Hackers Target University Databases
Dave Dittrich is not happy: A software pirate has hacked into computers at the University of Washington and installed a file-sharing program on one machine.
It means one-stop shopping for stolen software and plenty of headaches for Dittrich, the university’s computer security expert.
Lawyers for the software publisher are sending threatening e-mails, and Dittrich must clean up the mess. The lawyers do not worry him. Getting outgunned again by the hackers--that bugs him a lot.
“The tools these days for intrusions are pretty much automatic,” Dittrich said. “A system can be fully compromised in about a minute.”
It’s becoming more prevalent for novice hackers to hone their skills amid a higher education culture known for lax security and free exchange of ideas.
“They’re good practice grounds because their vulnerabilities are usually pervasive and their monitoring is usually woefully inaccurate,” said Richard Power, editorial director at the Computer Security Institute. “It’s kind of like hacking with training wheels.”
University computer systems also attract experienced hackers. Huge hard drives make it easy to store illicit software, and fast Internet access affords the perfect staging ground for devastating attacks on corporate Web sites.
Larger universities also offer other enticements.
“There’s a lot of sensitive information that can be gleaned from a university that’s not classified in any way,” Power said. “You couldn’t get it with a frontal attack on a military weapons lab research facility. But you may get it indirectly by going through university research labs.”
For the hacker looking to get a credit card in another person’s name, there is plenty to glean from university student databases.
“A lot of universities use your Social Security number to track you in their databases,” he said.
Many security attacks on companies are first tried on universities, where hackers can practice in relative anonymity. One example was the February 2000 assaults on eBay, CNN.com and other Web sites. Hacked university computers --and many others--were used to send an overwhelming number of messages to the Web sites, making them inaccessible to customers.
The tool used in that attack was “tested and developed on university networks [and] aimed at university systems,” Dittrich said.
Among the prime targets are universities with world-class computer science programs, such as Purdue and Stanford.
“The university computing center is very strapped for resources, and most of the groups are on their own,” said Steve Hare, managing director of Purdue’s computer security research group. “You have some good groups that have high security awareness, and some others that are just barely getting by and get hacked frequently.”
David Brumley, a member of Stanford’s computer security team, said hackers break into one of the school’s computers each day, on average.
“We might have a slow week, then turn up with 20,” he said.
Joel de la Garza, a security investigator with Securify in Silicon Valley, said universities cannot lock down their computers in the same way a company could.
“Universities are in an interesting position because they typically have to provide an academic research network. They want to maintain a marketplace of ideas in digital form,” de la Garza said. “The attackers know this.”
In the past two years, as computer attacks have become more of a problem, more universities have taken steps to counter the threat, de la Garza said.
Compromised college computers have become a form of hacker currency in a “digital black market.”
In chat rooms, hackers will trade “.edu” university computers--a reference to the last three letters of their Internet address--for “.mil” addresses denoting hacked U.S. military computers.
“Most people will give a lot of ‘.edu’s for ‘.mil’s,” de la Garza said. “But a lot of kids are getting smarter and not wanting to get the ‘.mil’s because you’ll get raided. A university will tolerate certain things. The military doesn’t.”
