JPL beefs up cyber-security after Brazilian attacks

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

[FAIR USE FOR EDUCATION AND RESEARCH PURPOSE ONLY]

NASA site removes online roadblock
JPL beefs up cyber-security after attacks from Brazil

By Alan Boyle, MSNBC

March 17 - NASA's Jet Propulsion Laboratory opened its Web site to Brazilians again Friday after beefing up its computer security measures. Access from Brazil had been blocked for days, as a stopgap measure to counter a wave of computer attacks from that South American nation.

THE BLOCKING MANEUVER came amid a wave of concern about new techniques for attacking remote computers, including the "zombie" attacks that brought down a series of heavy-duty Web sites last month. The Jet Propulsion Laboratory, a NASA center managed by the California Institute of Technology, ranks as one of the Internet's most popular sites, with extensive resources on robotic space exploration and images of other worlds. It's also a prime target for computer intrusions: Attrition.org, a security-oriented Web clearinghouse, says JPL servers have been compromised at least seven times in the past year.

JPL's ban on Brazilian data traffic was first brought to light Tuesday by Geovani Balbino, a network analyst at the Bank of Brazil's office in Brasilia. Balbino said he noticed more than two weeks ago that he was no longer able to gain access to the JPL site, even though other NASA sites were unaffected. "I'm just a space enthusiast," he told MSNBC, "so every day I check those sites."

SITES COMPROMISED

Balbino said he traced the path that his packets of data were taking and found that they were blocked at the final jump to JPL. He went so far as to correspond with the laboratory's network personnel, and said he was finally told that Brazilian traffic was blocked because attacks from numerous sites in Brazil had compromised computer security at JPL.

JPL spokesman Frank O'Donnell confirmed Tuesday that data traffic from Brazil, Latin America's most populous country and the Internet's 19th-ranked top-level domain, was blocked. "From time to time, when JPL security people detect hacker activity emanating from a particular part of the world, or particular subnets, they will block access until they get the situation resolved," he told MSNBC. He emphasized that such blockages are temporary, remaining in effect only until more thorough security measures can be taken. The block on access from Brazil was lifted as of noon ET Friday, he said. "There should now be complete access to our public servers as usual," O'Donnell said.

He declined to provide further details on the computer attacks or the security measures, saying that "if you give out too much detail ... it could potentially provide information to people with an interest in hacking." Blocking traffic from an entire network or country isn't as extreme a measure as it may sound, said Mark Zajicek, daily operations team leader at the CERT Coordination Center. "In general, that is something that's quite often done, usually to give the system administrators more breathing space and limit the traffic that might be coming from a particular source," Zajicek told MSNBC. The Pittsburgh center, which is part of the Pentagon-funded Software Engineering Institute at Carnegie Mellon University, serves as a national clearinghouse for computer security issues. Although Zajicek couldn't comment specifically about JPL's actions, he said it's very easy to block traffic on a per-domain, per-site or per-host basis. "As far as how effective it is, it depends," he said. Some attacks involve spoofing the source of the assault, so that an attack appearing to come from Brazil actually originates somewhere else. "The newer distributed denial-of-service attacks are exactly those kinds of attacks that this reaction (blocking domains) is not effective against," he said. O'Donnell said he was not aware that JPL servers were involved in last month's distributed computer attacks, but he said the organization was on guard. "Computer security is a subject that's taken seriously here, and obviously there can be many avenues of attack, such as the recent denial-of-service attacks on some of the commercial sites, as well as other modes," he said. "It's always a bit of a challenge because there are a large number of computer hosts at a large technical organization like JPL."

Zajicek, meanwhile, declined to comment on whether would-be intruders have targeted NASA computers. "In general, the attacks can span the entire demographics of the Internet. ... The intruders were trying to find any host that had high bandwidth to the Internet," Zajicek said. "You could find those in all different types of organizations."

What is making these attacks possible?
Hackers have become more sophisticated and have developed programs that automate such attacks. The programs direct tens or hundreds of computers around the world to send traffic to a specific site simultaneously. That allows hackers to overwhelm some of the most prominent sites already designed to handle large amounts of traffic. Security experts became aware of the tools last fall. Patrick Taylor, vice president of risk assessment for Internet Security Systems in Atlanta, said the tools allowed people with lower degrees of skill to execute sophisticated attacks.

How do hackers use so many computers in their attacks?
They can secretly plant their attack programs in other people's or companies' computer systems by exploiting those systems' security weaknesses. The programs remain dormant until the appointed time of attack. When hackers route the program through someone else's computer, it makes them harder to trace.

What can sites do to prevent such attacks?
Little, according to Mark Zajicek, a team leader at the CERT Coordination Center at Carnegie Mellon University. He said the focus instead must be on increasing the security of other computers so that they cannot be commanded to launch such attacks. Once a site is targeted, one recourse is to trace the traffic back to the third-party computers and alert their administrators. The process can take hours.

Why can't sites block the bad traffic?
Even the process of determining whether traffic is legitimate uses precious computing time. A site's Internet service provider might be able to stop some bad traffic, but it comes from various locations and often carries fake return addresses, making it difficult to sort the good from the bad.

Why are these attacks occurring?
Attorney General Janet Reno said Wednesday that while a motive had yet to be determined, "they appear to be intended to interfere with and disrupt legitimate electronic commerce." There is no evidence that hackers gained access to the sites' internal data. But Randy Sandone of Argus Systems Group Inc. in Savoy, Ill., warned that denial-of-service attacks might one day be used as a decoy. While security personnel are busy trying to block traffic, a hacker might try to gain access to sensitive data.

Is this the work of one person?
Investigators have yet to determine whether a single person is behind all the attacks. Analysts say that after Yahoo! was hit Monday, other sites might have been targeted by copycat hackers.

SOURCE: Associated Press

http://www.msnbc.com/news/382240.asp?cp1=1#BODY



-- Martin Thompson (mthom1927@aol.com), March 20, 2000
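The article contrasts two controls without showing how they differ: JPL's stopgap of dropping all traffic whose source address falls in one region, and CERT's point that the real fix is hardening the networks that host the zombies, since flood packets often carry forged return addresses. The following is an added example, not code from the article, JPL or CERT: a toy packet filter that applies both controls to a constructed set of packets. The address prefixes are taken from the RFC 5737 documentation ranges and stand in for "Brazil" and for a network hosting a compromised host; they are not anyone's real address space. The source-side control is a BCP 38 style egress filter, which is my reading of CERT's advice rather than something the article names.

```python
"""Added example (not from the MSNBC/AP article, JPL or CERT): a toy packet
filter contrasting the two controls the article describes.

  * a destination-side block of a whole source region, as JPL applied to
    Brazilian traffic (drop packets whose header source lies in a prefix list);
  * a source-side egress filter of the kind CERT's advice about securing the
    "other computers" implies (the network hosting a compromised machine only
    forwards packets whose source address it actually owns, so forged return
    addresses never leave it).

Every prefix and packet is constructed from the RFC 5737 documentation ranges;
none is JPL's or any Brazilian network's real address space.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str     # source address written in the IP header (what the victim sees)
    origin: str  # prefix of the network that really emitted it (constructed ground truth)
    note: str    # human-readable label for the scenario


# Constructed address plan.
BLOCKED_REGION = [ipaddress.ip_network("198.51.100.0/24")]  # stands in for "all of Brazil"
ZOMBIE_NET = "192.0.2.0/24"                                  # hosts one compromised machine


def blocked_at_target(pkt, blocked=BLOCKED_REGION):
    """Destination-side control: drop if the *claimed* source is in a blocked prefix."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in blocked)


def dropped_by_egress_filter(pkt):
    """Source-side control (BCP 38 style): the originating network forwards a
    packet only if its source address belongs to that network."""
    return ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(pkt.origin)


def classify(pkt):
    """Which of the two controls stops this packet."""
    return {
        "region_block": blocked_at_target(pkt),
        "egress_filter": dropped_by_egress_filter(pkt),
    }


# Constructed traffic: one genuine visitor and three packets from the zombie.
SAMPLE = [
    Packet("198.51.100.5", "198.51.100.0/24", "genuine visitor from the blocked region"),
    Packet("192.0.2.77", ZOMBIE_NET, "zombie flood using its real source address"),
    Packet("198.51.100.9", ZOMBIE_NET, "zombie flood spoofing a source in the blocked region"),
    Packet("203.0.113.200", ZOMBIE_NET, "zombie flood spoofing a source outside the blocked region"),
]


def reaches_target(packets=SAMPLE, region_block=True, egress_filter=False):
    """Notes of the packets that still arrive at the victim under the chosen controls."""
    survivors = []
    for pkt in packets:
        if region_block and blocked_at_target(pkt):
            continue
        if egress_filter and dropped_by_egress_filter(pkt):
            continue
        survivors.append(pkt.note)
    return survivors


if __name__ == "__main__":
    for pkt in SAMPLE:
        print(f"{pkt.note:58s} {classify(pkt)}")
    print("arrives with region block only :", reaches_target())
    print("arrives with egress filter only:", reaches_target(region_block=False, egress_filter=True))
```

Run stand-alone, the script shows what Zajicek's caveat means in practice: the region block drops the genuine visitor and the one flood packet that happens to claim a source inside the blocked prefix, while the zombie's own-address packets and its packets spoofing an unblocked source still arrive. The egress filter stops every spoofed packet, but only at networks that deploy it, and a zombie sending with its real address is stopped by neither control; that host has to be cleaned up, which is the "alert their administrators" step the sidebar describes.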

