
To protect yourself, your work, and the UW

To most people on campus, the Internet is what they see in their Web browser window on their computer screen. But what's happening behind your screen, involving your network connection, can cause a lot of trouble.

What most people don't realize -- until they install a personal firewall program on their desktop and start getting dozens of alarms per day -- is that the UW network is under constant attack, and crimes and malicious activity occur every day. Here are two recent large-scale examples:

The price you pay if you are a victim

Responding to a computer security incident at the University of Washington can cost between $3,000 and $100,000 (not including any liability the UW might incur due to the compromise).

Today's computer and network technology is powerful. At the same time, the dynamic nature and anonymity of the Internet gives criminals new ways to secure victims and avoid detection. Some examples of these crimes are:

In addition to these crimes, malicious individuals can gain control of a multitude of systems by breaking into or "hacking" them. The "hijacked" systems are then used to inundate a Web site or Internet-connected server with a flood of useless traffic in what's known as a Distributed Denial of Service (DDoS) Attack. The goal of the DDoS attack is to disable the target's ability to perform normal business functions. It is possible that organizations that fail to show due diligence in minimizing their exposure to such threats may become targets for lawsuits.

The full story: University of Washington Medical Center intrusion

[Note: This incident is still under investigation by the FBI, but it is believed the incident likely occurred as follows.]

Most likely one of the first systems compromised was a Windows 95 desktop computer. The owner came into the office one morning to find that the icons on the desktop had been removed and a single icon labeled "hey you" had appeared in their place. The owner tried to open the file, which appeared to fail. This was reported only to the departmental support staff, who did not report it to Medical Center or campus security staff. This kind of attack is a trick to get the owner of the system to run a "trojan horse" program that installs itself on the system (the program "Back Orifice" was found installed on several Windows systems). The attacker could now monitor network traffic by "sniffing" packets on the network.

Once the sniffer was active, an email message was likely sniffed that contained the system administrator password to a Linux computer, the system administrator password to a Windows NT Terminal Server, and a link to instructions on how to use these passwords with VNC (a program that allows someone on a Linux system to log in to a Windows system with full remote access). The attacker later made reference to information which most likely was obtained from an email message with these passwords.

After gaining access to a more critical Windows Terminal Server, the attacker began installing Back Orifice on this and other servers (Primary Domain Controllers, Backup Domain Controllers, etc.). This was not found at first, because of a bug in the anti-virus software being used.

After watching activity on the network for a few days, the attacker intercepted a login session by the system administrator to Homer, and later that night logged in himself and started reading the system administrator's email. There he found a treasure trove of email with account names and passwords on dozens of critical systems (Web servers, domain controllers, terminal servers, shared accounts, etc.). He also found an email message that described the department's scheme for creating new accounts, which was "first initial + last name for the user name and last name (all lowercase) for the password."

The intruder was also able to locate files kept on the Windows Terminal Server by a medical researcher using Cardiology patient data obtained from a more secure patient database. Even though no compromise of the patient database occurred, the transfer of sensitive data to a less secured research computer still exposed records of over 4000 patients.

The story about "Kane" and his activities within the UW network was made public in an article published on SecurityFocus.com on December 6, 2000.

Lessons to be learned:

The full story: Distributed "warez" and denial of service attacks

In April 2002, UW Network Operations staff began to get reports of systems on the UW network attacking other hosts by sending large amounts of useless traffic over the UW's very high bandwidth network. This is referred to as a Distributed Denial of Service (or DDoS) attack. Hundreds of UW systems have been used for DDoS attacks going back to 1999.

Because of the impact on UW departmental networks and victim sites outside the UW, Network Operations staff were forced to shut off wall ports to many systems until they could be cleaned up. Sometimes this meant entire classrooms and offices were taken off-line because they shared the same wall port. Due to limited staff resources, the difficulty in getting data from compromised systems, and the amount of time and effort needed to understand what had happened to these systems and how to clean them up, many systems remained off-line for days, and in one case for over a week.

Little by little, over several weeks, Security Operations staff began to put together the pieces of the puzzle. The systems were all Windows NT and Windows 2000, and none had passwords on the administrator account. Attackers scan the UW network daily for such vulnerable systems, and these were easily taken over ("like shooting fish in a barrel," as the expression goes). The intruders installed malicious software ("trojan horses" and backdoors), hid files and directories, and loaded up many of the systems with gigabytes of pirated software and movies (known as "warez") for distribution over Internet Relay Chat (IRC) channels.

Most of the owners of these systems chose not to use a password on the system administrator account because it was "easier" to use the system that way. These same people ended up having to wipe their hard drives clean and re-install the operating system and all applications, sometimes losing their own files in the process, as well as losing hours or days of time.
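Both stories turn on the same two password failures: blank administrator passwords, and passwords built from the account holder's own name (the "first initial + last name for the user name and last name for the password" scheme). The following Python is an added example, not UW code or anything from the incidents, showing the kind of check an account-provisioning script or password-change hook could run before accepting a password. The account records and the minimum-length value are constructed assumptions; the check strips digits and punctuation before comparing, so "Smith2001!" is still caught as the last name.

```python
"""Password-policy check rejecting blank and identity-derived passwords.
Added example; not UW code. All account data below is constructed."""
from dataclasses import dataclass
import re

MIN_LENGTH = 12  # assumption: an illustrative minimum, not a UW policy value


@dataclass(frozen=True)
class Account:
    username: str
    first_name: str
    last_name: str


def identity_terms(acct: Account) -> set[str]:
    """Lower-case strings a password must not be built from."""
    first = acct.first_name.lower()
    last = acct.last_name.lower()
    terms = {
        acct.username.lower(),
        first,
        last,
        first[:1] + last,   # the "first initial + last name" scheme
        last + first[:1],
        last[::-1],         # reversed last name
    }
    # A lone initial or empty name would match almost anything; drop fragments.
    return {t for t in terms if len(t) >= 3}


def check_password(acct: Account, password: str) -> list[str]:
    """Return the policy violations for this password; an empty list means it passes."""
    if password == "":
        return ["blank_password"]
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    # Compare letters only, so digits and punctuation added to a name do not hide it.
    letters = re.sub(r"[^a-z]", "", password.lower())
    matched = sorted(t for t in identity_terms(acct) if t in letters)
    if matched:
        problems.append("identity_derived:" + ",".join(matched))
    return problems


def audit(entries):
    """entries: iterable of (Account, password) pairs.
    Returns {username: violations} for every account that fails."""
    report = {}
    for acct, password in entries:
        violations = check_password(acct, password)
        if violations:
            report[acct.username] = violations
    return report


# Constructed sample accounts, not taken from either incident.
SAMPLE = [
    (Account("administrator", "", ""), ""),
    (Account("jsmith", "Jane", "Smith"), "smith"),
    (Account("rlopez", "Ruben", "Lopez"), "Lopez-Welcome-2002!"),
    (Account("akim", "Alex", "Kim"), "correct-horse-battery-staple"),
]

if __name__ == "__main__":
    for user, violations in audit(SAMPLE).items():
        print(f"{user}: {', '.join(violations)}")
```

Running the sample flags the blank administrator password, the last-name password even though it is short, and the long but name-based "Lopez-Welcome-2002!", while the unrelated passphrase passes. The length check and the identity check are deliberately independent: a long password built around a name is still guessable by anyone who knows the naming scheme, which is exactly what the email found on Homer gave away.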

Lessons to be learned:

To learn more

There are plenty of issues and concerns that you need to be aware of as you enjoy the benefits of the UW's computing services. Take the time to become informed and wise users. Below are some suggested resources: