Universities, research centers retrench after hacks

Academic supercomputing labs continue this week to clean up Linux and Solaris servers targeted by unknown attackers, as law enforcement officials investigate.

Robert Lemos
Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
4 min read
Academic supercomputing labs continue to clean up Linux and Solaris servers targeted by unknown attackers over the last month, as law enforcement officials investigate the crimes.

The attacks compromised servers at several supercomputing labs and universities, including the San Diego Supercomputing Center, the National Center for Supercomputing Applications and Stanford University. While the attacker, or group of attackers, had access to many of the computers that act as nodes on distributed high-performance computing networks, the intruders were more interested in access to computing power than sabotage, laboratory staff maintain.

"There is no critical data that was lost, none of our systems were offline, and the result was really (just) an inconvenience for our user population," said Frank Dwyer, associate director of information technology for the San Diego Supercomputing Center. The compromised systems are devoted to academic projects such as modeling astronomical phenomena.

Dwyer and staff from other laboratories were close-mouthed for the most part, citing an ongoing FBI investigation into the attacks. The attacks represent one of the widest spread infiltrations of computer systems since a group of hackers--two California teens and three Israelis--gained access to Pentagon servers in the late-1990s. An FBI spokesman couldn't be reached for comment on the investigation.

University Corporation for Atmospheric Research computers were also compromised. UCAR said it is currently dealing with the issue. "In particular, certain affected systems have been taken offline until such time as the nature and extent of the breach can be determined and preventative measures to harden UCAR's IT infrastructure put into place," the group said in a statement e-mailed to CNET News.com.

The National Center for Supercomputing Applications, based at the University of Illinois at Urbana-Champaign, took several of its systems offline to secure them, said spokeswoman Trish Barker, but she also stressed that no major damage was done.

"I don't know if we were dealing with anyone that sophisticated," she said. "A lot of these compromises are somebody snooping around to see what they can access. I would classify this compromise in that way."

Among the computers compromised were machines acting as nodes in the distributed TeraGrid high-performance computing network. The far-flung supercomputing project, which only came online last month, has clusters of computers at the National Center for Supercomputing Applications, the San Diego Supercomputing Center, Argonne National Laboratory in Argonne, Ill., and the Center for Advanced Computing Research at the California Institute of Technology in Pasadena. The largest cluster of machines is administered by the NCSA.

The first two projects for the TeraGrid involve simulating galactic formation in the early universe and finding solutions to cleaning up groundwater pollution. The first two clusters of computers, at the NCSA and the SDSC, were connected earlier this year and together offered 4.5 teraflops (trillions of calculations per second) of computing power and access to more than 250 terabytes of disk storage, according to the project's home page.

Stanford University detected the attacks on its system last week but determined that most of the breaches occurred in March, said Sandy Senti, the university's security officer. Although the university's staff found that several computers had been compromised with "root kits"--a collection of software used by intruders to take complete, and stealthy, control of a system--the systems "weren't particularly important," Senti said.

Senti said the attackers seemed to be after computing power.

"This hasn't really affected us as much, because we don't have a high-performance computer center," she said.

Among the tools found by Senti's staff were so-called "password crackers," used by attackers to break the encryption on password files. Weak passwords can be cracked in seconds, while more complex passwords--consisting of numbers, letters and punctuation--will take much longer.

At least one supercomputing center found a version of a common password cracker, "John the Ripper," that had been rewritten to take advantage of distributed computing, said a source who asked not to be named. The application, installed on one computer, can farm out calculations to other installations of the same program through the message-passing interface (MPI) used in distributed networks. Such distributed password cracking can make short work of what would normally be considered a well-chosen password.

The attacks didn't use any new techniques to infiltrate the research centers. The attackers typically gained access to one computer on the network by attempting various common passwords or by exploiting a vulnerability that hadn't been patched on the system. By cracking that system's password file, and because users typically use the same password on multiple systems, the attackers were able to leverage their control of one system to gain access to others in the same network. The technique could also be used to gain access to another supercomputing center's systems, because many researchers have accounts on more than one supercomputing network.

SDSC's Dwyer said the research centers are reviewing their security and educating researchers on good password selection, but there is only so much academic institutions can do, because their systems are open by design.

"We are all about sharing information," he said. "We have a 6 petabyte (6 million gigabyte) tape library. We have people using our systems from all over the place."

While stressing that more-sensitive information is kept safer by being confined to less-open networks, Dwyer said the centers won't change their open nature.