The Growing Vulnerability of Campus Networks
As attacks increase, colleges face tough, expensive challenges in keeping intruders out
By FLORENCE OLSEN
ALSO SEE:
Network Incidents at One University
Colloquy Live: Read the transcript of a live, online discussion with Randy Marchany, a senior member of Virginia Tech's Unix system management group and the coordinator of the university's Computer Incident Response Team (CIRT), about how colleges can protect their computer networks from a new wave of intruders.
The days when computer hacking was no more than an inconvenience to colleges -- if an expensive one -- could be over. A spokesperson for the U.S. Health and Human Services Department said last week that its auditors are checking the security of computer networks at several university research labs in response to heightened concerns about bioterrorists' possibly obtaining information about hazardous materials.
On top of national-security concerns, the volume and intensity of security incidents on campus networks are growing at a pace that raises questions about the adequacy of security precautions. Virus infections, unsecured software, and a shortage of people who know how to make computers safe on the Internet are converging to make campus networks a particularly alluring target for hackers, and now, some experts worry, terrorists.
Michael A. McRobbie, vice president for information technology at the Indiana University System, says colleges have a well-deserved reputation for lax network security. As a result, he says, they risk increased insurance costs and expensive lawsuits.
Attacks on networks to collect passwords, gain access to unauthorized data, install malicious code, or share bootleg movies are wasting crucial public resources and reducing productivity, Mr. McRobbie said in a stinging critique delivered last year to the annual meeting of Educause, the educational-technology consortium. In a time of increased national-security concerns, he said, pressure is mounting on colleges to gain better control of their computer networks, or risk losing federal grant money for research.
Taking Responsibility
"In the present climate of cyber-threats," Mr. McRobbie added in his speech, "somebody in the university has to step forward and take responsibility for trying to remediate these threats and to translate what the risks are."
Recognizing the problem, some colleges report that they are tightening security on their networks. Congress has proposed more money for research and education to help institutions improve the security of their networks. Software vendors, too, have reacted to the crisis: Microsoft, whose products are frequently targets of viruses, worms, and other destructive agents, in January announced a campaign aimed at making all of its software more secure.
According to Garland Elmore, technology dean of Indiana University-Purdue University at Indianapolis, a wave of viruses and computer-cracking attempts about four years ago was aimed at centrally located servers, the best-protected ones on campuses. Those threats were thwarted. Since then, he says, attempted computer and network-security violations have become more frequent and have affected more people -- "now we're getting these kind of attacks all over the institution." And colleges have not yet seen the worst of it, he predicts.
One example is Nimda, an Internet worm, which hit colleges especially hard last fall -- clogging networks and taking control of infected computers. At Indiana, where Mr. McRobbie is also chief information officer, security technicians found 600 computers on its networks that had the security hole that leaves computers open to attack from Nimda. The technicians were able to block most of the unsecured machines from other parts of the network until someone patched the holes.
Some smaller colleges were not as prepared to respond. After Nimda hit Central Wyoming College, which has 600 campus computers, officials closed down the college on a Friday to let its staff of eight technicians start cleaning up the mess. It took a week.
Viruses propagate more quickly these days, because there are more high-speed networks to carry them. About 50,000 viruses exist today, and that number could double by 2004, Mr. McRobbie says.
As viruses and worms have become increasingly complex and damaging, the computers that students bring to campus have been among the hardest hit. College technicians help faculty and staff members install antivirus software, but students often are on their own. Gordon D. Wishon, chief information officer and associate vice president at the University of Notre Dame, says students there are given free antivirus software and tips on its use. But many of them fail to configure the software to be updated as new viruses are created and propagated, he notes.
Security breaches are clearly on the rise.
The CERT Coordination Center at Carnegie Mellon University, which coordinates emergency responses to computer-security problems, recorded more than 52,000 incidents in 2001, each one involving as many as thousands of sites, including those on college campuses. By contrast, only about 22,000 incidents were reported in 2000.
'Script Kiddies'
One type of automated attack has become increasingly worrisome and time-consuming for colleges, says Robert E. Mahoney, a senior network engineer at the Massachusetts Institute of Technology. "Script kiddies," as the attackers are called, use scripts -- easily executed programs -- to break into unsecured computers. Such automated attacks can easily let a 15-year-old control more computers than he knows what to do with, Mr. Mahoney says. "We've seen certain scenarios on Internet relay chats where they are traded just like baseball cards -- 'I'll trade you 10 machines at MIT for some machines at the University of California.'"
Last March, MIT itself may have narrowly escaped becoming the launching point for a cyberattack on computers elsewhere. One night, someone on the Internet gained access to 33 computers in several research labs at MIT. Technicians noticed the invasion the next morning, after a security weakness had been discovered in the Solaris operating system. They found that a hacker had already exploited the flaw, leaving the computers open to be used in a "zombie" attack. Zombies -- machines that have been infected with attack programs -- are ordered by remote control to barrage other computers on the Internet with electronic messages. The technicians thwarted any potential damage when they pulled the computers offline and replaced the operating systems with clean versions.
Indiana's Mr. McRobbie says the method is favored by adolescent hackers, who amass "armies of hundreds, if not thousands, of zombies that they can wake up and use for denial-of-service attacks." Such attacks slow down or completely halt legitimate traffic that tries to enter or leave a Web site.
Two years ago, a 17-year-old hacker nicknamed Mafiaboy, from Montreal, received a criminal sentence for his role in attacks on Amazon.com and eBay. He had turned research-lab computers at several California universities into zombies and ordered them to attack the companies' Web sites. But his case was exceptional. While security managers might discover that a certain account on a particular machine was involved, rarely do they learn whose hands were on the keyboard.
Fear of Lawsuits
Colleges could be subject to costly negligence lawsuits if their computers are used in future attacks, or if sensitive information about students is stolen from campus computers, some experts say. Tracy Mitrano, policy adviser and director of computer law and policy at Cornell University, says courts may find colleges liable for an attack that used their machines, because campus officials should have known that unsecured networks were open to attack.
Campus networks are more vulnerable to attack than, say, corporate networks, because colleges need open networks for collaboration and access to information. It's rare for a college to have a strong firewall around its network. Such firewalls, because they block all but a few approved outsiders from gaining access, tend also to block collaborative researchers from other institutions. The vulnerabilities of campus networks "come from a good place, if you will," Ms. Mitrano says.
United Educators, a member-owned insurance company for colleges, says it does not yet offer a cyber-risk policy, even though that is one of the insurance industry's hot new areas for insuring clients. Instead, the company is advising its members to develop policies that will help reduce their networks' security risks. "Don't rely on insurance as a substitute for risk management, because risk management really is your front-line protection, even in the event of a lawsuit," says Frank Vinik, a United Educators risk manager.
College officials say they control only some of the conditions needed to promote better network security. Most software is sold with its security features turned off. Technical managers say they are overwhelmed by the number and complexity of advisories warning them of security flaws that require them to install software patches and updates. Administrators also say that students and faculty and staff members have all come to expect convenient access to information on campus servers, even when the users are miles away from the campus. Furthermore, the promise of improved network security in the form of digital certificates and a public-key infrastructure has been slow to materialize.
Daniel A. Updegrove, vice president for information technology at the University of Texas at Austin, says his biggest nightmare is knowing that only part-time or no systems administrators at all are available to control access to many student-owned and research-lab computers on the campus, or to keep up with security patches and updates. "So many computers within a university are managed casually," he adds, "that it's extremely hard to know who on the Internet has bona fide access to any of these computers."
Who Has Access?
He worries especially about research computers that have become obsolete. Such computers, purchased with grants, may have operating systems -- Solaris 2.0 or SunOS 4.1.1, for example -- that are no longer supported by the vendors that made them. Universities, researchers, and grant-making agencies "have systematically underinvested" in the protection of research computers, Mr. Updegrove says, and nobody wants to acknowledge that many general-purpose machines in campus labs are so outdated that they can no longer be secured. But then, he notes, most universities do not have budgets to pay for researchers' hardware and software, much less to pay full-time salaries for systems administrators in those labs. Typically, graduate students receive part-time salaries out of research grants to maintain lab computers.
Campus computing officials say they are hopeful that government money may help solve some of these problems. HR 3394, a computer-security bill that has passed the U.S. House of Representatives and has been referred to the Senate, authorizes $878-million for undergraduate and graduate education and research on the best ways to protect computers and networks from viruses, criminal hackers, and, as emphasized by the bill's sponsor, terrorists.
"In the longer term, we need cost-effective ways to build systems that don't have security holes," says Carl E. Landwehr, director of the new trusted-computing program at the National Science Foundation, which supports research on more-secure computer systems. Considerable work in software engineering in the past 20 years has produced some knowledge about how to build systems with strong security, he says, but the computer industry hasn't succeeded in building those techniques into systems that most people buy. A high priority, he says, should be figuring out "how to build systems that don't require so much manual configuration and so much expertise on the part of systems administrators to keep them in a secure state."
If the Microsoft Corporation sticks to its new and, some say, belated security campaign, it would almost certainly mean that the company could not release new software as frequently as it does now; it takes more time to build secure software. Some Microsoft users in academe say that might not be such a bad thing. "It's the Microsoft environment that we're all scrambling to correct," says Cornell's Ms. Mitrano. In a recent memo to employees about security flaws in Microsoft products, the company's chairman, Bill Gates, acknowledged that it "can and should do better."
Progress at Virginia Tech
Virginia Tech is ahead of the curve in making its computers and networks more secure. Other institutions are now using some of the tools and procedures that its security experts helped to develop. Technology managers there say they have spent the past seven or eight years trying to come to grips with network vulnerabilities -- and the time spent on security-awareness seminars and using security tools seems to be paying off. In the past six months, only two or three attacks against the network have been successful, says Randy Marchany, who runs Virginia Tech's new security lab. While the number of attempted attacks on the network has increased sharply in the past couple of years, he says, the number of successful attacks has stayed constant.
The university's security technicians use the same scanning tools that hackers use to find security holes on networks. If the tools detect a computer that has been "compromised," technicians immediately take that machine off the network. Most colleges do not use such tools, because they require someone skilled to interpret the results. Besides, for many institutions, a decision to scan people's computers -- even if only to find vulnerabilities -- goes against the grain. At Virginia Tech, all computer platforms -- including those for scientific instruments -- and their software configurations are also tested and rated as to whether they are secure enough to be put onto the network.
This past year, Virginia Tech also stepped up efforts to improve the skills of systems administrators. Last fall, more than 300 such staff members, from Virginia Tech as well as other colleges in Virginia and neighboring states, attended a free, three-day seminar on computer security and forensics given by Virginia Tech and the SANS Institute, an organization for network administrators and security officers.
Informal user groups and casual seminars set up to raise security awareness are also useful. At least, Mr. Marchany says, he sees better results from those activities than from what he calls "central directives."
"If you put out a memo and say, 'This is what you should do,' that doesn't work. But if I say, 'Hey, I'm offering a class,' and in the class I tell them what I would have told them in the memo, it works."
Such training seems likely to grow in importance. Last August, Virginia Tech spent $100,000 on four servers equipped with filters to remove viruses from e-mail coming into and leaving the university network. It was money well spent, Mr. Marchany says: "Sometime in November, we intercepted our millionth virus."
NETWORK INCIDENTS AT ONE UNIVERSITY
Many colleges are reporting increases in hacking, illegal acts, or other destructive incidents involving their computer networks. One research university, which asked not to be identified, provided the following data, showing the changes in the kinds of incidents commonly experienced in 1999 and 2001. Figures reflect incidents reported in the month of December for the two years.
Commercial use of the campus network
Definition: Use of university Web pages to sell products or services
1999: 1; 2001: 0
Copyright infringement
Definition: Unlicensed or unauthorized copying of copyrighted materials
1999: 2; 2001: 1
Denial of service
Definition: "Flood" of messages released with the intention of slowing or stopping other network traffic
1999: 1; 2001: 1
Violation of Federal Educational Rights and Privacy Act
Definition: Failure to protect the privacy of students' personal information
1999: 0; 2001: 1
Fraud
Definition: Financial scheme to defraud victims, such as a chain letter
1999: 5; 2001: 2
Hacking/machine hacked
Definition: Writing a program to gain unauthorized access to a computer
1999: 6; 2001: 6
Harassment
Definition: Conduct that is unwelcome or intimidating to the victim
1999: 0; 2001: 1
Inappropriate bandwidth use
Definition: Excessive nonacademic use of the network for downloading or transferring large files
1999: 0; 2001: 13
Malicious code attacks
Definition: Harmful software programs, such as viruses, that destroy files, steal passwords, or otherwise cause damage
1999: 0; 2001: 42
Open mail relay
Definition: Use of university computer to relay mail from one address outside of the university to another outside address
1999: 3; 2001: 3
Port scanning
Definition: Hostile Internet searches for open "doors," or ports, through which intruders gain access to computers
1999: 5; 2001: 12
Spam
Definition: Mass mailing of unsolicited or unwanted e-mail
1999: 17; 2001: 30
Total, December 1999: 40
Total, December 2001: 112
SOURCE: Chronicle reporting
http://chronicle.com
Section: Information Technology
Page: A35