Massive USC security failure could wreak digital havoc
You can fake emails from any usc.edu address. We did it to Carol Folt's.
USC wasn’t fully aware of the problem before it was contacted for this story. (Illustration by Tomoki Chien)
A stunning lapse in cybersecurity protocol allows anybody to send fake emails from any usc.edu address — containing any content, to any person.
Morning, Trojan reporters successfully sent mail from the real addresses of USC President Carol Folt, Provost Andrew Guzman, and the school’s public relations team.
USC’s IT department said it was previously aware of vulnerabilities in its email protocol — but not the full extent until it was contacted for this story. It is actively working to resolve the problem, a spokesperson said, adding that it is a violation of the school’s Acceptable Use Policy to spoof emails.
A spoofed (fake) email shown on the Apple Mail app.
It is impossible to tell the email is fake from the contact card. This address belongs to Folt’s office, and is not her direct inbox.
The cyberattack, known as spoofing, exploits vulnerabilities in an esoteric mail protocol that the layperson is likely unaware of. But given the abundance of online resources, it is relatively easy to learn to spoof even with a limited technical background.
The results could be dangerous.
In tests, Morning, Trojan reporters found that spoofed emails are often indistinguishable from their real counterparts. Google profile photos transfer to the spoofs and recipients can reply to the sender’s legitimate inbox.
It is theoretically possible to spoof emails from any USC address, including university departments, student clubs, and the Department of Public Safety. Spoofs can land in inboxes of any email domain — not just usc.edu addresses.
A spoofed email shown on the Apple Mail app — at the expense of our good friends at USC public relations.
It is sometimes possible to detect a spoof by examining the header, a hidden block of metadata at the top of the email that records which servers handled the message and whether they could verify the sender. But the results are not consistent.
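As an added illustration of what "examining the header" involves (this is example code written for this article, not anything from USC's IT department or the Morning, Trojan reporters), the script below reads the Authentication-Results header that a receiving mail server typically adds, pulls out the SPF, DKIM and DMARC verdicts, and compares the envelope sender with the visible From address. The two sample messages, the domain example.edu and the server name mx.example.edu are all constructed for the example; whether any given inbox has such a header at all depends on the receiving server, which is one reason header checks are inconsistent.

```python
"""Flag a message as a suspected spoof from its headers.

Added example, not from the original article. It assumes the receiving mail
server wrote an Authentication-Results header (RFC 8601) recording SPF,
DKIM and DMARC results; the sample messages below are constructed.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample: the visible From names the president's office, but the
# envelope sender and the authentication results do not back that up.
SPOOFED_RAW = """\
Return-Path: <bounce@attacker-mail.example>
Authentication-Results: mx.example.edu;
 spf=fail smtp.mailfrom=attacker-mail.example;
 dkim=none;
 dmarc=fail header.from=example.edu
From: "Office of the President" <president@example.edu>
To: student@example.edu
Subject: Classes cancelled

Body omitted.
"""

# Constructed sample: same visible sender, but relayed through the
# university's own servers with passing SPF, DKIM and DMARC.
LEGIT_RAW = """\
Return-Path: <president@example.edu>
Authentication-Results: mx.example.edu;
 spf=pass smtp.mailfrom=example.edu;
 dkim=pass header.d=example.edu;
 dmarc=pass header.from=example.edu
From: "Office of the President" <president@example.edu>
To: student@example.edu
Subject: Commencement details

Body omitted.
"""

# Matches "spf=pass", "dkim=none", "dmarc=fail" and similar tokens.
_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if absent."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts from every Authentication-Results header."""
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in _RESULT_RE.findall(str(header)):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def spoof_indicators(raw):
    """Return the reasons a message looks spoofed (an empty list means clean)."""
    msg = email.message_from_string(raw)
    reasons = []
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    verdicts = auth_results(msg)
    # DMARC is the verdict that ties SPF/DKIM to the visible From domain,
    # so it is listed first; the individual mechanisms follow for detail.
    if verdicts["dmarc"] != "pass":
        reasons.append(f"dmarc={verdicts['dmarc']}")
    if verdicts["spf"] != "pass":
        reasons.append(f"spf={verdicts['spf']}")
    if verdicts["dkim"] != "pass":
        reasons.append(f"dkim={verdicts['dkim']}")
    # A bounce address on a different domain than the From line is a classic
    # spoofing tell, even when no authentication results are present.
    if envelope_domain and envelope_domain != from_domain:
        reasons.append(f"envelope sender {envelope_domain} != From {from_domain}")
    return reasons


def banner_for(raw):
    """Text a mail client could show above a suspicious message, or '' if none."""
    reasons = spoof_indicators(raw)
    if not reasons:
        return ""
    return ("Warning: this message may not be from the sender it claims. "
            + "; ".join(reasons))


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legitimate", LEGIT_RAW)):
        print(label, "->", banner_for(raw) or "no indicators")
```

The banner_for function is the shape of check a "suspected spoof" warning in an inbox can be built on; it errs on the side of flagging, so a legitimate message relayed through a server that never set SPF or DKIM up would be flagged too, which is the trade-off such banners make.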
Morning, Trojan reporters successfully spoofed emails on USC servers while connected to home WiFi networks. Spoofers do not need access to a legitimate USC email account to initiate an attack, either.
That means bad actors could initiate attacks regardless of proximity or affiliation to USC, though the school’s IT department said it was working rapidly to fix the problem on Sunday afternoon.
Morning, Trojan held publication of this story for 48 hours to give USC time to patch some of the most egregious security vulnerabilities. A spokesperson said to forward any suspicious mail to [email protected], which can verify whether the content is real.
A spoofed email in the Gmail app.
This address belongs to Guzman’s office, and is not his direct inbox.
The results aren’t always perfect. In some instances, Gmail appeared to identify the spoofs as spam, but they still landed in the recipient’s inbox.
That’s likely because of specific configurations in USC’s servers that ensure mail from important addresses does not go unseen, though a USC spokesperson did not respond when asked if that’s the case.
Spoofs do not appear in the victim’s “sent” tab, and spoofers cannot access a victim’s inbox.
In an interview, Sandra Taylor — USC’s chief information and security officer — said the IT department will roll out a feature that flags suspected spoofs with banners in Gmail inboxes.
Roughly half of the school’s staff email addresses already have the feature but few students and faculty do, Taylor said. On Sunday morning, she said it’ll take seven to 10 days to implement the warnings in every inbox; later that evening, a spokesperson said the rollout should be done within 48 hours.
Taylor said the university has long been aware that its email system is vulnerable to spoofing.
“We’ve known it’s an outdated technology,” she said.
The problem is that much of the university’s infrastructure, like printers and older security cameras, relies on the archaic protocol, she said. It will be a mammoth task to overhaul the system.
Patching vulnerabilities has already disabled some of those devices, Taylor said, though the IT department is working to get them back online.
When asked why USC has not already patched a vulnerability that it has — in part — known about for years, Taylor cited the school’s Acceptable Use Policy that bans spoofing, and the alerts that appear in a limited number of staff inboxes.
“We had these other layers while we were chipping away at these devices,” Taylor said.
The IT department is working at an accelerated pace to fix the problem now, she said, adding that while spoofing is a “serious” problem, her department also regularly fends off sophisticated attacks from foreign actors and cybercriminals.
“A lot of times our eyes are on that,” Taylor said.
USC is not the only U.S. university with glaring cybersecurity vulnerabilities. A viral Twitter thread earlier this week showed that the Massachusetts Institute of Technology suffers from many of the same security lapses, although spoofers need access to a real mit.edu address to execute an attack.
A student in 2013 attempted to cancel classes at MIT with a universitywide spoofed email, though that evidently did not convince the university to fix the problem.
“We were alerted to an email security concern and immediately engaged our information technology and cybersecurity teams,” a USC spokesperson said. “The university is always diligently working to protect campus systems and data.”
Reach us at [email protected].