[ISN] Hackers use Yale name

[InfoSec News]

http://www.yaledailynews.com/article.asp?AID=31167

BY ROSS GOLDBERG
Staff Reporter
January 9, 2006

A forged Yale e-mail address has been used to spread a security
exploit that infected over one million computers in the last two
weeks, including some on the University network.

The exploit, which attacks a weakness in the Windows operating system,
can allow hackers to remotely control a computer that downloads it. In
one version circulating in the United Kingdom, victims are tricked
into clicking on a link in an e-mail purportedly sent by a Yale
professor.

Yale Information Security Officer Morrow Long said the University
received about 30 complaints from British citizens, but given that
victims of hackers rarely bother to complain, many more were likely
infected.

"We got some e-mails here from people 
 who thought we were somehow
behind it," Long said. "We weren't happy 
 that we would have our name
dragged through the mud in some major virus attacks."

The Yale forgery is one of more than 200 versions of the bug, which
takes advantage of a vulnerability in the way computers render Windows
Meta File images. Several versions of WMF attacks -- though not the
one using the University domain name -- successfully infiltrated about
10 Yale computers and attempted to infect 20 more, Long said.  
University officials first detected an attack on the network on Dec.  
29, but Windows did not release a patch to fix the problem until a
week later. Long said that given the exploit's severity, the computers
could have been completely destroyed.

"It's very critical," he said. "Basically, if somebody clicks on it,
it can take over your system and do whatever it wants."

Officials are urging students to download the patch with Windows
Update to avoid a resurgence as they return to school.

The Yale version of the bug is carried in an e-mail from a nonexistent
"Professor Robert Gordens." The message announces that the University
suffered graffiti damage and broken windows over New Year's, and it
asks recipients to click on a link to see if they can "recognise [sic]
the culprit's work." The link automatically downloads the exploit to
victims' computers.

Long said members of the Yale community are frequently sent e-mails
with viruses attached from hackers forging the university domain name,
but attacks on outsiders are unusual.

Computer security experts said Yale may have been chosen due to its
international prestige.

"What you're trying to do in a social engineering attack is generate
trust," said Alan Paller, director of research at the SANS Institute,
which provides computer security training and research. "The idea of a
university being a sleazy organization just doesn't compute in
people's minds."

Though no one at Yale has been linked to the WMF attacks in Britain,
Paller said he hopes the incident will alert faculty to the dangers of
reckless network use, which he said is a chronic problem on university
campuses.

"Probably the best effect is it will wake your faculty to the idea
that they have a role to play here," Paller said. "When they don't
keep their systems safe, they put the whole community at risk."

Paller said faculty usually resist attempts to secure their networks
with Web site restrictions, but Yale Chief Information Officer Philip
Long said Yale has introduced netblocks on the primary sites involved
in the attacks. Since Jan. 1, administrators have also blocked all
e-mails with "Happy New Year" written in the subject line to protect
against another version of the exploit.

Officials said they expect that the e-mail block likely thwarted a
number of innocent e-mails.

"We knew it would affect people, but we weighted that against the risk
of a lot of people getting infected," Morrow Long said.

But Philip Long said administrators were unable to filter data with
".wmf" file extensions -- a step that Paller said was essential but
largely ignored by most universities.

Yale can take legal action against the hackers who forged its domain
name, Morrow Long said, but law enforcement will likely be unable to
identify the perpetrators given that the attacks cross several
national boundaries.