CyberGuard is starting to be mentioned in the press. Here is the address for the attached news release.
news.cnet.com.
Feb 17 2000 6:00AM ET More on Nuthin But Net...
Colleges Likely to Stay Net Security Risks
by John Borland
Staff Writer, CNET News.com
Special to CNBC.com
In the battle to strengthen Web security, the open-door policies that helped universities create the Net may now prove to be its weakest link.
E-Commerce Storm Rising
At least two California institutions-Stanford University and the University of California at Santa Barbara-have said their computers were taken over and used in last week's attacks on sites including Time Warner Inc.'s {TWX} CNN, eBay Inc. {EBAY} and Yahoo! Inc. {YHOO}. While federal investigators and private companies scramble to prevent a repeat of last week's incidents, universities say they can't guarantee their systems won't be used as launching points again.
"You can't just put a whole campus behind a firewall," says Robert Sugar, a UC Santa Barbara physics professor and chairman of the college's Information Technology Board. "Universities have particular problems because of the huge numbers of computers on campuses that have to be very open."
Last week's so-called denial of service attacks, which temporarily shut down Amazon.com Inc. {AMZN}, eBay, Yahoo! and other large Web sites, brought the Internet security issue to the forefront of national debate. It was the first time that high-profile and well-protected sites had been successfully targeted by Net vandals on this scale and has prompted a nationwide effort to prevent such incidents.
Time Warner Inc.
eBay Inc.
Yahoo! Inc.
Amazon.com Inc.
The attacks used a method known as "distributed denial of service," which involves sending a flood of innocent-looking Web traffic that forces a target's servers or infrastructure buckles under the load.
Launching an attack of this size requires the unwitting help of hundreds or even thousands of computers. Attackers do this by breaking into other computers connected to the Web and planting software that can be activated remotely at a later date, turning control of what is called a "zombie" computer over to the intruder.
That is where the universities come in. Because college computers often are more open to the public Internet than corporate systems and have high-speed connections to the Web, researchers say they have been-and will continue to be-prime targets.
Even before last week, campuses had proved to be the unwitting launching points for attacks on other institutions, including the University of Minnesota, and systems in Australia, France and Norway. Some computers connected to the high-speed Internet 2 were implicated in those attacks.
Universities have also been the focus of other digital controversies, such as students' widespread use of pirated MP3 music files.
At least part of the problem is a simple matter of resources. College campuses typically have thousands of computers-UC Santa Barbara has close to 12,000 -- with relatively few staff people dedicated to maintenance and security issues. That makes it extremely difficult to monitor what is happening on every single server and desktop connected to a university system, administrators say.
But universities say it is also an issue of academic and personal freedom- and of maintaining the openness that fostered the development of the Internet as it was originally used.
"Whenever you talk about restricting access, colleges are the first ones to stick their hands in the air and say, 'I don't think so,'" says Drew Williams, a security team leader for Net consultants BindView.
University officials say they need to allow students and researchers to use their systems while off campus and without tight restrictions. Openness and security need to be balanced, they say, but openness weighs more heavily in the equation.
"In trying to do one's best with security, we can't go to extremes that would prevent a university or company from carrying out what is its fundamental mission," Sugar says. "We try our best, but with that many computers and a small staff, to say that we are going to be 100 percent secure is unrealistic."
Some security experts criticize this attitude, saying that keeping systems deliberately open is the equivalent of inviting hackers to use university servers as weapons.
"It's like the gun companies being sued for not having trigger locks on guns that are used to kill someone," says Michael Wittig, CTO of network security company CyberGuard. "Basically those people who leave their systems open are not putting on trigger locks."
Campuses can install the latest security tools available online, searching for the known traces of hacker software like Tribal Flood Network or Trinoo, security consultants say. But the security environment changes too quickly to hold anyone-universities, companies or governments-to any official minimum standard, many experts add.
"It's difficult to know what 'best security' practices would be," says Elias Levy, chief technical officer SecurityFocus.com, a security-focused Web site. "Would you make companies check the latest [security reports] and update their systems once a month? Once a week? It's a moving target." |
