http://www.dailyprincetonian.com/archives/2005/10/12/news/13434.shtml
Mark Stefanski
Princetonian Contributor
October 12, 2005

Princeton had the second-highest percentage of computers controlled by hackers among cities worldwide between Aug. 24 and Sept. 23, according to a recent Symantec Monthly Security Update, though OIT security officer Anthony Scaturro disputed the findings.

The security update ranked Princeton second only to Cambridge, UK, in its report on hacker-controlled computers, also called bots. It attributed these two college towns' unusually high percentage of bots to an influx of users - returning and new faculty and students - connecting to the school networks.

"Education was the number one target because [universities] are mini service providers, serving in some cases 10,000 students," said Dean Turner, senior manager at Symantec Security Response. "There's often more money spent on building infrastructure and less time or money paid to security precautions, which is also a concern with small businesses, enterprises and users themselves."

Princeton's bot problem, according to the Symantec report, is daunting. As of September, the town was home to seven percent of the world's bots, well ahead of Seoul, which ranked third with three percent. New York City, the American city with the next-highest ranking, came in 12th with one percent of the world's bots.

Symantec compiled the rankings based on information from 120 million computers running its antivirus products. Since bots themselves are difficult to detect, Turner said Symantec had to look for activity indicative of bots, which yields only an estimate of their prevalence. But Scaturro said he thinks the ranking is not just an estimate but outright inaccurate, since the origin of such attacks, often carried out under false addresses, is difficult to pinpoint.
Though Scaturro said he generally agreed with Symantec's ranking of the most frequent types of attacks, he said he didn't believe the ranking of the town as the second-biggest hub of bot activity was at all reflective of the University.

"The intrusion prevention system sees attacks going both ways," Scaturro said. "If we were to look at our numbers [of attacks] going out, they would be very low. I think the figures are flawed. I can't say that definitively until I could review [Symantec's] method of determining the source of each attack."

If anything, Scaturro added, the University should have a low density of bots because of its early adoption of an intrusion prevention system, which intercepts and examines every message entering or exiting the University.

"Anything that is a known attack that is coming out of our machines we are dropping at the front door and preventing from going out," he said. "That should skew our ranking down."

The results are also suspect, Scaturro noted, due to the University's record of safe computing habits, including regular system security updates. It is unlikely that the density of bots in the rest of town could make Princeton the most bot-ridden city in the U.S. Symantec did not respond to Scaturro's concerns about the validity of its report.

Hackers typically gain control of computers by infecting them with trojans, which execute malicious code almost always without the owner's knowledge. Infected computers then become bots, communicating through backdoor channels with other bots and with the hacker, who coordinates their activity.

"[Bots are] zombie machines," Turner said. "They are machines that have been compromised by an attacker and are sort of sitting there waiting for commands from a remote attacker. They do the botmaster's bidding."

Hackers often use the bots to bombard websites' servers with useless requests to the extent that the servers are either too busy to handle regular Internet traffic or shut down altogether.
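The two behaviours described above, a compromised host checking in with its controller and a host taking part in a request flood, are what a network-side estimate like Symantec's has to infer from traffic, and Scaturro's objection about forged source addresses is a real limit on that inference. The following is an added example written for this page, not code from Symantec, Princeton OIT or the original article. It runs three heuristics over a constructed set of outbound flow records (the record layout, the thresholds and the campus prefix 10.1.0.0/16 are all assumptions): near-periodic contact with a single destination (beaconing), a burst of tiny flows at one destination (flood participation), and outbound packets whose source address does not belong to the local network, which no per-address bot count can attribute to a real machine.

```python
"""Heuristic detection of bot-like hosts from outbound flow records.

Added example for this article; it is not code from Symantec, Princeton OIT
or the original page. The flow records are constructed, and the field layout,
thresholds and local prefix are assumptions chosen for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample of outbound flows: (time_s, src_ip, dst_ip, dst_port, packets)
SAMPLE_FLOWS = [
    # 10.1.1.5 checks in with one remote host every ~300 s: C&C beaconing.
    (0,    "10.1.1.5", "203.0.113.9", 6667, 3),
    (302,  "10.1.1.5", "203.0.113.9", 6667, 3),
    (599,  "10.1.1.5", "203.0.113.9", 6667, 4),
    (901,  "10.1.1.5", "203.0.113.9", 6667, 3),
    (1198, "10.1.1.5", "203.0.113.9", 6667, 3),
    # 10.1.1.7 browses normally: irregular timing, several destinations.
    (5,    "10.1.1.7", "198.51.100.2", 443, 40),
    (40,   "10.1.1.7", "198.51.100.3", 443, 12),
    (700,  "10.1.1.7", "198.51.100.2", 443, 35),
    (1100, "10.1.1.7", "198.51.100.4", 80, 9),
    # 10.1.1.9 fires 60 one-packet flows at a single web server: flood member.
    *[(1300 + i, "10.1.1.9", "192.0.2.10", 80, 1) for i in range(60)],
    # A packet leaving with a source that is not ours: spoofed, unattributable.
    (1400, "172.16.5.5", "192.0.2.10", 80, 1),
]

LOCAL_NET = ip_network("10.1.0.0/16")  # assumed campus prefix


def find_beacons(flows, min_conns=4, min_interval=60.0, max_cv=0.1):
    """Return {src: (dst, port, mean_interval)} for hosts that contact one
    destination at near-constant intervals. Regular but rapid traffic (below
    min_interval) is left to flood_sources(); it is not a check-in pattern."""
    by_key = defaultdict(list)
    for t, src, dst, port, _packets in flows:
        by_key[(src, dst, port)].append(t)
    beacons = {}
    for (src, dst, port), times in by_key.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg < min_interval:
            continue
        cv = pstdev(gaps) / avg  # coefficient of variation: 0 = perfectly periodic
        if cv <= max_cv:
            beacons[src] = (dst, port, avg)
    return beacons


def flood_sources(flows, min_flows=50, max_packets=2):
    """Return {src: (dst, count)} for hosts sending many tiny flows to one
    destination, the signature of a host taking part in a request flood."""
    by_pair = defaultdict(list)
    for _t, src, dst, _port, packets in flows:
        by_pair[(src, dst)].append(packets)
    return {src: (dst, len(p)) for (src, dst), p in by_pair.items()
            if len(p) >= min_flows and mean(p) <= max_packets}


def spoofed_outbound(flows, local_net=LOCAL_NET):
    """Return source addresses seen leaving the network that do not belong to
    it. Such flows cannot be tied to a local host by address alone, which is
    why bot counts keyed on source IP are estimates rather than measurements."""
    return {src for _t, src, *_rest in flows if ip_address(src) not in local_net}


if __name__ == "__main__":
    print("beacons:", find_beacons(SAMPLE_FLOWS))
    print("flood sources:", flood_sources(SAMPLE_FLOWS))
    print("spoofed sources:", spoofed_outbound(SAMPLE_FLOWS))
```

On the sample, only 10.1.1.5 is reported as a beacon, only 10.1.1.9 as a flood source, and 172.16.5.5 as a spoofed source. The beacon test deliberately ignores intervals under a minute so that a flood, which is also perfectly periodic, is not misread as a check-in; and the spoofed-source check is the same condition an egress filter would enforce at the border, which is the point Scaturro makes about dropping known-bad traffic "at the front door".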
Bots also allow online criminals to assume a new identity - that of the bot computer's owner - and thereby lower the risk of getting caught.

However damaging a bot can be, it is easy to prevent a computer from becoming one. Turner said he recommends antivirus software, a firewall and intrusion detection software. He added that emails should be opened with caution, since only an email that is opened can release a trojan.

By taking these precautions and actively addressing the problem, Princeton can further reduce its susceptibility to bots, Turner said.

"Users become educated, and they become aware of the fact that they need an antivirus program and safe computing habits," he said. "It's part of the University's job, part of our job as a vendor and part of the student's job. Once word gets out we would expect that, if appropriate measures are taken, this [bot problem] will drop off."

_________________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Wed Oct 12 2005 - 21:27:16 PDT