by Eric Smith
Criminal charges are to be heard this summer against a McGill electrical engineering student. The student, Marwan Alameddine, is charged with fraud and alleged to have broken into computer systems at McGill, Concordia and Université de Sherbrooke.
Alameddine, who entered a plea of not guilty this week at a preliminary court appearance, declined to comment to the Reporter.
According to electrical engineering system administrator Thom Levasseur, Alameddine succeeded in getting root user access at McGill. Afforded the highest level of UNIX access, a root user has the power to do just about anything in the multi-user system, including reading, copying and erasing files in any individual user's account, or changing passwords.
"It was unrepresentative--how far [Alameddine allegedly] went," said Levasseur. "Most of the second- and third-year students, when they first learn about UNIX, will try a few tricks to swipe each other's passwords. He got into things way beyond what others have touched."
According to Levasseur, it isn't necessary to have advanced computer skills to be able to crack even the most carefully defended systems. He suggests there are a very small number of extremely skilled hackers who are hired for purposes of corporate espionage to uncover flaws in UNIX operating systems. The routines they write to crack the systems become available to other users when they are posted on networks or bulletin boards.
Although system administrators and operating system developers inevitably find out about the flaws and quickly take measures to secure their systems against them, Levasseur says "the bad guys find out about bugs a week or two before the good guys come up with a patch to fix the problem."
He suspects that Alameddine was able to gain root user access to McGill's system by running a program called "Spy," which would have allowed him to read what was being typed on other machines in the network. "He got it the day we were changing the password," alleges Levasseur.
Since only two people have root user access to the system Alameddine is alleged to have cracked, Levasseur was able to detect when root activity was taking place while neither of the legitimate users were online.
"Once you're onto the fact that somebody has broken into your system," says Levasseur, "you can look at the list of log-ins. If there is a log-in at 10 o'clock and root activity at 10:01 when neither legitimate user was in the root, you need to investigate."
When Levasseur notified system administrators at Concordia that accounts on their systems were likely being compromised as well, Concordia officials brought the tampering evidence to the RCMP.
In an article published in Concordia's student newspaper, The Link, RCMP corporal Robert Beaulieu of the Computer Crimes Division tells how he was able gather enough evidence to arrest Alameddine and an accomplice in Toronto for fraud at the three universities.
Beaulieu is quoted in The Link explaining how he was able to monitor Alameddine's computer activities and his "chat" conversations with another computer user outside the university networks. With the help of Bell and Unitel, Beaulieu was able to trace the second user's calls to a residential number in the Toronto area. Alameddine's alleged accomplice can't be identified under the Youth Offenders Act. The Link article reports that Beaulieu and Concordia system administrator Mike Assels were able to catch both alleged offenders on-line at the same time, one in Concordia's Hall building and the other in a suburban Toronto bedroom.
Since the case is currently before the courts, and following the advice of the prosecutor, Beaulieu declined to comment on the operation to the Reporter.
Alan Greenberg, director of McGill's Computing Centre, says this is not the most serious case of compromised security at McGill. He recalls a case two years ago when the University system had to be shut down because of tampering by an intruder from outside McGill. Greenberg says he is not aware of McGill pressing criminal charges in any prior case of computer tampering.
Tampering is often not detected, according to Greenberg. "We catch most security problems by luck or by accident," he says, "or through the arrogance or the stupidity of the people doing the breach. If e-mail they sent bounces back because they made a typing error in the address, it goes to the system administrator. Or they might boast to their friends and one of them tells us."
"Systems do tend to be vulnerable," says Greenberg. "We don't have any systems that are 100 per cent safe." But he adds, "Our central system for most of the University's databases is not a UNIX system and not generally of interest to people who want to crack systems. It's also inherently more secure."
Levasseur adds, "We advise our professors not to keep any marks on their UNIX account since UNIX is multi-user by nature. Novell is more secure."
McGill staff can also contribute to the security of their accounts by following some recommendations on the choice and management of passwords. "The first level," says Greenberg, "is not to use your name as your password."
He adds that people sometimes use a birthdate, a child's name or a favourite model of car as a password. "Don't use something that someone who knows you can guess."
It is also inadvisable to use a word that appears in the dictionary. Greenberg points out that on many systems the password file is a public but encrypted file. The problem is that the encryption scheme is known. By encrypting the entire dictionary, it is possible to identify the words people use as passwords.
Greenberg recommends that on systems that allow it, "passwords should be at least eight characters long, mixing upper- and lower-case and including special characters or numbers." He also suggests that people change passwords frequently but not in any discernable pattern, use different passwords for different systems and, of course that they keep them to themselves.
The problem of security is not a new one, and, according to Greenberg, it is not likely to go away any time soon. "One of the results of tight fiscal constraints," he says, "is that we've had to reduce the number of skilled people administering the systems, while increasing the size and number of the systems."