Stanford's Linux Supercomputers Compromised
A sophisticated password sniffing program called 'John the Ripper' is behind the attacks, but officials don't see coordinated effort.
Malicious hackers using sophisticated password-sniffing techniques have compromised multi-user Linux and Solaris computers that run academic supercomputer centers, according to an advisory issued by the Stanford University's IT Systems and Services (ITSS) unit.
Stanford said the unknown attacker (or group) gains access to a machine by cracking or sniffing passwords and uses a variety of exploits to escalate local user accounts to root privileges.
"The attacker appears to be deliberately targeting machines in academic and high performance computing environments, rather than attacking systems indiscriminately," the ITSS said. It urged students to report instances of sluggishness and quality degradation.
Chris Wysopal, vice president of research and development at security firm @Stake, said academic supercomputer networks in the U.S. are common targets for both lone wolf Black Hat hackers and small groups of skilled attackers.
"These high-performance supercomputers are always going to be a target for attackers, because they have great CPU power that they can use to do things like crack passwords and crack crypto," he told internetnews.com. "They have lots of bandwidth, so if they want to do a denial of service attack against some target, they can do it. If you look back four years ago to when Yahoo! and Amazon and eBay were knocked off the Internet, they traced back a lot of the machines that were part of the [distributed denial of service] network to high-performance academic machines."
Stanford's security unit discovered the malicious hacks because users found that the login information had changed or logins from unusual locations. In particular, the university said system administrators should look for multiple failed logins coming from more than one user's ID or coming from outside the research location.
Other signs of server compromises include unexpected errors generated when a computer reboots.
Stanford's ITSS urged users of Solaris or Linux computers ensure systems are running the most recent kernel versions and all security relevant patches.
According to the alert, the attackers use a password decoding application called "John the Ripper" to compromise the systems. "The attacker is knowledgeable about Kerberos as well as other authentication systems, and has been observed running dictionary attacks against Kerberos passwords, as well as local password databases," it added.
In cases where the target machine is running known vulnerable versions of an OS or an application, the attacker is able to "get root." With root privileges, the attacker can replace core utilities and applications on the victim machine, usually with the intention of capturing more usernames and passwords, and making it easier for himself to access the machine at a later time, the school explained.
"Given the sophistication of these attacks, and the difficulty involved in removing rootkits and illicit access mechanisms, we strongly recommend that compromised hosts be taken off line and completely rebuilt, including a fresh install of the operating system and application of all relevant patches."
Wysopal praised the university's security department for putting together such a comprehensive report of the events, saying its a great educational document other administrators should look at to see how these types of attacks happen.
"It drives home the fact that everyone needs to be vigilant about patching, everyone needs to be vigilant about their system configuration and it doesn't matter what operating system you have," he said.
A news report from the Washington Post's online site suggested it was a concerted attack on "as many as 20 institutions" in recent weeks. The report linked networks from the National Center for Atmospheric Research, the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign, the San Diego Supercomputer Center at the University of San Diego, California, and the TeraGrid project operated by the University of Chicago.
Both Wysopal and Mike Higgins, a former operations division director at the Center for Information Systems Security Program (CISSP) and creator of the first Defense-Wide Computer Emergency Response Team (DOD-CERT), think the attacks might be a coincidence, given the attractiveness of high-performance computer networks in general.
"Yes, we have seen slow systematic probing of systems for years now, however we have not seen any link between the reported activity and the systems that we monitor," Higgins said in an email interview. "American universities have historically been a favorite target of hackers."
Higgins said universities could face potential liabilities for any attack launched from an exploited network that disabled online activities such as online banking. Companies in the past have been affected in this way, they just aren't publicized, he said.
"The country as a whole is making progress to properly secure our networks and systems," he said. "For example, [Health Insurance Portability and Accountability Act] and Graham-Leach-Bliley Acts are the policies that lay the foundation for securing America's data. If you were to compare the 'State of the Internet' to the 'State of the Hack,' we are not where we need to be, but we are moving in the right direction."