Slashdot Mirror

← Back to Stories (view on slashdot.org)

In Survey of American Universities, MIT Scores Worst In Cybersecurity

Posted by timothy on from the damn-statistics-and-what-they-don't-say dept.

An anonymous reader writes: In a cybersecurity survey of 485 large colleges and universities, the Massachusetts Institute of Technology came in at the bottom of the list. In a report released today, SecurityScorecard analyzed the educational institutions based on web application security, network security, endpoint security, IP reputation, patching, and other security indicators. That might not seem intuitive, but according to the linked article, it's not purely mistaken. Some of that low ranking can be chalked up to things like intentional security holes created in the course of researching vulnerabilities, but some of it comes from "exposed passwords, old legacy systems, and a bunch of administrative subdomains that seem to have been forgotten about," as well as pockets of malware.

47 comments

  1. Is this proportional to the number of systems? by Lumpio- · · Score: 1

    I bet a place like MIT just has many times the IT systems of most other places, and they didn't take that into account. Not reading the actual TFA because it requires me to register or something dumb like that.

    1. Re:Is this proportional to the number of systems? by The-Ixian · · Score: 2

      Well, the summary does state "In a cybersecurity survey of 485 large colleges and universities"

      Which would at least imply that their targets were all of a similar size...

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:Is this proportional to the number of systems? by hey! · · Score: 4, Interesting

      I bet a place like MIT just has many times the IT systems of most other places, and they didn't take that into account.

      That might have been true fifteen years ago, but really these days computers are ubiquitous everywhere. I think it's more likely to do with two things: an early embrace of computers combined with an almost uniquely dysfunctional administrative culture that makes change even harder than it would be most places. It's what comes from taking a group of people who are used to being right when everyone around them is wrong and make them run a large, complex institution. The results are astounding, sometimes in a good way but by no means always.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    3. Re:Is this proportional to the number of systems? by FranTaylor · · Score: 3, Interesting

      laissez-faire has been the status quo for networking at MIT for decades. The attitude seems to be that "policies" just get in the way. I was a sys admin there a long time ago, there were no firewalls, no nothing. We didn't have DHCP. We got IP addresses for the systems and we hardcoded them. Of course it was a mess. But the professors and grad students are 100% focused on their theses and projects and they really didn't care about anything as long as they could get their work done, so it was all very very sloppy. I always felt that they needed much more structure and I am really surprised that it seems like nothing has changed there.

    4. Re:Is this proportional to the number of systems? by Anonymous Coward · · Score: 5, Interesting

      So... I'm at another university and have another take on this, which is that freedom and security are often inversely related.

      My university is pretty locked down when it comes to security, and it's also annoying as @#(! if you need to do anything creative or nonstandard research-wise. Sure, it's secure as @#$*, but also Orwellian and ignorant as @#$* also.

      That is, if you want to have an institutional culture that's built around "hey! take this stuff and play around with it without any restrictions" you can't also be saying "hey! don't do that!" to every thing they do.

      My guess is something like that is going on.

    5. Re:Is this proportional to the number of systems? by LaurenCates · · Score: 3, Interesting

      Sounds to me like that's probably the attitude in a high-performance, high-pressure environment ("policies get in the way of getting work done"), and if the culture hasn't changed since your time there, then the attitude has only scaled up with the complexity of the system.

      Not a knock on you, of course, and I hope you don't take it that way. You still have to rely on the user base to be the last lines of security within a system.

      --
      Some people don't believe in fairies. I don't believe in The Patriarchy.
    6. Re:Is this proportional to the number of systems? by Anonymous Coward · · Score: 0

      guess what, if you as a research organization had choose between allowing graduate students
      to do unimpeded work vs conforming to the support personnel's vision of how things should be
      run, what would you choose?

      the right answer is to try to do something which makes the systems easier to manage
      without asking someone to go through a multi-month security review before they
      can deploy research code

      i can't think of anything more counterproductive in a research environment than a firewall. its
      actually just security theater.

    7. Re:Is this proportional to the number of systems? by Austerity+Empowers · · Score: 1

      I bet a place like MIT just has many times the IT systems of most other places, and they didn't take that into account. Not reading the actual TFA because it requires me to register or something dumb like that.

      As I think anyone who has ever done IT to support an engineering or software team would attest, supporting these teams is about like herding cats. We all want to use whatever technology we know, that does the function we want it to do. We will not tolerate anything Microsoft or Oracle (mostly because we use Linux or OS X and they don't always play well), and we want the latest bleeding edge features we saw on that guys website out there. IT will try all sorts of things, from outright bans, to sandboxes, to cameras over our desks...but we are a security nightmare. I can imagine that a place like MIT would be the worst possible place to try to lock down, since there are people actively looking for ways to break networks and software as a means of education (and it's a good thing, kind of). The absolute only thing that keeps a reign on the chaos in the corporate environment, is the very real chance we may screw up and cost real money, so some of us try hard to only break IT rules when we feel there's no other option. At a school? Hah.

      I guess I see an article like this and assume it's an example of a healthy educational environment for technology majors.

    8. Re:Is this proportional to the number of systems? by FranTaylor · · Score: 2

      i can't think of anything more counterproductive in a research environment than a firewall. its
      actually just security theater.

      If you let people set up their own systems, you are gonna get nasty local packet storms from misconfigured systems, firewalls keep the stuff from taking over the whole campus network - voice of experience here

    9. Re:Is this proportional to the number of systems? by Archangel+Michael · · Score: 2

      No security is better than bad security. Bad Security is false security, where no security doesn't.

      If everyone knows the system isn't secure, then they take all the steps needed to be secure by themselves.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    10. Re:Is this proportional to the number of systems? by FranTaylor · · Score: 1

      If everyone knows the system isn't secure, then they take all the steps needed to be secure by themselves.

      No, they don't do anything at all. When you are up to your eyeballs in your master's thesis you don't care about security or backups or clean clothing or deodorant or any of those things. You expect someone else to do it for you, but guess what? Due to budget cuts, there is nobody tasked to make backups or update systems. Welcome to university life.

    11. Re:Is this proportional to the number of systems? by Solandri · · Score: 1

      So... I'm at another university and have another take on this, which is that freedom and security are often inversely related.

      My university is pretty locked down when it comes to security, and it's also annoying as @#(! if you need to do anything creative or nonstandard research-wise.

      That's how I remember it. When I was at MIT, there wasn't really a centralized IT administration per se. I mean sure there was for the general campus-wide network and the public computer labs. But if your research lab wanted a block of IP addresses, it got it and was free to administer it any way it wanted. IT delivered the network access you requested, then got out of the way so you could do whatever it is you thought you needed to do with it. Once you got the IP block (or even a single IP address), it was your network, not IT's.

    12. Re:Is this proportional to the number of systems? by mlts · · Score: 1

      I have encountered a wide spectrum of administration styles, from "unless it has an IT sticker on it, has all the corpware and can be managed by domain GPOs, it doesn't get near a Wi-Fi AP or a switch" to "Here is your subnet/subdomain in DNS, if something happens, don't blame us."

      Some autonomy is good. If a network is isolated from everything else [1], with an IDS/IPS watching the exit traffic just in case there is an infection, someone can be notified if it wasn't part of a test, then if the segment gets pwned, the damage is limited. Ideally, there should be some protection in place so it doesn't fall to the uni's IT department to send notes to the profs that their network segment and boxes on it belong to some organization out of Lower Elbonia, or ransomware doesn't destroy work being done for a grant. However, it is a tough balance. Turn the screws too tight, nothing gets done,

      [1]: Really isolated, so there isn't a chance of island-hopping.

    13. Re:Is this proportional to the number of systems? by AthanasiusKircher · · Score: 1

      laissez-faire has been the status quo for networking at MIT for decades. The attitude seems to be that "policies" just get in the way. I was a sys admin there a long time ago, there were no firewalls, no nothing. We didn't have DHCP. We got IP addresses for the systems and we hardcoded them. Of course it was a mess.

      Yes, and much of that is still the same. MIT has the entire 18.x.x.x block. There are plenty of direct IP addresses to give out to every single computer on campus, and I believe that's still the case.

      If you have a look at the Ars Technica story on this report, they identify major components of the ranking, which include things like:

      Network security: a score based on the number of vulnerable services running directly exposed to the Internet, based on a scan that audits version numbers of exposed software and open ports on those systems correlated with a database of known exploits, according to SecurityScorecard Chief of Research Alex Heid.

      Hacker chatter: a score based on the frequency with which the school was mentioned in hacker forums, and amount of user credentials, e-mail addresses and other breached data circulating on those forums over the observed period.

      Password exposure: the degree to which students, faculty, and employees are using weak passwords). This score was in part based on the user credential data discovered in hacker chatter."Our signals and sensors found 6 credentials for accounts associated with student and employee email discovered in 4 data leaks," SecurityScorecard reported.

      In other words, they dropped MIT to the bottom of the list because they have most computers and systems on actual IP addresses connected directly to the internet, and because hackers apparently talk a lot about hacking into MIT. (Well, duh!) Oh... oh my goodness -- they found SIX (count 'em SIX!) credentials for user accounts on the internet!!

      Now, what does this actually mean in terms of ACTUAL security? Well, the scorecard also notes:

      And saving MIT from an overall failing grade, however, were the school's A grades in Web application security, the health of its DNS records, and the quality of its endpoint security.

      In other words, they actually secured their applications and systems. They're just downgraded mostly because every student-owned Raspberry Pi with an actual real IP address counted against their score and because hackers apparently like talking about hacking into MIT.

      Except, of course, if every computer is actually exposed directly to the internet, then every computer is responsible for its own security -- which means that hacking into one system does nothing to compromise MIT's larger IT structure... it just gets access to one student's computer or whatever. And frankly, most people at MIT are smart enough to secure their own systems.

      Does this "report" detail any actual breaches to major systems or data at MIT? It doesn't sound like it. So what precisely is the security flaw here? Giving direct internet access to thousands of students and faculty (along with the freedom that goes with that)?

      I don't know what things are like there right now, but as of a few years ago, the sysadmins at MIT would generally just keep an eye on weird network traffic and events, and if your system was doing something bad, you'd just get your access shut down temporarily (and receive a notice telling you what was going on and what you needed to do to restore access).

    14. Re:Is this proportional to the number of systems? by Kierthos · · Score: 1

      I know a guy who works for the local university IT department, and at the beginning of every semester, there's the hassle of ensuring minimum security/virus protection protocols on all the new computers and laptops (and probably tablets too) that students bring to campus.

      You'd be surprised by the number of students who get a case of the chapped ass over installing the mandated virus protection before using the university's network.

      --
      Mr. Hu is not a ninja.
    15. Re:Is this proportional to the number of systems? by barbariccow · · Score: 1

      mandated virus protection before using the university's network.

      Your university makes them install Linux?

    16. Re:Is this proportional to the number of systems? by sribe · · Score: 1

      My guess is something like that is going on.

      The network is extremely open by design (ref: Aaron Schwarz), as is the physical campus.

  2. Misleading by Anonymous Coward · · Score: 1

    Their whole network's just a honeypot, as Aaron Swartz found out.

  3. Honeypots? by Anonymous Coward · · Score: 0

    Does MIT have more honeypots?

  4. This reminds me of Our Savior, Richard Stallman! by Anonymous Coward · · Score: 0

    This reminds me of what Wikipedia's page about Richard Stallman says:

    When MIT's Laboratory for Computer Science (LCS) installed a password control system in 1977, Stallman found a way to decrypt the passwords and sent users messages containing their decoded password, with a suggestion to change it to the empty string (that is, no password) instead, to re-enable anonymous access to the systems. Around 20% of the users followed his advice at the time, although passwords ultimately prevailed. Stallman boasted of the success of his campaign for many years afterward.

    Can anyone shed any light on if that actually happened as described at Wikipedia?

  5. Re:This reminds me of Our Savior, Richard Stallman by FranTaylor · · Score: 3, Interesting

    It was common knowledge that rms's password on mit-mc was rms. I think a lot of people learned macsyma by using rms's account.

  6. culture? by Anonymous Coward · · Score: 0

    maybe that disappeared a long time ago.

    but there used to be a pervasive attitude that computers were tools that everyone should have access to.

    and maybe having to justify every open port to some career paranoid who feels personally responsible
    for judging the moral character of every bit on the network is contrary to the spirit of free investigation that a place like
    MIT is trying to foster

    just a thought

  7. Apples and Oranges by MarkvW · · Score: 1

    The difference is that when their shit breaks, they can fix it.

    1. Re:Apples and Oranges by The-Ixian · · Score: 1

      Except that you can't recover data once it is stolen...

      Being able to fix a problem is not the point.... any monkey can fix a hacked computer by wiping it and re-installing the OS. It is the data that is important...

      --
      My eyes reflect the stars and a smile lights up my face.
  8. Occupational Therapy by PopeRatzo · · Score: 1

    n Survey of American Universities, MIT Scores Worst In Cybersecurity

    That's because MIT is trying to prepare students for the corporate environment. It's job training, really.

    --
    You are welcome on my lawn.
  9. OBVIOUSLY by fluffernutter · · Score: 1

    ..they are so brilliant that they can just simply work around the impact of any kind of attack. Duh.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  10. Security only where it really matters? by chipschap · · Score: 4, Interesting

    As an MIT alum, I'm gratified that the postings here didn't turn into a giant attack on MIT. Heaven knows the place is far from perfect, but I did get an outstanding education that stood me well in the course of a long career.

    Although this is purely anecdotal, some people I talked to tell me this. There's a lot of freedom at MIT (and there always has been), and the emphasis is on breakthrough creativity. So for the most part security issues, strict rules, locking things down, etc., all take a back seat.

    But there are a few systems--- just a few--- that are highly protected and known in the culture to be strictly off-limits. Have we heard of major data breaches and MIT student data being stolen on a large scale? I haven't. I suspect it's because the emphasis is on security in those few places where it really matters.

    Can someone who is currently at MIT comment on this? As I said, this is anecdotal and could be dated and/or inaccurate.

  11. Don't waste time downloading the "Full Report" by chazchaz101 · · Score: 1

    It's more of a sales pitch than a report. They make you give them an email address and then only give you meaningless highlights and the results in vaguely explained categories for the top 10 schools.

  12. Honeypot by Anonymous Coward · · Score: 0

    MIT is a massive honeypot.
    It gives attackers and security researchers a false sense of accomplishment. ;)

  13. Just like Alpha Centauri by Anonymous Coward · · Score: 0

    Just like alpha centauri and the university of the planet. -2 to probe team actions due to academic networks.

  14. Project Athena by Anonymous Coward · · Score: 0

    I'm not surprised. I attended MIT last decade, and the computing experience was dismal. I was there before MIT's own horribly written Scheme implementation was finally abandoned.

    Basically, some nerds there created Project Athena, which morphed into MIT's own half-baked Debian derivative that nobody cared to keep up-to-date. The computer labs were dark, dingy, and ancient; I felt like I had to take a long hot shower after using them.

    However, the printer paper and printers were basically free, and it was damn fun to set up your buddy's account to spam the rest of the lab users with Zephyr messages whenever he logged in...

    ... I think I'll take a shower...

  15. It is a tech college of course it will by mt2mb4me · · Score: 1

    Look, you are going to attract the people who will bring back doors with them. They try out all sorts of stuff that then gets defunded, or the guy leaves and doesn't clean up. The thing is, when they find a new problem, they have they guys there to figure it out too. I would bet the actual systems (financial and acemdemic) are tighter than fort nox. But, it is an engineers playground, So everything is covered in beer and Mtn Dew.

  16. Not surprising by Anonymous Coward · · Score: 0

    I currently go to MIT. Pretty much every computer connected by ethernet is given its own public facing IP address with no firewalling whatsoever. As a consequence, at least in my department, nearly every single office computer is set up with SSH access. Not everyone here is an IT expert, so a large majority of these computers aren't well defended.

    The cluster I do work on has at one point been used as a spam relay. No one noticed until IT started sending us complaints. I've heard that around 2-3 student systems get hacked a year in my department, and we're one of the smaller ones.

    If you know what the hell you're doing, and you have the time to do it, it's a nice system. Probably only 1 in 50 qualify for that though.

  17. what happened to guest @ ai.mit.edu? by Anonymous Coward · · Score: 0

    or was it gnu.ai.mit.edu?

    you know, the box rms liked to let anyone login to to run crack...

    1. Re:what happened to guest @ ai.mit.edu? by CronoCloud · · Score: 1

      ai.mit.edu has ssh access open


      [CronoCloud ~]$ ssh ai.mit.edu
      The authenticity of host 'ai.mit.edu (128.52.32.80)' can't be established.
      RSA key fingerprint is SHA256:s2JBWJC3Mg1/fNR2qEZQk1Nr8szla0NZ9leWLO/E1aA.
      RSA key fingerprint is MD5:0f:59:9d:f4:cf:52:be:19:f6:51:87:63:91:a6:af:ff.
      Are you sure you want to continue connecting (yes/no)? yes
      Warning: Permanently added 'ai.mit.edu,128.52.32.80' (RSA) to the list of known hosts.
      Password:

      prep.ai.mit.edu still runs an ftp server.

      I figure MIT is the sort of place that keeps legacy gopher/archie/veronica/telnet or whatever servers open administered by some bearded member of the old Unix Priesthood.

    2. Re:what happened to guest @ ai.mit.edu? by Anonymous Coward · · Score: 0

      You mean you don't run an FTP server? Wow!
      I suppose your file transfer needs are satisfied by 140 character tweets?

    3. Re:what happened to guest @ ai.mit.edu? by CronoCloud · · Score: 1

      yes there's a need for FTP but MIT doesn't need to run one on every subdomain they have! For example:

      http://prep.ai.mit.edu/pub/gnu...

      ftp://aeneas.mit.edu/pub/gnu/

      http://prep.ai.mit.edu/pub/gnu...

      ftp://aeneas.mit.edu/pub/gnu/c...

      and don't forget:

      ftp://rtfm.mit.edu/pub/

    4. Re:what happened to guest @ ai.mit.edu? by mu51c10rd · · Score: 1

      Not everyone runs FTP. There are much better, secure alternatives. You can use Dropbox-like ones like Owncloud, or use sftp variants instead of straight ftp. Even webdav secured with SSL and backend authentication is better than FTP.

  18. Re:Happy 9/11 by Anonymous Coward · · Score: 0

    "could have happened on it's own."

    it's means it is.

    " murder 3000 of its citizens "

    There, that wasn't so hard, was it?

  19. It's on purpose by Anonymous Coward · · Score: 0

    They have a history of encouraging hacking, leaving weak systems at home is just a way to do so. Too bad they are not protecting their hackers anymore.

    1. Re:It's on purpose by Anonymous Coward · · Score: 0

      Aaron Swartz wasn't an MIT anything, let alone an MIT hacker.

  20. Not surprising by mu51c10rd · · Score: 1

    I am guessing the nature of MIT lends itself to having lots of odd and end networks around. I would hope whomever runs the segment that contains administration is at least securing their network (student data, financial data, financial transactions, grading, etc.).

  21. Been that way awhile by Anonymous Coward · · Score: 0

    When applying for grad school their official application system did not and would not allow one to use encryption. They ask for your personal information including social security number. The only point where any encryption took place in the browser is when they handed you off to another service to pay the application fee with your credit card.