University Times 
VOLUME 27 NUMBER 11 FEBRUARY 2, 1995 

Copyright (c) 1995, University of Pittsburgh 



Latest attack on the Internet yields no casualties here, CIS says

As far as the Office of Computing and Information Services (CIS) is aware, no attacks have been
made upon Pitt's computer network using the "Internet protocol spoofing" (IP spoofing) or the
"terminal hijacking" methods discussed in an advisory issued last week by the federal Computer
Emergency Response Team (CERT).

Concerns about intruders attacking Pitt's Internet computer network, and the machines attached to it,
through IP spoofing or terminal hijacking have surfaced at the University since an article on the
method appeared in the Jan. 23 issue of The New York Times.

According to Mike Bright, data security officer for CIS's Administrative Information Systems, the
type of attacks mentioned in the CERT advisory involve the UNIX system. Numerous computer
users at Pitt employ UNIX, so their computers could be vulnerable to an attack using IP spoofing or
terminal hijacking. Administrative computers at Pitt, however, do not use UNIX, so are not
vulnerable to such attacks, according to Bright.

"Not that those [administrative] systems we use are perfect from a security standpoint," he says.
"They have their own set of flaws, but UNIX is such a popular system that it receives more than its
fair share of attacks." According to Bright, CERT releases advisories on security issues once or twice
a month. "There is nothing particularly new or exciting about this individual advisory," he adds. "It is
just that somebody at The New York Times picked up on it and did a front page story." In fact,
according to a Jan. 25 CIS advisory issued in the wake of the CERT advisory, IP spoofing is not
really a new way for intruders to attack a computer network. The method has been discussed in
academic papers since 1985. It involves using false return addresses to contact victim computers,
which recognize the stolen address as a trusted contact.

As explained in The New York Times article, the Internet works by breaking computer messages
into groups of digital packets of data, each of which has an electronic envelope that provides
addressing information used by special network computers, known as routers, that deliver the data.

IP spoofing makes use of a flaw in the design of the network to fool router computers into believing
that a message is coming from a trusted source such as a member of the University community with a
CIS account. By masquerading as a familiar computer, an intruder can gain access to a protected
computer network.

According to Jeff Carpenter, systems analyst in Systems and Networks, the IP spoofing and terminal
hijacking advisory was issued by CERT because it had noticed a pattern of incidents involving the
method at different sites on the Internet.

A follow-up article in the Jan. 28 issue of The New York Times reports that there have been at least
five known victims of IP spoofing or terminal hijacking since late December. As of October 1994,
according to CIS's Carpenter, the Internet is connected to more than 3.9 million hosts and 56,000
domains such as universities, businesses and government agencies around the world, which means the
break-ins have been very, very few compared to the number of computers connected to the
network.

Universities that have been victimized so far, The New York Times noted in its Jan. 28 story, include
Loyola University of Chicago, the University of Rochester and Drexel University. The attacks started
on Christmas Day when hackers broke into a home computer owned by a computational physicist, a
renowned expert in computer network security, who is employed by the San Diego Supercomputer
Center. "They [the IP spoofing and terminal hijacking attacks] are actually part of a bigger problem
involving the security of machines connected to the Internet as a whole," says Carpenter. "This
specific incident does not dramatically change that situation. It has been an ongoing problem for
years." When the Internet began in the 1970s, it involved a small group of friends who wanted to
share information by computer. Since the people using the system were known to each other, there
was no need for security. Consequently, the Internet developed with little or no consideration for
security.

Carpenter says security has only become a real issue on the Internet over the past five years as more
and more people join the network. The Internet is currently doubling in size each year.

IP spoofing and terminal hijacking are "fairly sophisticated attacks on the Internet system," according
to Bright. Even though they have been known for 10 years, they never have been widely used because
they are complicated.

"There are a lot easier ways to break into people's computers than IP spoofing," says Bright. "You
can just walk down the halls and look for the little yellow, sticky pieces of paper hanging on their
computers with their password on it, and then log in." In terms of security, Carpenter says the most
important thing University users can do to ensure that their computer is not compromised is to keep
their password confidential.

Still, both Bright and Carpenter say, CIS takes all threats to Pitt's computer network seriously and
has issued its own advisory (see accompanying story on this page) detailing actions members of the
University community can take to counter IP spoofing and terminal hijacking, and increase the
security of their computers.

"In order for the hijacking to occur as is described in the CERT advisory, your machine has to have
been compromised [electronically accessed by an intruder] to begin with," Carpenter says. "That's
what the real problem is for the user. Once a machine is compromised, a large number of dangerous
problems can occur and the hijacking is just one of those problems." Files in a computer that has
been compromised can be revealed, erased, stolen, altered and tampered with in numerous ways.

According to Carpenter, how a computer site fares as far as security is concerned depends upon the
experience of the people helping management and the users. He says there are cases in individual
departments at Pitt where computers have been compromised and in most instances that happened
because departments didn't follow the procedures listed in CIS advisories.

Bright warns, though, that users should be careful not to make the mistake of thinking that simply
because they have the correct software and have followed recommended procedures that their
computer will be secure. The only completely secure computer is one that is not connected to a
network and never turned on.

"Security is a pervasive concept," Bright explains. "It is not just a piece of software in a machine. It's
the machine's hardware, the software in it. It's the protocols, the way a machine is used. It's the
people who are using the machine, how well do they protect their passwords, the administrative
procedures, the physical security of a machine." Besides protecting passwords, among the most
important things departments and users can do to make sure their computers are secure is to keep
operating versions of software up to date, install security patches [software updates, provided by
software vendors, which are designed to help block intruders], and configure [install patches and
set the proper parameters for the software being used] their machines in such a way as to make them
more difficult to compromise (see accompanying story on page 4 for details on security patches and
configuration).

"If an individual user has a machine that has a vulnerability [that has been accessed by an intruder], no
matter what level of network security we provide, they are going to have a possible exposure that
can be exploited," Carpenter says. Every time an advisory is issued by CERT, CIS evaluates the
University's exposure and puts out its own advisory with information relevant to Pitt. Such advisories
currently are available on the World Wide Web at
http://www.pitt.edu/HOME/Security/Security-Home.html. Members of the University community
who feel their computer might have been compromised by someone using IP spoofing or terminal
hijacking should contact the CIS helpline at 624-8888 or cis-helpline+@pitt.edu.

Computer users at the University also can electronically subscribe to the CIS advisory mailing list by
sending a request to security-advisory-request+@pitt.edu.

Advisories can be found, too, in the USENET newsgroup pitt.announce.security. Previous CIS
advisories are available for anonymous ftp at ftp://ftp.pitt.edu/info/security/pitt-advisories.

CERT, which is headquartered at Carnegie Mellon University's Software Engineering Institute, was
formed by the Department of Defense in 1988 after the "Morris Worm" incident, when a graduate
student at Cornell University released a "worm" onto the Internet that utilized weaknesses in UNIX
security to gain access to multiple machines.

Concerning computer security as a whole at Pitt, Bright says the fact the University created his
position of data security officer eight months ago is an indication that Pitt is serious about computer
security. So far, Bright says he is very pleased with what he has seen of Pitt's computer security
system.

But, at the same time, he cautions: "People want to use machines to share information, to be able to
do useful work, and the only truly secure machine is one that you can't log on and can't do anything
with. Any time you back off of that you have potential holes. So, are we perfect here at Pitt? No.
Are we exposed in various areas? Yes. But we've taken very reasonable business precautions based
on risk factors and reasonable cost to keep things safe." --Mike Sajna