The University of Iowa computer systems flagged suspicious activity last week, and UI officials said the incident appeared to be related to a new computer bug called Shell Shock.
The bug could potentially allow attackers to remotely take control of a user’s computer. Businesses and institutions, such as the UI, which run on servers, are the most vulnerable to the bug.
Last week, the U.S Computer Emergency Readiness Team, a branch of the Department of Homeland Security, published an alert that a critical vulnerability had been discovered in computer systems such as Linux and OS X.
Jeff Vossenkemper, the IT security officer at the UI Health Care Information Systems, said he became aware of the vulnerability on Sept. 25 when he came into work and received the alert from the Computer Emergency Readiness Team.
Vossenkemper said he immediately alerted the Unix admins, an operating system, to review its systems before he began working to scan and “patch” the university’s computers.
“Some of our systems, because of the contracts we have set up with various venders, we have to contact them first to make sure [the patches] won’t break their systems,” he said.
Although the system is currently unharmed, work is not done, said Steve Fleagle, the UI associate vice president for Information Technology Services.
As more attackers try to exploit Shell Shock, and vendors work to create bigger and better patches, the university is working to keep its systems safe, he said.
“Shortly after the vulnerability was identified, [the first patch] turned out to not be complete, so for many systems we had to actually apply a patch to patches,” Fleagle said. “Until they find another vulnerability, we think that the systems we’ve patched are up to date.”
Vossenkemper said patient records at the UI Hospitals and Clinics were not vulnerable at any time before or during the process.
“The university’s network is sort of like our ISP, you first have to get through them to get to us,” he said. “Then once you get to us, we have a series of firewalls in place, and there are only certain pieces of our infrastructure that are visible to the outside world. Then behind that a few layers is the patient-care system.”
Douglas Jones, a UI associate professor of computer science, said Shell Shock’s danger isn’t so much what it can do but that it existed for 20 years in a “legacy system.”
A legacy system, Jones said, is any previous or outdated system or program.
These old programs, some of them developed in the 1960s, often have widely known flaws and drawbacks, but instead of moving to newer and better existing systems, Jones said they are instead patched up with “spit and baling wire.”
“These legacies are huge, so huge that replacing them is almost inconceivable,” he said. “They don’t exhibit uniform engineering quality and are instead cobbled together from bits and pieces that have accumulated over the decades.”
Because of the program’s complexity and size, Jones said vulnerabilities such as Shell Shock and Heartbleed, the security bug discovered earlier this year, are often almost impossible to detect and fix before they cause trouble.
“What we have inherited from the previous generation is a extraordinarily valuable and also an extraordinary liability,” he said.