Supercomputer hacks highlight ed security challenge

Openness vs. protection issues arise

BOSTON - The recent intrusions on supercomputers at leading U.S. research universities highlight a growing problem: college campuses struggling to maintain academic openness while protecting staff and students from Internet-borne viruses and malicious hackers.

Schools are being pinched by a steady stream of worms and viruses, tough federal information-privacy regulations and lawsuits targeting student file swappers. In response, colleges are investing in a wide range of security technology and looking at ways to lock down campus networks, all without stifling students and faculty, according to interviews with leading information technology staff at a number of universities.

With large, heterogeneous networks and a diverse user population of students, faculty and staff, colleges and universities have become rich targets in recent years for malicious hackers, viruses and worms, according to one IT security expert. "Universities are an extreme example of what businesses are facing," said John Bingham, president of Intrusic Inc., a security technology company in Waltham, Massachusetts.

According to a security advisory released by Stanford University on April 10, attackers hijacked user names and passwords for multiuser Linux and Solaris machines, often by sniffing information when users connected to those machines from other compromised systems. Attackers also took advantage of shared folders, which were loosely secured by the universities to make it easier to manage systems and share data processing tasks between machines, the advisory said.

Many campus networks are designed to serve as Internet service providers, facilitating access for users, rather than protecting information assets, like more closed and segmented corporate networks, Bingham said.

That is a problem that IT staff at Boston College (BC) are weighing, according to David Escalante, director of computer policy and security at the college in Chestnut Hill, Massachusetts. "Our current network is architected ... to pass information from A to B as quickly and efficiently as possible -- from student to student, or faculty to student, to the Internet, wherever," he said. Unfortunately, that architecture also amplifies the effects of malicious network activity caused by worms and viruses, he said.

Wayne State University faced a similar problem on September 11, 2003, when six compromised machines on the campus network launched a coordinated denial of service (DoS) attack that flooded the campus network with traffic and prevented communication to or from the university, said Patrick Gossman, director for academic technologies at the Detroit, Michigan university.

IT administrators had to shut down entire parts of the campus network and work for more than a week to recover from the attack. IT staff at the university don't know how the DoS programs got installed on the campus network. And, despite an official investigation from the U.S. Federal Bureau of Investigation, university officials still don't know who was responsible for the attack, Gossman said.

Part of the challenge faced by universities comes from a new generation of mobile and tech-savvy students, according to administrators. "You've got people bringing laptop computers that are infected on campus, and it's hard to detect those unless something goes wrong," Gossman said.

BC is encouraging students to move to portable laptop computers, which can be carried back home over break and during summer recess, Escalante said. Unfortunately, that mobility also increases the machines' exposure to Internet threats, through unprotected home Internet connections, Escalante said. "Students are leaving and coming back to campus six times a year for a week or more and we don't know what their computers are doing when they're gone," he said.

At the same time, institutions like BC have been reluctant to use network firewalls to block malicious traffic, fearing that such products would also prevent legitimate activities and research by other members of the university community, Escalante said. "People at research institutions want to be able to do whatever they need to in order to complete their research. There's a historical attitude on the part of higher education and higher ed networking to support that," he said.

To combat malicious activity without squelching other network traffic, IT staff at BC are putting tougher demands on students to clean up compromised machines, and have begun using home-grown tools to quarantine infected systems and prevent them from accessing the rest of the campus network, he said.

"We used to say 'You've got a problem with you computer, please do something about it.' Now we're saying "You've got a problem, do something about it or your computer will stop working,'" Escalante said.

BC is also considering deploying intrusion prevention systems (IPS), such as those made by Top Layer Networks Inc. and Foundry Networks Inc., which can look deep inside network traffic and spot malicious behavior or denial of service attacks, while letting legitimate traffic through. "We're hopeful that (IPS) will block things we know are bad, but not everything else in the world, so people can continue to do research," he said.

A similar balancing act between security and academic freedom has to be struck when dealing with the problem of unsolicited commercial ("spam") e-mail, as well as viruses and worms that often hide in e-mail messages, IT administrators said. The University of Georgia processes around 900,000 incoming e-mail messages each day, frequently flagging more than 60,000 virus-infected messages from that traffic, said Stan Gatewood, chief information security officer at the University in Athens, Georgia.

A complex system of more than 150 separate e-mail servers on campus complicated the job of protecting the University from those inbound threats, he said. The University began using a secure messaging product by Mirapoint Inc. in May, 2003, consolidating three departments on Mirapoint's messaging platform, which provides traditional groupware features like Web-based e-mail access, group calendars, address books and to-do lists with integrated antispam, antivirus and content filtering.

Still, the University is treading carefully as it tries to stem the tide of junk mail and viruses. "One person's junk mail is another person's academic freedom," Gatewood said.

Almost every IT administrator interviewed for this story mentioned the need to manage the demands of different interest groups on campus as a major challenge. "You need to build consensus," said Gatewood. "The adage 'Build it and they will come' doesn't work well in higher ed. There are committees on campus that we need to court, legal and internal auditors to ... check for compliance, an executive management team, a security and ethics committee."

So many competing groups can make it difficult to implement new policies quickly, he said. "In the military, if you have more brass it's done. (In education) you have to run it up the flagpole and see who salutes," he said.

Tight budgets for IT administration and a diversity of users also force colleges and universities to put a premium on security products, such as appliances, that are easy to manage, that can consolidate multiple functions in a single box, and that make provisioning different kinds of users simple, said Robert Mahowald, research manager at IDC.

IT security products for mail and the network perimeter are also helping college campuses address a raft of new privacy laws that affect on-campus activities, as well as persistent legal pressure from the private sector over illegal activity on campus networks, IT administrators said.

"One of my real concerns right now is our ability to keep up with the increasing numbers of state and federal laws that we have to be aware of," said Gossman of Wayne State. "There's a lot you have to do with privacy and confidentiality, and noncompliance carries with it liability."

Colleges and universities have long had to contend with the Family Educational Rights and Privacy Act of 1974. Today, they are also wrestling with the implications of new laws such as the Health Information Privacy and Accountability Act of 1996, which governs student, faculty and employee health information, and the Gramm-Leach-Bliley Act of 1999, Gatewood said.

IT staff at Wayne State are addressing those regulatory issues and also fielding around six complaints a week from the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) about illegal hosting of copyrighted material on the university's network, Gossman said.

The combination of legal, regulatory and security pressures facing college and university networks is forcing many institutions to turn to many of the same technologies that corporations have long used to protect their network assets.

In recent years, Wayne State has deployed a network firewall by NetScreen Technologies Inc. and intrusion detection system (IDS) technology to spot threats in inbound network traffic. IT staff are also scanning within the university network to spot open communications ports on systems that may pose security risks or signal compromise, Gossman said.

"If we didn't have IDS to stop the port scanning and a firewall, we'd have a lot more problems than we have today," he said.

The University of Georgia is also using IDS at the network perimeter and, like BC, is looking at IPS technology. Administrators have also deployed desktop firewalls and antivirus protection, Gatewood said.

To squelch illegal downloads of copyrighted materials and preserve campus network bandwidth, many colleges and universities, including BC and Wayne State, use so-called "packet shaping" technologies that cap the amount of bandwidth students can use during certain hours.

To make it easier to control virus and worm outbreaks within the campus networks, many colleges and universities are also segregating student dorms onto "untrusted" residential networks that are distinct from the "trusted" campus network containing critical administrative systems, Escalante said.

Despite the growing pressure on campus networks, most IT administrators interviewed for this article said that there has been a sea change in thinking about IT security in recent years.

"Just the fact that (colleges and universities) accept IT security is a big deal. I remember a time when it was not accepted or wanted or needed. Now it's received with open arms," Gatewood said.

Copyright © 2004 IDG Communications, Inc.
