University computers a prime targets for hackers

[InfoSec News <isn () c4i org>]

http://www.cnn.com/2001/TECH/internet/06/01/hacking.colleges.ap/index.html

June 1, 2001

WASHINGTON (AP) -- Dave Dittrich is not happy: A software pirate has
hacked into computers at the University of Washington and installed a
file-sharing program on one machine.

It means one-stop shopping for stolen -- and now free -- software, and
plenty of headaches for Dittrich, the university's computer security
expert.

Lawyers for the software publisher are sending threatening e-mails,
and Dittrich must clean up the mess. The lawyers do not worry him.
Getting outgunned again by the hackers -- that bugs him a lot.

"The tools these days for intrusions are pretty much automatic,"
Dittrich said. "A system can be fully compromised in about a minute."

It's becoming more prevalent, where novice hackers hone their skills
amid a higher education culture known for lax security and free
exchange of ideas.

"They're good practice grounds because their vulnerabilities are
usually pervasive and their monitoring is usually woefully
inaccurate," said Richard Power, editorial director at the Computer
Security Institute. "It's kind of like hacking with training wheels."

University computer systems also attract experienced hackers. Huge
hard drives make it easy to store illicit software and fast Internet
access affords the perfect staging ground for devastating attacks on
corporate Web sites.

A hacker's paradise

Larger universities also offer other enticements.

"There's a lot of sensitive information that can be gleaned from a
university that's not classified in any way," Power said. "You
couldn't get it with a frontal attack on a military weapons lab
research facility. But you may get it indirectly by going through
university research labs."

For the hacker looking to get a credit card in another person's name,
there is plenty to glean from university student databases.

"A lot of universities use your Social Security number to track you in
their databases," he said.

Many security attacks on companies are first tried on universities,
where hackers can practice in relative anonymity. One example was the
February 2000 assaults on eBay, CNN.com and other Web sites. Hacked
university computers -- and many others -- were used to send an
overwhelming number of messages to the Web sites, making them
inaccessible to customers.

The tool used in that attack was "tested and developed on university
networks (and) aimed at university systems," Dittrich said.

Regular attacks

Among the prime targets are universities with world-class computer
science programs such as Purdue and Stanford.

"The university computing center is very strapped for resources, and
most of the groups are on their own," said Steve Hare, managing
director of Purdue's computer security research group. "You have some
good groups that have high security awareness, and some others that
are just barely getting by and get hacked frequently."

David Brumley, a member of Stanford's computer security team, said
hackers break into one of the school's computers each day, on average.

"We might have a slow week, then turn up with 20," he said, adding
that many of the compromised computers are used to store copyright
material.

Joel de la Garza, a security investigator with Securify in Silicon
Valley, said universities cannot lock down their computers in the same
way a company could.

"Universities are in an interesting position, because they typically
have to provide an academic research network. They want to maintain a
marketplace of ideas in digital form," de la Garza said. "The
attackers know this, and they attack universities with high-speed
Internet connections."

In the past two years, as computer attacks have become more frequent
and severe, more universities have taken steps to counter the threat,
including creating computer security offices, de la Garza said.

Attacks on universities are so common that compromised college
computers have become a form of hacker currency along with credit card
numbers and pirated software in a "digital black market."

In chat rooms, hackers will trade ".edu" university computers -- a
reference to the last three letters of their Internet address -- for
".mil" addresses denoting hacked U.S. military computers.

"Most people will give a lot of '.edu's for '.mil's," de la Garza
said. "But a lot of kids are getting smarter and not wanting to get
the '.mil's, because you'll get raided. A university will tolerate
certain things. The military doesn't."




ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.