The system was running slow. Anybody who has worked with a computer system knows that happens sometimes. I was watching it, but wasn't especially worried.
Then, on July 17, I got an e-mail message from the system administrator of the Royal Military College in Canada. He wrote that he had received some "unwanted attentions" from somebody calling in through the Internet, originating from OUR computer. He told me the accounts that this person had tried to log into -- all old accounts that our system software didn't use anymore. But I checked to make sure, and did find one old account that I removed.
On July 19, I got another call, this one from the Weber College in New York State. Same thing -- somebody tried to break into their library computer from ours.
This time, I called our Ameritech Library Services technical support staff in Provo, Utah. We both started looking at our computer on a random basis, every day. Nothing showed up.
On July 24, I got a phone call from a friend, someone running another library computer system, this one right here in Colorado. Excited, he announced that he'd just tossed somebody off his system, someone who was prowling around with "superuser" privileges (accounts which give you access to every system file, and the ability to add, revise, or delete virtually anything). My friend said he'd seen this person -- who was using an account called "hume" -- flee back to my system.
Immediately I logged in, and there he was -- an account called "kant." At this point, I unplugged our connection to the Internet. "kant" disappeared.
We stayed off the Internet for about five days to assess the damage. We found some 40 megabytes of data on our system in the "kant" account. We learned that kant tended to use our system most in the wee hours -- from 1-4. We learned that he had connected to our computer from a terminal server at the University of California-Irvine.
The contents of his directory were eye-opening. He had programs that sniffed out system passwords (to allow him access to the system). He had programs that when he logged off, went around and erased the obvious signs of his presence. He also had huge text files that spelled out in clear, beautifully organized prose, how to "crack" almost any kind of computer system. It was a complete hacker curriculum.
After five days of work with our Provo people, we re-opened our Internet connection. We had left a lot of kant's files alone -- which we were still examining -- but thought we had plugged the obvious holes.
On Monday, July 31, 10:30 p.m., I dialed into our computer to check it just before I went to bed. He was back.
The next three hours were a little frantic. From my home, I logged kant off the system, then hurriedly looked around the system to see what he'd done this time. Almost immediately, he logged back in, under another account name, but again with superuser privileges. I threw him off again. Then he came back on as kant. I threw him off. Then I got thrown off.
Then I logged back in and this time got a message from one of our people in Provo. "Why are you throwing me off?" he asked.
Cautiously, we tested each other. "What's my extension?" he asked. I told him. "Who's my team leader?" I asked. He told me. I started to apologize for over-reacting, when kant came back on again. He even had the effrontery to try to strike up a side-conversation with my system support person!
Finally, our Ameritech associate shut off the Internet access through software. And over the past week, we've taken a hard look at EVERYTHING.
We've erased kant's files (then up to 61 megabytes) -- and uncovered a few other tricks that gave him access to our machine.
Every single password has been changed. We've installed a variety of operating system patches to plug some little-known bugs that can be exploited.
Here's the good news: the hacker COULD have wiped out every single file we've got. He didn't. As near as we can figure, he (and it could well be a she -- I just THINK of kant as a he) was just appropriating our $100,000 computer as his personal toy, apparently setting it up as a hacker-friendly waystation on the cracker network. He wasn't interested in any of our data (other than passwords).
Here's the bad news: although we'll be back up on the Internet by the time you read this, and although we think we have vastly improved our computer security, we've also learned that absolute system security isn't possible.
Computers are like houses -- you can make them difficult and inconvenient to break into, but there's always a way around it.
Next week: hacking and the law.
Welcome
This blog represents most of the newspaper columns (appearing in various Colorado Community Newspapers and Yourhub.com) written by me, James LaRue, during the time in which I was the director of the Douglas County Libraries in Douglas County, Colorado. (Some columns are missing, due to my own filing errors.) This blog covers the time period from April 11, 1990 to January 12, 2012.
Unless I say so, the views expressed here are mine and mine alone. They may be quoted elsewhere, so long as you give attribution. The dates are (at least according my records) the dates of publication in one of the above print newspapers.
All of the mistakes are of course my own responsibility.