Hacking invite troubles DoIT


by Andriy Pazuniak
Thursday, March 9, 2006

Inviting hackers to infiltrate a computer on the University of Wisconsin network might leave a Department of Information Technology employee subject to disciplinary action.

Responding to a publicized test where a computer hacker gained access to a Macintosh operating system in under 30 minutes, DoIT Technical Service Specialist Dave Schroeder challenged hackers to infiltrate a computer he secured using Mac OS X and had put on the UW network.

However, neither DoIT nor UW sanctioned the test and university officials shut it down prematurely.

And within the 38 total hours that the test ran, no successful attempts to hack into the host were reported or claimed by potential hackers.

According to DoIT Senior Administrative Programming Specialist Brian Rust, however, there will "probably be some" disciplinary action taken against Schroeder.

"Inviting people to try to break into a computer on the network creates problems way more serious than you expect," Rust said, adding Schroeder did not have approval to run the test using the UW network.

Rust warned that once a hacker is able to infiltrate a computer on the network, it leaves the system more vulnerable to a disruption.

However, Rust emphasized that no UW systems were compromised during the test, saying traffic on the network remained manageable.

Internet security expert and UW computer science assistant professor Paul Barford also criticized the test, and said it is never a good idea to draw the attention of hackers to a computer network.

Calling it a case of "letting sleeping dogs lie," Barford said sophisticated hackers, fully capable of infiltrating the system, might now consider the UW network a potential target, while it might have remained an anonymous one before Schroeder's challenge.

"There are bad guys, especially sophisticated, who have a lot of options to who to pay attention to," Barford said. "You don't want bad people to pay attention to Wisconsin."

Barford added that just because there were no successful attempts over the 38-hour test period does not mean there would not be one in the future.

Noting that the more malicious, sophisticated computer hackers might wait until there is less attention placed on the UW network before trying to infiltrate it, Barford said he would not be surprised if hackers tried to infiltrate the UW network in the future.

"Everybody was watching," Barford said. "[Hackers] don't typically go after what everybody's watching."


Anonymous (March 9, 2006 @ 10:17am):

Time for DoIT to clean house! There are way too many people there with way too little work to do. This case is just the tip of the iceberg. Wake up Annie, you have lots of little personal projects going on behind DoIT's back. Using company time and UW dollars. You need to take a physical survey of all the servers that are set up under dozens of desks and find out just exactly what they are being used for. I will tell you that most are not work related.

Anonymous (March 9, 2006 @ 12:36pm):

I think the real worry was not the Macintosh being hacked, but rather the thousands of inept Windows machines on campus that can be used as possible drones for a hacker. For the record, he didn't do anything to secure the Mac, it just comes that way. I, for one, respect Dave Schroeder who actually put forth an academic solution, but when DoIT shuts down the challenge it showed how uncool they really are. The challenge started as a great UW promotion for academic understanding and ended in a draconian power struggle to cover their backs.

The missing story here is that UW doesn't want anyone to know they are like all other networks: Unable to be truly dynamic and fluent in all systems so they can migrate on the fly to a more secure system. This proves my lack of trust for IT departments everywhere.

Anonymous (March 9, 2006 @ 12:50pm):

Good points from Barford. I thought the challenge was an interesting idea, but I was shocked to learn it was not sanctioned.

Anonymous (March 10, 2006 @ 2:01pm):

"Barford said sophisticated hackers, fully capable of infiltrating the system, might now consider the UW network a potential target, while it might have remained an anonymous one before Schroeder's challenge... 'Everybody was watching,' Barford said. '[Hackers] don't typically go after what everybody's watching.'"

Somehow I doubt that the University of Wisconsin -- one of the largest and most prominent public universities, with one of the most prominent CS departments -- is in any way "anonymous." Even on our own merits as a huge university it would be hard for us to remain anonymous on the internet; with the WiscNet NOC here on campus it's a virtual impossibility. I don't think relying on anonymity (hiding and hoping crackers/hackers don't notice the entire wisc.edu subdomain?) would be such a great idea.

As for nobody going after the machine when everyone was watching, according to Dave Schroeder himself as reported at http://www.macintouch.com/#tips.2006.03.09 : "Traffic to the host spiked at over 30 Mbps. Most of the traffic, aside from casual web visitors, was web exploit scripts, ssh dictionary attacks, and scanning tools such as Nessus. The machine was under intermittent DoS attack. During the two brief periods of denial of service, the host remained up.... There were over 4000 login attempts via ssh. The ipfw log grew at 40MB/hour and contains 6 million events logged." So, if crackers/hackers don't typically go after boxes that are being watched, as you claim, who was running the exploit scripts, ssh attacks and DDoS attacks?

As a final note, if you're truly worried about crackers/hackers now attempting to crack university computers, I think Dave's test proved at least one possible option. Move your critical web, database, or file servers to the Macintosh platform and take advantage of the security afforded by Mac OS X.

Andy Rusterholz
akrusterholz@wisc.edu

Anonymous (March 10, 2006 @ 5:06pm):

Sorry to see the official response to an event that created free global publicity for the UW in the technology community will be "some disciplinary action". Concern over network security is understandable, but some of Barford's comments are ridiculous. Applied to daily life, one would never leave their home for fear of being struck by a bus. Which, of course, leaves you wide open for death by fire, falling in the shower, or a bizarre ironing accident. Risk is inescapable. It's hard to further knowledge without it. It's also hard to believe the UW network isn't more at risk from its users than Mr. Schroeder's well-intentioned experiment. At any rate, I hope this isn't the last time I see the UW mentioned on tech sites. Best of luck to all involved ....

Anonymous (March 12, 2006 @ 3:51pm):

Dave has been a HUGE resource on this campus for nearly 10 years. Nobody at DOIT is more helpful or knowledgeable. From all his years in the Tech Store and running the Apple support site. He is due a break for messing this up.

If all the DOIT employees were half as helpful, DOIT and UW would be a vastly better place.

For most things you can use the acronym Un-DOIT to characterize UW computer network and support.

Anonymous (March 15, 2006 @ 12:04pm):

As an alumnus of UW I was proud to hear that the challenge to the hackers was being mounted by the IT department there. It seemed to be the crux of academic excellence to support a true test of the security of a typically configured Mac as opposed to the pre-hacked system that was being touted by the press as an example of the lack of security afforded by OS X.

I am shocked that the IT department chose to terminate the test, particularly with the lame "I prefer to be an ostrich" comments being attributed to Barford.

I am ashamed that a truly interesting and seemingly academically valid test was being viewed as offensive and irresponsible by my former school.

I personally will not be furthering my contributions as a UW alum.

Best of luck to Dave Schroeder, and as for UW, I am embarrassed for the school's lack of backbone.

Anonymous (March 18, 2006 @ 10:40pm):

It's hard to believe the UW network isn't more at risk now that this bozo has thrown down the gauntlet to the hackers.

Bring it on? Hubris, plain and simple.
