If the recent compromises of Unix and Linux machines at supercomputing centers and research universities around the country do nothing else, they should prove once and for all that there is nothing new under the sun.
To security world veterans, the pattern of attacks likely sounds eerily familiar. It is nearly identical to the methods and tactics used by the “Hannover Hackers,” who broke into Unix machines at the Lawrence Berkeley National Laboratory in Berkeley, Calif., and several other universities and military facilities in 1986. Cliff Stoll, then a volunteer system administrator at the Berkeley lab, tracked the intruders for months, eventually bringing in the FBI and CIA, and chronicled his adventures in a book, “The Cuckoos Egg: Tracking a Spy Through the Maze of Computer Espionage.”
Now its all being played out again, 15 years later. After years of advances in security technology and techniques, well-trained professionals still have a difficult time defending their networks from the unwanted attentions of determined crackers. Stolls story had the Cold War intrigue of a John le Carré novel, ending in the discovery of a German spy ring and the conviction of six people. Its unlikely this latest episode has similar roots, but the lessons are the same.
In fact, intrusions at Stanford University were discovered through virtually the same means that Stoll used to hunt the Lawrence Berkeley Lab crackers: failed log-on attempts and systems running slower than usual.
The most recent attacks, which occurred over an indeterminate period this spring and involve dozens of machines at several high-performance computing centers, took advantage of a handful of known vulnerabilities in Solaris and Linux and provided the intruders with full access to the virtually unlimited computing resources these centers possess. There was nothing innovative or even remotely original about the attackers methodology; they began by using the oldest of cracking techniques: password sniffing.
The flaws through which the attackers gained access to the Stanford machines have been public for some time, with patches available for all the flaws.
After gaining access to an unprivileged account on a given machine, the attackers exploited one of several operating-system-level vulnerabilities to escalate their privileges to root, according to an analysis of the incidents posted on Stanford Universitys Web site. From there, the attackers typically install a root kit on the compromised host and set up the machine for future intrusions by adding their own key to the list of valid keys for Secure Shell, a tool used to establish secure sessions for remote administration.
The attackers compromised machines at Stanford; the National Supercomputing Center for Energy and the Environment, in Las Vegas; the San Diego Supercomputer Center; and some locations of the TeraGrid, a distributed network of supercomputing centers. Stanford and SDSC officials said they detected the compromises quickly, and there was no permanent damage.
But, just as in Stolls story, unsuspecting users and poor security practices appear to be at the heart of the supercomputing center break-ins.
“Its just déjà vu. They start with a password compromise, which leads to a password attack, then root, then a root kit and so on,” said Mark Rasch, chief security counsel at Solutionary Inc., based in Omaha, Neb., and a former United States attorney who prosecuted the Hannover Hackers. “These are sophisticated users who should know better. The silicon is fine. Its the carbon we have to deal with,” Rasch said.
The recent attacks caused some affected facilities to shut down several machines and conduct laborious investigations and cleanup procedures. Afterward, SDSC security personnel pored over the SDSC user database, seeking accounts with weak, easily guessable passwords. Those users were required to change their passwords. Thats a good policy, Rasch said, but its on the late side.
“All of these countermeasures are very effective ways of closing the barn door now that the horse is out,” Rasch said. “If this guy is smart, he was creating accounts that arent root, that they havent found yet. This could just be preparatory activity.”
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: