College administrators across the country appealed to students and faculty members last week to change the way they log on to their computers after security experts announced that tens of thousands of passwords had been stolen by hackers on the Internet.
The Computer Emergency Response Team Coordination Center, a federally financed unit responsible for security on the Internet, issued the alert after a rash of break-ins. The Internet, a worldwide web of computer networks, is used by an estimated 20 million people.
Officials at Bard and Mary Washington Colleges, Harvard and Rice Universities, the University of California at Berkeley, and the University of Texas Health Science Center at Houston confirmed that their computers had been attacked in the last two months.
Security experts said hundreds of Internet computers had been affected -- including those at dozens of colleges -- but they declined to identify them. Institutions that fall victim to attacks often shun publicity because they want to avoid embarrassment and because they are afraid they may become targets for other hackers.
Some administrators, still unsure last week whether their computers had been attacked, were looking through their systems for evidence of intruders. The Federal Bureau of Investigation is searching for the culprits.
Computer administrators in higher education had varying opinions about what the event would mean to the future of the Internet. While none suggested that their institutions would permanently disconnect from it, several said universities might need to rethink what kinds of data should be stored in computers that are connected to the network. Others were puzzled by all the hullabaloo because they said that battles with “crackers” -- a name given to mean-spirited hackers -- were part of business as usual on the Internet.
Computer-system administrators at some colleges and universities said they were forcing users to change passwords on systems under their control and encouraging the users of other systems on their campuses to do likewise.
Jack McCredie, vice-provost for information systems and technology at the University of California at Berkeley, explained that it was impossible for administrators in his position to order everyone to comply because system operators in academic departments and laboratories often run their own little fiefdoms outside the reach of computer-center directors. “We’ve got 16,000 computers here connected to the network that we know about. There’s nobody in charge of all of them,” he said.
Some administrators said simply asking users to change passwords would prove futile.
“Getting students to change their passwords is like spitting into the wind,” Ray L. Rawlins, associate director of computer services at Utah State University, said with a laugh. “Professors are even worse.”
Others acknowledged the problem and said the easiest way to solve it was to make it impossible to reuse passwords, thereby forcing people to use a new password for each log-in. Several technological solutions currently exist and will probably soon be used on a wide scale.
One system involves the use of a device, similar in appearance to a credit card, that generates a new password every time the user inserts it in a computer. Administrators noted, however, that such solutions would make using the Internet more cumbersome and expensive than it is now.
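The article describes the card-style device only by its effect: every log-in uses a password that has never been sent before, so a password captured on the wire is worthless to whoever captured it. The following is an added illustration, not code from the article or from any vendor's card, of the simplest mechanism with that property: a hash chain (the S/Key idea), where the server keeps only the most recently accepted value and each new log-in must be the hash pre-image of it. Class and function names are invented for this example and the seed is a constructed constant.

```python
import hashlib


def _h(data):
    """One step of the chain. SHA-256 stands in for whatever hash a real system uses."""
    return hashlib.sha256(data).digest()


def make_chain(seed, n):
    """Return [seed, h(seed), h(h(seed)), ..., h^n(seed)] (n+1 entries)."""
    chain = [seed]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


class OtpServer:
    """Stores only the anchor h^n(seed); never sees the seed itself."""

    def __init__(self, anchor, count):
        self.anchor = anchor
        self.remaining = count

    def login(self, candidate):
        # A captured password fails here: its hash is itself, not the current anchor,
        # and the chain only moves backwards towards the seed.
        if self.remaining == 0 or _h(candidate) != self.anchor:
            return False
        self.anchor = candidate
        self.remaining -= 1
        return True


class OtpClient:
    """Walks the chain backwards: h^(n-1)(seed), then h^(n-2)(seed), ..."""

    def __init__(self, seed, n):
        self.chain = make_chain(seed, n)
        self.next_index = n - 1

    def next_password(self):
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; enrol a fresh seed")
        pw = self.chain[self.next_index]
        self.next_index -= 1
        return pw


def demo():
    """Enrol a client, log in once, replay the sniffed password, then log in again."""
    seed = b"constructed-seed-for-demo-only"  # constructed; a real client would draw random bytes
    n = 5
    client = OtpClient(seed, n)
    server = OtpServer(client.chain[n], n)  # enrolment hands over only h^n(seed)

    first = client.next_password()
    accepted = server.login(first)
    replayed = server.login(first)  # what a sniffer on the network would try
    accepted_again = server.login(client.next_password())
    return accepted, replayed, accepted_again


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The server's record changes after every successful log-in, which is the whole point: stealing the list the server keeps, or the value that crossed the network, yields nothing reusable. The cost the administrators quoted above are pointing at is real, though: the user must carry something (a card, a printed list, or a program) that knows the chain.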
The advisory from CERT described how crackers had used a flaw in the “SENDMAIL” program on computers using the UNIX operating system to gain control of computers. It also said that crackers had set up “Trojan Horses” on computers to compile lists of users’ passwords. A Trojan Horse is a program inserted into a computer by a cracker. The program looks innocuous but can cause mischief.
The advisory focused on passwords that may have been gathered using tools like telnet, but many system administrators said they were afraid passwords throughout their systems had been compromised.
The advisory was greeted with derision by a substantial portion of the computer cognoscenti, who discuss computer security on the Internet in USENET newsgroups such as “comp.security.unix.” Some argued that CERT had waited far too long to issue the advisory after reports of problems first began to surface in October (The Chronicle, November 17, 1993). Others said the alert was totally unnecessary. “This is exceedingly far from a new threat,” said one.
Others, however, said CERT’s warning had been needed because the Internet environment had been evolving.
Eugene H. Spafford, associate professor of computer sciences at Purdue University and an expert on security matters, said the problem was almost certainly old news to people who run computers for a living. “They say, ‘Oh, this is obvious, everybody knew this,’ and it turns out the majority don’t have a clue,” Mr. Spafford said.
In recent years, Mr. Spafford said, the share of computers attached to the Internet and administered by computer professionals has declined. Today, a system administrator is most likely a professor or graduate student who performs routine administrative tasks out of necessity and who has little if any background in computer science. Frequently such people are in charge of a dozen or so computers in their department and spend only a small fraction of their time working on computer issues. They don’t see alerts or participate in discussions about security because they never look for them.
Ross E. Bergman, a graduate student in the psychology department at Harvard, is a good example. He’s in charge of a group of department computers. “I’m not paid for administering these machines,” he said. “I do it in my spare time. Somebody in the lab has to do it.”
While Mr. Bergman kept the machines up and running, he did not keep track of bugs that were being found in the software his computers were using -- bugs that were announced on the Internet newsgroups. “It never occurred to me to go looking for a group with security announcements,” he said. “I figured if something happened, somebody would let me know. Unfortunately, I found out after the fact.”
Last month a cracker came in through the network and destroyed data in many of the psychology department’s computers. Although data stored on the department computers are copied on tapes or disks on a regular basis, three weeks had passed since the last copies were made. Researchers were unable to restore nearly a gigabyte of data, close to the amount of information in a full-size encyclopedia.
“I never even heard of CERT until a little while ago,” said Mr. Bergman, who thinks he may represent a sizable portion of the people responsible for computers attached to the Internet. “As powerful computers become more accessible to people who know less about security -- people who just need the computer as a tool -- I think we’re going to run into this problem more and more.”
Officials at CERT defended themselves against charges that they had waited too long to alert Internet users to the problem, and that they had blown the problem out of proportion when the announcement was eventually made.
L. Dain Gary, manager of CERT operations, acknowledged that the techniques used by the crackers had been known for nearly a decade, and that attacks using these methods had been under way since last summer.
Mr. Gary said, however, that CERT had been prompted to act by a sudden and dramatic increase in the number of incidents using the methods in the past few weeks, and by evidence that more than one individual was using the techniques.
Many of the newest crop of invaders were clumsy, leading investigators to conclude that a person or group had assembled and distributed a do-it-yourself kit that would let even a relatively unsophisticated computer user exploit the flaws.
Critics of CERT faulted the organization for practicing “security through obscurity,” meaning that it relies partly on keeping a lid on problems it knows about until computer programmers can come up with repairs. Representatives of CERT acknowledged that they usually know a lot more than they let on, but said they avoid broadcasting information about problems until a repair is available from a computer manufacturer so that the problem is not advertised to crackers.
Opponents of CERT’s policy said such secrecy leaves them vulnerable to attack because it denies them the opportunity to make many repairs on their own. In addition, they said, the crackers already know about the flaws and share information freely with one another.
Purdue’s Mr. Spafford, who worked with CERT on its latest advisory, said he thought CERT could do a better job on some things, such as revealing the names of computer manufacturers that refuse to build patches for defective machines. But in general, he said, he understood the need for withholding some information.
“With some of the vulnerabilities that are discovered, it is clearly damaging to the community as a whole to give too many details about how it can be exploited,” he said, “so sometimes it helps to not disclose all the details right away. Unfortunately, there are some people who don’t understand that, or who believe that their own personal needs outweigh the needs of everybody else.”
Mr. Spafford said, however, that some computer administrators take secrecy too far. Businesses tend to be the least forthcoming, he said, noting that their failure to discuss attacks against them can be “to the detriment” of all Internet users.
Mr. Spafford said he thought it might be good for Internet users to get scared once in a while by things like the latest CERT advisory. “People are rushing to hook up to this National Information Infrastructure with no real clear idea of the implications and the risks of such a system,” he said, in a reference to the national “data highway” that the Clinton Administration wants to see built.
Berkeley’s Mr. McCredie agreed and said the growing pool of Internet users should be made aware of security risks associated with connecting to the network.
“There’s more financial data on here than there’s ever been before,” he said. “And some faculty and department heads are discovering, for example, that e-mail can be read by other people. As these incidents become much more publicized and much more evident, I think it is true that people will re-examine the level of core, security-sensitive business that they conduct on the net.”
But he said the Internet had become such a powerful tool in higher education that it would be difficult for any institution that had used it in any serious way to walk away from it.
“I’m under the impression, and it may be naive, that the security measures that we take on the data that matter -- student records, financial records -- are very strong,” he said. “It is good for people to re-examine what should be on the net. But by and large, we continue to make the tradeoff. While it is true that there’s a certain risk in connecting that stuff to the Internet, we take that risk so that we can do business better.”
* Change passwords as frequently as possible.
* Avoid writing down a password.
* Do not cooperate with anyone who orders you to use a specific password. “Crackers” occasionally call users at random and impersonate administrators of their local computer systems. Report such incidents in person to local system administrators.
* Never include your password in electronic mail unless you are using an encryption program to scramble your messages. Electronic mail can be read by others as it travels through the network.
* Passwords should never be actual words. Crackers can run dictionary programs that try every word in the language until the password is found. (Until recently, some security experts advised that selecting memorable foreign words was relatively safe, but the sophisticated cracker is now armed with dictionaries from a multitude of languages.)
* Do not choose passwords that consist of nicknames, birth dates, names of spouses or children, or other information that might be known to a cracker.
* The passwords that are hardest to crack consist of jumbles of letters, numbers, and punctuation marks. Some punctuation marks, though, should not be used on some systems. One useful strategy for creating memorable passwords involves using the first few letters of each word of a phrase or book title, much like military abbreviations. The password “AMHERDIC” could be made from The American Heritage Dictionary, for example. But don’t build a password out of a phrase that you use to sign your electronic mail.
* Whenever possible, use a telephone and a modem to dial directly into a remote computer rather than using the telnet command through the Internet. The telephone system is much more secure than the Internet.
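The rules in the list above can be turned into a check a system administrator runs when a user picks a new password. What follows is an added example, not code from the article or from CERT: a Python routine that builds the phrase-abbreviation style of password the list recommends (the page's own “AMHERDIC” from The American Heritage Dictionary is the test case) and a checker that flags dictionary words in any language, personal details, a password derived from the user's e-mail signature, a missing mix of character classes, and punctuation marks that some systems cannot accept. The word lists are tiny constructed stand-ins for real system dictionaries, the set of unsafe characters is an assumption, and all names are invented for this example.

```python
import re

# Constructed stand-ins for /usr/share/dict/words and foreign-language word lists.
ENGLISH_WORDS = {"secret", "password", "heritage", "dictionary", "american", "welcome", "summer"}
FOREIGN_WORDS = {"geheim", "contrasena", "tajny", "segreto"}
DICTIONARIES = ENGLISH_WORDS | FOREIGN_WORDS

SKIP_WORDS = {"the", "a", "an", "of"}   # articles dropped when abbreviating a title
UNSAFE_CHARS = set("#@")                # assumption: characters some terminals treat as erase/kill


def phrase_password(phrase, counts, skip=SKIP_WORDS):
    """Take the first `counts[i]` letters of each kept word, e.g. (2, 3, 3) on
    'The American Heritage Dictionary' gives 'AMHERDIC'. An int applies to every word."""
    words = [w for w in re.findall(r"[A-Za-z]+", phrase) if w.lower() not in skip]
    if isinstance(counts, int):
        counts = [counts] * len(words)
    if len(counts) != len(words):
        raise ValueError("need one letter count per kept word")
    return "".join(w[:n] for w, n in zip(words, counts)).upper()


def _signature_abbreviations(signature):
    """Abbreviations (1 to 3 letters per word) a user might build from an e-mail signature.
    Very short results are ignored so that a one-word signature does not flag everything."""
    out = set()
    for n in (1, 2, 3):
        abbr = phrase_password(signature, n, skip=set()).lower()
        if len(abbr) >= 4:
            out.add(abbr)
    return out


def check_password(pw, personal=(), signature="", dictionaries=DICTIONARIES, unsafe=UNSAFE_CHARS):
    """Return a list of rule violations; an empty list means the password passes."""
    issues = []
    low = pw.lower()

    if len(pw) < 8:
        issues.append("shorter than 8 characters")

    # Dictionary rule: strip digits/punctuation so 'Secret1!' is still caught as 'secret'.
    core = re.sub(r"[^a-z]", "", low)
    if core in dictionaries:
        issues.append("dictionary word (any language)")

    # Personal-detail rule: nicknames, birth dates, family names supplied by the caller.
    for item in personal:
        if item and item.lower() in low:
            issues.append(f"contains personal detail {item!r}")

    # Signature rule: reject a password built from the phrase that signs the user's mail.
    if signature and any(abbr in low for abbr in _signature_abbreviations(signature)):
        issues.append("derived from e-mail signature phrase")

    # Mix rule: letters, digits and punctuation together.
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_punct = any(not c.isalnum() for c in pw)
    if not (has_alpha and has_digit and has_punct):
        issues.append("use letters, digits and punctuation together")

    bad = sorted(set(pw) & unsafe)
    if bad:
        issues.append(f"contains characters not accepted on some systems: {''.join(bad)}")

    return issues


if __name__ == "__main__":
    print(phrase_password("The American Heritage Dictionary", (2, 3, 3)))  # AMHERDIC
    print(check_password("Secret1!"))
    print(check_password("Tx7!kp2&Qr", personal=("Rex", "1962")))
```

The checker deliberately reports every violation rather than stopping at the first, which is what a user needs in order to pick something acceptable on the next try. Note that the page's own “AMHERDIC” passes the dictionary and personal-detail rules but is flagged on the mix rule, matching the list's advice that the hardest passwords to crack combine letters, numbers and punctuation.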
An archive of advisories from the Computer Emergency Response Team Coordination Center -- including the latest release, CA-94:01 -- may be obtained using anonymous file-transfer protocol (FTP) to reach CERT.ORG.
The notices are in a directory called: /pub/certadvisories. Current advisories can also be found on the USENET system of bulletin boards under COMP.SECURITY.ANNOUNCE.
CERT can be contacted by writing to CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh 15213-3890. A 24-hour hotline, (412) 268-7090, may be used to report potential problems or to ask for help. CERT’s electronic-mail address is CERT@CERT.ORG.