Hacking prompts system security measures

Monday, November 23, 1998

Hacking prompts system security measures

COMPUTERS: New project shall combat password stealing,
unsolicited mail

By Angela Sveda

Daily Bruin Contributor

On Nov. 14 at 2 a.m., someone hacked into the computer science
department’s server, and though the break-in was not severe, it
reveals UCLA’s need for a governing body to report such break-ins
to other computer servers on campus.

Over the past few years, there has been a severe increase in the
number of hacking incidents at UCLA.

The Computer Science department alone faces one to two hacking
attempts per week, though only five per year prove to be
successful, said Fabrice Cuq, a programmer analyst for the computer
science department.

This increase in "hack-attacks" can be attributed to the rise in
Internet popularity, where users can go to websites that describe
how to hack into computer systems.

As a result, similar hacking methods are consistently seen, said
Max Kopelevich, manager of Physical Sciences Networking.

"Although departmental systems and network administrators are
aware of attacks they see against their systems, we do not
currently have a good global picture across the whole campus," said
Kent Wada, information technology security coordinator. Wada was
recently hired for the specific purpose of creating this "global
picture."

According to Wada, there are three main challenges facing UCLA.
The first is to understand the increasing complexity of security
exposures.

"Just keeping track of where new security holes have appeared is
a great challenge," he said.

While UCLA uses numerous computer servers that operate
independently of each other, their structure is not homogenous,
said Mike Petersen, manager of Computer Support for Life
Science.

Each server is therefore susceptible to attacks such as
"spamming" and password "sniffers." Spamming is the No. 1 threat
facing UCLA, said Don Worth, manager of planning and architecture
with UCLA Administrative Information Systems.

Spamming is a term used to describe what happens when outside
clients use computer servers such as UCLA’s as a gateway to send
copies of unsolicited e-mail to other outside clients. Although the
perpetrator and the recipient of the "spam" are not affiliated with
UCLA, the actual e-mail carries UCLA’s name.

UCLA then receives complaints from recipients of "spam," while
the perpetrator remains unidentified. Ultimately, spamming slows
down the server.

Another problem facing UCLA’s computer security is password
"sniffers." Hackers may install a password "sniffer," which records
the first 100 or so characters typed into the computer. The hacker
can then test the recorded characters as possible passwords,
allowing entrance into other computer systems. To hackers, UCLA is
appealing because of the high-profile faculty and staff, some of
whom have access to international computer systems.

Technical solutions to security exposures then need to be
understood and finally translated into policy supporting security
efforts.

The Authentication Project is one step toward creating a safer
and more convenient computing environment for the UCLA
community.

One aspect of this project is the development of a "smart card,"
which uses digital encryption to provide a convenient and secure
computer environment. The card will encrypt and decrypt computer
information via the "key" pair system which uses a public key and
private key pair that are two large prime numbers. One of them is
used to encrypt information, while the other is used to decrypt the
same information.

It is better than a password because it requires both the
password and the physical card to gain access to the computer, said
Worth.

Plans are under way to combine the smart card with the
BruinCard.

The smart card also allows users to digitally "sign," or
authenticate, their information. This "authenticated" data is
called a digital certificate.

For example, once an e-mail has been digitally signed, it is
impossible to change any information in the e-mail without
authentication from the smart card owner.

"There is already a focused effort to bring together information
technology security people together on this campus although it is
just starting up," Wada said.

"It’s sometimes difficult for people to appreciate why it is so
important to spend this time and everything; when there are so many
other things they need done," he added.

Comments, feedback, problems?

© 1998 ASUCLA Communications Board[Home]