University Times VOLUME 27 NUMBER 11 FEBRUARY 2, 1995 Copyright (c) 1995, University of Pittsburgh

Latest attack on the Internet yields no casualties here, CIS says

As far as the Office of Computing and Information Services (CIS) is aware, no attacks have been made upon Pitt's computer network using the "Internet protocol spoofing" (IP spoofing) or the "terminal hijacking" methods discussed in an advisory issued last week by the federal Computer Emergency Response Team (CERT). Concerns about intruders attacking Pitt's Internet computer network, and the machines attached to it, through IP spoofing or terminal hijacking have surfaced at the University since an article on the method appeared in the Jan. 23 issue of The New York Times. According to Mike Bright, data security officer for CIS's Administrative Information Systems, the type of attack mentioned in the CERT advisory involves the UNIX system. Numerous computer users at Pitt employ UNIX, so their computers could be vulnerable to an attack using IP spoofing or terminal hijacking. Administrative computers at Pitt, however, do not use UNIX, so they are not vulnerable to such attacks, according to Bright. "Not that those [administrative] systems we use are perfect from a security standpoint," he says. "They have their own set of flaws, but UNIX is such a popular system that it receives more than its fair share of attacks." According to Bright, CERT releases advisories on security issues once or twice a month. "There is nothing particularly new or exciting about this individual advisory," he adds. "It is just that somebody at The New York Times picked up on it and did a front page story." In fact, according to a Jan. 25 CIS advisory issued in the wake of the CERT advisory, IP spoofing is not really a new way for intruders to attack a computer network. The method has been discussed in academic papers since 1985.
It involves using false return addresses to contact victim computers, which recognize the stolen address as a trusted contact. As explained in The New York Times article, the Internet works by breaking computer messages into groups of digital packets of data, each of which has an electronic envelope that provides addressing information used by special network computers, known as routers, that deliver the data. IP spoofing makes use of a flaw in the design of the network to fool router computers into believing that a message is coming from a trusted source such as a member of the University community with a CIS account. By masquerading as a familiar computer, an intruder can gain access to a protected computer network. According to Jeff Carpenter, systems analyst in Systems and Networks, the IP spoofing and terminal hijacking advisory was issued by CERT because it had noticed a pattern of incidents involving the method at different sites on the Internet. A follow-up article in the Jan. 28 issue of The New York Times reports that there have been at least five known victims of IP spoofing or terminal hijacking since late December. As of October 1994, according to CIS's Carpenter, the Internet is connected to more than 3.9 million hosts and 56,000 domains such as universities, businesses and government agencies around the world, which means the break-ins have been very, very few compared to the number of computers connected to the network. Universities that have been victimized so far, The New York Times noted in its Jan. 28 story, include Loyola University of Chicago, the University of Rochester and Drexel University. The attacks started on Christmas Day when hackers broke into a home computer owned by a computational physicist, a renowned expert in computer network security, who is employed by the San Diego Supercomputer Center. 
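The following Python is an added illustration, not code from the article or from CIS. It parses the IPv4 "envelope" described above to show that nothing in it authenticates the source address, and it applies the border filtering rule that defeats the simplest form of this masquerade: a packet arriving from outside the campus cannot legitimately carry a campus source address, so it is dropped, and a packet leaving campus must carry one. The campus prefix 192.0.2.0/24, the interface names and the sample headers are assumptions constructed for the example.

```python
import struct
import ipaddress

# Constructed campus prefix for this example (an assumption, not a real allocation).
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")

# Layout of the fixed 20-byte IPv4 header: version/IHL, TOS, total length,
# identification, flags/fragment offset, TTL, protocol, checksum, source, destination.
IPV4_FMT = "!BBHHHBBH4s4s"


def parse_ipv4_header(pkt: bytes):
    """Return (src, dst) from the IPv4 header, the addressing 'envelope' routers read.
    The source field is a plain 4-byte value: a router cannot tell a forged one from a real one."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, _frag, _ttl, _proto, _csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ipaddress.ip_address(src), ipaddress.ip_address(dst)


def ingress_verdict(iface: str, pkt: bytes) -> str:
    """Border-router rule (constructed interface names 'external' and 'internal').
    Outside-in traffic claiming a campus source is a spoof by definition and is dropped;
    inside-out traffic with a non-campus source is dropped so campus hosts cannot be used
    as a launching point against other sites."""
    src, _dst = parse_ipv4_header(pkt)
    is_campus = src in CAMPUS_NET
    if iface == "external" and is_campus:
        return "drop: campus source address arriving from outside"
    if iface == "internal" and not is_campus:
        return "drop: non-campus source address leaving campus"
    return "accept"


def make_header(src: str, dst: str) -> bytes:
    """Build a minimal constructed IPv4 header for exercising the filter (checksum left zero)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


if __name__ == "__main__":
    # A packet from outside whose envelope claims a campus source: the router drops it.
    print(ingress_verdict("external", make_header("192.0.2.10", "192.0.2.20")))
    # Ordinary inbound traffic from a genuinely external address is accepted.
    print(ingress_verdict("external", make_header("198.51.100.7", "192.0.2.20")))
```

The rule only works at the border of a network whose address range is known; trust that is granted on the basis of a source address alone, as the article describes, still has to be replaced by real authentication on the hosts themselves.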
"They [the IP spoofing and terminal hijacking attacks] are actually part of a bigger problem involving the security of machines connected to the Internet as a whole," says Carpenter. "This specific incident does not dramatically change that situation. It has been an ongoing problem for years." When the Internet began in the 1970s, it involved a small group of friends who wanted to share information by computer. Since the people using the system were known to each other, there was no need for security. Consequently, the Internet developed with little or no consideration for security. Carpenter says security has only become a real issue on the Internet over the past five years as more and more people join the network. The Internet is currently doubling in size each year. IP spoofing and terminal hijacking are "fairly sophisticated attacks on the Internet system," according to Bright. Even though they have been known for 10 years, they have never been widely used because they are complicated. "There are a lot easier ways to break into people's computers than IP spoofing," says Bright. "You can just walk down the halls and look for the little yellow, sticky pieces of paper hanging on their computers with their password on it, and then log in." In terms of security, Carpenter says the most important thing University users can do to ensure that their computer is not compromised is to keep their password confidential. Still, both Bright and Carpenter say, CIS takes all threats to Pitt's computer network seriously and has issued its own advisory (see accompanying story on this page) detailing actions members of the University community can take to counter IP spoofing and terminal hijacking, and increase the security of their computers. "In order for the hijacking to occur as is described in the CERT advisory, your machine has to have been compromised [electronically accessed by an intruder] to begin with," Carpenter says. "That's what the real problem is for the user.
Once a machine is compromised, a large number of dangerous problems can occur and the hijacking is just one of those problems." Files in a computer that has been compromised can be revealed, erased, stolen, altered and tampered with in numerous ways. According to Carpenter, how a computer site fares as far as security is concerned depends upon the experience of the people helping management and the users. He says there are cases in individual departments at Pitt where computers have been compromised, and in most instances that happened because departments didn't follow the procedures listed in CIS advisories. Bright warns, though, that users should be careful not to make the mistake of thinking that simply because they have the correct software and have followed recommended procedures their computer will be secure. The only completely secure computer is one that is not connected to a network and never turned on. "Security is a pervasive concept," Bright explains. "It is not just a piece of software in a machine. It's the machine's hardware, the software in it. It's the protocols, the way a machine is used. It's the people who are using the machine, how well do they protect their passwords, the administrative procedures, the physical security of a machine." Besides protecting passwords, among the most important things departments and users can do to make sure their computers are secure is to keep operating versions of software up to date, install security patches [software updates, provided by software vendors, which are designed to help block intruders], and configure [install patches and set the proper parameters for the software being used] their machines in such a way as to make them more difficult to compromise (see accompanying story on page 4 for details on security patches and configuration).
"If an individual user has a machine that has a vulnerability [that has been accessed by an intruder], no matter what level of network security we provide, they are going to have a possible exposure that can be exploited," Carpenter says. Every time an advisory is issued by CERT, CIS evaluates the University's exposure and puts out its own advisory with information relevant to Pitt. Such advisories currently are available on the World Wide Web at http://www.pitt.edu/HOME/Security/Security-Home.html. Members of the University community who feel their computer might have been compromised by someone using IP spoofing or terminal hijacking should contact the CIS helpline at 624-8888 or cis-helpline+@pitt.edu. Computer users at the University also can electronically subscribe to the CIS advisory mailing list by sending a request to security-advisory-request+@pitt.edu. Advisories can be found, too, in the USENET newsgroup pitt.announce.security. Previous CIS advisories are available for anonymous ftp at ftp://ftp.pitt.edu/info/security/pitt-advisories. CERT, which is headquartered at Carnegie Mellon University's Software Engineering Institute, was formed by the Department of Defense in 1988 after the "Morris Worm" incident, when a graduate student at Cornell University released a "worm" onto the Internet that utilized weaknesses in UNIX security to gain access to multiple machines. Concerning computer security as a whole at Pitt, Bright says the fact the University created his position of data security officer eight months ago is an indication that Pitt is serious about computer security. So far, Bright says he is very pleased with what he has seen of Pitt's computer security system. But, at the same time, he cautions: "People want to use machines to share information, to be able to do useful work, and the only truly secure machine is one that you can't log on and can't do anything with. Any time you back off of that you have potential holes. 
So, are we perfect here at Pitt? No. Are we exposed in various areas? Yes. But we've taken very reasonable business precautions based on risk factors and reasonable cost to keep things safe." --Mike Sajna