On Feb. 7, 2000, the first wave of distributed denial-of-service (DDOS) attacks hit Internet portal Yahoo Inc. During the next few days, other high-profile Web sites – including eBay Inc., Buy.com Inc., Amazon.com Inc., ETrade Group Inc. and CNN.com – were knocked off the Net by millions of packets coming from thousands of far-flung computers.
But the stage was set for those high-profile attacks back in the summer of 1999. That’s when university systems began finding software agents – tools planted by hackers to launch future denial-of-service attacks – hidden on unprotected machines inside their sprawling networks. In August of that year, a preliminary DDOS incident took down several hundred hosts at universities.
So it wasn’t a huge surprise that, when the full-scale DDOS assault happened in February, many attacks could be traced back to computers tucked away in research departments at Stanford University, the University of California at Santa Barbara, the University of Washington, Oregon State University and James Madison University, to name a few.
“Why were universities so involved in these attacks? Because they’re naked,” said Stephen Northcutt, head of the SANS Institute’s Global Incident Analysis Center in Bethesda, Md. “They’re sitting out there on the Internet with no firewalls or anything.”
So naked are many of these university computers that the problem caught the attention of Jeffrey Hunker, who was director of the critical infrastructure outreach program at the National Security Council (NSC) during the Clinton administration.
“Universities were a major contributor to the DDOS attacks. They’ve always been a major contributor to security problems. This is clearly an area which I believe the [Bush] administration should tackle,” Hunker said.
Kurt Bryson, a forensics investigator at New Technologies Inc. in Gresham, Ore., said securing computers at universities is complicated by a number of factors: lack of money, transient students who run (and tinker with) the machines and zero accountability. University IT departments don’t have responsibility for securing the research machines – and it’s not clear who does have that responsibility.
“In many universities, there’s really no way for IT staff to know what machines are out there, especially in the research areas,” said Randy Marchany, coordinator of a computer security center for Virginia universities, which he operates out of Virginia Polytechnic Institute and State University (Virginia Tech) in Blacksburg, Va.
Hackers have long considered university systems their playground, according to a 28-year-old East Coast hacker who goes by the handle “Yetzer-Ra.” The research computers have the Internet access and processing power to do most anything hackers want them to do – and often they sit unsupervised and unused.
FUNDING EXCLUDES SECURITY
Typically, the computers themselves were obtained with grants from U.S. science agencies that are more interested in advanced research than computer security.
“Researchers are given money by the National Science Foundation [NSF] and the National Institutes of Health to buy computers to conduct research. But they can’t use that money for system administrators or security manpower. They can only use that grant money for equipment,” explained Dave Dittrich, a senior security engineer at the University of Washington in Seattle. Dittrich was one of the first people to discover denial-of-service agents lurking in university networked systems.
When researchers get these government-funded computers, they plug them in, replete with all their default passwords, vulnerable services, unpatched programs and listening ports. Student researchers reconfigure the machines, add and delete a lot of software and then move on, leaving the machines to other students, or in some cases, to no one.
Last summer, Hunker called the NSF to discuss changing the grants process so that agencies could fund computer security, too. But an NSF spokesperson responded that it’s not up to the granting agency to ensure that systems are properly secured.
A White House Office of Management and Budget (OMB) memo acknowledges that securing and managing computer equipment is up to the grantees. But the OMB document doesn’t say who should hold the grantees accountable – or how.
Clamping down on researchers could chill the very innovation the grant programs are trying to foster, said George Strawn, executive officer of the NSF’s Computer, Information Science and Engineering Directorate in Arlington, Va.
“First of all, great things happen in our distributed universities when you get rid of some of the bureaucracy tied to IT support. It unleashes a lot of creativity,” said Strawn, who comes from a university systems background.
“The research universities helped build the Internet,” he continued. “Now they’re working on Internet 2. And new protocols, like the IT infrastructure to support full-motion video and telepresence, are coming out of these universities, too. A firewall would pretty much kill that kind of innovation.”
However, Strawn acknowledged there are downsides to bad security at the university level. One is the legal liability to Web businesses that get hacked from university computers. Another is the fact that intellectual property – the government-funded research itself – could be stolen. So his department is working with Educause, a Washington-based nonprofit association of 1,800 universities, to address the problem.
Last July, Educause formed a task force on systems security that’s disseminating to university IT departments some tactical guidelines for DDOS detection, prevention and response. Educause has several security working groups, including a fast-hit program to try to get universities to at least address the top 10 vulnerabilities and an awareness committee to educate nontechnical university officials and research faculty.
“We’ve been well aware of the security problems at universities and colleges – and the fact that higher education was implicated in the DDOS attacks,” said Mark Lukor, an Educause vice president. “Every one of those 1,800 campuses involved in our program is working on their own campus security now, so you’re already starting to see some change. But it’ll probably take a year or two to educate everyone.”
Plus, universities themselves are forming Computer Incident Response Centers. Virginia Tech has started to keep track of the machines on its network by charging a US$5 “port fee” for any new computer plugging into the network. At the time of the new connection, an administrator is assigned oversight for that machine.
These are steps in the right direction and will reduce the risk of universities wreaking havoc on Internet neighbors such as Seattle-based Amazon.com, said observers. But academia has a long way to go to eliminate its role as the weakest link in the security chain.
Universities are already worried about a new type of distributed attack that could be launched from academic systems, said Tedd Heberlein, a computer security research consultant at the University of California at Davis.
“We’ve had FTP attacks raging through the university system for the past three months,” he said. “And my guess is these attacks are or will be forming the backbone for some sort of future distributed attacks.”