Security.edu
Stephanie Brenowitz
Do You Know Where Your Script Kiddies Are Tonight?
A computer systems administrator at Virginia Polytechnic had just gotten his morning cup of coffee and was sitting down to a routine check of his department’s computers when he noticed something was amiss. His computer usually logs the activity of his department’s computers over the weekend–which ones were used, by what users, for how long.
That day his logs were missing. It might seem like a useless technical detail, but to the experienced system administrator, or sysadmin, as they are known, it was very serious. He knew that it was a common ploy of a hacker to destroy the log files so they wouldn’t show that he had entered the system–kind of like wiping his electronic fingerprints before disappearing into cyberspace.
The sysadmin checked, and indeed, there were intrusions into all his department’s computers. Before the day was over, he and others found that more than 100 computers on campus had been infiltrated.
He quickly booted off the invaders by cutting off their access privileges and patched the software hole that had let them in. It was just another day in the life of a sysadmin–computers at any school can be invaded several times a day.
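The missing weekend logs were the clue in the story above: an intruder who deletes or truncates log files leaves a hole where routine records should be. The script below is an added example, not part of the original article or of any tool the sysadmin used; it audits a set of daily login logs for files that are missing, files that have been emptied, and stretches of time with no entries at all. The log format and every sample line are constructed for the example.

```python
"""Detect tell-tale signs of log tampering: daily log files that are
missing or emptied, and unexplained gaps in an otherwise continuous
login record. All sample data here is constructed for the example."""
from datetime import datetime, timedelta

# Constructed sample: one line per login, "YYYY-MM-DD HH:MM:SS user host".
# Saturday's file is gone and Sunday's has been truncated to nothing,
# the kind of damage an intruder leaves after deleting logs.
SAMPLE_LOGS = {
    "2000-02-04.log": (
        "2000-02-04 09:12:03 alice ws01\n"
        "2000-02-04 13:45:10 bob ws07\n"
        "2000-02-04 17:20:55 alice ws01\n"
    ),
    "2000-02-06.log": "",
    "2000-02-07.log": (
        "2000-02-07 08:02:41 carol ws03\n"
        "2000-02-07 08:30:00 bob ws07\n"
    ),
}

DAY = "%Y-%m-%d"
STAMP = "%Y-%m-%d %H:%M:%S"


def expected_files(start_day, end_day):
    """Name of every daily log file from start_day to end_day inclusive."""
    day = datetime.strptime(start_day, DAY)
    end = datetime.strptime(end_day, DAY)
    while day <= end:
        yield day.strftime(DAY) + ".log"
        day += timedelta(days=1)


def parse_entries(text):
    """Yield (timestamp, user, host) for each well-formed line; skip junk."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            stamp = datetime.strptime(parts[0] + " " + parts[1], STAMP)
        except ValueError:
            continue
        yield stamp, parts[2], parts[3]


def audit_logs(logs, start_day, end_day, max_gap_hours=36):
    """Return human-readable findings: missing files, empty files, and
    stretches longer than max_gap_hours with no entries at all."""
    findings = []
    for name in expected_files(start_day, end_day):
        if name not in logs:
            findings.append(f"missing: {name}")
        elif not logs[name].strip():
            findings.append(f"empty: {name}")

    # Gap check runs over everything that survived, across file boundaries.
    stamps = sorted(ts for text in logs.values() for ts, _, _ in parse_entries(text))
    limit = timedelta(hours=max_gap_hours)
    for earlier, later in zip(stamps, stamps[1:]):
        if later - earlier > limit:
            findings.append(f"gap: no entries between {earlier} and {later}")
    return findings


if __name__ == "__main__":
    for finding in audit_logs(SAMPLE_LOGS, "2000-02-04", "2000-02-07"):
        print(finding)
```

The gap threshold is a judgment call: 36 hours tolerates a quiet night but not a whole vanished Saturday. On a real system the check belongs on a separate host that receives copies of the logs, since an intruder with root on the logged machine can edit the audit script as easily as the logs.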
But the 1999 attack stood out to Randy Marchany, senior engineer at Virginia Tech, because the school doesn’t usually have that many computers taken over all at once.
“We were probably being set up as an intermediary for the DDOS attacks that brought down Yahoo and CNN in February,” Marchany said.
DDOS stands for “distributed denial of service,” the type of attack that shut down many of the country’s most popular commercial Web sites that month by flooding them with useless requests from hundreds of computers at once. Many of those computers were university machines that had been hijacked from afar, which also helped the attackers mask their identity.
“Because the attack was so large, they had to have been setting up for months beforehand,” Marchany said. “If our sysadmin hadn’t been so alert, you would have seen us all over the news too. But we got out of it early.”
Steve Hansen, computer security officer at Stanford University in Palo Alto, Calif., got much of that publicity–his computers were used in the early stages of the hacker attacks.
“They got in through a forgotten sub-network on a remote campus,” Hansen said. “We had the problem taken care of in less than an hour. We stay on top of them and as a result, the numbers of our break-ins are actually going down. But the number of attempts is up.”
Hackers are not the only security problems that school networks face. Those in charge of directing college computing networks grapple every day with issues such as viruses, password protection, privacy concerns, and the struggle between making a computer safe and making it accessible to the community.
Training Ground
Because of their vast networks and extensive computing resources, universities are prime targets for hackers looking to explore a system or to hide their identity as they invade other networks around the world.
“Almost everyone starts off hacking university computers,” said ytcracker, a 17-year-old from Colorado who hacks in his spare time. “It’s like a training ground because their networks are so extensive and so full of holes. It’s a great place to learn how computers work.”
In order to find a way into a network, hackers first launch what is called a “probe”: an automated scan that tries to connect to a range of addresses and ports to learn which computers on a campus network are up and which programs, or services, they are running, since those services are what an intruder attacks. Marchany runs a program that tells him how often his computers are being probed.
“In one month, for example, we were probed 2,300 times,” he said. He gets several break-ins a week, and a few every semester that require major repairs.
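A probe looks different from ordinary use: one outside address touching many different ports in a few seconds. The detector below is an added example, not Marchany’s program or any product the article names; it reads connection-attempt log lines and flags any source that hits at least five distinct ports within a sliding window. The log format and the sample lines are constructed, with addresses from the documentation ranges.

```python
"""Flag network probes (port scans) in connection-attempt logs: a source
that touches many distinct ports on campus within a short window is
scanning, not using a service. The log lines and their format are
constructed for this example and not taken from any particular tool."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "YYYY-MM-DD HH:MM:SS src_ip dst_ip dst_port".
# 198.51.100.7 sweeps six ports in two seconds (a probe); .42 is a mail
# user; .99 touches five services but spread over a working day.
SAMPLE_LOG = """\
2000-02-04 02:10:01 198.51.100.7 203.0.113.10 21
2000-02-04 02:10:01 198.51.100.7 203.0.113.10 23
2000-02-04 02:10:02 198.51.100.7 203.0.113.10 25
2000-02-04 02:10:02 198.51.100.7 203.0.113.11 79
2000-02-04 02:10:03 198.51.100.7 203.0.113.11 111
2000-02-04 02:10:03 198.51.100.7 203.0.113.12 513
2000-02-04 08:00:00 198.51.100.99 203.0.113.10 22
2000-02-04 09:00:00 198.51.100.42 203.0.113.10 25
2000-02-04 09:05:00 198.51.100.42 203.0.113.10 25
2000-02-04 09:07:00 198.51.100.42 203.0.113.10 110
2000-02-04 10:30:00 198.51.100.99 203.0.113.10 80
2000-02-04 12:00:00 198.51.100.99 203.0.113.10 25
2000-02-04 14:15:00 198.51.100.99 203.0.113.10 110
2000-02-04 16:45:00 198.51.100.99 203.0.113.10 21
"""

STAMP = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Yield (timestamp, src, dst, port) per line, skipping malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            stamp = datetime.strptime(parts[0] + " " + parts[1], STAMP)
            port = int(parts[4])
        except ValueError:
            continue
        yield stamp, parts[2], parts[3], port


def find_probes(text, window_minutes=5, min_ports=5):
    """Return {src_ip: sorted (dst, port) pairs} for every source that hit
    at least min_ports distinct ports within any window_minutes span."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for stamp, src, dst, port in sorted(parse_log(text)):
        by_src[src].append((stamp, dst, port))

    probes = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            # Advance the window start until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {port for _, _, port in hits[start:end + 1]}
            if len(ports) >= min_ports:
                # Report everything this source touched, not just the window.
                probes[src] = sorted({(dst, port) for _, dst, port in hits})
                break
    return probes


if __name__ == "__main__":
    for src, targets in find_probes(SAMPLE_LOG).items():
        print(src, "probed", len(targets), "services:", targets)
```

The window is what separates a scan from a busy but legitimate user: with the default five minutes only the sweep is flagged, while widening the window to a full day also catches the user who visited five services over the afternoon. Counting distinct sources flagged per month gives the kind of figure Marchany quotes.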
Despite the fact that there are so many people trolling through university networks at any given moment, they are not after what you might imagine–they aren’t trying to steal grades or Social Security numbers or research.
“Hackers want your computer, not what’s on your computer,” Marchany said. In the last decade grades at his school were changed only twice and only one change was made through traditional hacking. (The other change was made after a teacher left the room without turning off his computer. The student just walked up to the terminal and changed the grade; no hacking skills needed.)
Ytcracker agrees. “I know people who collect up to 200 computers that they’ve taken over,” he said. “They aren’t going to do anything with them. They just like knowing they have them. It’s a power thing.”
Although few universities have had major losses from any one attack, keeping up with them is time consuming. And the rare possibility that networks can be co-opted for more sinister purposes has led President Bill Clinton and the FBI to seek the guidance of Marchany and other experts on how best to protect the nation’s computers.
Alert administrators routinely check in with sites such as http://www.securityfocus.com and http://www.cert.org for the latest known defects in popular software. Then they rush to patch them up before the hackers use that same information to get into their networks.
“It chews up a lot of time, finding intrusions and repairing the damage,” Hansen said.
There are many ways to attempt to keep out the infiltrators. Scott Conti, a network operations manager at the University of Massachusetts at Amherst, said he is converting all of his networks from shared to switched. On a shared network, every computer on a segment sees every other computer’s traffic, so an intruder who compromised one machine could read the passwords and e-mail passing to and from all of them. A switch delivers traffic only to the port of the computer it is addressed to, which limits what an intruder on one machine can capture and also improves performance, Conti said.
Marchany employs a large number of automated monitoring tools that keep tabs on what his network is doing. He can tell when his system is being probed, which ports are being accessed, and when traffic is higher than it should be. Such software can be found at http://www.psionic.com and http://www.zonelabs.com.
Some administrators favor a firewall, an electronic screen that keeps outsiders from entering a network, but others find that it blocks out too many authorized users. “Administrators tell me all the time that they won’t be able to contact me from whatever conference they are going to because they will be locked out of their systems,” said computer consultant John Savarese, who communicates with many college professionals over e-mail. “You have to decide whether the firewall is so prohibitive that the network ceases to serve the community.”
“It is possible to keep hackers out,” Marchany said. “We just have to stay on the ball.”
To a user, a password seems like an annoying hurdle one would rather kick down than leap over. To sysadmins, passwords are one of the best (and most abused) defenses against infiltrators.
Depending on how secure your network is, you may have to type in a half-dozen user names and passwords every time you log on to a computer and attempt to access any type of program. Some programs are so security-conscious that they require a password at several levels, or every time a user wants to access or change confidential data. Many users attempt an end run around the whole process by making their user name something they won’t forget–such as “hello”–and then making their password something equally easy–such as “hello.”
“You have no idea how often I see that,” Marchany said with a chuckle. But if you can guess your password, so can anyone else. And they don’t have to be near your machine to do it–someone on the other side of the country who has gotten into the network can assume that there is at least one person on campus simple-minded enough to have “hello” as a password. Then the intruder can pretend to be you as they roam around cyberspace, leaving your name as a calling card wherever they go.
The best password is one that makes no sense, will not turn up in the word lists that password-cracking programs try, and can’t be easily guessed by someone who knows you, experts said. It looks something like this: i5ty78r8g. You can see why administrators say that educating users about the need for better passwords is one of their bigger challenges.
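Here is what “guessable” means in practice. The script below is an added example, not from the article or from any of the schools mentioned: it plays the intruder who has obtained a file of hashed passwords and runs a small word list, with the usual cheap variations, against it. The accounts and the word list are constructed; unsalted SHA-256 stands in for whatever hash a real password file would use (real systems should use a salted, deliberately slow hash, which makes the attack slower but does not save a password that is in the list).

```python
"""Why "hello" is not a password: a wordlist attack against a file of
hashed passwords recovers every guessable one in milliseconds while the
random string survives. Added example with constructed accounts;
unsalted SHA-256 stands in for whatever hash a real password file uses,
and real systems should use a salted, deliberately slow hash instead."""
import hashlib


def hash_pw(password):
    """Hash a password the way our constructed password file stores it."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed accounts: user name -> stored hash. The attacker sees only
# the right-hand side; "rmarch" uses the article's random-looking example.
ACCOUNTS = {
    "hello": hash_pw("hello"),
    "jsmith": hash_pw("Welcome1"),
    "rmarch": hash_pw("i5ty78r8g"),
}

# Constructed attacker word list; real ones run to millions of entries.
WORDLIST = ["password", "hello", "welcome", "letmein", "qwerty", "monkey"]


def mangle(word):
    """Yield the cheap variants crackers try on every dictionary word:
    as-is, capitalised, and with a single trailing digit."""
    yield word
    yield word.capitalize()
    for digit in "0123456789":
        yield word + digit
        yield word.capitalize() + digit


def candidates(wordlist):
    """Map hash -> plaintext for every mangled candidate, computed once so
    that each stored hash is then a single dictionary lookup."""
    table = {}
    for word in wordlist:
        for cand in mangle(word):
            table[hash_pw(cand)] = cand
    return table


def crack(accounts, wordlist):
    """Return {user: recovered_password} for every account whose hash
    matches a candidate; accounts that survive are simply absent."""
    table = candidates(wordlist)
    return {user: table[h] for user, h in accounts.items() if h in table}


def survivors(accounts, wordlist):
    """Accounts the word list attack could not open."""
    cracked = crack(accounts, wordlist)
    return sorted(user for user in accounts if user not in cracked)


if __name__ == "__main__":
    for user, password in crack(ACCOUNTS, WORDLIST).items():
        print(f"{user}: {password}")
    print("survived:", survivors(ACCOUNTS, WORDLIST))
```

Six words become 132 candidates and two of the three accounts fall, including “Welcome1,” which its owner probably thought was clever. The nine random characters survive not because the hash is strong but because no list contains them; the same attack with a million-word list and a salted hash still ends the same way.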
Do you have documents in your e-mail that you don’t have anywhere else? Do you save messages for months, years even, because they have important information? And do you throw out the chit-chat that means next to nothing, believing it disappears into thin air when you hit that delete key?
You are not alone, said Savarese, a consultant with Edutech International, which assists schools with their technology needs. He says that more and more, people are treating their e-mail systems as document filers that they can’t live without.
“Schools face a dilemma–they don’t want to purge their e-mail on a timely basis, because people complain that they’ve lost something that they want back,” Savarese said. “But 20 years from now, you are going to have this server with all this e-mail stored up on it that people think they got rid of. Someone is going to mine those old e-mails and come up with things that are really embarrassing-messages you wrote after a few beers that you never meant for anyone else to see.”
Hackers lurking on a system will sometimes read e-mail and other traffic to get information that helps them hack further into the system. They install a program called a “sniffer” that silently captures the traffic passing over the network and sifts through it for key words like “password,” or simply records the user names and passwords that many mail and login programs still send in plain text.
“The bad guys were sniffing our passwords, but they aren’t able to do that anymore.” Hansen said. Now each user at Stanford has a single sign-on that is encrypted and never distributed over e-mail.
Privacy Issues
Actually, a lot of people can theoretically see your email. Anyone hacking into a system can see it; a system administrator could see it; and if you are suspected of wrongdoing, so can the government.
But if you are worried about a system administrator watching your every move, think again. There is far too much traffic on a campus network for anyone to watch everyone, much less follow one person through it.
“The privacy of student information is very important to us,” Hansen said. “What protects privacy is the sheer volume of data–the logs of computer activity, which only shows what computers are on and off, are 700 gigabytes of data per day alone. There is no way we could monitor e-mail or anything else on an individual basis.”
Being able to monitor the traffic–which is to say, the times when a computer is logged on to a network, not necessarily the content of its transactions–is key to keeping a network safe.
At the University of Massachusetts, Amherst, a student lost a private laptop while on campus. Conti was able to get it back by going on the network and tracing where the laptop appeared–on a port in another student’s dorm room.
Another student was being harassed over her computer. “She was terrified,” Conti said. “Every time she turned on her computer, he would make it display obscene images. She called us once while it was happening, and we were able to determine what computer the images were being sent from.”
But Conti said he only intervened because it was a matter of law enforcement conducted in conjunction with the university police.
“It’s not Big Brother,” Conti said. “We are not watching what people are doing, especially not at a university. But we have to be able to protect the community and we have a responsibility to maintain security.”
Administrators say that users need to accept the fact that getting on the Internet is like walking into a public park–you give up the right to be left alone all the time.
“People have this idea they are anonymous on the Internet, that sitting there in front of their box they can only see out,” Marchany said. “But they forget that by getting on the Internet, everyone else can look at you.”
Digital Music: A Legal Liability?
Another threat to universities is embodied in the controversy over MP3, a compressed digital audio format in which thousands of songs have been encoded and made available for download from the Internet onto computers and portable MP3 players. Theoretically, you are only supposed to download MP3 files for which you have paid, but services such as Napster let listeners find and copy one another’s music files directly, so recordings are easily swapped with people who have not paid for the right to use them.
In addition to suits filed against the Web sites themselves, the rock band Metallica took the unusual step of including three universities–Indiana, Yale, and the University of Southern California–in the suit for allowing their students access to the music sites online.
Though the suits against the schools were eventually dropped, they raise a more fundamental question about universities: are they merely Internet service providers that have no control over the content their students receive? Or are they obligated to monitor their students more closely than other ISPs would? Most administrators say they have no such obligation.
Conti said that while he agrees with the critics of the MP3 technology, he doesn’t think the schools have any obligation to act as copyright police. He said his job at UMass Amherst is providing access to his students, faculty and staff.
“From a legal perspective, they are right,” he said. “But is it our responsibility to enforce the laws? I don’t think so. That has to be up to the music industry or the Department of Justice. That’s not our job.”
He does see the possibility that schools might get involved if using the music technology infringes upon other, more educational uses of the network. “We went to a girl’s room once because she was having problems with her computer,” Conti said. “She had her computer hooked up right to the stereo and was using it as a jukebox. And she’s not the only one.”
Marchany said there isn’t much his university can do beyond posting prominent warnings to students that they may be violating copyright laws. A university systems administrator could, for example, block access to the ports that a particular digital music service uses. But that wouldn’t work for long:
“It’s only a matter of time before they just start changing the ports every day,” Marchany said.
“And these are not the only services that we would have to watch out for. There are tons of them out there and we can’t block everyone.”
Access Considerations
University networks are difficult to police for a number of reasons. For one thing, each network is composed of computers in thousands of offices, labs, and dorm rooms, each of which has often been set up by a different person. And every day, the network changes shape as a student plugs in a new PC he just bought for $500 or a researcher hooks up a new million-dollar supercomputer. Just keeping an inventory of every computer on campus, much less keeping track of all their security needs, could be a full-time job, Conti said.
Another complexity is the very nature of the learning atmosphere at colleges.
“Universities tend to work on the premise that open networks are better,” Conti said. “Collaboration is encouraged in an educational and research environment, so you have to have access to the same computer system. Imposing security on that system is somewhat counter to the ethic of a university.”
Every new password, every new security measure could be locking a member of the college community out of the computer community. Many of the methods that would keep hackers out of a network would also make it more difficult, if not impossible, for authorized users to access it from anywhere but on campus.
Most schools have opted to keep their networks open–users can dial up to their department from home, they can read their e-mail from any computer, they can access the research stored on computers around the globe. But that often means more of a capability for unauthorized invaders to dial in, read faculty e-mail, and download their research.
“Universities are more exposed than they realize,” Savarese said. “The trick is to find that balance between security and functionality and most schools haven’t found it yet.”
RELATED ARTICLE: A Short Glossary: Cracking the Hacker Argot
Hacker /n./ [originally someone who makes furniture with an axe] One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming. It is better to be described as a hacker by others than to describe yourself that way. Hackers consider themselves something of an elite (a meritocracy based on ability), though one to which new members are gladly welcome. Often used in colloquial speech, mistakenly, to connote cracker.
Cracker /n./ One who breaks security on a system. Coined ca.1985 by hackers in defense against journalistic misuse of hacker. While it is expected that any real hacker will have done some playful cracking and knows many of the basic techniques, anyone past larval stage is expected to have outgrown the desire to do so except for immediate, benign, practical reasons.
Exploit /n./ A program or technique that takes advantage of a flaw or hole in software to gain access. Strictly, the flaw itself is a vulnerability and the exploit is what uses it, though the two terms are often run together.
Larval stage /n./ Describes a period of monomaniacal concentration on coding apparently passed through by all fledgling hackers.
lol /phrase/ Used by chatters and e-mailers as shorthand for “laughing out loud.”
Script kiddie /n./ An adolescent computer vandal who, lacking an understanding of code writing, runs prepackaged attack scripts and tools obtained on the Internet, often using the result to damage Web sites for the fun of it.
Sniffer /n./ A program or device that captures the traffic passing over a network. On a shared network a sniffer can read other computers’ e-mail and any passwords sent in plain text. Not to be confused with a scanner, which determines which computers are running on a network and what programs they offer, so a hacker can decide what exploits to try.
Sysadmin /n./ Common contraction of system administrator, systems programmer in charge of administration, software maintenance, and updates on a computer or network.
White hat /n./ A hacker who practices his tricks purely for good–as a service to vulnerable systems that are then notified of their exposure and how to fix it. Also known as ethical hacking.
Black hat /n./ A hacker who breaks into systems with malicious intent. He may disable or otherwise ruin programs and he may steal confidential data. See cracker.
Grey hat /n./ A white-hat hacker who employs the tools of a black hat.
Worm /n./ [from `tapeworm’ in John Brunner’s novel The Shockwave Rider.] A program that propagates itself over a network, reproducing itself as it goes. Unlike a virus, it does not need to attach itself to another program to spread. Nowadays the term has negative connotations, as it is assumed that only crackers write worms.
Sources: The New Hacker’s Dictionary by Eric S. Raymond (available online and in print), and the Fort Worth Star Telegram.
Stephanie Brenowitz is a staff writer for the Columbus Dispatch in Ohio. She has also written about education for the Philadelphia Inquirer and the Hartford Courant.
COPYRIGHT 2000 Educational Media LLC
COPYRIGHT 2000 Gale Group