Editor’s Note: The author of this post, Jack Ochs, is currently Vice President, Strategic Planning & Analysis for the Publications Division of the American Chemical Society. He serves on the COUNTER Executive Committee and chairs the International Association of Scientific, Technical & Medical Publishers (STM) Public Affairs Committee. He also serves on STM’s Copyright Committee and is an Ex Officio member of the Executive Board. Prior to joining the ACS, he served in sales, editorial, strategic planning, and management positions with Simon & Schuster, Scholastic, and Prentice-Hall.

In a recent Scholarly Kitchen post, University of Utah Associate Dean for Collections & Scholarly Communication Rick Anderson wrote about the unintended consequences of sharing passwords or falling prey to phishing schemes to gather university network credentials that enable illegal pirate operators like Sci-Hub to offer illicit access to licensed scholarly publications.

The American Chemical Society (ACS) could not agree more.

Over the past two months, ACS has experienced the effect of compromised university network credentials and servers used to launch a significant increase in sophisticated, sustained theft of ACS copyrighted journal articles. These activities have ranged from single instances that attempted massive article downloads to hundreds or thousands of simultaneous robotic user sessions crafted to download hundreds of articles apiece. The perpetrators of these attacks are cunning enough to test and adjust their penetration methods based on the security and usage monitoring tools they encounter. As a consequence, we are revising our own network capabilities and protocols regarding how we detect, respond to and prevent these incursions, and are urging our academic partners to review their campus cybersecurity protocols, as well as their internal response and investigation procedures. In addition, ACS is urging victimized institutions to preserve any and all evidence related to these violations of academic IT security. Although ACS, like other scholarly publishers, is most certainly aware of and alarmed by what has been stolen, an even more immediate concern for our university partners should be to determine how their own networks and resources have been compromised. For a number of reasons, publishers and universities are in this fight together.

First, universities and publishers have increasingly concluded that network violations, like the ones ACS’ academic partners recently experienced, are the work of international cyber criminals. Unfortunately there is no reason to expect that once such individuals gain access to university IT systems they will stop with scholarly articles. University servers contain troves of intellectual property and other potentially lucrative information such as university patents, faculty and student social security numbers, email addresses, and other personal and institutional financial and health records, including tax information that can lead to identity theft.

Second, the consequences to universities of not securing this information are potentially catastrophic. As noted among the many comments to Rick Anderson’s informative post, non-compliance with U.S. regulations concerning health and student records alone could jeopardize a school’s federal funds. Given that scholarly communication is a global enterprise, the compromise of university networks around the world also puts many entities at risk of violating data protection regulations and liability for associated penalties – not to mention legal claims by individuals alleging their personal information is not adequately safeguarded.

Third, compromised university security systems and their users are also potentially exposed to ransomware, an unfortunate new risk of operating in today’s web environment. Think this will never happen? Just this month, after futile efforts to crack the ransomware that had infected them, the University of Calgary paid hackers $20,000 (Canadian) to restore access to data that those hackers had turned into the digital equivalent of gibberish. The university reported that more than 100 of its computers had been affected, and cautioned that the decryption keys they received “do not automatically restore all systems or guarantee the recovery of all data.”

Finally, those who deem illegal pirate operators like Sci-Hub to be above using the stolen journal access credentials they possess to also steal university intellectual property and confidential information should bear in mind that the hackers who we believe directly or indirectly assist those operators certainly seek to exploit rather than protect personal data: i.e., there is every reason to believe that such individuals are intent on using stolen credentials for their own personal benefit, or are willing to aid others in raiding universities for valuable information.

Case in point: a hacker known only as “Peace_of_Mind” was profiled in a recent WIRED Magazine interview. “Peace” sells data on the dark web, where a “store” page of fenced credentials has a 100-percent user satisfaction rating, with feedback such as “A+++” and “…follows up with your questions and delivers promptly.” Peace’s selection of ill-gotten goods includes 167 million user accounts from LinkedIn, 360 million from Myspace, 68 million from Tumblr, and 71 million from Twitter – more than 800 million compromised usernames and passwords in all, and growing. “Peace” has boasted that stolen data are used for hackers’ own purposes first and then sold to others, with new data sales available every week. Our guidance to our global user community is this: please take seriously any advice to change your personal password(s) on these and other social media sites, and consult with your IT professionals on best practices for password maintenance and security at your institution, to help minimize your exposure to such identity theft.

We at the ACS have been grateful for the cooperation we have received and continue to benefit from as we partner with our customers and relevant law enforcement authorities to pursue more detailed investigation of the recent occurrences of piracy that have affected our professional society. Serious as these thefts are, the consequences to ACS and other scholarly publishers are just a fraction of the risks facing universities that remain exposed to unchallenged infiltration of their campus network systems. In that vein, ACS will be seeking to instigate high-level consultations within the scholarly publishing and university communities to address our shared global cybersecurity concerns. We welcome participation in that dialog.

Discussion

9 Thoughts on "Guest Post: The American Chemical Society on the Shared Cybersecurity Concerns of Universities and Publishers"

Stanford had a serious network breach in mid 2013(1), and responded more rapidly than I’d seen the University respond to anything but life-safety issues: two-factor authentication was imposed almost immediately (about two months, as I recall) and as disruptive as it was to get used to it, it was mandatory for access to the network. (After about a month of pulling out my cell phone every time I wanted to log in to the network, I was used to it.)

I would think that two-factor authentication would pose a significant barrier to the kind of incursions that Jack has written about in this post. I have no evidence yet one way or another on that. If others do, please contact me about that!

I had thought that many other institutions had done something similar to Stanford, and that two-factor authentication was common among, say, the top 100 research institutions (ARL libraries or Carnegie tier measurement). But I don’t know of any reliable study or survey of status or plans. Does anyone? EDUCAUSE, the higher-ed technology leaders’ group, has a security sub-group that might have such information.

I will ask one of the HighWire-hosted journals if they would be able to survey their editorial board members (who are mostly at universities of course) about implementation of two-factor authentication, if there is no EDUCAUSE survey available.

In looking into two-factor implementations at universities (Google “two factor authentication” and the name of any university), I found that some of them had made it optional (so an individual would choose enhanced security) or required only when accessing certain applications (student data, employee data). This won’t help with the situation Jack is writing about.

(1)
http://www.cnet.com/news/fbi-probes-network-breach-at-stanford/
http://abc7news.com/archive/9184555/
http://www.stanforddaily.com/2013/09/23/online-security-breach-prompts-further-security-measures-amidst-uncertain-details/

In the case illustrated above, it appears that the publisher (ACS) was able to detect that the universities’ systems were compromised, yes? I don’t get the impression that the university knew about it. Most of us have an abuse monitoring protocol that shuts down IP addresses if too many downloads happen too quickly. All of us get to determine that threshold, I presume there are discussions happening all over the place about tightening the threshold. This in and of itself will be an administrative burden to the publisher and the universities if legal activity is more likely to trigger an abuse monitor.

I understand that there are sensitivities to sharing too much information publicly, as the hackers can use that information against us, but I would like to know more about what to look for in our systems. Beyond the blunt force tool of the abuse monitoring, information about how the hackers behaved in the system would be helpful to know.

I have been really shocked when people (some librarians) brush off the possibility that Sci-Hub in particular would sell the credentials being collected. I assume this is an inevitable conclusion.

It is also possible that Sci-Hub’s credentials store could itself be stolen (rather than ‘sold’). I’m not saying “likely”, but it could be attractive to others.

It’s also likely that Sci-Hub’s credential store is not its own, as Library Genesis has an unknown role in this. These credentials are probably traversing a lot of systems, and we’re only seeing the tip of the iceberg.

Angela – thanks for your comment. In answer to your questions:

ACS was able to detect that excessive downloading was occurring before the institutions affected were aware that their systems had been infiltrated. We contacted the institutions involved and asked them to investigate. The short summary about those investigations is that neither ACS nor the compromised institutions can tell much about the source of the problem until they analyze their system’s data. And while we would agree that tightened automatic abuse monitors could be an administrative burden for publisher and universities, we think the cost of letting episodes like those we’ve seen over the last several weeks go unaddressed will be far greater for both.
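The post describes two download patterns (a single source attempting massive downloads, and many simultaneous sessions each pulling hundreds of articles), and this reply notes that per-IP abuse monitors carry a cost. The following is an added example, not ACS or publisher code: a per-IP burst monitor beside a per-institution monitor that catches the distributed pattern the per-IP threshold alone misses. The event layout (timestamp, institution, client IP, session id, article id) and all sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def session(inst, ip, sid, start, count, gap_s):
    """Constructed sample events (ts, institution, client_ip, session_id, article_id):
    `count` downloads from one session, `gap_s` seconds apart. Not real log data."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(seconds=i * gap_s), inst, ip, sid, f"{sid}-art{i}")
            for i in range(count)]

# Three constructed scenarios: a single-source burst, a low-and-slow pull spread
# over parallel sessions, and an ordinary reader.
SAMPLE_EVENTS = (
    session("univ-A", "10.1.1.5", "s1", "2016-06-01T10:00:00", 6, 5)     # 6 articles in 25 s
    + session("univ-B", "10.2.0.1", "s2", "2016-06-01T11:00:00", 3, 120)
    + session("univ-B", "10.2.0.2", "s3", "2016-06-01T11:00:10", 3, 120)
    + session("univ-B", "10.2.0.3", "s4", "2016-06-01T11:00:20", 3, 120)  # 3 quiet parallel sessions
    + session("univ-C", "10.3.0.9", "s5", "2016-06-01T12:00:00", 2, 60)   # ordinary reader
)

def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def burst_ips(events, window=timedelta(minutes=1), threshold=5):
    """Per-IP abuse monitor: flag any client IP that pulls more than `threshold`
    articles inside one `window`. Catches the single-source burst only."""
    by_ip = defaultdict(list)
    for ts, _, ip, _, _ in events:
        by_ip[ip].append(ts)
    return {ip for ip, ts in by_ip.items() if max_in_window(ts, window) > threshold}

def distributed_institutions(events, window=timedelta(minutes=10),
                             per_session=3, min_sessions=3):
    """Per-institution monitor: flag an institution when at least `min_sessions`
    distinct sessions, each pulling `per_session`+ articles within `window`,
    start within one `window` of each other. Each session stays under the
    per-IP threshold, so burst_ips() alone would miss this pattern."""
    by_session = defaultdict(list)
    for ts, inst, _, sid, _ in events:
        by_session[(inst, sid)].append(ts)
    session_starts = defaultdict(list)
    for (inst, _), ts in by_session.items():
        if max_in_window(ts, window) >= per_session:
            session_starts[inst].append(min(ts))
    return {inst for inst, ts in session_starts.items()
            if max_in_window(ts, window) >= min_sessions}
```

On the sample, the per-IP monitor flags only 10.1.1.5, while the per-institution monitor flags only univ-B, which is why the two need to run side by side.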

Would someone please make sure that Sci-Hub’s Elbakyan sees this post? At the recent UNT conference where she was interviewed and I asked her if she could give us assurances that access passwords were not being misused, she flatly denied that such passwords could be used for anything other than accessing journal articles. What are we to make of such a denial? Either she is simply lying and knows she is wrong, or she is delusional?

Examining publisher log files against our new IP Registry, we will be able to see if usernames and passwords have been compromised. We are talking with STM about a solution also. Publishers should sign up to the new registry and help us create a solution for the whole industry. Stopping the flow of new papers will impact Sci-Hub greatly. Andrew Pitts; PSI and The IP Registry
