Go to the FreeLists Home Page Home Signup Help Login 		 



[cybercrime-alerts] || [Date Prev] [05-2002 Date Index] [Date Next] || [Thread Prev] [05-2002 Thread Index] [Thread Next]

University systems a haven for hackers

  • From: alerts@xxxxxxxxxxx
  • To: cybercrime-alerts@xxxxxxxxxxxxx
  • Date: Thu, 02 May 2002 21:09:32 -0400
* this message via http://techPolice.com *


 University systems a haven for hackers
By Robert Lemos
Staff Writer, CNET News.com
May 2, 2002, 4:20 PM PT
http://news.com.com/2100-1001-898084.html

VANCOUVER, British Columbia--College is intended to nurture the quest for 
knowledge, but many universities are also unwitting breeding grounds for 
hacking and online piracy.
In a presentation here at the CanSecWest security conference, David Dittrich, 
senior security engineer with the University of Washington, said university 
politics and a lack of emphasis on computer security have made college networks 
rife with online piracy and hacking.

The networks "are a real fertile ground," Dittrich said in an interview after 
the presentation. "There is a responsibility that the universities are not 
meeting."

While some universities have good security checks in place, the majority of 
academic networks are tempting targets for hackers because of their lack of 
security, abundance of bandwidth and overworked administrators.

At the University of Washington, for example, Dittrich, two other security 
engineers and several network engineers have to deal with network outages, 
compromised computers, rogue libraries of pirated media and software, and 
students who can't get online to get their homework done because of all of the 
illicit traffic.

Responding to recent complaints from two students that their computers were 
exhibiting strange behavior, Dittrich and the other engineers found that at 
certain times of day, the university's bandwidth was being overwhelmed by 
sudden spikes in usage.

He found that a handful of computers on the network had been compromised and 
that a distributed database of pirated software and movies had been installed.

This time, nine systems on the network had more than 520GB of pirated software 
and movies stored on them, including the just-released "Scorpion King." That 
was just this week; in total, more than 70 systems have been found to have been 
used for digital piracy and so-called distributed denial-of-service (DDoS) 
attacks. The files could be accessed only through Internet chat 
"bots"--automated programs--that would allow only those in the know to download 
the files.

Such piracy is not always set up by outside hackers, Dittrich said. Several of 
his server investigations have revealed that students have been hosting the 
pirated software. In fact, a snapshot of the traffic on the network showed that 
37 percent of the data consisted of transfers by the file-sharing program 
Kazaa, and another 15 percent belonged to another file-sharing program, 
Gnutella.

The problems are not new.

In 1999, Dittrich had to clean up nearly 80 Solaris systems and 40 Linux 
systems that had been compromised and on which online vandals had installed 
DDoS tools. In 2000, 200 systems had been hit with the Code Red worm and 
another 150 or so with the Nimda worm.

"It's not large percentage-wise," he said, "but it is large in number."

In all, thousands of the university's 50,000 systems could be vulnerable to one 
of the dozens of flaws commonly exploited by online vandals. That multiplies 
when the systems are used to scan other, non-university systems. Four systems 
owned by PowerBot, a Swiss Army Knife of hacker utilities, automatically found 
9,000 systems last summer outside the university that were vulnerable to the 
attack used by Code Red.

The problems are not isolated to the University of Washington. Right after 
Dittrich's talk, another administrator approached him asking for advice because 
her network is wide open to exploitation.

The fear, she said, was that if the school's computers were used to attack 
another company, that company might sue for damages. The security administrator 
asked that she and her college not be identified.

Such problems may continue until a lawsuit is brought against a university or 
the various academic departments in the university get serious about security, 
Dittrich said.

"Not everyone hears the message," he said, especially when nothing happens to 
the universities in the way of punishment if they don't secure their systems.





--
This was sent to you from http://theMezz.com
To Subscribe/Unsubscribe go to http://techPolice.com




[ Home | Signup | Help | Login | Archives | Lists ]

All trademarks and copyrights within the FreeLists archives are owned by their respective owners.
Everything else ©2008 Avenir Technologies, LLC.