[ISN] Hackers breach supercomputer centers

From: InfoSec News (isn@private)
Date: Thu Apr 15 2004 - 00:03:52 PDT

    http://www.computerworld.com/securitytopics/security/story/0,10801,92230,00.html
    
    News Story by Paul Roberts
    APRIL 14, 2004 
    IDG NEWS SERVICE
    
    In recent weeks, malicious hackers have infiltrated computer systems
    at universities in the U.S. and worldwide, leading to questions about
    the security of scientific research data, according to an official at
    the National Science Foundation.
    
    The systems were located at universities and research facilities that
    operate high-performance computer centers, including facilities that
    are part of a project funded by the NSF called TeraGrid, said Sangtae
    Kim, director of the Division of Shared CyberInfrastructure at the
    NSF, an independent U.S. government agency.
    
    Supercomputing centers at U.S. universities, including the National
    Center for Supercomputing Applications at the University of Illinois
    at Urbana-Champaign and the Center for Advanced Computing Research at
    the California Institute of Technology, are partners in the TeraGrid
    project.
    
    Systems at TeraGrid partner facilities were hacked, but no systems
    that make up TeraGrid itself were compromised, Kim said.
    
    The NSF doesn't know who was behind the attacks, but the agency
    believes the attacks were part of a much larger action that affected
    high-end systems worldwide, including sites in Europe. Many of the
    compromised systems are connected to university research centers, Kim
    said.
    
    Stanford University's Information and Technology Systems and Services
    (ITSS) group published a security alert on Saturday warning
    researchers about compromises of a number of systems running the Sun
    Solaris and Linux operating systems on the Stanford campus. The
    advisory also noted that the attacks were part of a move against "a
    large number of research institutions and high performance computing
    centers."
    
    The university became aware of the intrusions after users noticed
    that the last-login time reported when they signed on did not match
    their own most recent session, an indication that their credentials
    had been stolen and reused. Other systems began performing poorly or
    reporting errors after the intruders installed so-called rootkits,
    programs that disguise the intruder's presence on the compromised
    host and capture information such as usernames and passwords from it,
    the ITSS alert said.
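    The "last login" symptom above can be turned into a check over the login records a host already keeps. The following is an added example, not code from the ITSS alert or the article: it takes constructed records in the shape of `last` (wtmp) output, flags logins from hosts outside an assumed known-host set, flags two sessions of one user overlapping in time from different hosts, and lists the sessions a user does not recognize as their own.

```python
"""Flag login records that point to hijacked credentials.

Added example, not from the ITSS alert or the article.  The records below
are constructed and mimic the fields of `last` (wtmp) output: user, tty,
source host, login time, logout time.
"""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample: alice works from lab-ws12; the 11:30 session on
# 2004-04-06 from 203.0.113.44 is the one she did not open.
SAMPLE_RECORDS = [
    ("alice", "pts/0", "lab-ws12.example.edu",     "2004-04-05 09:02", "2004-04-05 17:40"),
    ("alice", "pts/1", "lab-ws12.example.edu",     "2004-04-06 08:55", "2004-04-06 18:10"),
    ("bob",   "pts/2", "cluster-head.example.edu", "2004-04-06 10:00", "2004-04-06 12:00"),
    ("alice", "pts/3", "203.0.113.44",             "2004-04-06 11:30", "2004-04-06 11:41"),
    ("alice", "pts/0", "lab-ws12.example.edu",     "2004-04-07 09:01", "2004-04-07 16:30"),
]

# Hosts the site expects interactive logins from (an assumption for the example).
KNOWN_HOSTS = {"lab-ws12.example.edu", "cluster-head.example.edu"}


def parse(records):
    """Convert the timestamp strings into datetimes."""
    return [(u, tty, host, datetime.strptime(a, FMT), datetime.strptime(b, FMT))
            for u, tty, host, a, b in records]


def find_suspicious_logins(records, known_hosts):
    """Return (user, host, login_time, reason) findings.

    Two checks that the symptom in the alert maps onto:
      * a login from a host outside the known set;
      * two sessions of the same user overlapping in time from different
        hosts, i.e. someone else is using the credentials while the user is.
    """
    findings = []
    sessions = parse(records)
    for i, (user, _, host, start, end) in enumerate(sessions):
        if host not in known_hosts:
            findings.append((user, host, start.strftime(FMT), "login from unknown host"))
        for j in range(i + 1, len(sessions)):
            u2, _, h2, s2, e2 = sessions[j]
            if u2 != user or h2 == host:
                continue
            if start < e2 and s2 < end:      # the two intervals intersect
                later_host, later_start = (h2, s2) if s2 >= start else (host, start)
                findings.append((user, later_host, later_start.strftime(FMT),
                                 "concurrent session from a different host"))
    return findings


def unexplained_logins(records, user, sessions_user_recognizes):
    """Logins of `user` whose start time the user does not recognize as theirs.

    This is the comparison a user makes when the 'Last login:' banner shows a
    time they never logged in.
    """
    known = {datetime.strptime(t, FMT) for t in sessions_user_recognizes}
    return [(host, start.strftime(FMT))
            for u, _, host, start, _ in parse(records)
            if u == user and start not in known]


if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_RECORDS, KNOWN_HOSTS):
        print(finding)
    print(unexplained_logins(SAMPLE_RECORDS, "alice",
                             ["2004-04-05 09:02", "2004-04-06 08:55", "2004-04-07 09:01"]))
```

    On a real host the records would come from `last` or `lastlog`, and a rootkit that has replaced those binaries or edited wtmp will hide exactly these entries, which is why the alert treats a user's own memory of their sessions as evidence worth acting on.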
    
    Attackers gained initial access by cracking or sniffing passwords,
    either from unencrypted network traffic such as Telnet sessions or
    from password files taken off other, already compromised systems,
    according to the alert.
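    To make concrete what "sniffing passwords from Telnet" means, here is an added example that is not part of the article or the ITSS alert: given the two directions of a Telnet session as reassembled byte streams (constructed here, not from a real capture), it strips the option negotiation and pairs the server's prompts with the lines the client typed. Nothing more than that is needed, because the protocol carries the password in the clear.

```python
"""Recover a Telnet login from captured cleartext, as a sniffer on the path
would.  Added example, not from the article or the ITSS alert; the two byte
strings below are constructed and stand in for the client->server and
server->client TCP payloads, already reassembled in order.
"""
IAC, SB, SE = 0xFF, 0xFA, 0xF0

# Constructed capture of a login to a Solaris-style host.  The client first
# answers option negotiation (IAC DO/WILL ..., a TERMINAL-TYPE subnegotiation),
# then types the username, the password and a command.
CLIENT_STREAM = (b"\xff\xfd\x03\xff\xfb\x18\xff\xfa\x18\x00XTERM\xff\xf0"
                 b"alice\r\nSup3rS3cret!\r\nls\r\n")
SERVER_STREAM = (b"\xff\xfb\x01\xff\xfb\x03"
                 b"\r\nSunOS 5.8\r\n\r\nlogin: alice\r\nPassword: \r\n"
                 b"Last login: Tue Apr  6 11:30 from 203.0.113.44\r\n$ ")


def strip_iac(data: bytes) -> bytes:
    """Drop Telnet option negotiation, leaving the user-visible byte stream."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):      # truncated command at end of capture
            break
        cmd = data[i + 1]
        if cmd == IAC:              # IAC IAC escapes a literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd == SB:             # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif 0xFB <= cmd <= 0xFE:   # WILL/WONT/DO/DONT carry one option byte
            i += 3
        else:                       # every other command is two bytes
            i += 2
    return bytes(out)


def typed_lines(client_text: bytes):
    """Split what the client typed into lines (Telnet ends lines with CR LF,
    some clients with CR NUL); blank lines from stray Enters are dropped."""
    text = client_text.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n")
    return [line for line in text.split(b"\n") if line]


def harvest_login(client_stream: bytes, server_stream: bytes):
    """Return (username, password) if the capture contains a login dialogue.

    The server does not echo the password back, but the client still sends
    it in the clear, so pairing the prompts with the typed lines is enough.
    """
    prompts = strip_iac(server_stream)
    if b"login:" not in prompts or b"assword:" not in prompts:
        return None
    typed = typed_lines(strip_iac(client_stream))
    if len(typed) < 2:
        return None
    return typed[0], typed[1]


if __name__ == "__main__":
    print(harvest_login(CLIENT_STREAM, SERVER_STREAM))
```

    The same reassembly applies to rlogin, FTP and POP of that era; the fix the alert implies is not better filtering but replacing these services with SSH so that there is no cleartext to pair up.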
    
    Once logged in as an ordinary user, the attackers looked for hosts
    that were missing operating system patches and used known exploits
    for those unpatched flaws to elevate their privileges from user to
    administrator (or "root").
    
    Other systems fell because of loose security configurations for the
    Network File System (NFS), which shares files and directories across
    a network. Many institutions export those shared directories
    permissively to "facilitate the distribution of system management and
    data processing tasks," the advisory said.
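    The advisory does not say which NFS settings were loose, so the following is an added example rather than anything from the alert: it parses Linux-style /etc/exports entries (an assumption; the Solaris hosts mentioned would use /etc/dfs/dfstab instead) and reports the settings that most commonly hand a foothold to an attacker already on the campus network: wildcard clients, `no_root_squash` and `insecure`. The constructed sample shows a loose export beside a hardened version of the same directory.

```python
"""Audit Linux-style /etc/exports entries for the permissive sharing the
advisory describes.  Added example, not from the ITSS alert; the file
content below is constructed, and Linux exports(5) syntax is assumed.
"""
import re

# Constructed sample: two loose exports followed by a hardened version of
# the first one.
SAMPLE_EXPORTS = """\
# cluster scratch space, opened up for "convenience"
/export/scratch   *(rw,no_root_squash,sync)
/export/home      10.0.0.0/8(rw,insecure)
/export/scratch   node01.cluster.example.edu(rw,sync,root_squash)
"""

# A client spec is <host>(<options>); the host part cannot contain '('.
CLIENT_SPEC = re.compile(r"([^\s(]+)(?:\((.*?)\))?")


def parse_exports(text):
    """Yield (path, host, [options]) for every client spec in the file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        path = fields[0]
        rest = fields[1] if len(fields) > 1 else ""
        if not rest:
            # A bare path with no client list is treated here as exported to
            # everyone, the historical meaning of such a line.
            yield path, "*", []
            continue
        for host, opts in CLIENT_SPEC.findall(rest):
            yield path, host, [o.strip() for o in opts.split(",") if o.strip()]


def audit_exports(text):
    """Return (where, problem) pairs for each risky setting found."""
    findings = []
    for path, host, opts in parse_exports(text):
        where = f"{path} -> {host}"
        if host == "*":
            findings.append((where, "exported to every host on the network"))
        if "no_root_squash" in opts:
            findings.append((where, "no_root_squash: a remote root user is root on this export"))
        if "insecure" in opts:
            findings.append((where, "insecure: requests accepted from unprivileged source ports"))
    return findings


if __name__ == "__main__":
    for where, problem in audit_exports(SAMPLE_EXPORTS):
        print(f"{where}: {problem}")
```

    The hardened line in the sample is what the same scratch area looks like once it is restricted to the cluster nodes that need it, with root squashing left at its default; `insecure` matters because, without it, the server at least requires the client request to originate from a privileged port, which an unprivileged user on a compromised workstation cannot open.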
    
    The ITSS group recommended that compromised systems be taken off the
    network and completely rebuilt, with new versions of the operating
    system and up-to-date patches installed.
    
    Universities that cooperate to conduct scientific research are
    particularly susceptible to compromise because of the open nature of
    their missions, according to Jonathan Bingham, president of Intrusic
    Inc. in Waltham, Mass., which sells technology to spot covert and
    illicit activity on computer networks, which it terms "noiseless
    action."
    
    "You've got large groups of individuals trying to access systems from
    all over the world, so universities commonly have portions of their
    network set up almost like the Internet in that access is wide open,"  
    Bingham said.
    
    Malicious hackers can easily gain access to less secure areas of a
    university's network and then listen to network traffic to capture the
    credentials needed to access more sensitive areas, he said.
    
    While some experts raised the specter of massive denial-of-service
    attacks using the hijacked supercomputers, the real threat to the
    TeraGrid project and the universities that got hacked is from
    stealthier behavior, such as quietly leaking sensitive data from
    compromised research machines, Bingham said.
    
    Rebuilding and patching compromised systems closes the holes the
    intruders used, but it is no guarantee that the malicious hackers
    behind the compromise no longer have access to the sensitive networks:
    any passwords captured from a compromised host remain valid wherever
    else they were used until they are changed.
    
    "Once they're in a network of this size and scope, they're going to
    compromise other systems using stealth techniques that are different
    from the ones they used to get in. Once you figured out [the
    compromise] and know what systems are vulnerable, they're already on a
    different system," Bingham said.
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    
    This archive was generated by hypermail 2b30 : Thu Apr 15 2004 - 02:35:05 PDT