Beating the Big Bad Bugs
Hopkins’ pool of IT brains battle to stay one step ahead of computer virus attacks

Spam Busters The good news: Since May, the same engines that scan for viruses at Hopkins have also been searching for spam. Most spam should contain the subject line: “[JHSPAM–ALERT].” You can set your e-mail system to automatically send those messages to a separate folder before they reach your inbox (go to nts.jhmi.edu/es/spam/ to learn how). The bad news: Although the engines did tag 2.6 million messages as spam in July alone, they’re not perfect, because determining what is and isn’t spam is a lot more ambiguous than the criteria for viruses. How to help: Be selective about giving out your e-mail address. And be sure to look at all messages that arrive in your inbox marked as spam in case a legitimate message, or false positive, is tagged mistakenly. To report a false positive or spam that hasn’t been marked, contact abuse@jhu.edu. For more information on spam, go to spam.abuse.net/faq or www.symantec.com/spamwatch/tips.html.

Today’s blizzard of viruses and worms, coupled with the growing volume of spam, is enough to bring a complex, corporate computer network to its knees. In last few months, however, Hopkins’ computer security experts have managed to stave off some of the biggest threats that have come our way.

Take the case of “Sobig.F,” a virus that was so big, so fast and so annoying that last August, it breached address books nationwide and generated infected messages to everyone in them. At its height, it spawned 73 percent of all e-mail on the Internet. “Normally, about 60,000 infected messages would arrive at Hopkins’ door in a given month,” says Ben Reynolds, who runs Johns Hopkins Medicine Center for Information Systems’ (JHMCIS) central e-mail services. “But with Sobig, we were seeing somewhere around 35,000 an hour.”

The increase in malicious attacks over the last five years prompted Hopkins’ chief network officer, Mike McCarty, and his network and telecommunication services group to install virus protection systems at the e-mail relays, where messages first arrive. With these virus scanners, special software filters out and dumps messages that carry contaminated attachments before they reach recipients’ computers.

But just as you wouldn’t lock your front door and not your windows, protecting the relays isn’t enough. So McCarty’s group also provides users with live-update virus scanning software on their individual workstations and protects about 500 of the University’s and Hospital’s 1,000-plus servers, the devices that provide services and applications to individual computers. Earlier this year, the desktop computing team automated the way Groupwise users can refresh their Microsoft security updates. Now, users simply restart their computers at the end of the day and leave them on. The system applies updates overnight, and users then restart their computers again in the morning for the updates to take effect.

“There’s a continual effort to keep protection current,” says Reynolds. “The day before Sobig was released, Symantec and other virus-protection software companies knew about it and were working to get an updated virus pattern file, keeping us informed by pager alerts at every stage. We had the protection in place the next morning before most people had a chance to open their e-mail.”

While Reynolds’ group secures e-mail systems, Dean Zarriello’s team protects the network from worms, which attack computer operating systems. The group uses firewalls, an intrusion-detection system, and a virtual private network to encrypt data transferred in from off campus, according to Eric Ratliff, the team’s senior systems software engineer. The group also constantly scans the network for vulnerabilities and participates with federal and commercial alert-monitoring services.

Still, it’s not an easy task to safeguard such a sprawling beast. More than 30,000 users function on several e-mail systems and every operating system, from Windows to Unix to Mac. Even trickier, not everyone is supported by Hopkins’ centralized IT services. Many departments opt to manage and protect their own servers. Keeping track of all of this, says McCarty, “is like trying to develop a map of the solar system.”

That’s why the Institutional Computing Standards Committee (ICSC), consisting of representatives from these independent departments and McCarty’s group, meets monthly to coordinate IT efforts across all of Hopkins. The ICSC finds ways to reach those who don’t have any local-area network (LAN) support, such as a new Web site where any Hopkins user can access virus updates (see box, “Safeguarding Your Workstation”).

The meetings are also a forum for sharing successes and failures. Liz Olver, manager of the Department of Medicine’s network computer services, reports that the department fared well in the rash of viruses and worms that hit Hopkins over the summer, suffering only four compromised PCs out of more than 1,000. On the recommendation of Eric Kuhn, the network’s LAN/WAN architect, the department had installed a software update services server last year that keeps customers’ operating systems current. “It’s unusual to make an investment in something that might pay off only rarely,” says Stuart Ray, an associate professor in Infectious Diseases who now is well-versed in virtual viruses. “But without this server, secondary clinical systems and essential data would have been much more vulnerable.” The departmental servers can store a terabyte (1,000 gigabytes) of information, allowing for secure file-sharing and nightly back-ups that are periodically sent offsite to protect data from being lost in an attack.

Despite the recent successes, however, Reynolds remains concerned about reaching those individual users who aren’t aware of the importance of regular virus protection updates. “We’re hoping that people will receive our broadcast e-mail messages and wonder, Shouldn’t my PC be managed a bit better?”

-LR

Safeguarding Your Workstation Don’t save important documents to your hard drive (C drive), but rather to your department’s network server, which is backed-up daily. Treat with suspicion any unexpected attachment, even if it’s from someone you know. (It could be a virus replicating itself through that person’s address book.) If you can’t identify an attachment, delete it. If you can identify the attachment and need to open it, scan it first using a reliable, up-to-date anti-virus program. Use an anti-virus program regularly to keep your system protected, and keep the program updated weekly. For the latest updates, visit Hopkins’ anti-virus site at www.jhu.edu/anti-virus/ and the Microsoft patch site at nts.jhmi.edu/alerts/alert.detail.cfm?aid=256. (On your home system, open Internet Explorer, click on “Tools,” then “Windows Updates,” then “Scan for Updates” and apply all critical updates and patches. Visit windowsupdate.microsoft.com and www.symantec.com for additional updates and information.) If your Hopkins system does become infected, contact security@jhmi.edu or your LAN administrator immediately.