ITS Offsite Workshop 2002
IT Security
ITS Offsite Workshop 2002
• Security Issues and PolyU Cases
• PolyU Computer Systems Security Policy
• ITS/CLO Partnership In IT Security
Security Issues
Security Issues
PolyU cases
Chan Ping Fong
Senior Computer Officer
Information Technology Services office
Security Issues
Universities are known to be
vulnerable spots !
Security Issues
Typical University IT Environment ...
• 10,000+ networked devices
• Very high-speed, high-capacity
networks with fast connections to the
• Hardware and software deployed are
significantly diverse
Security Issues
Typical University IT Environment ...
• Usually first to implement new
technologies, sometimes even before
they are matured
• Residence Halls networked
• Networked systems are being probed
continually for vulnerabilities
Security Issues
Typical University IT Environment…
• Computer locations vary widely, from
under a someone's desk to professional data
• Departments control own technology and
mostly act independently
• Non-existent or under-staffed
technical/security staff
Security Issues
Typical University IT Environment
• Hundreds of people authorized to access
confidential information from central
• User can extract data to any networked
device, to use local manipulation tools
• Once extracted, no one knows on which of
the thousands of networked devices sensitive
data is hosted
Security Issues
Typical Security Threats
Virus Attacks
Hacking and Cracking
User Abuses
Spam Mails
Denial of Service (DoS) Attacks
Cases reported and complaints received
almost everyday
Security Issues
Virus Attacks
I Love You
Code Red and Code Red II
Security Issues
• Multiple attack mechanisms
 Spreads via email ( not an attachment )
 Spreads via visiting infected web page
 Targeting 16 vulnerabilities !! ( some IIS, but not all )
• Nimda also threatened internal
Unlike CodeRed, which was only attacking IIS servers
Windows 9x and NT vulnerable via ‘open share attack’
Attacks IIS via Web Folder Transversal ( malformed ‘get’ )
And also via an incorrect MIME header
Security Issues
• Any PC on the NET communicate by using
• Any one could knock on your doors
– There are 65535 ports
– Your machine may serve any of 65536 ports
• Port scanning by hackers
– Find out the weakest link
• Force you busy, can’t do any useful job
– Denial of Service (DoS attack)
Security Issues
• Member of HARNET
– Another cyber community on the Internet
• More web applications on campus network
– More expose & risk
• Restricted access from outside
– By PolyU firewall, proxy server & VPN
• Limited restriction on access PCs within campus
– Protected by switches and routers
– Protected by departmental or personal firewall
– Rest, limited restriction
Security Issues
Hacking and Cracking(Before)
• Only really good hackers could crack
• Difficult to write programs to affect
Operating Systems
• Cracking was “expensive” – learning curve
and time
• Most cracking had specific purposes – e.g.,
financial gain, espionage, sabotage
Security Issues and Problems at PolyU
Hacking and Cracking (Now) …
• Veteran crackers are “publishing” code
for neophyte crackers: e.g., log-wipe
• Operating system and application APIs
are easy to use: e.g., Microsoft VBS
• More complicated operating systems
and software cause more bugs
• Automated vulnerability scanning
Security Issues
Hacking and Cracking(Now)
• Cracking for profit: e.g., credit card
theft, industrial espionage
• Cracking for fun: e.g., “script kiddies”
• Cracking for political reasons: e.g.,
PRC Government webpage
• Cracking as part of cyber-warfare
Security Issues
Cracker Mentoring
• Veteran crackers writing and publishing
• Cracker tools exist for cellular, voice,
data communications
• Cracker FAQs exist for almost all
Security Issues
Typical Hacking and Cracking
• Unauthorized access
• Cracking password
• Trojan horse
• Tapping
• Remote capture of someone’s
Security Issues
Typical User Abuses
• Download huge files
• Send out unsolicited massive emails
• Steal and sell email addresses
• Steal and leak out passwords to
Security Issues
Typical User Abuses
• Put unlicensed software/films/songs for
others to download
• Conduct commercial activities using
PolyU IT facilities and resources
Security Issues
Spam Mails
• Chain letters
• Spreading large number of e-mails
to many different users
• Mail relay
Security Issues
Denial of Service Attacks
• Port Scanning
• Ping Flooding
• Mail bomb
• Re-broadcasting of unwanted
Quote From Richard A. Clarke
“The Internet was built without a government or master plan.
It was also built without security as part of the central
design. Our entire infrastructure is vulnerable because
security was not designed in from the ground up.”
Richard A. Clarke,
National Coordinator for Security,
Infrastructure Protection, and Counter-Terrorism,
speaking at the Washington D.C. Summit, 18 April 2000
Quote from Computer Economics
“It is estimated that the worldwide impact of malicious code
was 13.2 Billion Dollars in the year 2001 alone, with the
largest contributors being SirCam at $1.15 Billion, Code
Red (all variants) at $2.62 Billion, and NIMDA at $635
Computer Economics,
2001 Economic Impact of Malicious Code Attacks,
02 Jan 2002
It’s a wild world
• Every week we see new break-ins, new attack tools, new
• 2002 CSI/FBI Computer Crime and Security Survey (503
– 90% of respondents detected “unauthorized use of computer
systems” in the last 12 months;
– The combined losses from just 223 respondents total $445
– $170 million from “theft of proprietary info” and $19 million
from “system penetration”
Top 10 Attack Source by Country
2.0% 2.5%
d Sta
t es
Un it e
K orea
Sout h
C hin a
G erm
Fr a n c
Ta iw
It a l y
Brit a
G rea t
Ja pa n
Top 10 Attack Sources per Internet Capita “ in
terms of number of attacks per 10,000 Internet Users”
Is r a e l
Ho n g
Tha il
K orea
Sout h
Fr a n c
Tu rke
ys ia
Ma la
Pola n
Ta iw
Den m
a rk
Some Security News …
• Bugbear-Worm tries to steal credit cards and passwords.
10 Oct 02
• CERT Advisory Trojan Horse Sendmail Distribution. 08
Oct 02
• W32/Bugbear-A continues to cause problems. 07 Oct 02.
• Cyberattacks against energy firms rise, 09 Jul 02.
• Hacker swipes $35,000 from Singapore Bank, 05 Jul 02.
Security Issues and Problems at PolyU
Intrusion Purposes/Consequences …
• Unauthorized access to data
• Installation of malicious code to collect
passwords, keystrokes, or other data in
• Huge consumption of network
resources, leading to slow to no
response on campus network
Security Issues
Intrusion Purposes/Consequences
• Loss of machine power for intended
• Defacement for political reasons
• Installation of programs to support
attacks on internal or external systems,
e.g. DDoS zombies
Security Issues
• URL of incident
Note to the administrator: You should really enforce stronger passwords. I
cracked 75% of your NT accounts in 16 seconds on my SMP Linux box.
Please note the only thing changed on this server is your index page,
which has been backed up. Nothing else has been altered.
IT Security Stories
Should it take an incident to wake us up?
Indiana U Office of the Bursar (2001)
IU Faculty Research Information
Database (1997)
University of Michigan patient records
University of Washington patient records
Stolen passwords at Berkeley, UCLA,
Many other cases not publicized
Recent Case at our Sister University
A student hacked into the PCs of 4 other
Accessed the homework of other
Obtained the password of another
Impersonate and withdrew the
classmate from university
The PolyU Real Cases
Real Case
The PolyU Real Cases
PolyU Real Case 1
E-Mails sent to staff in the same department
framing senior members of sexual abuses
ITS investigated and located the source
being another institution in HK
Case reported to police and a member in
that institution identified
Police decided not to pursue due to ‘public
The PolyU Real Cases
PolyU Real Case 2 …
Departments (and some students) sent
out surveys and promotional e-mails to
large number of recipients
Recipients regarded that mail spamming
and filed complaints to PolyU
Some recipients (ISP) blacklisted PolyU
and barred PolyU e-mails
The PolyU Real Cases
PolyU Real Case 2
Some Departments requested ITS to help
but disregarded ITS’s advice and kept on
Case reported to the Human Subject
Ethics Subcommittee
The PolyU Real Cases
PolyU Real Case 3
Millions of short enquiry packets (pings)
sent out to Internet by a Department
Ate up over 80% of PolyU’s Internet
bandwidth for 2 hours
ITS traced two machines in the
department’s lab and 100s of hours wasted
Nobody was identified due to no log kept in
Many more similar cases detected in the
same department
The PolyU Real Cases
PolyU Real Case 4 …
A graduate student sent out large volume
of e-mails on the Internet to solicit money
to help his sick wife
Over 200 complaints were received by
ITS from all over the world
Some recipients reported to their police
and activated investigation by HK and
PRC police
The PolyU Real Cases
PolyU Real Case 4
During the investigation, it was also
found that the student had also used the
PolyU IP address to register and host a
commercial website for business activities
Case reported to the Head
The PolyU Real Cases
PolyU Real Case 5
A graduate student sent out more than
once obscene e-mails to over 200 selected
recipients in the media and the HK
higher education community to attack a
senior staff in his department
Vast amount of time spent in the
investigation. More than 200 man-hours
just in ITS plus that of the senior management
The PolyU Real Cases
PolyU Real Case 6
The lab instructor of a training course
mistakenly generated an infinite loop among
the campus Netware servers
Paralyzed the whole campus network which
finally had to be shut down and restarted
ITS spent over 100 man-hours to trace the
problem and the instructor and fixed the
The PolyU Real Cases
PolyU Real Case 7 …
Code Red, Code Red II and Nimda Viruses
ITS sent out alerts and patches to all users
ITS called urgent meetings with departments
ITS identified and isolated infected ports to
contain the impact
Over 300 PolyU PCs affected by Nimda
The PolyU Real Cases
PolyU Real Case 7
Affected machines in turn degraded
performance of the campus network
and Internet
Damage considered small compared
to two other HK institutions which
had to shut down the entire campus
network to ‘stop the bleeding’
The PolyU Real Cases
PolyU Real Case 8
Some Linux machines in some departments
were attacked
They became the ‘launch pad’ of port scanning
to other machines on campus and the Internet
ITS received many complaints
The department refused to take action and ITS
had to disable their ports from the network
The PolyU Real Cases
Other PolyU Real Abuses
Theft of passwords
Use PolyU IT resources to solicit money
Use PolyU IT resources to run business
Give computer accounts to other persons
Insult other users on Internet with foul
Mail bombs
The PolyU Real Cases
Institutional Risks
• Reputation of the institution
• Increases the risk of suits filed by
students and others and associated
• Wastes of resources
The PolyU IT Security
• Prevention is better than cure
• Users cooperate and follow ITS advices
• Must be secure to sustain the
• The cooperation of CLO is essential
IT Security
Thank you