
On Guard Against Cyberthreats

Chris Cramer is the university's point man on protecting computers from an array of dangers

Like any computer user, Chris Cramer worries about malicious hordes of worms, viruses and other digital vermin hurtling into Duke at light-speed from the internet, disguised as streams of innocent electrons. But in Cramer's case, his knowledge could cause an acute case of the heebie-jeebies. As Duke's information technology security officer, he defends some 35,000 computers and thousands of users against a phalanx of foes.

"I don't lose sleep worrying about attacks, but I do sometimes lose sleep because of attacks," Cramer said. "I did when Slammer hit."

Cramer was sleeping late one Saturday in January 2003 when his colleague Keith Gentry called with grim news: Duke's computer network was repeatedly losing contact with the internet.

A caffeine addict, Cramer did not even pause for a mug of tea before logging onto the Duke network. He paged through screen after screen of network traffic patterns. Something extraordinary was happening - some computers on the Duke network were clogging the pipes to the internet with torrents of data packets.

"I worked to identify the offending machines and Keith pulled them off the network," Cramer said. "When we got to the internet again, we learned we were dealing with Slammer, the fastest spreading worm ever." Slammer disrupted 75,000 computers, causing airline flight cancellations and ATM network failures. A mere 10 computers at Duke had blocked the university's access to the internet.

Worms like Slammer become infamous, but Cramer said many attacks come from threats most people have never even heard of.

"Everybody knows about worms, viruses, spyware and spam," said Cramer. "We use countermeasures against them, but we also deal with newer threats such as botnets, phishing and keyloggers. At the moment, botnets are my biggest concern. Phishing is a close second."

Botnets, or robot networks, consist of myriad robot-like pieces of software awaiting commands from their hacker-creator, Cramer said. "Bots are installed on computers that have been broken into, or 'hacked.' The bots log onto chat rooms normally used by people exchanging text messages," Cramer said.

The hacker can enter the chat room at will and order thousands of bots to launch a simultaneous attack on the same computer, network or website, said Cramer. "One minute things are quiet, and the next, a hacker's personal army is firing off tens of thousands of messages, trying to blow your system off the internet," Cramer said.
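Both the Slammer story above (picking the offending machines out of screens of traffic data) and the botnet description (bots that sit on a chat server waiting for an order to flood a target) come down to the same triage job: find the hosts whose traffic pattern is wrong. The following is an added example, written for this page and not code from the article or from Duke's Office of Information Technology. It scores per-source flow records for three signs the article describes: worm-like fan-out (one host talking to very many destinations on one port, as Slammer did on UDP port 1434), a packet flood, and a long-lived connection to a classic IRC port. The flow records, the thresholds, the port list and the 10.x/192.0.2.x/198.51.100.x addresses are all constructed for the example.

```python
"""Triage flow records for worm-like and bot-like hosts (added example)."""
from collections import defaultdict
from dataclasses import dataclass

IRC_PORTS = {6667, 6668, 6669, 7000}  # assumption: classic IRC command-and-control ports
FANOUT_THRESHOLD = 50    # assumption: distinct destinations from one source on one port
FLOOD_THRESHOLD = 5000   # assumption: packets from one source within the record window


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    packets: int


def parse_flows(lines):
    """Parse 'src dst proto dport packets' records; blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, packets = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport), int(packets)))
    return flows


def triage(flows):
    """Return {source host: [reasons]} for hosts worth pulling off the network or investigating."""
    packets_by_src = defaultdict(int)
    dsts_by_service = defaultdict(set)   # (src, proto, dport) -> set of destinations
    irc_servers = defaultdict(set)       # src -> IRC servers it connected to
    for f in flows:
        packets_by_src[f.src] += f.packets
        dsts_by_service[(f.src, f.proto, f.dport)].add(f.dst)
        if f.proto == "tcp" and f.dport in IRC_PORTS:
            irc_servers[f.src].add(f.dst)

    findings = defaultdict(list)
    # A worm scanning for a vulnerable service fans out to many addresses on one port.
    for (src, proto, dport), dsts in dsts_by_service.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            findings[src].append(f"worm-like fan-out: {len(dsts)} destinations on {proto}/{dport}")
    # A flooding host (worm or bot) dominates the packet count regardless of fan-out.
    for src, n in packets_by_src.items():
        if n >= FLOOD_THRESHOLD:
            findings[src].append(f"flooding: {n} packets in window")
    # An IRC connection alone is weak evidence (people use IRC); report it as a lead, not a verdict.
    for src, servers in irc_servers.items():
        findings[src].append(f"IRC-style C&C connection to {', '.join(sorted(servers))}")
    return dict(findings)


def constructed_sample():
    """Constructed flow records: one Slammer-like sprayer, one quiet bot, two normal hosts."""
    lines = ["# src dst proto dport packets"]
    # Worm-like: one source hitting 200 addresses on udp/1434 (the port Slammer targeted).
    for i in range(200):
        lines.append(f"10.1.2.3 198.51.100.{i % 250 + 1} udp 1434 40")
    # Bot: a single persistent IRC connection plus ordinary web traffic.
    lines.append("10.1.2.4 192.0.2.10 tcp 6667 120")
    lines.append("10.1.2.4 192.0.2.80 tcp 80 30")
    # Normal hosts browsing the web.
    lines.append("10.1.2.5 192.0.2.80 tcp 443 300")
    lines.append("10.1.2.6 192.0.2.80 tcp 80 60")
    return lines


if __name__ == "__main__":
    for host, reasons in triage(parse_flows(constructed_sample())).items():
        print(host)
        for r in reasons:
            print("   ", r)
```

Run as written, the script names 10.1.2.3 for both fan-out and flooding and 10.1.2.4 for the IRC connection; the two web browsers are not reported. On a real network the records would come from a router's flow export or a span port, and the thresholds would be tuned to what the campus normally looks like, which is exactly the baseline that let Cramer spot ten machines out of 35,000.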

Antivirus firm Symantec recently reported that the number of botnets it observed exploded from 2,000 in the first half of 2003 to 30,000 in the first half of 2004. The average botnet ensnared 2,000 computers and the largest about 400,000 systems. Several hundred computers on Duke's network were botnet victims in the past year, Cramer said.

"Phishing" messages abound in the daily deluge of spam that accounts for half of the 900,000 e-mails delivered to Duke on an average day, said Cramer. "A phishing message tries to dupe you into revealing sensitive information," Cramer said. "It might look like an official bank notice and provide a link to an authentic-looking website. The site prompts for the information a con artist needs to access your real bank account." Cramer advised contacting the named financial institution about such messages.
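The tell in the phishing message Cramer describes is that the link does not go where it appears to go. As an added example, not part of the original article and not Duke's mail filtering, the following Python scans an HTML e-mail body for the three cheapest checks a mail gateway or a suspicious reader can apply: a link whose visible text names one host while its href points at another, a link that merely imitates the bank's domain without being under it, and a link to a bare IP address. The sample message, the "example-bank.com" trusted domain and the addresses in it are constructed for the example. The practical advice that goes with it: when in doubt, contact the institution using a phone number or address from a statement or card, never one taken from the message.

```python
"""Flag phishing-style links in an HTML e-mail body (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"example-bank.com"}  # assumption: the institution's real registrable domain

# Visible link text that itself looks like a hostname or URL, e.g. "www.example-bank.com".
HOSTLIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text):
    """Hostname the link text displays to the reader, or None if the text is ordinary words."""
    m = HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else None


def is_under(host, domain):
    return host == domain or host.endswith("." + domain)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html, trusted=TRUSTED):
    """Return [(href, text, reason)] for links a phishing check would flag."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        shown = shown_host(text)
        reason = None
        if is_ip(host):
            reason = "link points at a raw IP address"
        elif shown and shown != host and not any(
            is_under(shown, d) and is_under(host, d) for d in trusted
        ):
            # The reader sees one host; the browser would go to another.
            reason = f"visible text says {shown} but link goes to {host}"
        elif host and not any(is_under(host, d) for d in trusted) and any(
            d.split(".")[0] in host for d in trusted
        ):
            # "example-bank.com.secure-login.example" contains the brand but is not under it.
            reason = f"{host} imitates a trusted domain but is not under it"
        if reason:
            flagged.append((href, text, reason))
    return flagged


# Constructed sample message; 203.0.113.0/24 and *.example are reserved for documentation.
SAMPLE = """<p>Dear customer, your account has been suspended.</p>
<p>Please <a href="http://www.example-bank.com.secure-login.example/verify">
www.example-bank.com</a> to restore access, or visit
<a href="http://203.0.113.7/login">our secure login page</a>.</p>
<p>Read our <a href="https://www.example-bank.com/privacy">privacy policy</a>.</p>"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE):
        print(f"{reason}\n    text: {text!r}\n    href: {href}")
```

Against the sample the first two links are reported and the genuine privacy-policy link is not. The check is deliberately shallow: it looks only at where the link goes, which is the part of a phishing message the attacker cannot disguise, and it does not try to judge the wording.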

Security threats sometimes masquerade as friendly phone calls, Cramer said. "A hacker might say he's your system administrator and needs your password to fix a problem with your account. Your impulse is to help someone who says he is helping you." Hackers call such tricks "social engineering" because they facilitate break-ins by exploiting human social impulses rather than technical flaws.

After breaking in, hackers often look for passwords to additional systems, Cramer said. "Passwords are encrypted for storage and network transmission," said Cramer. "Keyloggers are programs that hackers install to intercept keystrokes before encryption, straight from the keyboard."

Cramer said spyware, which covertly gathers information about the computer user, may report personal web-viewing habits to third parties, display advertisements or steal confidential information such as credit card numbers. Often spyware installs itself surreptitiously along with popular programs for downloading files.

Although viruses and worms are old threats, they are still growing, said Cramer. Symantec reported 4,500 new viruses and worms in the first half of 2004.

"About 10,000 to 20,000 of the 900,000 messages delivered by the Duke e-mail system on an average day are identified as infected, but that number can be much higher," said Heather Flanagan, senior manager of collaborative systems in the Office of Information Technology. For two weeks at the start of the academic year, infected files ranged from 200,000 to almost 600,000 per day, Flanagan said.

Only a tiny percentage of viruses reach the computer help desk, according to Debbie DeYulia, senior manager for technology support. "Between Aug. 16 and Sept. 14, viruses accounted for less than two percent of the 9,000 calls to the help desk," said DeYulia. "That suggests antivirus measures are working pretty well. Still, about a quarter of the 400 problems worked on by our service center in that period were viruses."

Cramer said viruses frequently arrive as e-mail attachments and activate only if the recipient opens the attachment. "Never click on any file or program you were not expecting, even if the message looks official or appears to come from a friend," said Cramer.

Unlike viruses, worms spread without any user action by exploiting a particular security flaw, typically in a service that listens on the network, so an unpatched machine is infected merely by being reachable, Cramer said. Sometimes worms spread with startling speed: Slammer reached most of the roughly 75,000 hosts it infected within about ten minutes, and Blaster, in August 2003, infected well over 100,000 computers within its first day.

By any name, new types and variants of malicious software appear all the time, Cramer said.

"Keeping up with malicious software is like the Red Queen's problem in Alice in Wonderland," Cramer said. "You have to run as fast as you can just to stay in one place."

For additional general information about security threats and antivirus software, including alerts on the latest worms and viruses, users should check the Duke Office of Information Technology website frequently.