In the wake of the insidious Blaster worm that crippled thousands of Windows-based computers worldwide in August, school technology personnel and Microsoft officials alike were considering how best to protect their systems from future attacks.

Blaster and its many variants attacked a flaw in nearly all versions of the Windows operating system first discovered by a team of Polish researchers in July. Although Microsoft immediately made a patch to fix the flaw available on its web site, many school district computers remained vulnerable when students and teachers returned to classes after the summer break.

In Palm Beach County, Fla., the nation’s 14th-largest school district shut down its computers for more than two days to clean out the infection, said Larry Padgett, its director of network services. The district had to delay a head count that helps assign teachers based on school population.

Schools in Cleveland cautioned parents and students that the summer’s infections might delay the opening of classes, but the district mobilized 120 employees to scrub viruses from nearly 8,000 computers, and schools opened on schedule.

Employees had to work overtime, however, so school personnel could finalize student schedules, set up assignments, and prepare payroll.

“Everything got done, but it did not make for a pleasant opening,” said Peter Robertson, the district’s chief information officer.

Eighteen-year-old Jeffrey Lee Parson of Hopkins, Minn., was arrested Aug. 29 for allegedly launching a variation of the Blaster worm that infected at least 7,000 computers worldwide. At press time, no arrests had been made in connection with the main attack itself. But for schools, the arrest of Parson–who still attended high school at the time–underscores the need to educate students about the serious consequences of cyber crime.

For its part, Microsoft said Aug. 19 it is considering whether to sign up users of future versions of its Windows operating system to a service that automatically downloads and installs software fixes on their computers unless customers specifically opt out of the service.

No decisions have been made, but it is one way the company is considering tightening computer security in the future, said Steve Lipner, director of security engineering strategy for the Redmond, Wash., company.

“We think it would help the safety of a lot more customers if they had the benefit of the patching there [automatically],” Lipner said.

School technology leaders who spoke with eSchool News in the days following the attacks were lukewarm to the idea. But all agreed: Something must be done to simplify the process of ensuring that hundreds of computers across large networks remain protected from future attacks.

‘Protect Your PC’

Besides exploring the idea of automatic updates, Microsoft also has launched a “Protect Your PC” campaign to suggest ways consumers can guard their computers against attacks such as the Blaster worm and its variants.

Although Microsoft had posted a fix for the flaw on July 16, tens of millions of people waited until late in August to install it, Microsoft said, based on downloads from its Windows Update web site. The company decided to accelerate plans to promote security by launching its Protect Your PC campaign, said Amy Carroll, director of product management for Microsoft’s Security Business Unit.

Starting on Aug. 19, the company bought ads in several newspapers telling customers about setting up firewalls, visiting Microsoft’s update site, and buying anti-virus software.

It also has set up a new web site that offers step-by-step instructions for turning on existing security tools in Windows XP and suggestions for buying anti-virus protection. Microsoft is working on a video as well to post on its web site.

In the meantime, the company is encouraging users of the most current versions of Windows to sign up for Automatic Update, in which Microsoft automatically downloads and installs software fixes for them.

Automatic updates–available now for customers with Windows XP-are one way consumers can keep their software patched, said Craig Schmugar of Network Associates’ anti-virus emergency response team. But many customers might resist that option for a variety of reasons, he said.

Network administrators in large companies or school systems might be reluctant to allow automatic downloads, Schmugar said, because the downloads might interfere with how other programs work. Ideally, they would want to be able to test the software before widely deploying it across their enterprise, he said.

Piecemeal approach failing

School technology professionals who spoke with eSchool News largely agreed with Schmugar. Although they expressed frustration with the current piecemeal approach to network security-applying software patches as they are announced–they said they weren’t sure automatic updates are the answer, either.

James Ross, technology coordinator for the 500-student St. Elmo Community Unit School District in Illinois, estimated that it took him close to six hours to update only the servers and mission-critical machines in his district’s two schools and single administration building with the latest Windows patch. “Good thing I was mostly caught up to start with,” he said.

But Ross said he would be concerned about network traffic becoming clogged if all the computers in his district were downloading patches automatically at the same time.

“If [Microsoft] could make it so the downloads happen in the background, not every machine [downloads a patch] at the same time,… and I don’t have to administer some complicated patching schedule, [then it] would be great,” he said of the idea.

Frustrated with the amount of time it took to download and install Microsoft patches after the Blaster attack, the Plano Independent School District in Texas set up a dedicated server to automate the process of updating its 26,000 desktop and 2,500 laptop computers.

Jim Hirsch, the district’s associate superintendent for technology, calls the solution a good compromise between Microsoft’s automatic download proposal and the need for schools to test patches before they are installed. The solution consists of a standard Windows 2000 server that hosts and delivers carefully selected Microsoft patches to the district’s computers, he said.

“There are occasions when Microsoft updates render educational software unusable,” Hirsch explained. With an in-house server delivering Microsoft updates to the district’s computers, however, officials can test and control which patches get installed.

“It will allow us to distinguish between Microsoft patches we want and Microsoft patches we don’t want,” Hirsch said. “We think this is a better solution than sending Microsoft patches we don’t want to every machine.”

With its in-house Software Update Server, the district also can control when Microsoft patches are installed by assigning times for different groups of computers to log in and check for updates. Not only does this help manage the district’s bandwidth, but it means that teachers don’t have to worry that their classroom computers will download and install updates automatically during class time.

Better solutions needed

Plano’s solution might address concerns about automatic updates, but it still involves a great deal of time to test each patch before distributing it to the district’s computers. Given the complexity involved in keeping software patches up to date, many ed-tech professionals say they are looking for better solutions to the challenge of network security.

Toward this end, a growing number of schools are turning to a solution made by Austin, Texas-based TippingPoint Technologies, whose UnityOne intrusion prevention system reportedly eliminates the need for schools to download and install the latest software patches on their computers.

UnityOne sits at the edge of a school system’s network like a firewall and inspects all network traffic that passes through. Using information about the latest software vulnerabilities from the SANS Institute, TippingPoint creates “virtual” software patches by tailoring UnityOne’s filter to guard against the vulnerability. All computers that reside behind the appliance are protected, TippingPoint says.

The device “was effective at blocking the Blaster worm,” said Mike Phillips, chief information officer for the Texas Tech Health Sciences Center. “By the close of business [Aug. 12], UnityOne had blocked over 9,000 external Blaster attempts.”

Charlie Reisinger, director of technology for the Penn Manor School District in Pennsylvania, said his district takes a different approach by running a mixed-platform network with Macintosh, Windows, and Linux machines. “Since Macs and Linux computers are immune to Windows viruses, we knew that at least half of our computers would not be affected,” he said.

The Blaster worm demonstrates that the number and intensity of Windows-related viruses will only continue to get worse, Reisinger said.

“Most schools simply do not have the time or personnel to keep up with an endless stream of patches and security holes,” he said. “Imagine if we had to take our automobiles in for a patch or fix with the frequency that we do for our computers.”

He concluded: “It’s getting to the point that any district running an exclusively Windows network does so at its peril. Alternatives to Windows, such as Linux and Macs, are looking better all the time.”

See these related links:

Microsoft’s “Protect Your PC” campaign

TippingPoint Technologies

New computer virus clogs eMail in-boxes
As if the Blaster worm that infected computer systems worldwide in mid-August wasn’t bad enough, a new strain of a virulent eMail virus spread quickly across the internet Aug. 19, causing fresh annoyance to computer users worn out by the previous week’s Blaster. At least one internet security firm called the virus the fastest eMail outbreak ever circulated.

The virus, which clogged tens of thousands of computer networks worldwide, underscores the need for school technology professionals to warn all computer users in their communities–including teachers, students, and parents–of the dangers of opening suspicious eMail attachments.

MessageLabs, which scans eMail messages for viruses, said that within 24 hours it had scanned more than 1 million copies of the “F” variant of the “Sobig” virus, which was blamed for computer disruptions at businesses, colleges, school districts, and other institutions worldwide.

The previous record was “Klez,” with about 250,000 copies spotted during its first 24 hours earlier this year, MessageLabs chief technology officer Mark Sunner said Aug. 21.

There have been faster outbreaks on the internet, but those circulated through networking functions built into Windows operating systems.

The “Slammer” worm struck more than 75,000 computers in just 10 minutes in January, with the number of infected computers doubling every 8.5 seconds, according to researchers at the University of California and other institutions. It went on to infect hundreds of thousands more.

eMail viruses like Sobig can hit the same computer multiple times, so the number of infections are not directly comparable.

Sunner said the latest virus was able to spread so quickly because it essentially had eMail software built in. Previous ones relied on existing software packages like Microsoft’s Outlook and did not spread as quickly among users of rival eMail software.
Sobig did not physically damage computers, files, or critical data, but it tied up computer and networking resources, forcing networks like the University of Wisconsin-Madison to shut down outside access to its eMail system Aug. 20.

“We were removing 30,000 bad eMails an hour,” said Jeff Savoy, an information security officer at the school.

Regarding the Sobig virus and similar attacks, internet security firm Symantec Corp. has posted the following advice on its web site:

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP (file transfer protocol) server. If these services are removed, blended threats have less avenues of attack, and you have fewer services to maintain through patch updates.
  • If an attack exploits one or more network services, disable–or block access to–those services until a patch is applied.
  • Always keep your patch levels up to date, especially on computers that host public services and are accessible through the firewall.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps limit damage when a computer is compromised.
  • Configure your eMail server to block or remove eMail that contains file attachments that are commonly used to spread viruses, such as “.vbs,” “.bat,” “.exe,” “.pif,” and “.scr” files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train students and employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the internet unless it has been scanned for viruses. Simply visiting a compromised web site can cause infection if certain browser vulnerabilities are not patched.