Cyber security issues hit too close to home
By Carolyn Levin
As anyone who has advised a college newspaper knows, you never really get a vacation, even during the summer months when you publish less and may not be paid. Which is why, when I returned from a week away in early August (during which I really, truly tried to disconnect), I was not altogether surprised to discover that our newspaper website had been infected with a virus.
And, not just any little virus. When I opened the site on my first day back, just to take a look while starting to plan for the fall semester, the entire screen went red, with a warning notice, “ZEUS VIRUS DETECTED.”
Nothing subtle about that.
I immediately contacted our incoming editor-in-chief, who had just finished a summer internship and was also trying to disconnect before school began. Another observation – there’s no disconnecting for an editor-in-chief either.
The editor-in-chief called our website hosting company, with little success.
Perhaps they need a call from a grown-up,” one of my colleagues said. I then spent several hours on phone calls with support representatives at the hosting company, all located in the Philippines.
The first support representative told me that we needed to log into our WordPress account and install all the updates, which it turned out, we may not have been doing. Then, he informed me that we needed to update our hosting platform, for an additional fee. And, finally, he recommended installing “siteblock software” that we could use to scan our website anytime, for an additional $4.99 a month. We did all that, increasing our hosting costs by approximately $60, and the virus remained on the site.
For a week, we tinkered and experimented, to no avail. The next call I made to the hosting company was even more sobering. A different support representative in the Philippines
informed me that it is usually business sites that are targeted with such serious viruses, and that this must have been “intentional.” Someone was trying to infect our files, he surmised.[1] The hosting company, luckily, had backed up our site, because the students, unbeknownst to me, had not. The hosting company kept the backed up files for seven days. So, we then tried to wipe out our entire site and replace it with the seven day old back up. But, sadly, the virus remained.
The only solution at this point, according to the hosting company technician, was to hire a web developer or programmer to diagnose what scripts on the site were infected and to “sanitize” the site. The problem was now beyond the capabilities of the hosting company. No software that they had could fix it. “You need a human to detect the code,” my new friend in the Philippines told me.
Before spending a large sum of money that we didn’t have to hire an outside web developer, two colleagues on campus (a professor of digital art & design and the manager of our digital art & design labs) generously offered to assist.
Using a relatively inexpensive site cleaning program called WordFence[2], they attempted to “clean and sanitize” our WordPress site[3]. Although we thought that this process would take two days, we were apparently put in a queue with others who had similar problems. I checked our site every day, and continued to receive the red screen with the “This site has been reported as unsafe” message.
So, two weeks before classes were set to begin, our website remained down. The cleaning and sanitizing process was finally performed the week before the fall semester began. And then, lo and behold, I received an email notifying me that “the Security Services Team has completed the cleanup of your site,” along with a Malware Removal Report, detailing all we did wrong and the key steps we need to take in the future to secure our website.
The site cleaning service had worked! The newspaper website was up and running, virus free.
To protect the site now that it had been fully “sanitized,” we purchased a DropBox account, where all of our archives would be placed if we were again infected.
The experience of the Pioneer is a cautionary tale for college newspapers. What can advisers do to avoid the headache that plagued the Pioneer this August? Here are some suggestions, in no particular order of importance, advice compiled from all those who assisted us during this past month:
- When those updates arrive from WordPress or from your hosting company, make sure the students install them. The latest updates help keep viruses at bay.
- Change your passwords – frequently. Apparently, we were still using a password from 2014. This meant that many former students, and maybe their roommates, ex-roommates, friends, ex-friends, still possessed the password. This is not a good thing.
- Back up your site. The Pioneer had not been backed up every week, possibly in years. This must be part of the online editor’s job responsibilities.
- When those updates arrive from WordPress or from your hosting company, make sure the students install them. The latest updates help keep viruses at bay.
- Change your passwords – frequently. Apparently, we were still using a password from 2014. This meant that many former students, and maybe their roommates, ex-roommates, friends, ex-friends, still possessed the password. This is not a good thing.
- Back up your site. The Pioneer had not been backed up every week, possibly in years. This must be part of the online editor’s job responsibilities. If the cost of a DropBov account is not within your budget, copy the archives and secure them in a second location.
- Keep the files on your layout computers organized and labeled. If, for some reason, the site is not being backed up, you can look to your layout computers for archives. The files on the Pioneer layout computers, we discovered, unusable. Layout editors should be charged with organizing all PDFs, by date, so that they are readily accessible if a virus hits the site.
- Have at least two online editors, preferably a senior and a sophomore. Doing it right is a time-consuming job, and should not be the responsibility of just one student.
- Know the name of a knowledgeable web developer or programmer, preferably one on campus, who is willing and able to assist in a crisis.
- Hacking a website is a serious federal offense under the Computer Fraud and Abuse Act, and violators can and do get sentenced to serious prison time if they are found and prosecuted.
Frank LoMonte, former director of the Student Press Law Center and now director of the Brechner Center for Freedom of Information at the University of Florida College of Journalism and Communications, cautioned, “If your site gets hacked, you should always consider alerting the computer crime unit at the nearest FBI office, as they have a good deal of expertise in that field and they take hacking seriously.”
As the Pioneer staff learned this summer, it’s important for every news organization to make regular backups of essential content and use a reliable hosting arrangement with tech support.
About the Author: Carolyn Schurr Levin, an attorney specializing in Media Law and the First Amendment, is a professor of journalism and the faculty adviser for the student newspaper at Long Island University, LIU Post. She is also a lecturer and the media law adviser for the Stony Brook University School of Journalism. She has practiced law for over 25 years, including as the Vice President and General Counsel of Newsday and the Vice President and General Counsel of Ziff Davis Media.