Computer security continues to demand attention at UCI. In the first eight months of 2001, at least 952 attempts were made to scan systems on campus, seeking one of at least 60 different security vulnerabilities.

The good news is that almost all of these efforts failed, thanks to the ongoing effort of NACS staff and system administrators around campus. The bad news is that it will continue to be necessary for computer users on campus to stay informed and protect themselves. Three relatively recent attacks have gained publicity: Sircam, Code Red, and Nimda.

Sircam is a virus which comes as an e-mail attachment. Opening that attachment on Windows computers will execute “malicious code” which can harm your computer or distribute confidential information. Once a system is infected, it can also infect any other computer with which it is sharing disk resources (i.e., “network drives.”) Sircam can generate a large number of e-mail messages, each with a large attachment (200KB or more). It floods new victims’ mailboxes and places a great load on campus mail servers, thus interfering with systems beyond those infected. All “antivirus software” (such as McAfee and Norton) if up-to-date can detect and eliminate Sircam. This is easiest if you allow your antivirus software to use its automatic update feature. Code Red (and Code Red II) are “internet worms” which act through the Web server software IIS. This worm would change the content of your web site, and possibly launch “denial of service” attacks against other systems (seehttp://www.nacs.uci.edu/news/2001.4.html). Because Code Red could generate a lot of network traffic, it could even render HP printers with network (JetDirect) cards unusable. Code Red is deterred by having the latest update (“patch”) for IIS, but even the most careful administrators of Windows NT systems are vulnerable. (Windows 2000 systems are can be more thoroughly secured against Code Red.)

Nimda was another internet worm, which (among other techniques) could exploit vulnerabilities left behind by Code Red. Nimda was particularly insidious in that it could infect any computer using Internet Explorer to browse an affected Web site, with no sign to the person doing the browsing. Defense against Nimda is available at both ends: by patching IIS and making other prudent security changes to servers, and by running an up-to-date browser (Internet Explorer 5.01 or 5.5 with Service Pack 2, or Internet Explorer 6.)

NACS is coordinating a series of discussions on security techniques for computer support staff. If you would like to be included in the next meeting (to be held in October), please contact NACS.

A May 5, 2001 advisory from NIPC (National Infrastructure Protection Center) reported an increase in “distributed denial of service” (DDOS) attacks around the country. In fact, even whitehouse.gov was laid low by such an attack on Friday, May 4. (For more information, please see http://www.cnn.com/2001/TECH/internet/05/08/dos.warning.idg/index.html)

Ordinary DOS attacks involve keeping a computer or network device so busy handling spurious requests that the device becomes unable to manage the business for which it is intended. Sometimes these attacks are launched from a computer directly under the control of an attacker. Other times the attack is indirect, where a hacker takes control of a remote computer and uses it to launch an attack. (This intermediate computer is called a Zombie). Distributed DOS goes one step further by using a fleet of Zombies to launch coordinated streams, or to send many small bursts so that no one Zombie is easily noticed. (More can be found at http://www.staff.washington.edu/dittrich/misc/ddos/elias.txt)

NACS is undertaking a project to upgrade the campus border router which will provide better management of incoming network traffic. This project includes an intrusion detection system and a firewall to help detect such traffic flows. Additionally, UCI’s border router has already been configured to limit certain types of network traffic which reduces the threat of DOS attacks.

But firewalls and intrusion detection are only part of the picture. The best defense against having a computer being broken into and turned into a Zombie is to keep the system software on it up-to-date (“patched”), turn off all unused network services (“ports”), and to log activity on the system and scan the logs regularly.

Recently, NACS ran a scan on campus subnets looking for Windows 2000 machines running Microsoft IIS5.0, which has a well-publicized vulnerability on port 80 that allows remote hackers to establish telnet sessions with the system. Over 100 potentially vulnerable machines were found on campus, and this information was made available to departmental Computing Support Coordinators. NACS also regularly updates all DCS-supported machines to protect them against known kinds of attacks, and monitors the logs of these machines looking for suspicious connections from the Internet. NACS offers security updates to key support personnel around campus as well. If you do your own support and do detect DDOS activity of the type described by NIPC, please contact nacs@uci.edu. NACS is responsible for evaluating attacks and reporting to the FBI when warranted.