Stanford Report Online News

Issue of November 4, 1998



 


Hackers steal e-mail passwords; no damage found

BY LISA TREI

Hackers in Sweden and Canada broke into a campus computer via the Internet last month and used it to steal about 4,500 Leland e-mail passwords and enter other university systems, computer security officer Stephen Hansen said.

Although there is no evidence that the hackers tried to disable or damage the systems by deleting research or trashing e-mail, "the number of passwords compromised was quite large," Hansen said.

After the break-in was discovered during a routine security check on Oct. 26, all affected Leland account owners were contacted and told how to change their passwords. All but about 10 percent of those affected were students. By yesterday, Hansen said, only 200 account holders had not responded, and their accounts were frozen.

"We sent out a message on Thursday (Oct. 29) and people hopped on it so quickly that the system almost shut down," Hansen said. "By Friday, about three-quarters of the passwords had been changed."




Despite the rapid response from Leland account holders, Hansen said, the hacker problem is not completely under control. So far, FTP (file transfer protocol) sessions, where files are transferred from one server to another, cannot be protected. Furthermore, up to 100 off-campus sites, mostly owned by other universities, were hit, and a few campus machines may have been missed during the ensuing security sweep. "The hardest thing is figuring out whom to contact," Hansen said.

The only account holders hit were those who had not used free campus security software (PC-Leland, MacLeland or Kerberos kits for UNIX systems) and had sent out their password over the network "in the clear," said Carol Farnsworth from the Distributed Computing Group in Sweet Hall. The software, which can be downloaded from the web, scrambles passwords.

"A lot of people don't understand that it's really easy to get in," Farnsworth said. "We want them to protect their passwords." In general, she said, people should change passwords at least every six months.

To encourage computer security awareness, Farnsworth is in charge of promoting a month-long campus campaign that was planned before the recent break-in. To find out more about related events, visit www.stanford.edu/group/dcg/pdd/projects/security/events.htm.

The recent security breach can be traced back to Oct. 8, when hackers broke into a non-Leland machine in the Storke Press Building and installed a data-stealing program called a "sniffer" to intercept a SUNet ID password from a student. That was used to log in to a Leland systems workstation in Sweet Hall on Oct. 11, where the hackers found a hole caused by a computer patch that had been improperly installed during routine maintenance.

"It was actually bad luck and human error," Hansen said. The hackers "hit a jackpot" when they found a weak link in Leland, a system that carries a lot of traffic. "Fortunately, these fellows were not particularly good," he said. The hackers may have been trying to collect the passwords for future use. "They use them to harass other people," Hansen said. "Often, it's just gangs of kids who work off major bulletin board systems. They use them to distribute copyrighted software, pornography and music CDs."

Hansen said the lesson from this incident underscores the importance of security. "You can't make it the lowest priority on the budget because it will come back and bite you," he said.