Did anyone learn from "The Cuckoo's Egg"?

Printed in InfoTech Weekly, April 1995, under the headline "There's Still No Heavy Hand on Hacking". This followed the apprehension of a couple of ratbags who had obtained passwords to a couple of older Victoria University of Wellington systems and used them to download pirated software.

Since said ratbags were using dictionary attacks on the password files of the attacked computers, the effect was that all passwords had to be changed, affecting several hundred users. We were Not Amused.

Fortunately, since this incident, shadow password files have become standard equipment on Unix systems, but it took a very long time. Now vendors make life interesting for security administrators by putting buggy software like Sendmail on systems. Heavy sigh.

Everyone just loves having their security woes adorning the newspapers

By the time IT Weekly published the story about intrusions into Victoria University's computers, however, the evidence required to apprehend the intruders had already been gathered and the police informed.

In fact, the news story had been prompted not by the break-ins themselves but by the cleanup afterward, during which, over the preceding week, some 30 users' passwords, including one belonging to the campus radio station, had been changed to lock the intruders out.

In the 1970s, the designers of the Unix operating system thought that one-way encryption was sufficient security against passwords being guessed, and for convenience, placed the encrypted password in the same file that contains other information about users, which can be read by all users on that system.

Although there are nearly seven quadrillion possible Unix passwords, real passwords have to be remembered by people, and thus the number of plausible combinations is a very tiny fraction of that figure. Trying every word in a dictionary, along with some simple transformations, is well within the capability of even cheap desktop computers.

Some 1,000 users had access to the two compromised computers. By running a similar attack on the two computers ourselves, we discovered about 30 insecure passwords. These we disabled and required that the legitimate owners present themselves in person to assign a new password, reasoning that if we could crack them, we must consider them already cracked.

Most of the breakable passwords were not guessable by a human being. Choosing passwords that are safe against increasingly sophisticated dictionary attacks is an arms race. Intruders can get faster computers and better algorithms but people can't upgrade their brains. Password changing programs can be made to only accept more and more "secure" passwords, but then users can't remember them and have to write them down, weakening the very security we're trying to improve.

The only answer is to step out of the game by storing encrypted passwords in shadow password files, separate from other user information and readable only by privileged programs.
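An administrator wanting to confirm that a system has actually stepped out of the game can check two things: that the world-readable passwd file no longer carries any hashes, and that the shadow file is not readable by ordinary users. The audit below is an added example, not code from the article or from any vendor's security kit; the two passwd samples it examines are constructed, and the shadow file modes passed to `shadow_mode_ok` are assumed values rather than anything read from a real host.

```python
"""Audit a Unix password database for the weakness the article describes:
password hashes sitting in the world-readable passwd file instead of a
privileged-only shadow file.  Added example; all sample data is constructed."""
import os
import stat

# Constructed sample of a pre-shadow /etc/passwd: field 2 holds a real hash.
LEGACY_PASSWD = """root:XzQ1aBcD2eFgH:0:0:root:/root:/bin/sh
alice:k7Lm9NoPqRsTu:1001:100:Alice:/home/alice:/bin/sh
radio:*:1002:100:Campus radio:/home/radio:/bin/sh
"""

# Constructed sample of a shadowed /etc/passwd: field 2 is just the marker 'x'.
SHADOWED_PASSWD = """root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
radio:x:1002:100:Campus radio:/home/radio:/bin/sh
"""

# Field-2 values that carry no hash: shadowed ('x'), or locked/disabled.
NON_HASH_MARKERS = {"x", "*", "!", "!!"}


def audit_passwd(passwd_text):
    """Return (user, issue) pairs for entries that expose a hash or need no password.

    Anything in field 2 other than a known marker is treated as hash material,
    so a locked-but-hashed value such as '!abc...' is still reported as exposed.
    """
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; skip rather than guess its layout
        user, pw_field = fields[0], fields[1]
        if pw_field == "":
            findings.append((user, "empty password field: login needs no password"))
        elif pw_field not in NON_HASH_MARKERS:
            findings.append((user, "hash stored in world-readable passwd file"))
    return findings


def shadow_mode_ok(mode):
    """True if an st_mode value grants 'other' no access and 'group' no write.

    A typical secure shadow file is mode 0640 (root:shadow) or 0600; 0644 would
    hand every local user the hashes again, defeating the point of shadowing.
    """
    return (mode & stat.S_IRWXO) == 0 and (mode & stat.S_IWGRP) == 0


def audit_live_system(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Run both checks against real files; returns a list of human-readable findings."""
    report = []
    try:
        with open(passwd_path, encoding="utf-8", errors="replace") as fh:
            for user, issue in audit_passwd(fh.read()):
                report.append(f"{passwd_path}: {user}: {issue}")
    except OSError as exc:
        report.append(f"{passwd_path}: cannot read ({exc})")
    try:
        mode = os.stat(shadow_path).st_mode
        if not shadow_mode_ok(mode):
            report.append(f"{shadow_path}: mode {stat.S_IMODE(mode):04o} is too permissive")
    except OSError:
        report.append(f"{shadow_path}: not present (no shadow file on this system?)")
    return report


if __name__ == "__main__":
    # Demonstrate on the constructed samples first, then on the running host.
    print("legacy sample :", audit_passwd(LEGACY_PASSWD))
    print("shadowed sample:", audit_passwd(SHADOWED_PASSWD))
    for finding in audit_live_system():
        print(finding)
```

The mode check treats group read as acceptable because many systems deliberately give a `shadow` group read access for login helpers; tighten `shadow_mode_ok` to require 0600 if local policy demands it.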

In "The Cuckoo's Egg", Clifford Stoll describes how he discovered dictionary attacks being used to crack passwords in 1987. The technique was well known even at that time, and yet the advice has always been "choose better passwords", placing the onus on each and every individual user to guard against a fundamental system flaw.

Operating system vendors have been very slow to fix the real problem, and have done so in a decidedly half-hearted fashion. Often, shadow password files are only available by adding a "security kit", requiring much extra time and expertise to install them and then persuade other software to work with them.

The systems that were compromised did not have shadow password files available, despite being brought to current releases within the last two years. In one case, fixing the deficiency requires complete replacement of the computer.

These are two machines out of a large number on campus, many of which would require significant investment in time and effort to make properly secure.

More than two person-weeks were wasted tracking down the intruders and securing the compromised computers. That does not take into account the time that legitimate users were unable to use their access to the University's computers.

The law, alas, completely ignores this. Neither the intrusions into our computers nor the software piracy carried out using our equipment and networks are crimes under New Zealand law. Computer intrusions are simply not recognised in any way, and losses deliberately caused by the intruder must be proven to make any related charges stick. (Software piracy is a civil, not criminal matter.)

After some discussion with the Police Fraud Squad, and with much assistance from Telecom and administrators of other attacked systems, we were able to show that the two teenagers had used their illegitimately obtained access to our computers to obtain $400 worth of network traffic through the NZ Internet gateway at Waikato University, and had therefore obtained credit by fraud. Search warrants were then issued, the teenagers visited and computers seized.

While we are most grateful to the Fraud Squad for their help, we must observe there is no group in NZ to deal with crimes involving computers within the Police or any other agency. It was up to ourselves and Telecom to provide and present all the evidence required to apprehend the intruders.

Anyone who has read "The Cuckoo's Egg" will find the technical problems and the lack of any official computer crime unit or legislation described above hauntingly familiar. In the seven years since the book was published, very little has changed.