Stanford Investigates Theft of Passwords

Computer specialists at Stanford University, stung by the theft of 5,000 passwords, are investigating Internet service providers in Canada and Sweden for connections to the hacker attack.

Most of the stolen passwords were from student accounts, said Stephen Hansen, the campus computer security officer. The theft, discovered last week, occurred between Oct. 11 and Oct. 26. The hackers logged on through Internet service providers in Sweden and Canada, although they may have been based in other countries.

Hansen declined to name the providers for fear of jeopardizing the investigation. The information collected will be turned over to the FBI, which is aware of the incident but has not launched an investigation, Hansen said.

The hackers were apparently able to break into the university system because a new security program had been improperly installed on about 5% of Stanford’s computers. The hackers planted a “sniffer” program that detects when people are logging on and saves their passwords into a file. The breach was discovered by a system administrator.

“We thought we were secure,” Hansen said. “We followed all the best procedures, but we forgot about human error.”

System administrators have sent e-mails to the 5,000 violated users, advising them to change passwords on their accounts. Almost all did so within two days, and only about 200 accounts had to be frozen.

Hansen said the hackers did not use any of the passwords. He added that Chelsea Clinton, daughter of the president and a student at Stanford, uses her own e-mail account with special security features.

“Most students didn’t think it was such a big deal,” said Jim Peng, a student computer consultant.

Hansen said he didn’t know what motivated the hackers, although he suspects that they intended to hand out the accounts to other users. Within hacker culture, dispensing stolen accounts endows a cyberspace cowboy with instant status. The accounts are usually given to people who want to foist pirated software or stage a hostile takeover of Internet chat channels, starting what Hansen calls a cyberspace “turf war” between virtual gangs.

Since last December, Stanford has been encouraging its students to install a free software package called Kerberos, which increases security on passwords. Those who used it were protected from the recent attack.

Now officials will probably work faster to require all students to install it, Hansen said. Technicians are also regularly making security checks.

High-profile universities like Stanford are relatively attractive targets for hackers. Hansen said he sometimes sees up to 10 account invasions per month. But the latest break-in was the largest password theft in campus history.

Even so, it was small compared to a recent incident in which a hacker harvested about 48,000 passwords by breaking into accounts at UC Berkeley and other campuses around the world.

Berkeley administrators discovered in June that the hacker had broken into campus systems through a math department computer. Like the Stanford incident, the hacker had accessed the Internet through a Swedish Internet provider.

Hansen said he doesn’t know of any connection between the two break-ins, and the FBI is still investigating the Berkeley violation. There is typically a break-in per day into one of the 36,000 Berkeley computer accounts, said Jack McCredie, associate vice chancellor for information systems and technology.

“Universities are an attractive target because they’re a very open environment,” McCredie said. “It’s an ongoing problem, but it’s one of those unintended consequences of the cyber age.”