UC Berkeley Cleaning up its Security Act

Bob Brown writes "UC Berkeley recently issued a scathing self-assessment of its IT department, which has been under fire in the wake of a couple of high profile security lapses at the school. NetworkWorld has a review of what the school's top networking guy says is being done to both secure and strengthen UC Berkeley's computer networks."

The Article

[zaguar]

Security... NEXT PAGE
has lapsed... NEXT PAGE
but we are... NEXT PAGE
doing our best... NEXT PAGE
trying to... NEXT PAGE
improve. END ARTICLE

Faulty Password Protection

[Xaositecte]

Obviously they haven't been rotating their passwords frequently enough, just force everyone to change theirs every three weeks and all security problems will be solved!

Re:Faulty Password Protection

[linj]

You'll end up with cycling passwords of "hello" and "password" every three weeks.

Re:Faulty Password Protection

[joe+155]

It sounds like you might be making a joke about this one but at my university (University of Warwick, uk) they had the worlds most lax attitude to security it was insane. There were several huge security leaks and no one seemed to question why they weren't using and changing secure passwords... someone script kiddie broke into the main server (taking all of our private info stored on it) using nothing more than a simple brute force crack... it gave in so easily because they'd used a word from a standard dictionary... I figure it would have taken no more than 60 seconds to get in. The moral of this and the UC Berkeley story is this; don't trust a university IT dept with any of your private information, store nothing on their computers, use a different password for the log on there and for everything else (if you insist on using the same one everywhere)

Re:Faulty Password Protection

[LilGuy]

You know, having so many rules might narrow down the crack time as well, if you know what they are. Obviously if you can get a huge dictionary, you won't need to try any combination of characters with a word in it. You won't need anything less than 8 characters, and you'll have to try at least one capital letter and a number, but most people will probably use two. People tend to like symmetry even in their passwords because it makes it easier to remember one half of something and then just spit it out again backwards. The non-alphanumeric character is kinda the stickler though. My best guess is that it will either be in the middle of the password or at the very end... probably by someone getting frustrated on their 10th attempt to set the password and finally figuring out what a non-alphanumeric key is.

But I'm not saying it's not a good idea. I just wanted to point out that the more rules you have to make your passwords secure, the less secure they may become.

Re:Faulty Password Protection

[Lewisham]

That's ridiculous.

I had heard bad stories about the IT provision at Warwick (particuarly their Resnet service), but didn't realise it was that bad.

Here at Bristol, I've worked for our Resnet over the summer, which is housed along with the IT guys. Security is absolutely paramount, and even for little Resnet projects, we would sit down for a couple of hours for a threat assessment (SQL injection, what happens if a dictionary attack succeeds, could we place exponential back-off on the login page).

That said, the physical security wasn't paid proper attention and some guys just broke in and stole thousands of pounds worth of rackmount computers from the machine room. Obviously they knew that the good stuff was down there, so they must have had some intelligence, but it should not have been so easy to get it. That's all changed now. You'd be lucky to get out with anything now.

Re:Faulty Password Protection

[bensafrickingenius]

"You'll end up with cycling passwords of "hello" and "password" every three weeks."

There needs to be a "whoosh" mod category. Can you guys at slashdot get working on that?

Grandparent knows that the password rotation scheme is common practice in *many* environments, and was pointing out the uselessness of such a strategy. It's called "illustrating absurdity with absurdity"

From TFA

[graemecoates]

Both have incredible amounts of data. As for clustering, there are a few computational clusters already around campus for traditional math, physics, astrology

Good to see they know what the networks are *really* being used for...

Hmmmm

[Sqwubbsy]

Kind of reminds me of the Harvard story where someone pointed out the lack of firewalls.

I wonder what kind of information is readily available? ;-)

Re:Link to print version

[Whiney+Mac+Fanboy]

God, that was silly of me! (didn't check the URL before posting)

Here's the article text, moderators, please mod the parent into the ground!

Securing UC Berkeley's network

School looks to shore up security in wake of breaches.

Linda Leung,Network World,04/24/06

The University of California at Berkeley has made a name for itself in networking, with innovations such as Unix, Berkeley Internet Domain Name, Smart Dust and SETI@home. But the school has made headlines over the past few years for some things of which it is less proud, namely a couple of security breaches (a stolen laptop containing personal information on graduates and a compromised database of California residents).

At the start of this year, the university published a scathing self-study of its Information Systems and Technology department. It acknowledged the school's advanced IT network and talented professionals but recommended radical changes to the IT department's governance and structure (read the report).

Clifford Frost, director of Berkeley's Communications and Network Services (CNS), recently spoke with Network World Senior Online News Editor Linda Leung about what the university is doing to ensure that when people think of the school, they think "innovation," not "infiltration."

How has IT evolved at the university?

It's been haphazard. In the case of the network, it's been pretty organized. Back in the '80s, there were campuswide committees that said networking is going to be important so let's start building it up now. The campus financial and administrative systems are pretty advanced. But campus student systems [such as online registration and course catalogs] are less well-funded and organized because there has not been a single high-level sponsor. This is one of key things the campus is open to addressing in the reorganization.

Also: What makes Harvard's net tick

What is your security plan?

Every networked device has to have its operating system kept up to date with security patches - Windows 95 is not allowed unless you buy a separate firewall device and stick it in front of [Windows 95]. There are microscopes controlled by old operating systems - [the owners] have to put a firewall in front of them. We have software that people can use for free - they don't have to buy their own firewall or anti-virus software.

Having a policy only goes so far. McAfee's Foundstone scanner allows us to scan the network continuously for vulnerabilities. [If something is found] we tell [the device owners] to fix it or we turn off their access. Departments can log in and scan their own nets.

How else do you secure the network?

We do intrusion detection at the border of the campus network and more and more inside the network. We monitor to detect when systems have been broken into or are being broken into or about to launch an attack, and we can turn them off. We use McAfee IntruShield Snort, Nessus and Bro Intrusion Detection System. [Intrusion detection] is a big issue because we've had some pretty big security breaches on campus [see stories hereand here]. There is a big thrust in getting people to encrypt data on their desktop or laptop.

How do you get ahead of the security challenges?

The latest thing we're doing is getting people on campus to audit their systems, and the recommendation is to remove [sensitive i

20 years later and still the same

[penguin-collective]

Berkeley UNIX (the original BSD) was full of security holes. It shipped with such beauties like being able to get a shell by typing the right command at the SMTP server and multiple buffer overflow bugs in just about every server and command line program. And many people knew about it, both at Berkeley and elsewhere, but nobody cared much until the Morris worm. Apparently, while the world has moved forward, Berkeley still isn't taking security all that seriously.

Education vs. Change

[Dekortage]

It takes educating users. So far I haven't experienced resistance to education, but the amount we have to do is pretty staggering.

The issue is not about educating the professors and staff. Most everyone will happily participate. The issue is getting them to actually change their practices once they've been through the education. You need education, then support for the education, then regular audits about the education, then some more education.

FTA: ...the department has Smart Dust - tiny sensors that run TinyOS and TinyDB. They scatter this stuff out there - put it in trees, on animals - they're all networked together and people monitor them. That's different than [managing] a connection in every office.

I dunno, I'm pretty sure some of my past employers spend their days hanging from trees, or on animals... even in the office.

Re:OpenBSD too

[Whiney+Mac+Fanboy]

Yeah, I always suspected I can't trust the security of *BSD...

There's quite a bit seperating openBSD & the Berkeley Software Distribution. netBSD was based on the last Berkely distribution & openBSD split from netBSD because some developers wanted security to be a stronger focus.

The openBSD project has completely rewritten most userland tools & also done a complete code audit looking for security bugs. The relationship between the current codebase & what came out of Berkeley ten years ago is pretty minimal.

Sensitive stuff on laptops

[Lewisham]

The article, sadly, doesn't push on finding out why people were carrying around laptops full of sensitive information.

Why did they need it? "Oh, I'll just download an Excel file of every students personal details so I can make that Powerpoint presentation I want!" Why weren't they using some method of protecting the student's data at all? If I had access to data like that, I would only expect to get it on-demand from a server across a secure VPN with a tough password (SecurID perhaps).

I don't understand why you would want such information downloaded unless you were going to do something malicious. Could someone explain to me why these people were just walking out the doors with entire databases in their rucksacks?

Re:Sensitive stuff on laptops

[rjune]

A list of all of the students is commonly used to prepare reports required by the Department of Education (google IPEDS), providing data for college guides (we do about 50 per year), and surveys from professional organizations (e.g. Engineering Workforce Commission) However, the first thing you do with a file like that is to delete the following columns: Social Security Number, Names, Phone Numbers, Next of Kin data, and Addresses (except perhaps Country or State of Origin). The EMPLID (or college ID number) can be retained if additional data needs to be joined in. It is very easy to retain the necessary demographic data and delete the personal data that can uniquely identify a person. There is no excuse for such carelessness with sensitive personal data.

Re:Sensitive stuff on laptops

[buysse]

Under FERPA, even a name and a grade for a paper is federally-protected private data. So, if you have a spreadsheet with the scores from the last quiz, that's sensitive, personal data about students that triggers those laws. It isn't necessarily SSNs and CC#s. Hell, under FERPA, even the names of students in a class can be protected if one student has preferred to have their directory info suppressed. There's a report available from my current employer that has names and ID pictures for all the students in a class -- again, protected data.

The threshold is so low for private data that basically any academic staff is using it every day, and carrying it on their laptops, on USB sticks, on their home computers, etc.

Astrology cluster?

[Kadin2048]

traditional math, physics, astrology

I really want to know what goes on in the astrology cluster. Can you really parallelize reading the tarot? I wonder what kind of hardware they use; a giant Magic 8-Ball array? And what kind of qualifications does a sysadmin have to have there?

Security in Berkeley? Riiiight

[BerkeleyDude]

You'd think that since BSD comes from Berkeley, it should be a popular OS on campus... Think again. Everyone's #1 choice is: Windows XP.

You go to a (non-CS) computer lab. You login with your SID and password. A new Administrator account is created for you. Go ahead, do whatever you want - when you logout, all your files will be deleted, and everything will be restored to the original state. Completely secure, until you realize... "Duh. I have an administrator account. Why can't I just prevent the computer from restoring everything on logout?".

I reported this to one of the lab workers, and even demonstrated: she logged into her own account, but the desktop background picture said in big red letters, "Caution: This system has been haxx0red". She was pretty shocked, and said she would inform the system administrators.

This was half a year ago... Nothing has changed.

The CS labs are different, though. They run Solaris 9. Security shouldn't be a problem here. Usability is, though. How many of you guys remember what Gnome 2.0 looks like? How about Acrobat Reader 4? I do, unfortunately. And the Slashdot jokes about "^H" suddenly made so much sense...