Hack leads point to California universities

Network administrators at the University of California at Santa Barbara confirmed today that one of their computers was used to attack CNN's Web site on Tuesday. Attackers had secretly managed to install software that helped send a barrage of messages that temporarily crippled the news site's servers.

Computers at Stanford and UCLA also were used in the attacks, according to reports. Officials at Stanford confirmed that attackers used an Internet router to send data aimed at Web auction site eBay, the Associated Press reported. There was no indication that anyone at either university was directly involved, only that their equipment was used, according to reports.

"A desktop computer in a research lab at the University of California, Santa Barbara, was electronically broken into by a computer hacker sometime before Tuesday night," the university said in a statement. "The computer was used in a 'denial of service' attack on CNN's Web site. There is no indication that the attack came from anyone in the university."

The UC Santa Barbara network administrator who discovered the intrusion, Kevin Schmidt, is cooperating with federal investigators.

An FBI spokeswoman said no search warrants have been issued for any computers that may have been used in the attacks. The agency still is interviewing companies whose Web sites were targeted. The FBI would not comment whether computers at UC Santa Barbara were used in the incidents.

The Web was rocked earlier this week by an unprecedented series of attacks that temporarily blacked out a half-dozen of the largest e-commerce and portal sites, drawing international attention, including that of President Clinton.

The attackers used a method called "distributed denial of service" attacks, which involve sending such large amounts of traffic at a Web site that it buckles under the load, becoming inaccessible to the outside world.

To mount such a huge attack, hundreds or even thousands of other computers likely were co-opted as unwilling participants, according to experts. Santa Barbara's computers appear to have been among the "zombie" machines used in this week's attacks.

In a statement, UC Santa Barbara officials said Schmidt had noticed abnormal amounts of traffic coming from the university when he logged on to check systems Tuesday night. He ultimately traced the problems to a desktop computer in a research lab, the college said.

Wednesday morning, Schmidt called CNN to notify the company that the university's computers had been used in the denial of service attack, the statement added.

University officials said the intrusion was unfortunate, but that they were balancing the interests of their research community with the need for security.

"We work hard to plug the known holes," Robert Sugar, professor of physics and chair of the Information Technology Board, said in a statement. "But this is an extraordinarily difficult job. We can never make the network 100 percent secure. To attempt to would interfere with the university's research and instruction."

The news marks a potentially significant step toward tracing the identity of the attacker, some security experts say.

"This is usually how incidents like this are solved," said Joel de la Garza, a security consultant with Securify.com. "It's a very good break."

Intruders often leave some kind of electronic "fingerprint" that can be traced to a known individual or hacker group, de la Garza said. Alternately, university networks usually keep extensive logs of traffic throughout the system that could be used to trace the original intrusion back to another machine on the Net, he added.

Some experts have speculated that systems at many universities or hospitals, which have high-speed connections to the Internet but relatively low security, could have been used as unwilling agents.

"Large universities have big iron sitting around on the Net," said Gary McGraw, vice president of security consulting firm Reliable Software Technologies. "They don't always have the resources to guarantee good security. In fact, many are committed to openness, and that makes it very easy for someone to commandeer them."

In previous, lower-profile incidents, investigators found that university computers, including ones connected to the high-tech Internet 2 system, were compromised and used as weapons.

The danger of such attacks has grown in recent months because of the release of software that makes it easier to distribute and operate these remote attack tools. Tools with names such as Trinoo, Tribe Flood Network and Stacheldraht (German for "barbed wire") are widely available on the Web

"Security isn't just about how well you protect yourself, it's about how well your neighbors are protected," said Drew Williams, a security team leader for Bindview, a Net consulting group. "It becomes a kind of neighborhood watch program."

MyCio.com, a division of Network Associates, said today that it found a computer at a university in Berlin that contained a software agent that could be used in a denial of service attack. However, a MyCio.com spokesman said the company did not know whether the computer had been used in any of this week's incidents.

Similar agents used for denial of service attacks have been found in computers around the Net for several months, according to federal computer security agencies.

Although finding an agent such as the Santa Barbara machine represents a step forward in the case, finding the computers that instigated these attacks will still likely take some time, according to Bill Pollak, a member of the Computer Emergency Response Team at Carnegie Mellon University.

Pinpointing the perpetrators could be "pretty difficult to do," he said.

Yahoo sent an email message to Internet service providers that warned the attackers "knew about our topology and planned this large-scale attack in advance." The email also said the attackers "probably know both Unix and networking...pretty well and learn about site topology to find weak spots," according to the Associated Press. Yahoo representatives could not be reached for comment.

Web portal Excite.com suffered a similar denial of service attack Wednesday night, according to spokeswoman Kelly Distefano. The attack, which occurred at about 7 p.m. PST, lasted for roughly one hour before trailing off. About 50 percent of Web users that tried to access Excite.com during the attack could not view the portal, Distefano said.

eBay said today that it fended off a second attack on its Web site this week. On Wednesday, the site was apparently hit by another denial-of-service traffic about 5:30 p.m. PST, according to eBay spokesman Kevin Pursglove. This time, eBay's engineers were ready and they rejected the flood of online inquiries, he said.

News.com's Michael Kanellos, Bloomberg and the Associated Press contributed to this report.