Page Two

By Dennis Fisher  |  Posted 2004-04-26

The flaws through which the attackers gained access to the Stanford machines have been public for some time, with patches available for all the flaws.

After gaining access to an unprivileged account on a given machine, the attackers exploited one of several operating-system-level vulnerabilities to escalate their privileges to root, according to an analysis of the incidents posted on Stanford University's Web site. From there, the attackers typically installed a root kit on the compromised host and set up the machine for future intrusions by adding their own key to the list of valid keys for Secure Shell, a tool used to establish secure sessions for remote administration.
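The persistence step described above leaves a trace on disk: an extra entry in an account's authorized_keys file. As an added example (not code from the article, Stanford or SDSC), the script below parses authorized_keys lines, fingerprints each key the way OpenSSH does (SHA256 over the decoded blob), and reports any key that is not in an administrator-maintained baseline, plus any malformed line. The sample file, the keys and the baseline are all constructed; in practice the baseline would come from configuration management and the script would be run over every account's file, including root's.

```python
"""Audit SSH authorized_keys entries against a known-good baseline.

Added example, not from the article. The key material below is
constructed and is not a real SSH key.
"""
import base64
import binascii
import hashlib

# Key types OpenSSH accepts in authorized_keys (the token that ends the
# optional options field and starts the key itself).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(b64_key):
    """OpenSSH-style 'SHA256:...' fingerprint of a base64 key blob.

    Returns None when the blob is not valid base64, so callers can flag
    the line instead of crashing on a corrupted or tampered entry.
    """
    try:
        blob = base64.b64decode(b64_key, validate=True)
    except (binascii.Error, ValueError):
        return None
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Split authorized_keys text into entries: options, type, fingerprint, comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # The first token that is a key type marks the end of the options field.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "valid": False, "raw": line})
            continue
        entries.append({
            "line": lineno,
            "valid": True,
            # Options are re-joined with single spaces; quoted values such as
            # command="..." survive because shlex-style quoting is not removed.
            "options": " ".join(tokens[:idx]),
            "type": tokens[idx],
            "fingerprint": fingerprint(tokens[idx + 1]),
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def audit(text, baseline):
    """Return (line number, reason) for every entry that is malformed or unknown."""
    findings = []
    for e in parse_authorized_keys(text):
        if not e["valid"] or e["fingerprint"] is None:
            findings.append((e["line"], "malformed entry"))
        elif e["fingerprint"] not in baseline:
            findings.append((e["line"], f"unknown key {e['type']} {e['comment']!r}"))
    return findings


# Constructed sample data: these are not real keys.
KEY_A = base64.b64encode(b"constructed key A").decode()
KEY_B = base64.b64encode(b"constructed key B").decode()
KEY_C = base64.b64encode(b"constructed key C, not in baseline").decode()

SAMPLE = (
    "# constructed sample file, not real keys\n"
    f"ssh-ed25519 {KEY_A} admin@workstation\n"
    f'from="10.0.0.0/8" ssh-rsa {KEY_B} backup@ops\n'
    f'command="/usr/bin/uptime",no-pty ssh-ed25519 {KEY_C} ops\n'
    "ssh-rsa not-base64!! junk\n"
)

# Baseline of approved fingerprints; KEY_C is deliberately absent.
BASELINE = {fingerprint(KEY_A), fingerprint(KEY_B)}

if __name__ == "__main__":
    for line, reason in audit(SAMPLE, BASELINE):
        print(f"line {line}: {reason}")
```

Running the block reports line 4 (a key nobody approved) and line 5 (a line that is not a valid key at all); a clean file produces no output, which makes the script suitable for a periodic check that alerts only on change.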

The attackers compromised machines at Stanford; the National Supercomputing Center for Energy and the Environment, in Las Vegas; the San Diego Supercomputer Center; and some locations of the TeraGrid, a distributed network of supercomputing centers. Stanford and SDSC officials said they detected the compromises quickly, and there was no permanent damage.

But, just as in Stoll's story, unsuspecting users and poor security practices appear to be at the heart of the supercomputing center break-ins.

"It's just déjà vu. They start with a password compromise, which leads to a password attack, then root, then a root kit and so on," said Mark Rasch, chief security counsel at Solutionary Inc., based in Omaha, Neb., and a former United States attorney who prosecuted the Hannover Hackers. "These are sophisticated users who should know better. The silicon is fine. It's the carbon we have to deal with," Rasch said.

The recent attacks caused some affected facilities to shut down several machines and conduct laborious investigations and cleanup procedures. Afterward, SDSC security personnel pored over the SDSC user database, seeking accounts with weak, easily guessable passwords. Those users were required to change their passwords. That's a good policy, Rasch said, but it's on the late side.

"All of these countermeasures are very effective ways of closing the barn door now that the horse is out," Rasch said. "If this guy is smart, he was creating accounts that aren't root, that they haven't found yet. This could just be preparatory activity."
