To veterans of the security world, or of the high-tech industry in general, the pattern of attacks likely sounds eerily familiar. It is a near-identical copy of the tactics used by the Hannover Hackers of West Germany, who broke into Unix machines at Lawrence Berkeley Laboratory and several other university and military facilities in 1986.
Cliff Stoll, who tracked the intruders for months as a volunteer system administrator at the Berkeley lab—eventually bringing in the FBI and the CIA—chronicled his adventures in a book, "The Cuckoo's Egg."
Now it's all being played out again, nearly two decades later. After years of advances in security technology and techniques, well-trained professionals still have a difficult time defending their networks from the unwanted attentions of determined crackers. Stoll's story had all of the Cold War intrigue of a John le Carré novel, ending in the discovery of a German spy ring and the conviction of six people. It's unlikely this most recent episode has similar roots, but the lessons are the same.
In fact, the intrusions at Stanford University were discovered through virtually the same means that Stoll used to hunt the lab crackers: failed log-on attempts and systems running slower than normal.
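The first of those two signals, failed log-on attempts, is something a defender can pull out of ordinary sshd syslog output. The script below is an added example, not part of the original article and not from Stanford's analysis; it parses a handful of constructed sshd lines (the hosts, users and addresses are invented) and flags a source that racks up repeated failures across several accounts in a short window, with a separate flag when that same source later logs in successfully, which is the password-guessing-then-success sequence the article describes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd syslog lines (invented hosts, users and addresses;
# the message format follows OpenSSH's "Failed password" / "Accepted ..." lines).
SAMPLE_AUTH_LOG = """\
May 12 02:14:01 hpc-login1 sshd[4131]: Failed password for alice from 203.0.113.7 port 51122 ssh2
May 12 02:14:03 hpc-login1 sshd[4131]: Failed password for alice from 203.0.113.7 port 51122 ssh2
May 12 02:14:06 hpc-login1 sshd[4133]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
May 12 02:14:09 hpc-login1 sshd[4135]: Failed password for invalid user test from 203.0.113.7 port 51134 ssh2
May 12 02:14:15 hpc-login1 sshd[4137]: Failed password for root from 203.0.113.7 port 51140 ssh2
May 12 02:14:20 hpc-login1 sshd[4139]: Accepted password for alice from 203.0.113.7 port 51150 ssh2
May 12 02:30:00 hpc-login1 sshd[4200]: Failed password for bob from 198.51.100.4 port 40001 ssh2
May 12 02:31:00 hpc-login1 sshd[4202]: Accepted publickey for bob from 198.51.100.4 port 40002 ssh2
"""

# Matches both failed and accepted authentications; "invalid user" is optional.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(lines):
    """Turn raw syslog lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; strptime fills in 1900, which is fine
        # for computing differences within one log.
        ts = datetime.strptime(m.group("ts").replace("  ", " "), "%b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m.group("result") == "Accepted",
                       "user": m.group("user"), "ip": m.group("ip")})
    return events


def find_bruteforce(events, threshold=4, window_seconds=300):
    """Flag source IPs with >= threshold failures inside window_seconds.

    Returns {ip: {"failures": n, "users": [...], "succeeded_after": bool}}.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        if len(fails) < threshold:
            continue
        # Sliding window over the sorted failure timestamps.
        burst = any(
            (fails[i + threshold - 1]["ts"] - fails[i]["ts"]).total_seconds() <= window_seconds
            for i in range(len(fails) - threshold + 1)
        )
        if not burst:
            continue
        last_fail = fails[-1]["ts"]
        # A success from the same source after the failures is the worrying case.
        succeeded_after = any(e["ok"] and e["ts"] > last_fail for e in evs)
        alerts[ip] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "succeeded_after": succeeded_after,
        }
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_sshd(SAMPLE_AUTH_LOG.splitlines())).items():
        print(f"{ip}: {info['failures']} failures against {info['users']}, "
              f"success afterwards: {info['succeeded_after']}")
```

The threshold and window are deliberately parameters: on a login node shared by hundreds of users a handful of typos per hour is normal, so tune them against a week of your own logs before alerting on the output. Feeding real logs means reading `/var/log/auth.log` or `journalctl -u ssh` output into `parse_sshd` instead of the constructed string.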
The most recent attacks, which occurred over an indeterminate period of time this spring and involve dozens of machines at several high-performance computing centers, took advantage of a handful of known vulnerabilities in Solaris and Linux and provided the intruders with full access to the virtually unlimited computing resources these centers possess. There was nothing innovative or even remotely original about the methodology of the attacker, who began by using perhaps the oldest of cracking techniques: password sniffing.
After gaining access to an unprivileged account on a given machine, the attacker exploited one of several OS-level vulnerabilities to escalate his privileges to root, according to an analysis of the incidents posted on the Web site of Stanford University, one of the victim institutions.
From there, the attacker typically installs a rootkit on the compromised host and goes about setting up the machine for future intrusions by adding his own key to the list of valid keys for SSH, a tool used to establish secure sessions for remote administration.
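The persistence step, an extra entry in a user's (or root's) SSH authorized_keys file, is cheap to catch if you keep a baseline. The following is an added example, not code from the original article or from any of the affected centers: it fingerprints each key the way `ssh-keygen -l` does (SHA-256 over the decoded key blob) and reports entries that appeared or disappeared relative to a baseline. The sample authorized_keys contents are constructed, and the ssh-ed25519 blobs in them are built from hashed seed strings so they have the right shape for parsing; they are not real key pairs.

```python
import base64
import hashlib
import struct

# Prefixes of the key types OpenSSH accepts in authorized_keys.
KEY_TYPE_PREFIXES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-")


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_line(seed: str, comment: str = "", options: str = "") -> str:
    """Build a syntactically valid ssh-ed25519 line from a CONSTRUCTED 32-byte value.

    The 32 bytes are a hash of the seed, not a real public key; only the
    wire format matters for this example.
    """
    fake_pub = hashlib.sha256(seed.encode()).digest()
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(fake_pub)
    line = f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".rstrip()
    return f"{options} {line}" if options else line


def fingerprint(blob: bytes) -> str:
    """Same format ssh-keygen -l prints: SHA256:<unpadded base64 of sha256(blob)>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Parse '[options] keytype base64 [comment]' lines into dicts keyed by fingerprint."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # First token that looks like a key type; anything before it is options.
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line; sshd would reject it too
        blob = base64.b64decode(tokens[idx + 1])
        entries.append({
            "fingerprint": fingerprint(blob),
            "type": tokens[idx],
            "options": " ".join(tokens[:idx]),
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def diff_authorized_keys(baseline_text: str, current_text: str):
    """Report keys present now but not in the baseline, and vice versa."""
    base = {e["fingerprint"]: e for e in parse_authorized_keys(baseline_text)}
    cur = {e["fingerprint"]: e for e in parse_authorized_keys(current_text)}
    return {
        "added": [cur[fp] for fp in cur if fp not in base],
        "removed": [base[fp] for fp in base if fp not in cur],
    }


# Constructed baseline: two keys the owner is known to use.
BASELINE = "\n".join([
    "# alice's keys (constructed sample)",
    constructed_ed25519_line("alice-workstation", "alice@workstation"),
    constructed_ed25519_line("alice-laptop", "alice@laptop", options='from="10.0.0.0/8",no-pty'),
])

# Constructed current file: same two keys plus one nobody added on purpose.
CURRENT = BASELINE + "\n" + constructed_ed25519_line("unknown-key")

if __name__ == "__main__":
    report = diff_authorized_keys(BASELINE, CURRENT)
    for e in report["added"]:
        print(f"ADDED   {e['fingerprint']} {e['type']} comment={e['comment']!r}")
    for e in report["removed"]:
        print(f"REMOVED {e['fingerprint']} {e['type']} comment={e['comment']!r}")
```

Comparing by fingerprint rather than by raw line means a harmlessly edited comment or reordered file does not raise an alert, while a new key does even if it copies an existing comment. In practice the baseline would be captured at provisioning time and stored somewhere the host cannot rewrite, since a rootkit on the same machine can edit any local copy.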
The attacker was able to parlay his success and compromise machines at Stanford, the National Supercomputing Center, the San Diego Supercomputer Center and some locations of the TeraGrid, a distributed network of supercomputing centers. Officials at Stanford and SDSC said they detected the compromises quickly and that no permanent damage was done.
But just as in Stoll's story, unsuspecting users and poor security practices appear to be at the heart of the supercomputing center break-ins.
"It's just déjà vu. It's the same thing. They start with a password compromise, which leads to a password attack, then root, then a rootkit and so on," said Mark Rasch, chief security counsel at Omaha, Neb.-based Solutionary Inc. and a former U.S. Attorney who prosecuted the Hannover Hackers. "These are sophisticated users who should know better. The silicon is fine. It's the carbon we have to deal with."