file attached to an e- mail message. A worm, equally malicious, can spread by itself, over an open network connection, by exploiting a software flaw.
The spate of recent viruses and worms, of several basic types with multiple variants, brought computer networks to their knees by overloading them with thousands of signals, or "pings." The intruders exploited flaws in widely used operating systems and Web-browser software designed by the Microsoft Corp.
In addition, they are sometimes equipped to install "backdoors" or "Trojan horses" on the computers they infect, an arrangement that later allows the attacker to control the computer remotely without needing a password.
Computer viruses and worms can spread relentlessly to any computer on a network, when technicians and ordinary users fail to take precautions. Standard tools such as firewalls and anti-virus software defeat these attacks, but not if, as often happens in schools, those defenses are not updated frequently, or if users bypass them by bringing in laptops or computer disks from home.
Few computer users have the skills to spot these software flaws and build totally new viruses and worms. But virus "toolkits" that have become widely available on the World Wide Web allow people with ill intentions and much less skill to launch their own potent knock-offs.
That's apparently what happened with the Nachi, a worm also called Welchia, that was first detected in early August and the Blaster worm.
On Aug. 29, federal prosecutors in Seattle arrested Jeffrey Lee Parson, a Minnetonka, Minn., high school student, and lodged a felony charge against him for allegedly developing and releasing the "B variant" of the Blaster worm. Analysts discovered that the variant had infected thousands of computers and had attacked Microsoft's "Windows Update" Web site.
In court documents, federal investigators claimed that Mr. Parson admitted to creating the worm variant.
Mr. Parson, 18, who lives with his parents and attended Hopkins High School, made no plea at the hearing and was released in lieu of a $25,000 bond and placed under house arrest. He will be arraigned in Seattle on Sept. 17.
Eileen Harvala, a spokeswoman for the Hopkins school district in Minnetonka, said Mr. Parson is currently attending a different school.
Meanwhile, three worms almost caused the postponement of the opening of the 75,000-student Cleveland public schools because the district network was prevented from processing student schedules, said Alan Seifullah, the district's spokesman.
"It was reinfecting the machines before we had finished cleaning them," said Peter Robertson, the district's chief information officer. "We had to take each and every machine off the network and disinfect and update it before we reattached it."
In Cleveland, more than 6,000 of the district's 30,000 computers had to be patched, "and many others had to be looked at machine by machine," Mr. Robertson said. To ensure that schools opened on time on Aug. 28, an assorted crew that varied between 30 and 100 district personnel, student interns, and hired and loaned temporary workers spent three days combing through 130 district buildings to install fixes.
Ironically, school systems with newer equipment were often the most vulnerable, as were districts that have switched to personal computers from Macintosh computers, which were not affected by this round of attacks.
New Computers Vulnerable
The 21,500-student Vancouver, Wash., school district had phased out most of its Macs, said Linda Turner, the director of information and technology services. "This summer we brought in 3,000 brand-new PCs—that's a 'gotcha,' as well as a good thing," she said.
The "gotcha" meant that, after being infected by Nachi/Welchia, the district network had to be turned off for a day, 10 college students who had been summer hires were recalled to aid district technicians, and the various systems were slowly restarted before classes began last week.
At the 1,240- student Watertown Senior High School in Watertown, S.D., officials in mid- August issued 1,400 new laptops to students and teachers to kick off the school's "learning with laptops" program. But as soon as students logged in on the first day of school, Aug. 25, the network was flooded with messages generated by the Welchia worm.
Technicians first installed patches on the machines automatically over the network. But a program on each laptop that was meant to remove viruses and other unauthorized programs whenever the laptop was turned on actually eliminated the patch. A team of 20 technicians, computer teachers, and administrators had to collect all the laptops and spend two days patching them.
Layers of Defense
Companies that make anti-virus software say that because of the growing number of viruses and worms, organizations need to apply several layers of defense against them.
The biggest difficulties that schools face can be the result of a deliberate choice, said Larry Rogers, a senior member of the technical staff at the CERT Coordination Center, a federally financed group at Carnegie Mellon University in Pittsburgh that studies Internet vulnerabilities. He noted what security experts are fond of saying: The most secure computer system is one that is turned off.
The problem is that the requirements for ultimate security are diametrically opposed to those for open access to information, Mr. Rogers said.
"The challenge in the educational environment," he said,"is providing an educational environment."
In short, schools don't want their cyber padlocks to prevent students and teachers from discovering new things, he said, "including visiting places they can wander into by accident."
To balance those priorities, Mr. Rogers said, schools should study the connection between their "two businesses"—the business of running operations and securing district information and communications, and the business of giving people access to information.
"It isn't quite the case that never the twain shall meet, but they should meet in clearly defined places," he said.
Some school districts that were only minimally affected by the recent attacks were well served by outside organizations that provide their technology services.
For example, in New York state, the Lower Hudson Regional Information Center used "many lines of defense" to keep viruses and worms out of 45 districts that use the center to access Internet services and maintain an electronic gateway for routing e-mail, said Mike Stepowski, the center's manager of telecommunications.
"We caught pretty much all the Sobig virus and Blaster; 9,000 or 10,000 e-mails were infected per day," Mr. Stepowski said.
The nonprofit center, one of 12 in the state's Board of Cooperative Educational Services system, also updated the virus protection automatically for 25,000 school computers.
Networking experts say more consolidation of defenses against viruses and worms may be needed in the future as they become more destructive.
Microsoft, for its part, has acknowledged that there are security vulnerabilities in its products, and says it will identify, investigate, and remedy security vulnerabilities "when they occur," according to a document on the Microsoft TechNet Web site.
Coverage of technology is supported in part by the William and Flora Hewlett Foundation.
Vol. 23, Issue 2, Pages 1, 14Published in Print: September 10, 2003, as Cyber Viruses Infect Schools Across Nation