Hackers going to universities


March 6, 2000

BY MICHAEL CLARK and AKWELI PARKER, Staff Writers, The Virginian-Pilot. Copyright 2000, Landmark Communications Inc.

It happened to Yahoo; it can happen to you.

Hackers, those nefarious nabobs, shut down Yahoo, eBay, CNN and other well-known Web sites last month with distributed denial-of-service attacks, or DDoS, which bombard e-commerce Web sites with bogus requests.

Ahhhh, the cyber horror!

But digital dilemmas are serious business, and they aren't reserved for the Web's glamour sites. Universities are particularly vulnerable. And any business with an e-presence is being forced to beef up its systems, to protect itself from hackers and the high cost of coming up lame.

Hackers gave it the old college try at James Madison University in Harrisonburg. Not long after the Yahoo hack-attacks, the school's computer technicians discovered that 16 student-owned PCs with Windows operating systems had been hacked. They'd been infected with a variant of the DDoS hacker tool that got to Yahoo.

Only the JMU PCs weren't being shut down, they were shutting down something else. They were infected with a "zombie code" that lets hackers take over computers and do a DDoS on something else.

Once reserved for multi-user operating systems such as Unix, hack attacks now trouble Windows PCs, said Gary Flynn, JMU security engineer.

"Today's personal computer is no longer the stand-alone machine it once was," Flynn wrote in an online report of the incident, at (www.jmu.edu/info-security/engineering/issues/wintrino.htm).

The hackers used a "Back Orifice remote control" device, which is simply a tool that can run PCs from afar.

JMU computers weren't hurt in the hack. Hosting hackers, consciously or not, won't necessarily damage a computer. The coeds didn't even know they'd been duped.

In any similar attack, Old Dominion University students wouldn't know they'd been duped either, said Rusty Waterfield, the school's director of networking services.

"The kids with the computers probably had no idea," Waterfield said. "The hackers probably said, 'Hey, let's look at the jmu.edu domain.'"

From there, they scanned the machines, looking for what services were running, what vulnerabilities they could exploit.

In that way, all schools are vulnerable.

"What you're seeing is that universities are popular targets for hackers," Waterfield said. "They have lots of computing power and large pipes to the Internet."

A DDoS attack might use 50 to 60 machines across a network, he added.

ODU sees lots of hack attempts.

But there are no silver-bullet fixes for universities that support and promote collaborative research around the globe. Waterfield said the only answer is vigilance and preparation.

"If we believe that it's a real threat, we'll cut service off from machine or machines to the network," he said.

Launching a university- or Yahoo!-paralyzing DDoS assault takes a lot of coordination and effort, but the basic mechanics of such attacks are becoming easier to master.

New, user-friendly versions of the hacking software such as Tribe Flood Network and Trinoo came out late last year, just in time to wreak holiday havoc.

So-called "white hat" hackers say such programs exist as a public service: To teach network administrators that their systems are naked to intruders. (That's right, we said "naked"!) Laying the assault programs out in "the wild" of the Internet gives computer security people a chance to poke, prod and see how the cyberweapons work.

But of course not everyone who is fascinated with the programs has such altruistic objectives for them.

To paraphrase the National Rifle Association, "programs don't crash networks -- socially inept, technically adept losers do."

Whatever the motivation for the attacks, private industry recognizes that it needs to clean up its act. Late last month, a bunch of Internet service providers, industry professionals and businesses got together to form the Alliance for Internet Security.

"DDoS attacks are a public health problem," said Alliance Chair Peter Tippett. "The first step is for each of us to clean up our own back yards -- ensuring that our systems cannot be used as attack agents."

Credit for forming the alliance goes to Reston-based computer security firm ICSA.net, which stepped up to the cyberplate when others merely chewed tobacco on the bench.

Alliance members make brute-force denial attacks harder by reconfiguring routers and firewalls, beefing up electronic filters and adopting more stringent e-security practices.

Hackers aren't your only worry. If you've worked in an office anything like ours, you're painfully aware that equipment sometimes locks up just because it's old and crotchety. If it only causes an internal crisis, you might be able to force workers to stay late until the problem is fixed.

But what if your computer network provides crucial links to suppliers, customers and other outside folks who need reliable access to your system?

In that case, such foul-ups face increasing legal liability, whether they result from hacking or garden-variety system crashes.

With business-to-business e-commerce going mainstream, the phrase "you'll have to wait -- our computers are down," becomes as unacceptably lame as "the check's in the mail."

Companies that do a lot of electronic commerce will hear more from their e-partners.

"What kind of security do you have in place, what kind of recovery system do you have in place, because that affects me," said Debby Colquhoun, assistant vice president at the Norfolk office of international insurance firm Marsh USA Inc.

Marsh creates customized insurance policies for companies based on their vulnerability to hackers, programming bugs and crashes, and how much damage would result if they did suffer "an occurrence."

Occurrences cost time -- which is money, after all -- and Internet time is even more money, so many companies will regard it as a personal affront to their bottom lines if a crippled partner causes lost revenue, Colquhoun said.

"They're going to look for some sort of compensation."

http://www.pilotonline.com/business/bz0306tec.html

-- Martin Thompson (mthom1927@aol.com), March 06, 2000

