May 8, 1998

With Computer Hacking on the Rise, Colleges Seek Ways to Handle Attacks

Campus systems face both malicious incidents and pranks that escalate unintentionally

By KELLY McCOLLUM

In the past few months, malicious hackers have crashed hundreds of P.C.'s in university computing labs, drowned campus networks in worthless data, and coated college Web pages with digital graffiti. It's enough to make an institution consider unplugging its network.

But saner heads have prevailed. The consensus among network administrators seems to be that while skilled hackers might try to crack campus networks once in a while, most hacking incidents that affect colleges and universities are the work of novices who don't realize how much damage their electronic mischief can cause.

Still, experts say, administrators are asking for trouble if they don't keep a close eye on their networks and make some basic technical and administrative preparations for dealing with hackers.

During the first week of March, computer users on at least 25 campuses and at several government research laboratories saw scores of their desktop computers crash, almost in unison. An as-yet-unidentified attacker, or perhaps a group of attackers, had exploited a weakness in the Windows 95 and Windows NT operating systems to crash thousands of machines nationwide by overloading them with digital information.

Such invasions are known as denial-of-service attacks, and while they may not cause permanent damage or compromise private information, they can make individual computers or whole campus networks temporarily unusable.

Security experts say attacks like those are increasingly common because the programs used to initiate them are being distributed publicly on the Internet. Anyone with a basic knowledge of the Unix operating system, which is used in most campus computer networks, can launch an attack from his or her workstation.
In a few cases, the programs have even been incorporated into World-Wide Web pages -- with one mouse click, a Web surfer can start crashing computers.

"You used to need a whole bag of clues in order to do any of this stuff," says Roger Safian, Northwestern University's information-security coordinator. "But not any more."

The most-common security problems, he says, are caused by people who are "just interested in exploring and playing." As these amateur hackers try different things on the network, they can inadvertently cause major damage.

In addition, Mr. Safian says, "there's the fear of a bad guy breaking into a machine and destroying everything." News reports and movies have helped to popularize such fears, he notes, even though attacks that aim to wipe out someone's hard drive are relatively rare. "But it's very common for someone to break into a machine and make a mistake, and by making that mistake, cause something to go wrong."

Some attacks stem from on-line disputes in chat rooms or e-mail, says Richard Parker, director of academic computing at Harvey Mudd College. But for the most part, he says, the people who attack colleges and universities do so just to show that they can. Truly sophisticated attackers are likely to want a tougher challenge than breaking into a campus network. "Citibank's a much better target," he says. "They have lots of money."

College networks may offer little that is of monetary value for hackers, but there are nevertheless prizes that a serious attacker might be eager to steal, says Eugene H. Spafford, a computer-science professor at Purdue University who is director of its research program in computer security. He says intellectual property, such as scientific data and academic-research results, could attract hackers, as could licensed copies of expensive software packages. Some institutions, he adds, may keep information such as credit-card and Social Security numbers on their networks as part of on-line registration systems.
But it's "relatively rare" for attackers to go after such information, he says. Most security experts suggest that any data worth stealing be kept on computers that are not accessible via the Internet.

Sophisticated attackers who are looking to steal information will often use a technique known as "packet sniffing." The hacker installs a program, or "sniffer," that surreptitiously monitors information as it flows across the network. The program can record anything typed by a user, including passwords, e-mail messages, and credit-card numbers. The attacker can then retrieve the information and use the sniffed passwords to gain higher levels of access or break into other parts of the network, stealing other information or vandalizing Web pages.

In an attack in March on a network at the University of Colorado at Boulder, a student at the university stole passwords and passed them to an Israeli hacker via an Internet chat room. The student had obtained the passwords using a packet sniffer, and the hacker later tried installing similar programs in an attempt to gain greater access to the network.

Colleges and universities have found that students are often involved in security incidents, accidental or otherwise. To minimize attacks, administrators say, campus policies can be as important as digital security measures.

Many institutions don't have clear policies defining and prohibiting computer crimes, says Purdue's Mr. Spafford. By making it clear that computer attacks are serious offenses with serious consequences, he says, administrators can discourage students who might otherwise try to see what they can get away with on the network.

Some colleges have no problem catching offenders but don't have procedures in place for punishing them, Mr. Spafford adds. At Purdue, by contrast, students who run afoul of computing policies go through the standard campus judicial process, which -- for serious offenses -- could end with the students' being handed over to the police.

Educating students about the campus network can help prevent them from getting into trouble, says Mr. Parker, of Harvey Mudd. Students there are taught enough about the network to ensure that they don't misuse it accidentally, he says. They also learn about on-line behaviors that, although they may seem harmless, can cause serious damage.

"If you educate your users about the downsides of activities like this, you'll ultimately reduce the number of such actions," says Mr. Parker. And by publicizing the ways that its network is monitored, he says, Harvey Mudd discourages students from even trying some things.

The "mail-bomb detector," for example, is a program that alerts administrators if anyone on campus tries to send more than 100 e-mail messages in an hour. The detector is aimed at preventing a common Internet attack that involves sending thousands of messages to a target's computer, clogging its connection and inbox. With the detector program, system administrators can stop a large mailing while they check on whether the sender is actually attempting an attack.

Preventing attacks, says Mr. Parker, is "an obligation of the institution."

The Harvey Mudd network is also configured to prevent people on the campus from using "I.P. spoofing," with which an attacker can disguise his or her computer with the address of another machine, even one on another network or another campus. A disguised address would help a hacker launch some attacks more easily -- and more anonymously.

Using such a disguise, someone set off a sequence on March 17 that jammed the network on the University of Minnesota's Crookston campus. The attacker or attackers had fooled each of a large number of computers on the Internet into sending a small parcel of digital information to a single computer on the campus. When those bits came flooding in by the thousands, they overwhelmed the campus network.
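
The "mail-bomb detector" rule described above (alert when one sender exceeds 100 messages in an hour) can be sketched as a per-sender sliding window. This is an added example, not Harvey Mudd's program or anything from the article; the log format, addresses and function names are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LIMIT = 100                  # article's threshold: more than 100 messages ...
WINDOW = timedelta(hours=1)  # ... within one hour
# Hypothetical log format, constructed for this example: "<ISO time> from=<address>"
LINE_RE = re.compile(r"^(\S+) from=<([^>]+)>")

def detect_mail_bombs(lines, limit=LIMIT, window=WINDOW):
    """Return {sender: time it first exceeded `limit` sends inside `window`}.

    Assumes the log lines are in chronological order."""
    recent = defaultdict(deque)  # sender -> send times still inside the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue             # not a send record; ignore it
        ts = datetime.fromisoformat(m.group(1))
        sender = m.group(2).lower()
        q = recent[sender]
        q.append(ts)
        # Slide the window: forget sends that are an hour old or older.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) > limit and sender not in alerts:
            alerts[sender] = ts  # first moment an administrator would be paged
    return alerts

def sample_log():
    """Constructed sample: a bulk sender, a sender exactly at the limit, a slow sender."""
    start = datetime(1998, 3, 17, 9, 0, 0)
    events = []
    # 150 messages, 10 seconds apart: the 101st message crosses the limit.
    events += [(start + timedelta(seconds=10 * i), "bulk@campus.example") for i in range(150)]
    # Exactly 100 messages inside one hour: at the limit, not over it.
    events += [(start + timedelta(seconds=36 * i), "list@campus.example") for i in range(100)]
    # 150 messages over five hours: never more than 30 in any one hour.
    events += [(start + timedelta(minutes=2 * i), "slow@campus.example") for i in range(150)]
    events.sort()
    return [f"{ts.isoformat()} from=<{who}>" for ts, who in events]

if __name__ == "__main__":
    for sender, when in detect_mail_bombs(sample_log()).items():
        print(f"ALERT {sender} exceeded {LIMIT} messages/hour at {when}")
```

Counting over a trailing window rather than per clock hour means a burst that straddles the top of the hour is still caught, and the sender at exactly 100 messages shows that the rule fires only above the threshold.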

Don Medal, director of computing services at Crookston, says university networks by their nature cannot be completely secure. Corporate or military organizations, he says, "can wall their people off, tell them they can't run particular software, or say that people can't come into the system from outside." But a university cannot place such limits on its users, he says. "Unfortunately, that interferes with our educational role."

Because campus networks often lack tight security, sophisticated hackers sometimes use them as steppingstones for attacks on other targets. By routing information through many systems, an attacker can cover his or her tracks, making it difficult for investigators to find out where the attack originated.

Many institutions cooperate with computer-security organizations, such as the CERT Coordination Center, at Carnegie Mellon University, and FIRST, the Forum of Incident Response and Security Teams. Those organizations collect reports of security incidents, distribute advice and suggested repairs for security flaws, and work with software makers to improve security. Many universities also have their own offices for coordinating computer security.

One problem, says Northwestern's Mr. Safian, is getting professors and researchers who maintain their own networked computers to report security incidents. "If your machine gets broken into and you can keep it quiet so nobody knows, you'll take that route, more than likely. I think a lot of people feel that if they get more people involved, somehow that's going to reflect badly on them." But by trying to fix a problem themselves, he says, users can make a situation worse, or destroy evidence that could help technicians trace an attack.

At the institutional level, some administrators fear that reporting security incidents might only make matters worse. Crookston's Mr. Medal, for example, says publicity about an attack might invite other hackers to try similar attacks.
And many system administrators "are also embarrassed to admit they got hit," he says. To encourage institutions to report incidents, security organizations like CERT keep the names of affected institutions strictly confidential.

As it is, not all institutions even put a high priority on precaution. "A lot of times, security ends up as an afterthought," says Mr. Safian. "Unless you assign it and give time and equipment and resources to do it, it's not going to happen."

But recovering from even one security incident can be costly -- in salaries paid to technicians, in time lost by students who can't gain access to network services, and in damage done to an institution's public image. Such costs easily justify the expense of preventive measures, says Mr. Safian, who coordinates network security at Northwestern by himself. "You don't have to have a staff of hundreds. One good person can do an awful lot."