Hacked!
By Carl Bialik and Ayon Nandi
"There is no [computer] security system at Yale in general."
After his department's Sun workstation computers had been shut down for two weeks because of a security breach, Professor Jeffrey Park, the director of undergraduate studies in geology, had lost confidence in Yale's computer security system.
While students enjoyed spring break, the staff of the geology department raced to rebuild its computer systems and reinstall operating systems after a security breach was discovered in early March. Meanwhile, Information Technology Services (ITS), the controlling authority for Yale's electronic network, had shut down the department's network access. This action left geology professors without vital communication and information tools. Time normally spent on research was wasted as the professors tried to fix the problem.
"A lot of time and effort was diverted into discussing the computer problem and trying to solve it," Professor Jonathan Lees said.
From Yale to the Pentagon?
The security breach that led to the geology department's system-wide shutdown occurred months earlier, "perhaps in November," Lees said. At that time, according to Park, a hacker used the insecure account of Robert Oglesby, GRAD '90, now a professor at Purdue University, to enter the Yale geology department's system. According to Information Security Officer H. Morrow Long, an account is insecure if the password can be easily determined. This can result if the user is seen when typing in the password or if the password can be guessed, either because it is too short, too common, or too personal.
Oglesby was not aware that he still had an active computer account at Yale, let alone whether it was his account that had been hacked into. "I have not used any computer accounts at Yale in at least 4 years so if I still have accounts they are dormant one [sic] of which I am unaware," Oglesby wrote in an email to Yale Herald Online.
The hack seems to have been a preliminary step in a larger attack, and it is likely that Oglesby's account was chosen simply because it was hackable, and not because of his affiliation with Purdue. "We do not know if the Purdue computers were used to invade us or if, once we were invaded, the students account were [sic] then used to invade Purdue," Lees wrote in a recent email. The hacker used the geology department's computer system as a starting point for attacks on computers in Atlanta, Geor. Since he covered his tracks and changed the dates of the files he altered, the exact date of the hacks and the identity of the hacker will be difficult to determine.
It is not unusual for someone to hack into an academic department's system only to break into another system afterward. Long said, "Usually, when an academic machine is broken into, [the hacker] wants to use it as an intermediate machine for later attacks." Those later attacks may be on bigger targets, such as military or company networks.
Indeed, this February, two teenagers allegedly launched a large-scale attack on universities (including Princeton and M.I.T.), and government and military networks, including the Pentagon. Long explained that this attack was different from the current Yale hack in that the former crashed computers but did not infiltrate the targeted systems, which the Yale hacker succeeded in doing.
'Love' is the Answer
It took a little bit of luck, or the whimsical side of the hackers, for that infiltration to be discovered.
Lees, who was in charge of the computers in question, was the first to report the problem. On Valentine's Day, a computer named "love" started acting up. "I thought, 'A computer named 'love' acting up on Valentine's Day... It must be a hacker's idea of a joke,'" Lees said.
Had he not noticed the parallel between the computer's name and the date, Lees said that he probably would not have called the security experts at ITS. He did, however, and ITS security found that the department's network had indeed been compromised.
'Clean it out to keep them out'
[Photo: H. Morrow Long is ITS's lone Information Security officer. Credit: JULIA TIERNAN/YH]
Long would not comment on the specifics of the geology department hack. He did say that when he is contacted about a security breach, he first tries to "gauge the severity of the breach." He then records all information for possible investigations, after which he advises the administrators of the hacked systems to "clean it out to keep them [the hackers] out." In other words, Long advises that computers' hard drives be erased and that all software be reinstalled.
Geology professors said that Long looked over the affected computers and submitted a long list of suggestions to the department. They were advised to update their Unix system, Solaris, with the latest version, which includes patches that should make it un-hackable.
Long had discovered that the geology department's system was susceptible because it was antiquated. It had not been updated with routers, patches, and hardware that would increase its security. So, during the two weeks that geology's computers were shut down, the geology professors brought in an outside consultant who helped them upgrade their computers to newer operating systems. However, the geology department still lacks some of the hardware that it needs to increase security.
Long said that outdated software and hardware, as well as negligence, make many departments susceptible to security breaches. One major source of danger is Internet protocols (programs like telnet, ftp, and finger that allow a computer to be reached from the Internet) that are turned on by default and open the door for hackers to attempt attacks. Long said, "These features are often not set at the most draconian level." Also, older programs tend to be less secure, and Long said that academic departments are not as responsible as they should be about upgrading software frequently. Long also advises hardware additions, especially firewalls, which function like security guards to a network by determining who enters and restricting all traffic to one port of entry.
'We were 'bad, bad, bad'.'
But professors in the geology department said that Long offered many criticisms and not much help.
"Long...suggested many hardware fixes...but ITS has not offered any help to [improve] that situation," Park said. He added that ITS, upon hearing of the security breach, "shut down our IP address [the address by which their computer system is identified on the Internet]...because we were 'bad, bad, bad'."
Professor Lees also expressed disappointment with the help ITS and Yale provided. "I was disturbed by the way Yale handled the problem.... We were not provided with much help. They [Yale, ITS] required the department to do much of the work," he said.
Keeping One Step Ahead
One problem is Yale's lack of computer security manpower. Long is Yale's lone Information Security officer. He said he must rely on other people to cooperate in keeping Yale's network secure. "I always want more people working on security. And they should be doing it more regularly."
Nonetheless, Long does find time to actively defend against future attacks. He goes to hacker websites and reads hacker newsgroups, because it is "better to keep one step ahead of hackers." He then tests the latest hacking method on Yale's computers to ensure that they are secure. He cites as successes Yale's lack of damage in the February attacks on universities and the Pentagon and also Yale's quick response to a hack into some student accounts on Pantheon in October. "All systems in Pantheon are well-maintained and are checked on an almost-daily basis."
Nonetheless, there are and will always be weaknesses in Yale's computer security. Part of the problem, Park said, is that Yale's system is too open. One can access Yale's network from many places in the world, and resources on the network are easily available to all Yale students. However, this leaves room for a hacker to take advantage of the many trap doors that come with this openness.
As Park discovered, a tightening of security can have some negative effects. "After the changes [made after the breach], our systems are less free and open. It's less convenient for students," he said. Lees also mentioned some of the extra work professors now must do in the name of security, such as changing passwords every three months and providing passwords for every resource used.
Long makes a powerful case for professors to make such sacrifices in convenience for added security by citing the great damage that a hack can cause. "Some people think the worst possible thing is having data deleted. But it's much worse if they change a little thing subtly, a few numbers here and there. You may never notice that."