[ISN] ..Hacking on the Rise, Colleges Seek Ways to Handle Attacks

From: mea culpa (jerichoat_private)
Date: Mon May 04 1998 - 22:55:01 PDT


    May 8, 1998
    
    With Computer Hacking on the Rise, Colleges Seek Ways to Handle Attacks
    
    Campus systems face both malicious incidents and pranks that escalate
    unintentionally
    
    By KELLY McCOLLUM
    
    In the past few months, malicious hackers have crashed hundreds of P.C.'s
    in university computing labs, drowned campus networks in worthless data,
    and coated college Web pages with digital graffiti. It's enough to make an
    institution consider unplugging its network. 
    
    But saner heads have prevailed. The consensus among network administrators
    seems to be that while skilled hackers might try to crack campus networks
    once in a while, most hacking incidents that affect colleges and
    universities are the work of novices who don't realize how much damage
    their electronic mischief can cause. Still, experts say, administrators
    are asking for trouble if they don't keep a close eye on their networks
    and make some basic technical and administrative preparations for dealing
    with hackers. 
    
    During the first week of March, computer users on at least 25 campuses and
    at several government research laboratories saw scores of their desktop
    computers crash, almost in unison. An as-yet-unidentified attacker, or
    perhaps a group of attackers, had exploited a weakness in the Windows 95
    and Windows NT operating systems to crash thousands of machines nationwide
    by overloading them with digital information. Such invasions are known as
    denial-of-service attacks, and while they may not cause permanent damage
    or compromise private information, they can make individual computers or
    whole campus networks temporarily unusable. 
    
    Security experts say attacks like those are increasingly common because
    the programs used to initiate them are being distributed publicly on the
    Internet. Anyone with a basic knowledge of the Unix operating system,
    which is used in most campus computer networks, can launch an attack from
    his or her workstation.  In a few cases, the programs have even been
    incorporated into World-Wide Web pages -- with one mouse click, a Web
    surfer can start crashing computers. 
    
    "You used to need a whole bag of clues in order to do any of this stuff,"
    says Roger Safian, Northwestern University's information-security
    coordinator. "But not any more." 
    
    The most-common security problems, he says, are caused by people who are
    "just interested in exploring and playing." As these amateur hackers try
    different things on the network, they can inadvertently cause major
    damage. 
    
    In addition, Mr. Safian says, "there's the fear of a bad guy breaking into
    a machine and destroying everything." News reports and movies have helped
    to popularize such fears, he notes, even though attacks that aim to wipe
    out someone's hard drive are relatively rare. "But it's very common for
    someone to break into a machine and make a mistake, and by making that
    mistake, cause something to go wrong." 
    
    Some attacks stem from on-line disputes in chat rooms or e-mail, says
    Richard Parker, director of academic computing at Harvey Mudd College. But
    for the most part, he says, the people who attack colleges and
    universities do so just to show that they can. Truly sophisticated
    attackers are likely to want a tougher challenge than breaking into a
    campus network. "Citibank's a much better target," he says. "They have
    lots of money." 
    
    College networks may offer little that is of monetary value for hackers,
    but there are nevertheless prizes that a serious attacker might be eager
    to steal, says Eugene H. Spafford, a computer-science professor at Purdue
    University who is director of its research program in computer security.
    He says intellectual property, such as scientific data and
    academic-research results, could attract hackers, as could licensed copies
    of expensive software packages. Some institutions, he adds, may keep
    information such as credit-card and Social Security numbers on their
    networks as part of on-line registration systems. But, it's "relatively
    rare" for attackers to go after such information, he says. Most security
    experts suggest that any data worth stealing be kept on computers that are
    not accessible via the Internet. 
    
    Sophisticated attackers who are looking to steal information will often
    use a technique known as "packet sniffing." The hacker installs a program,
    or "sniffer," that surreptitiously monitors information as it flows across
    the network. The program can record anything typed by a user, including
    passwords, e-mail messages, and credit-card numbers. The attacker can then
    retrieve the information and use the sniffed passwords to gain higher
    levels of access or break into other parts of the network, stealing other
    information or vandalizing Web pages. 
    
    In an attack in March on a network at the University of Colorado at
    Boulder, a student at the university stole passwords and passed them to an
    Israeli hacker via an Internet chat room. The student had obtained the
    passwords using a packet sniffer, and the hacker later tried installing
    similar programs in an attempt to gain greater access to the network. 
    
    Colleges and universities have found that students are often involved in
    security incidents, accidental or otherwise. To minimize attacks,
    administrators say, campus policies can be as important as digital
    security measures. 
    
    Many institutions don't have clear policies defining and prohibiting
    computer crimes, says Purdue's Mr. Spafford. By making it clear that
    computer attacks are serious offenses with serious consequences, he says,
    administrators can discourage students who might otherwise try to see what
    they can get away with on the network. 
    
    Some colleges have no problem catching offenders but don't have procedures
    in place for punishing them, Mr. Spafford adds. At Purdue, by contrast,
    students who run afoul of computing policies go through the standard
    campus judicial process, which -- for serious offenses -- could end with
    the students' being handed over to the police. 
    
    Educating students about the campus network can help prevent them from
    getting into trouble, says Mr. Parker, of Harvey Mudd.  Students there are
    taught enough about the network to insure that they don't misuse it
    accidentally, he says. They also learn about on-line behaviors that,
    although they may seem harmless, can cause serious damage. "If you educate
    your users about the downsides of activities like this, you'll ultimately
    reduce the number of such actions," says Mr. Parker.
    
    And by publicizing the ways that its network is monitored, he says, Harvey
    Mudd discourages students from even trying some things. The "mail-bomb
    detector," for example, is a program that alerts administrators if anyone
    on campus tries to send more than 100 e-mail messages in an hour. The
    detector is aimed at preventing a common Internet attack that involves
    sending thousands of messages to a target's computer, clogging its
    connection and inbox. With the detector program, system administrators can
    stop a large mailing while they check on whether the sender is actually
    attempting an attack. Preventing attacks, says Mr. Parker, is "an
    obligation of the institution." 
    
    The Harvey Mudd network is also configured to prevent people on the campus
    from using "I.P. spoofing," with which an attacker can disguise his or
    her computer with the address of another machine, even one on another
    network or another campus. A disguised address would help a hacker launch
    some attacks more easily -- and more anonymously. 
    
    Using such a disguise, someone set off a sequence on March 17 that jammed
    the network on the University of Minnesota's Crookston campus. The
    attacker or attackers had fooled each of a large number of computers on
    the Internet into sending a small parcel of digital information to a
    single computer on the campus. When those bits came flooding in by the
    thousands, they overwhelmed the campus network. 
    
    Don Medal, director of computing services at Crookston, says university
    networks by their nature cannot be completely secure. Corporate or
    military organizations, he says, "can wall their people off, tell them
    they can't run particular software, or say that people can't come into the
    system from outside." But a university cannot place such limits on its
    users, he says. "Unfortunately, that interferes with our educational
    role." 
    
    Because campus networks often lack tight security, sophisticated hackers
    sometimes use them as steppingstones for attacks on other targets. By
    routing information through many systems, an attacker can cover his or her
    tracks, making it difficult for investigators to find out where the attack
    originated. 
    
    Many institutions cooperate with computer-security organizations, such as
    the CERT Coordination Center, at Carnegie Mellon University, and FIRST,
    the Forum of Incident Response and Security Teams. Those organizations
    collect reports of security incidents, distribute advice and suggested
    repairs for security flaws, and work with software makers to improve
    security. Many universities also have their own offices for coordinating
    computer security. 
    
    One problem, says Northwestern's Mr. Safian, is getting professors and
    researchers who maintain their own networked computers to report security
    incidents. "If your machine gets broken into and you can keep it quiet so
    nobody knows, you'll take that route, more than likely. I think a lot of
    people feel that if they get more people involved, somehow that's going to
    reflect badly on them." But by trying to fix a problem themselves, he
    says, users can make a situation worse, or destroy evidence that could
    help technicians trace an attack. 
    
    At the institutional level, some administrators fear that reporting
    security incidents might only make matters worse.  Crookston's Mr. Medal,
    for example, says publicity about an attack might invite other hackers to
    try similar attacks. And many system administrators "are also embarrassed
    to admit they got hit," he says. To encourage institutions to report
    incidents, security organizations like CERT keep the names of affected
    institutions strictly confidential. 
    
    As it is, not all institutions even put a high priority on precaution. "A
    lot of times, security ends up as an afterthought," says Mr. Safian.
    "Unless you assign it and give time and equipment and resources to do it,
    it's not going to happen." 
    
    But recovering from even one security incident can be costly -- in
    salaries paid to technicians, in time lost by students who can't gain
    access to network services, and in damage done to an institution's public
    image.  Such costs easily justify the expense of preventive measures, says
    Mr. Safian, who coordinates network security at Northwestern by himself.
    "You don't have to have a staff of hundreds. One good person can do an
    awful lot." 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
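
The "mail-bomb detector" described in the article (alert when a campus sender exceeds 100 messages in an hour, then pause the mailing while an administrator checks) can be sketched as a per-sender sliding-window counter. This is an added example, not part of the article and not Harvey Mudd's program; the log format, addresses, class and function names, the sliding-window reading of "in an hour", and the hold/release behaviour are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 100                 # messages per sender, figure taken from the article
WINDOW = timedelta(hours=1)     # "in an hour", assumed here to be a sliding window

def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> from=<sender> to=<rcpt>'."""
    stamp, sender, rcpt = line.split()
    return datetime.fromisoformat(stamp), sender[len("from="):], rcpt[len("to="):]

class MailBombDetector:
    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)   # sender -> timestamps inside the window
        self.held = set()                  # senders paused pending admin review
        self.alerts = []                   # (sender, time of alert, count in window)

    def observe(self, when, sender):
        """Record one send attempt; return 'deliver' or 'hold'."""
        q = self.recent[sender]
        q.append(when)
        while q and when - q[0] >= self.window:   # drop events older than the window
            q.popleft()
        if sender in self.held:
            return "hold"
        if len(q) > self.threshold:               # "more than 100": trips on the 101st
            self.held.add(sender)
            self.alerts.append((sender, when, len(q)))
            return "hold"
        return "deliver"

    def release(self, sender):
        """Administrator judged the mailing legitimate: resume delivery."""
        self.held.discard(sender)
        self.recent[sender].clear()

def run(lines):
    det = MailBombDetector()
    decisions = [det.observe(*parse_line(l)[:2]) for l in lines]
    return det, decisions

def sample_log():
    """Constructed log: one bursty sender, one steady sender who never trips."""
    t0 = datetime(1998, 5, 4, 9, 0, 0)
    burst = [f"{(t0 + timedelta(seconds=10 * i)).isoformat()} from=userA@campus.example"
             " to=victim@example.org" for i in range(150)]
    slow = [f"{(t0 + timedelta(minutes=2 * i)).isoformat()} from=userB@campus.example"
            " to=list@example.org" for i in range(120)]
    return sorted(burst + slow)
```

The steady sender posts 120 messages in total but never has more than 30 inside any one-hour window, so only the burst raises an alert.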
    


