With The 'Stanford Hacker' Loose, Is BARC Safe?

by Hinesh Jethwani    Apr 16, 2004

Stanford, along with a large number of research institutions and high performance computing centers, has become a target for sophisticated Linux and Solaris attacks. An unknown attacker (or group) has compromised numerous multi-user Solaris and Linux computers on Stanford's campus using an assortment of complex procedures.

Investigating the situation back home, CXOtoday decided to probe the level of security employed by Bhabha Atomic Research Center (BARC) for protecting its own supercomputers, which are executing the country's most confidential research projects.

With classified information at stake, defending the supercomputers is a matter of national security, and BARC is definitely NOT on the vulnerable list.

Speaking to CXOtoday, P.S. Dhekne, head, computer division, BARC, reassured, “People will always be inquisitive to discover the information that is locked within our supercomputers, but complete physical isolation at our end eliminates any possibility of a compromise. Our Supercomputers are executing only internal applications currently and there is no access possible from outside.”

BARC has a number of cluster-based supercomputers, and its pride - called Anupam - is a 128-node monster capable of delivering a staggering 365 Gigaflops per machine.

“Linux offers amazing flexibility for 'hardening' systems, and combining it with multi-tiered in-depth security with efficient monitoring makes our system very secure. Even if an intruder manages to enter into level 1, an automatic alarm is triggered from the IDS, which exposes him even before he can proceed to the next stage,” explained Dhekne.

The closest that anyone has ever come to snooping on BARC's servers was six teenagers - a group labeled 'milwOrm' - who managed to steal 5MB of classified information in 1998. The incident was downplayed because the stolen information consisted only of e-mails and memos.

The milwOrm group used Wingate to hide their IP address and Telnetted through NASA, US military and navy servers one by one. Taking these three jumps - deceptively masking their identity along the way - they finally managed to break into the BARC server.

According to Stanford's ITSS Security Alert, in most cases the attacker gets access to a machine by cracking or sniffing passwords. Local user accounts are then escalated to root privileges by triggering a variety of local exploits, including the do_brk() and mremap() exploits on Linux and the sadmind, arbitrary kernel module loading and passwd vulnerabilities on Solaris.

The ’Stanford attacker’ appears to be deliberately targeting machines in academic and high performance computing environments, rather than attacking systems indiscriminately.

Stanford system administrators and the Information Security Services office are in contact with a number of academic and research organizations involving ongoing Linux and Solaris compromises. The perpetrators regularly gain access to an unprivileged local user account, presumably by sniffing passwords, cracking passwords from other compromised systems, or by triggering vulnerabilities in remotely accessible services.

In cases where the victim machine is running up-to-date versions of the kernel and privileged applications, the compromised user account is typically used to run a password-cracking program called John the Ripper. This program is what usually causes system performance to degrade. According to the Stanford alert, the attacker is knowledgeable about Kerberos as well as other authentication systems, and has been observed running dictionary attacks against Kerberos passwords as well as local password databases.

In cases where the target machine is running known vulnerable versions of an operating system or an application, or where there are insecure trust relationships between multiple machines (one of which is compromised already), the attacker is able to “get root.” With root privileges, he can replace core utilities and applications on the victim machine, usually with the intention of capturing more usernames and passwords, and making it easier for himself to access the machine at a later time.
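The alert's final step, replacing core utilities with trojaned copies, is exactly what a file-integrity baseline is meant to catch. The script below is an added example, not code from the article, Stanford or BARC: it hashes a watchlist of binaries, stores the result as a baseline, and later reports which files were modified or removed. The watchlist paths and the scenario it runs (a fake root filesystem in a temporary directory where `login` is overwritten and `ls` deleted) are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths a baseline would typically cover on a multi-user host. This list is an
# assumption for the example, not one taken from the article.
DEFAULT_WATCHLIST = ["bin/login", "bin/ps", "bin/ls", "usr/bin/ssh"]


def sha256_of(path):
    """Hash a file in chunks so large binaries need not be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, watchlist=DEFAULT_WATCHLIST):
    """Record the hash of every watched file under `root` that exists.

    The baseline should be taken right after installation and kept off-host
    (read-only media or a remote store): an attacker who has root on the
    machine can rewrite any baseline stored locally.
    """
    baseline = {}
    for rel in watchlist:
        p = Path(root) / rel
        if p.is_file():
            baseline[rel] = sha256_of(p)
    return baseline


def check_integrity(root, baseline):
    """Compare current hashes against the baseline.

    Returns a dict with three lists: 'modified' (hash differs from baseline),
    'missing' (file no longer present) and 'ok'.
    """
    report = {"modified": [], "missing": [], "ok": []}
    for rel, expected in baseline.items():
        p = Path(root) / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Constructed scenario: build a fake root tree, take a baseline, then
    overwrite 'login' (as a credential-stealing replacement would) and delete
    'ls', and return the integrity report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in DEFAULT_WATCHLIST:
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"original contents of " + rel.encode())
        baseline = build_baseline(root)
        (root / "bin/login").write_bytes(b"replaced binary")
        (root / "bin/ls").unlink()
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Hashing catches a replaced binary but not one that was never in the baseline, so a real deployment also watches for new setuid files and for changes to the baseline store itself; tools such as Tripwire or AIDE implement this pattern with signed databases.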

Giving his comments on the Stanford issue, Dhekne said, “It is not surprising to know that Stanford’s supercomputers running on Linux were compromised by hacker attacks. University research centers being Academic Institutes do not spend the requisite time and effort on information security. However, the damage delivered to critical information, and manpower costs involved in correction and recovery are equally important, and should be given due prominence.”

Settling the dust on the issue, Dhekne concluded, “It is a continuous fight between system administrators and hackers. One has to have constant vigil and upgrade/enhance security measures to be sure about protection.”
