Information Security News mailing list archives

Hackers breach supercomputer centers


From: InfoSec News <isn () c4i org>
Date: Thu, 15 Apr 2004 02:03:52 -0500 (CDT)

http://www.computerworld.com/securitytopics/security/story/0,10801,92230,00.html

News Story by Paul Roberts
APRIL 14, 2004 
IDG NEWS SERVICE

In recent weeks, malicious hackers have infiltrated computer systems
at universities in the U.S. and worldwide, leading to questions about
the security of scientific research data, according to an official at
the National Science Foundation.

The systems were located at universities and research facilities that
operate high-performance computer centers, including facilities that
are part of a project funded by the NSF called TeraGrid, said Sangtae
Kim, director of the Division of Shared CyberInfrastructure at the
NSF, an independent U.S. government agency.

Supercomputing centers at U.S. universities, including the National
Center for Supercomputing Applications at the University of Illinois
at Urbana-Champaign and the Center for Advanced Computing Research at
the California Institute of Technology, are partners in the TeraGrid
project.

Systems at TeraGrid partner facilities were hacked, but no systems
that make up TeraGrid itself were compromised, Kim said.

The NSF doesn't know who was behind the attacks, but the agency
believes the attacks were part of a much larger action that affected
high-end systems worldwide, including sites in Europe. Many of the
compromised systems are connected to university research centers, Kim
said.

Stanford University's Information and Technology Systems and Services
(ITSS) group published a security alert on Saturday warning
researchers about compromises of a number of systems running the Sun
Solaris and Linux operating systems on the Stanford campus. The
advisory also noted that the attacks were part of a move against "a
large number of research institutions and high performance computing
centers."

The university became aware of the intrusions after users noticed
discrepancies in the time of their last reported log-in, which
indicated that their log-in information had been hijacked. Other
systems began performing poorly or started reporting errors after the
intruders installed so-called rootkits, or programs that allow the
malicious hacker to disguise his presence and gather information such
as usernames and passwords from the compromised system, the ITSS alert
said.

Attackers gained access to the systems by cracking or sniffing
passwords from insecure network traffic such as Telnet remote
communications sessions or from password files on other compromised
systems, according to the alert.

Once logged onto a system, the attackers looked for systems that
didn't have up-to-date operating system patches and then used known
software exploits to elevate their privileges from user to
administrator (or "root") status.

Other systems fell to hackers because of loose security configurations
for Network File Service, a way to share files and directories over
networks or the Internet. Many institutions have applied loose
security to those shared directories to "facilitate the distribution
of system management and data processing tasks," the advisory said.

The ITSS group recommended that compromised systems be taken off the
network and completely rebuilt, with new versions of the operating
system and up-to-date patches installed.

Universities that cooperate to conduct scientific research are
particularly susceptible to compromise because of the open nature of
their missions, according to Jonathan Bingham, president of Intrusic
Inc. in Waltham, Mass., which sells technology to spot covert and
illicit activity on computer networks, which it terms "noiseless
action."

"You've got large groups of individuals trying to access systems from
all over the world, so universities commonly have portions of their
network set up almost like the Internet in that access is wide open,"
Bingham said.

Malicious hackers can easily gain access to less secure areas of a
university's network and then listen to network traffic to capture the
credentials needed to access more sensitive areas, he said.

While some experts raised the specter of massive denial-of-service
attacks using the hijacked supercomputers, the real threat to the
TeraGrid project and the universities that got hacked is from
stealthier behavior, such as quietly leaking sensitive data from
compromised research machines, Bingham said.

Rebuilding and patching compromised systems will close the holes that
the intruders used, but it is no guarantee that the malicious hackers
behind the compromise no longer have access to the sensitive networks.

"Once they're in a network of this size and scope, they're going to
compromise other systems using stealth techniques that are different
from the ones they used to get in. Once you figured out [the
compromise] and know what systems are vulnerable, they're already on a
different system," Bingham said.


