Last update: Mon Dec 12, 2005
These days security is a vital part of our operations, not a luxury.
Recently (Nov. 1999) Astronomy Department computers were compromised by
hackers. To prevent further invasion across the University, the Astronomy
Department was entirely disconnected from the rest of campus and the Internet
for 3 weeks - no e-mail, no WWW, no file transfer - while the operating
system of each of their computers was reinstalled. Our goal is to minimize
the chances of a similar disaster for the Chemistry Department.
THE INTERNET IS NOT A FRIENDLY PLACE ANYMORE!
This incident demonstrates again how dangerous the Internet has become.
Since hackers constantly find new ways of exploiting security
vulnerabilities in operating systems and applications, we have to spend
considerable time and effort to counter those threats. We will never achieve
perfect security, but well thought-out measures can go a long way both in
reducing the risk of being broken into and minimizing the impact a potential
break-in would have.
Unfortunately, security and functionality are often conflicting goals, and
they require a delicate balance. We don't want to be wide open to any bored
high school student who downloads readily available exploit scripts from the
web, but we also don't want to make it impossible for our users to read their
email or access their files in some form from outside the Department.
On average, most if not all our computers are "scanned" about three times a
day, 7 days a week, from somewhere on the net. "Scanning" computers is the
equivalent of walking from house to house in a neighborhood and checking
whether entry can be gained through various methods: one "scan" would check
out all the windows and look for open unsecured ones, another scan would
check all front doors, then another scan would check for garage doors, and so
on. These scans may be run by different people, and from different places all
over the world. Scans are fully automated, carried out by programs (scripts) that can
be downloaded from websites. Claiming that one's own house would not become a
target because it doesn't look fancy from the outside and because there is
nothing of real value inside is beside the point in cyberspace, since scans -
unlike real burglaries - are usually not aimed at any particular "house", but
at a wide range of "addresses", e.g. all of Upper Arlington between Lane
Avenue and Fishinger Road. Unlike physically walking from house to house,
scanning the equivalent of Upper Arlington would take only seconds or
minutes. Even if your house doesn't contain anything of real value, if the
intruders find an unsecured window, they will enter the house, leave a mess,
and you (or Computer Support) will have to clean up. And, unlike with real
burglaries, once a hacker breaks into one computer, he has gained a foothold
and can use this computer to break into other computers or launch denial of
service attacks, within the
Department or elsewhere. If 'elsewhere' happens to be a military site or
a popular web site such as Yahoo, Amazon, etc., the
FBI will put the University under considerable pressure and insist that all
network connectivity to the entire building or Department be blocked
immediately. This happened earlier this year on campus, and we certainly
don't wish to have it happen to us.
Also, it cannot be overemphasized that hackers, once they've gained access to
your computer, can delete files and even modify data (which is even more
insidious). The results of years' worth of work can be destroyed in an
instant, and you cannot rely on the validity of your research data any more.
If not for our firewall, many of these scans would find some vulnerability
for which an exploit script (the automated tool that performs the
"burglary") exists, and they would result in break-ins. There are about 500 computers
in our Department, and it is a practical impossibility to secure each and
every one of them, largely because we don't have direct control over the
majority of them. We have no way of knowing that graduate student X has
received a new computer (probably running Linux) and that this machine is now
on our network, badly configured and wide open to attacks.
The Network Security group at OIT has been performing regular scans of all
hosts on campus. They use commercial security scanning tools and send
detailed vulnerability reports to all system administrators and to OSU's
Internal Audit office. One can assume that Internal Audit will exert
pressure on Department Chairs whose departments have serious security
vulnerabilities and who are not showing any signs of improvement. Thus it is
in the interest of the entire Department to maintain good security.
Computer Security is not something that we can accomplish alone. We depend on
all of you, our users, to cooperate and help us to minimize risk and be as
secure as we can be. Some of our measures may seem inconvenient and may
require you to learn something new, but you can be assured that we don't
implement them in order to keep you from doing your work.
To quote Alan Paller, director of research at the SANS Institute (System
Administration, Networking, and Security) in Bethesda, MD (Computerworld,
Feb. 21, 2000, Vol. 34, No. 8):
We must stop accepting the excuse of "There's nothing
worth protecting on my systems." Maybe there's no critical data there, but a
system connected to the Internet is a loaded weapon, and it shouldn't be left
out where criminals can use it to attack others.
For more information on security related topics, check out the
Security section of our web pages. In particular, go to
the following link:
Home Network Security (CERT)