Rice network administrators fear release of Satan

by Kraettli Epperson

Heralded by dramatic proclamations of doom, a powerful new set of network administration tools soon to be released onto the Internet has administrators at Rice and throughout the country worried about security.

The new package is named Satan by its creator, Dan Farmer, and is designed to help system administrators double-check their systems' security for holes.

However, according to Vicky Dean, director of systems and LAN management at Rice, who has used an early version of the programs, the programs are "very likely" to be used by amateur computer crackers to attempt attacks on systems like Rice's Owlnet.

"Basically, someone has gathered together all the tools that hackers have been using before into one easy-to-use package. These are old threats that are [to be] easily obtained and used," said Dean, who is in charge of preparing Rice for its public release.

Farmer, formerly of Silicon Graphics Incorporated, has vowed to release the tools onto the Internet as shareware Wednesday, despite strong protests from network system administrators throughout the world. System administrators everywhere are scrambling to secure their systems for what some expect will be an onslaught of intrusion attempts.

In a memo of March 23 directed to all Rice faculty and staff and posted to the Owlnet newsgroup rice.comp.general, Dean stated that "It is vitally important that we make every effort to apply all outstanding security patches to all systems on campus before the close of business on April 4, 1995. It is equally important to review the configuration of all systems on campus to verify that we are not permitting unintentional access to data."

On Wednesday, Dean reported, "We're aware of our security holes and we've patched them, updating the software ... We don't expect to be compromised ... The bottom line is that Satan is not introducing new threats."

Still, Dean said "We've been testing the beta [pre-release] version. We haven't been able to use it in prober mode yet, so we won't know what the threat will be to Rice."

Dean said, "There's nothing that the average user could or should do about this," adding that the Networking Services has done everything necessary to keep Rice facilities safe for now.

The latest threat, however, has brought older plans to reinforce Rice network security back to the fore.

"We're also working on a longer term solution to security. I spoke today with OSAC [Owlnet Steering Advisory Committee] ... today and they've agreed to be part of a pilot security study," Dean said.

Several systems to reinforce network security at Rice have been under discussion since the first of a series of serious intrusions into the system, beginning in January of last year and repeated in August and December.

Since the last serious intrusion in December 1994, users who are off campus but are attached to the Internet have not been allowed to log into the university network.

"When Owlnet goes down, it is very costly," Dean said. Estimates of losses caused by a single destructive intrusion into an institutional network are typically estimated in the tens of thousands of dollars due to lost research time, data loss and network staff labor to recover from the intrusion.

According to Dean, long-term changes in security are coming and another memo is impending.

"We're thinking about using a perimeter defense rather than our current host-based security. A perimeter puts a gate around Rice and distinguishes between connections from on and off campus ... It is a firewall technology. We're also thinking about using a one-time password certification system. We're testing Kerberos and S-Key," Dean said.

Kerberos' creator describes the program as a way to encrypt information going over networks, protecting the data from interception along the way.

S/Key's distributor says that this program fights hacker programs called network "sniffers" that try to steal user passwords.

According to S/Key's distributor, this program makes sending passwords over vulnerable network lines uneccessary.

Instead of sending the password, S/Key generates a sequence of numbers based on the password and transmits these to the network host computer, which checks them to verify that the user's version of S/Key has the correct password.

This item appeared in the News section of the March 31, 1995 issue.

Copyright © 1996 The Rice Thresher. All Rights Reserved.
This document may be distributed electronically, provided that it is distributed in its entirety and includes this notice. However, it cannot be reprinted without the express written permission of:
The Rice Thresher, Rice University, 6100 Main, Houston, TX 77005-1892, USA.

THRESHER ONLINE HOME PAGE The Thresher Online Project -- ethresh@listserv.rice.edu