http://www.computerworld.com/securitytopics/security/story/0,10801,92230,00.html News Story by Paul Roberts APRIL 14, 2004 IDG NEWS SERVICE In recent weeks, malicious hackers have infiltrated computer systems at universities in the U.S. and worldwide, leading to questions about the security of scientific research data, according to an official at the National Science Foundation. The systems were located at universities and research facilities that operate high-performance computer centers, including facilities that are part of a project funded by the NSF called TeraGrid, said Sangtae Kim, director of the Division of Shared CyberInfrastructure at the NSF, an independent U.S. government agency. Supercomputing centers at U.S. universities, including the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign and the Center for Advanced Computing Research at the California Institute of Technology, are partners in the TeraGrid project. Systems at TeraGrid partner facilities were hacked, but no systems that make up TeraGrid itself were compromised, Kim said. The NSF doesn't know who was behind the attacks, but the agency believes the attacks were part of a much larger action that affected high-end systems worldwide, including sites in Europe. Many of the compromised systems are connected to university research centers, Kim said. Stanford University's Information and Technology Systems and Services (ITSS) group published a security alert on Saturday warning researchers about compromises of a number of systems running the Sun Solaris and Linux operating systems on the Stanford campus. The advisory also noted that the attacks were part of a move against "a large number of research institutions and high performance computing centers." The university became aware of the intrusions after users noticed discrepancies in the time of their last reported log-in, which indicated that their log-in information had been hijacked. Other systems began performing poorly or started reporting errors after the intruders installed so-called rootkits, or programs that allow the malicious hacker to disguise his presence and gather information such as usernames and passwords from the compromised system, the ITSS alert said. Attackers gained access to the systems by cracking or sniffing passwords from insecure network traffic such as Telnet remote communications sessions or from password files on other compromised systems, according to the alert. Once logged onto a system, the attackers looked for systems that didn't have up-to-date operating system patches and then used known software exploits to elevate their privileges from user to administrator (or "root") status. Other systems fell to hackers because of loose security configurations for Network File Service, a way to share files and directories over networks or the Internet. Many institutions have applied loose security to those shared directories to "facilitate the distribution of system management and data processing tasks," the advisory said. The ITSS group recommended that compromised systems be taken off the network and completely rebuilt, with new versions of the operating system and up-to-date patches installed. Universities that cooperate to conduct scientific research are particularly susceptible to compromise because of the open nature of their missions, according to Jonathan Bingham, president of Intrusic Inc. in Waltham, Mass., which sells technology to spot covert and illicit activity on computer networks, which it terms "noiseless action." "You've got large groups of individuals trying to access systems from all over the world, so universities commonly have portions of their network set up almost like the Internet in that access is wide open," Bingham said. Malicious hackers can easily gain access to less secure areas of a university's network and then listen to network traffic to capture the credentials needed to access more sensitive areas, he said. While some experts raised the specter of massive denial-of-service attacks using the hijacked supercomputers, the real threat to the TeraGrid project and the universities that got hacked is from stealthier behavior, such as quietly leaking sensitive data from compromised research machines, Bingham said. Rebuilding and patching compromised systems will close the holes that the intruders used, but it is no guarantee that the malicious hackers behind the compromise no longer have access to the sensitive networks. "Once they're in a network of this size and scope, they're going to compromise other systems using stealth techniques that are different from the ones they used to get in. Once you figured out [the compromise] and know what systems are vulnerable, they're already on a different system," Bingham said. _________________________________________ ISN mailing list Sponsored by: OSVDB.org
This archive was generated by hypermail 2b30 : Thu Apr 15 2004 - 02:35:05 PDT