Every single day, the University of Oslo receives several millions of e-mails. 85 to 90 percent of these are junk mail.

However, junk mail is not the university´s biggest problem when it comes to IT. 200 attempts at password fraud a year, poorly maintained web sites and three to four million SSH Brute force attacks every day all make up a much larger threat than junk mail.

Password fraud

Most students and staff by the University of Oslo have at some point received an e-mail requesting their user names and passwords, signed the university´s center for information technology (USIT). These e-mails are always fake.

– With time, it seems to be an increase in the amount of various attempts at password fraud. We notice that more of them are translated into good Norwegian, or made especially to strike users from the University of Oslo, says chief engineer of USIT Espen Grøndahl.

USIT handled 200 fraud attempts in 2009, and about 30 users fell for the fraud. These users´ accounts were frozen, as to avoid abuse until the passwords were renewed.
Despite the fact that the attempts of fraud have become more professional and more determined, the users have become better at recognizing these e-mails as fraud.

Poor maintenance

One of the largest threats of security at the university today might be the poorly maintained web applications that are available on websites connected to the university servers. USIT has little or no control over the maintenance of these applications, and the security is therefore decreased.
There have been incidents where applications have been used to get access to the university’s servers. The hackers have so far been content with distributing junk mail, but it can get worse.
– If hackers through these applications get their hands on an account with large access to the university network, they can cause great damage. They can also get access to information that should not get out in the open, and information that is sensitive, says Grøndahl.

Automatic burglary attempts

Another form of attack is the so-called SSH Brute force attempt. These are automatic attempts at guessing passwords to standard users from lists of names that are available online. Usually there are three to four million attempts at SSH Brute force towards the university.
– It is like if a burglar tries to feel if a door is locked, and then moves on. In one or two cases such attempts slip through, but in these cases the user has chosen an easy password that can be found in English dictionaries, says Grøndahl.

Well secured

Large institutions are difficult to secure since there are many computers in use and many users. Even the police have experienced this, when they March 12th last year were attacked by the virus Conficker, that knocked out several thousand machines.
IT director Lars Oftedal thinks, however, that the IT security by the university is highly sufficient.
– The incident with the police cannot occur with us. We focus largely on security, a well-functioning operation system for office machines. We also supervise a lot and we have virus controls on all our machines, and we have a pretty good overview on which applications are in use, but we wish to become better in this field.

Earlier, illegal file sharing could give you a temporary expulsion from the University of Oslo´s network. That is not how it is anymore.

Espen Grøndahl by USIT says that they have since 2008 noticed a marked increase in complaints concerning file sharing. The main reason is that the copyright industry to a larger degree uses automatic warning systems. These are, however, not always reliable.

Nonsense

– Five years ago, all the complaints we received were legitimate, but now there is a lot of nonsense, says juridical supervisor at USIT, Walter Martin Tveter.
USIT received a complaint from the people sitting on the copyright to the comic book character Iron Man. They claimed there was a file on the university’s servers that they had the copyright to. After closer inspection, it turned out to be a PDF-file with the words “Iron Man” in the title.

Trusts the users

When USIT receives a complaint concerning file sharing, they inform the users in question via email. They also ask for feedback concerning the university´s IT regulations, and questions on whether the regulations have been read and understood. Tveter calls this a passable solution.
– We notice an increase in complaints, based on, among other things, received complaint and increased usage of the line. Many people probably consider a warning less scary discouraging than expulsion from school. But seeing how the copyright industry acts, it seems impossible to trust their complaints. Five years ago, the complaints we received were probably true, but nowadays we see that much of it is incorrect.