[ISN] University computers a prime targets for hackers

From: InfoSec News (isnat_private)
Date: Fri Jun 01 2001 - 15:35:54 PDT

  • Next message: William Knowles: "[ISN] Why Hotmail could spread viruses even faster than Outlook"

    June 1, 2001
    WASHINGTON (AP) -- Dave Dittrich is not happy: A software pirate has
    hacked into computers at the University of Washington and installed a
    file-sharing program on one machine.
    It means one-stop shopping for stolen -- and now free -- software, and
    plenty of headaches for Dittrich, the university's computer security
    Lawyers for the software publisher are sending threatening e-mails,
    and Dittrich must clean up the mess. The lawyers do not worry him.
    Getting outgunned again by the hackers -- that bugs him a lot.
    "The tools these days for intrusions are pretty much automatic,"
    Dittrich said. "A system can be fully compromised in about a minute."
    It's becoming more prevalent, where novice hackers hone their skills
    amid a higher education culture known for lax security and free
    exchange of ideas.
    "They're good practice grounds because their vulnerabilities are
    usually pervasive and their monitoring is usually woefully
    inaccurate," said Richard Power, editorial director at the Computer
    Security Institute. "It's kind of like hacking with training wheels."
    University computer systems also attract experienced hackers. Huge
    hard drives make it easy to store illicit software and fast Internet
    access affords the perfect staging ground for devastating attacks on
    corporate Web sites.
    A hacker's paradise
    Larger universities also offer other enticements.
    "There's a lot of sensitive information that can be gleaned from a
    university that's not classified in any way," Power said. "You
    couldn't get it with a frontal attack on a military weapons lab
    research facility. But you may get it indirectly by going through
    university research labs."
    For the hacker looking to get a credit card in another person's name,
    there is plenty to glean from university student databases.
    "A lot of universities use your Social Security number to track you in
    their databases," he said.
    Many security attacks on companies are first tried on universities,
    where hackers can practice in relative anonymity. One example was the
    February 2000 assaults on eBay, CNN.com and other Web sites. Hacked
    university computers -- and many others -- were used to send an
    overwhelming number of messages to the Web sites, making them
    inaccessible to customers.
    The tool used in that attack was "tested and developed on university
    networks (and) aimed at university systems," Dittrich said.
    Regular attacks
    Among the prime targets are universities with world-class computer
    science programs such as Purdue and Stanford.
    "The university computing center is very strapped for resources, and
    most of the groups are on their own," said Steve Hare, managing
    director of Purdue's computer security research group. "You have some
    good groups that have high security awareness, and some others that
    are just barely getting by and get hacked frequently."
    David Brumley, a member of Stanford's computer security team, said
    hackers break into one of the school's computers each day, on average.
    "We might have a slow week, then turn up with 20," he said, adding
    that many of the compromised computers are used to store copyright
    Joel de la Garza, a security investigator with Securify in Silicon
    Valley, said universities cannot lock down their computers in the same
    way a company could.
    "Universities are in an interesting position, because they typically
    have to provide an academic research network. They want to maintain a
    marketplace of ideas in digital form," de la Garza said. "The
    attackers know this, and they attack universities with high-speed
    Internet connections."
    In the past two years, as computer attacks have become more frequent
    and severe, more universities have taken steps to counter the threat,
    including creating computer security offices, de la Garza said.
    Attacks on universities are so common that compromised college
    computers have become a form of hacker currency along with credit card
    numbers and pirated software in a "digital black market."
    In chat rooms, hackers will trade ".edu" university computers -- a
    reference to the last three letters of their Internet address -- for
    ".mil" addresses denoting hacked U.S. military computers.
    "Most people will give a lot of '.edu's for '.mil's," de la Garza
    said. "But a lot of kids are getting smarter and not wanting to get
    the '.mil's, because you'll get raided. A university will tolerate
    certain things. The military doesn't."
    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Mon Jun 04 2001 - 05:26:13 PDT