A recently-exposed security glitch in software used by the University”s computer network is being remedied by system administrators and has not resulted in attacks by hackers.

“I have had no reports that anyone has broken in,” Chief Information Officer Jose-Marie Griffiths said.

The University”s problem stems from a weakness in the security shell that makes it possible for hackers to break into the system and capture the passwords of users logging in to the server.

“Sophisticated tools have not yet been developed to take advantage of the vulnerability, but it”s only a matter of time,” said Peter Honeyman, director of the University”s Center for Information Technology.

The potential to break into the University”s computer system exists, and eventually more simple programs could be developed, he said.

The University first learned of the glitch on Feb. 8 and issued an alert on Feb. 10, Griffiths said.

Initially, 90 percent of the University”s computer servers about 2,400 computers were running the faulty program, Honeyman said.

Griffiths said all of the University”s centrally managed systems were upgraded by Feb. 18, leaving the remote servers to be notified and upgraded. Griffiths estimated that less than 30 percent of the University”s computers are still running the old version.

“We discovered this vulnerability the same way everyone else did,” Honeyman said.

The University has access to bulletin boards and mailing lists that post discoveries of soft spots in computer security systems. But potential hackers have access to the same information, which means the University has to act quickly to preempt an attack.

“We were among the first to know of the problem, and we should be the first to fix it,” Honeyman said.

Griffiths said this particular glitch was significant because of the number of computers it affected.

She explained that the University”s size may put it at a disadvantage when facing hackers simply because the larger an institution is, the more room there is for error.

This makes it vulnerable to attacks, which could result in hackers gaining access to users” passwords. Hackers could have access to resources that normally only the user would be able to see, including e-mail and other resources available exclusively to the University community.

Denial of service attacks are another threat from hackers. Hackers can take over and control servers and then launch a coordinated attack on a single single site, causing it to overload and crash, said electrical engineering and computer science associate Prof. Sugih Jamin.

As far as protection of personal information, such as social security numbers and financial information, are concerned, “there”s reason for confidence and optimism that the University is doing a good job.”

“We”re reasonably well-protected,” Griffiths said, adding that there is no way to be completely safe from hackers.

“There is simply no way to write perfect software so you have to anticipate that problems will arise from time to time,” Honeyman said.

The upside of potential problems is that it reminds the University that the technology world is constantly changing. “It”s something we can never quite relax and say, “We”ve done this,”” Griffiths said.

In order to guard against attacks, Griffiths said it is essential for the University to constantly watch its programs for possible glitches.

“I would liken this to walking down the street in the dark and looking over your shoulder to make sure no one”s creeping after you,” she said.

Griffiths said the Infrastructure Subcommittee of the President”s Information Revolution Commission has endorsed recommendations by the Security Architecture Task Force to take measures to ensure security.

She added that the University”s computer system survived a barrage of hacker attacks in late 1999. Hackers realized researchers were occupied with the impending Y2K crisis and relaxed their guard on routine security.

“We were hit by a number of attacks, and we fended them off successfully,” Griffiths said.

Leave a comment

Your email address will not be published. Required fields are marked *