
Threats to campus computers and networks escalate, and CIT responds

By Bill Steele

Several recent computer security incidents have shown that Cornell Information Technologies (CIT) is well prepared to respond to viruses and other attacks, but that many end users across campus haven't yet learned to be vigilant.

Steve Schuster, security director for the Office of Information Technologies (standing in the rear), relies heavily on his two technicians, Dan Adinolfi (seated) and Mark Scannapieco, to respond to viruses, break-ins and other threats to the security of Cornell's computers and networks. Barry DeLibero/University Photography

In early June, a virus known as "BugBear" began appearing on campus. First news of the virus came to the office of Steve Schuster, director of security for the Office of Information Technologies, at 11:15 a.m. June 5, when the CIT Network Operations Center (NOC) called CIT senior security engineer Dan Adinolfi to report that a virus-filtering program installed on network postoffices 8 and 9 was showing unusual activity.

"There was a sudden increase in the number of e-mail messages being quarantined," Schuster explained. "We see that all the time, but on that day it was huge." On a typical day, he said, perhaps 500 or 600 messages would be quarantined. On the first day of this virus outbreak, there were 5,252, and on the second day, 1,415 quarantined.

At 11:31 the NOC informed Adinolfi that although CIT's filtering software was catching some of the virus-infected e-mail messages, virus reports were starting to come in from across the campus. Schuster also started to get calls directly from network administrators and deans' offices. Postoffices 8 and 9, recently opened, are on a new computer that runs a virus- and spam-filtering program called PureMessage. Users on the old postoffices, 1 through 5, weren't getting the benefits of filtering. (The old postoffices will be updated to use the new systems early in the fall.)

BugBear is technically a "worm," because it spreads by sending copies of itself to other computers. It often arrives as a message from someone the recipient knows, with an attachment that does the dirty work. Worms don't always require the recipient to click on the attachment. This one exploits a defect in Microsoft Outlook Express -- the e-mail program that comes with Microsoft Windows -- that can cause the computer to run the program when the message is simply opened and read, or opened in a preview window. It can also run from a Eudora preview window, when Eudora is set to use Microsoft Internet Explorer to display previews.

The worm creates and sends new e-mail messages to addresses in the infected computer's address book and attaches copies of itself to those messages. The bodies of the messages will contain material from other messages on the infected computer. BugBear was spreading all over the country and the world on June 5, apparently aimed at financial institutions. In addition to making copies of itself, it sends off data from the infected computer that could include such things as credit card numbers and passwords. At Cornell, Schuster said, some of the messages contained sensitive information.

Schuster's office checked with Symantec, the makers of the Norton Anti-Virus software widely used on campus. "They already knew about it and were preparing updates [to Norton], but the first download didn't work. Everybody sat there and kept hitting refresh on the Symantec Web site," Schuster recalled. Twenty minutes later, at 1:10 p.m., a workable update came through. Then Schuster's staff and network administrators across the campus began patching their systems and cleaning up infected machines. Cleanup probably took an average of one and a half hours for each infected computer, Schuster said. He estimates that 150 to 200 computers across the campus were infected. One group saw nine of its computers infected, with administrators there spending a total of 15 hours to clean up.

Around July 1, a different kind of attack surfaced, in which a large number of intruders tried to exploit a newly discovered vulnerability in several versions of Microsoft Windows. Computer professionals had been aware of the vulnerability for several weeks, and Microsoft had made patches available to correct it. CIT did its best to make sure that system administrators at Cornell were aware of the availability of the patches, but not all applied them. In mid-July, applications were being circulated on the Internet that would allow relatively unskilled hackers -- what the industry calls "script kiddies" -- to try breaking into unpatched computers.

While many unpatched computers were protected by firewalls that control the kinds of connections outsiders can make, Schuster estimates that about 100 computers on campus were compromised. So far there have been no reports of data lost or other damage on campus, but again, many hours have been spent in patching and repairing.

On Aug. 2, yet another worm began circulating via e-mail. This one, officially known as W32/Mimail, ingeniously spoofs its return address to contain the domain name of the recipient, so Cornell users got messages that seemed to be from "admin@cornell.edu," even if the message actually came from Singapore or Latvia. The message announced that the recipient's e-mail account was to be cancelled, encouraging many people to click on the attachment. So far there are no reports on how many Cornell computers were affected. This was followed about a week later by a worm called W32/Blaster, which travels over networks rather than via e-mail. It does not harm infected computers but is designed to cause all of them to launch a "denial of service" attack on the Microsoft Web site that distributes patches and updates.
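The Mimail trick described above, a sender address forged to carry the recipient's own domain, can be caught at the mail gateway by comparing the claimed sender domain with where the message actually entered the campus network. The following is an added example, not code from the article or from CIT's PureMessage setup; the campus domain, the relay names and the sample headers are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed for this example, not taken from the article):
# the campus domain, and the relays trusted to write honest Received: headers.
INTERNAL_DOMAIN = "cornell.edu"
TRUSTED_RELAYS = {"postoffice8.cornell.edu", "postoffice9.cornell.edu"}

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+([^\s;]+)", re.I | re.S)

def entry_host(msg):
    """Return the host that handed the message to the first trusted relay.

    Each hop prepends its own Received: line, so reading top to bottom, the
    first line stamped 'by' a trusted relay whose 'from' host is not one of
    our own relays is where the message entered campus. Anything below that
    line could have been written by the sender and is ignored."""
    for line in msg.get_all("Received", []):
        m = RECEIVED_RE.search(line)
        if not m:
            continue
        src, relay = m.group(1).lower(), m.group(2).lower()
        if relay in TRUSTED_RELAYS and src not in TRUSTED_RELAYS:
            return src
    return None

def is_spoofed_internal_sender(raw):
    """True when From: claims the campus domain but the mail arrived from outside."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() != INTERNAL_DOMAIN:
        return False  # claims an outside sender: not the Mimail pattern
    src = entry_host(msg)
    if src is None:
        return False  # never crossed a trusted relay: cannot judge
    return not (src == INTERNAL_DOMAIN or src.endswith("." + INTERNAL_DOMAIN))

# Constructed sample messages (203.0.113.5 is a documentation address).
MIMAIL_STYLE = """\
Received: from mail.example.net (mail.example.net [203.0.113.5])
\tby postoffice8.cornell.edu with ESMTP id 1
From: admin@cornell.edu
To: user@cornell.edu
Subject: Your e-mail account will be cancelled

"""
INTERNAL_MAIL = """\
Received: from desk42.cs.cornell.edu (desk42.cs.cornell.edu [10.0.0.42])
\tby postoffice9.cornell.edu with ESMTP id 2
From: colleague@cornell.edu
To: user@cornell.edu
Subject: Meeting notes

"""
```

A real gateway would also consult the 5-byte envelope sender and any authentication results, but the Received: chain alone is enough to separate the two constructed messages.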

The moral for computer users? Be paranoid: "Never open attachments from people you don't know," Schuster advised. "Before opening any attachment, ask yourself if you expect to be getting this attachment. Unless you know the sender and you are expecting an attachment from them, do not open the attachment. And always keep your anti-virus software up to date."

Schuster hopes to propose new security measures for the Cornell system and is collecting data on the impact the recent attacks have had on the campus.

Computer security help

  • Cornell has a site license for Symantec's Norton Anti-virus. It is free for use on any university computer and by any member of the Cornell community on a home computer. The software can be downloaded through Bear Access or from the CIT Web site at http://www.cit.cornell.edu/software/downloads/antivirus/.

  • CIT recommends using Eudora for e-mail rather than the vulnerable Outlook Express, but for users who insist, there are a number of steps that should be taken to reduce risk, spelled out on the site at http://www.people.cornell.edu/pages/drb1/Windows/OutLookExpress/OutLookExpress.htm.

  • For more information on keeping your computer secure, visit the CIT security page at http://www.cit.cornell.edu/computer/security/.

  • For other computer-related problems, call the CIT HelpDesk at 255-8990.



August 21, 2003
