
Re: Athens security scam [long] <fwd>

Forwarded on behalf of my colleague, Alan Robiette, who is an expert on
authentication and content security but not a member of liblicense-l.

With best wishes,

Alicia Wise

--- Begin Forwarded Message ---
Date: Fri, 24 Jan 2003 15:57:41 +0000
From: Alan Robiette <agr@westgate.force9.co.uk>
Subject: Re: Athens security scam [long]
Sender: Alan Robiette <agr@westgate.force9.co.uk>
To: liblicense-l@lists.yale.edu

Reply-To: Alan Robiette <agr@westgate.force9.co.uk>
Message-ID: <200301241557410950.01927274@relay.force9.net>

I don't normally see this list, so I apologise if I am going to repeat
anything already covered on this matter.  But as one of those involved in
fielding the recent Athens incident at JISC in the UK, I have a few
comments on Anthony Watkinson's message below.

1.  No electronic security system is 100% bomb-proof.  What is more, in
most of them people are the weakest link.  The attack on Athens was the
oldest piece of social engineering in the book.  It's well known in
security circles that if you want to capture someone's password, the
easiest thing to try is to phone them up and tell them a plausible story;
it's surprising how many people will fall for this and just give you the
password with no questions asked.

The same scam could have been directed against a publisher's own
password-based system.  It's in no way specific to the Athens access
management system which we use.  I am told that attacks of similar kind
are regularly used to try to capture AOL usernames and passwords, for
example.

2.  That said, the perpetrator must have realised (unless he/she was
extremely simple-minded) that the ploy would be very short-lived.  Apart
from anything else, the usernames and passwords were to be emailed back to
a real email account whose identity was not concealed!  In practice the
attack was detected within hours, the affected accounts disabled and the
location from which the attacks were coming blocked. The amount of abuse
which could have happened in the time available must be pretty small.

3.  Who might be doing this, and why?  Well, we know from the traces that
it's been possible to do that this attack originated from a specific
university location, in a former Eastern European country.  The motivation
we can only guess at: my mental picture is of a graduate student (say),
desperate to get a thesis submitted and unable to get at some key journal
articles because his university didn't have the publications required.
That is sheer speculation of course, but it would fit the facts. If the
purpose had been more sinister, e.g. to capture large amounts of
electronic information and resell it, a good deal more thought would have
been needed to avoid early detection.

4.  Finally, to Anthony's key question -- is systematic theft a real
problem? I don't know of much personally.  There was an attack on JSTOR in
comparatively recent times, details of which they give at

http://www.jstor.org/about/openproxies.html

Here there did appear to have been a serious intent to commit systematic
theft.  I am not aware whether the perpetrators were ever traced in this
case. The JSTOR incident should be of particular note since the attackers
found a way to by-pass access control by IP address checking, which is
still prevalent in the publisher community.  (Note however that the
vulnerability exploited was again human frailty, in that open proxies only
exist because those who set them up either did not bother to secure them,
or did not know how to.)

5.  What are the lessons to be learnt from all this?  I guess the
electronic world is getting more hostile all the time, and wherever there
is an asset which is worth something to someone there is going to be
*some* risk that an individual sufficiently highly motivated -- by money,
or anything else -- will try to mobilise the resources to break the
security system and steal what's inside.  Examples of this occur regularly
in the entertainment industry.

I would have thought that for academic journals and similar material the
risk remains low, although the JSTOR experience is troubling.

On the technical front there is a clear message that IP address checking
is, in the real world, much more vulnerable than most people may have
realised hitherto.  Although password-based systems such as Athens do have
their limitations, they also have many advantages over IP address checking
and are relatively easy to monitor for anomalous access patterns.  And of
course we all need to be reminded to be vigilant, all the time, where any
kind of Internet security is concerned: in the case of the UK academic and
research community, we constantly review (with the supplier, EduServ) how
our universities and colleges are using Athens and whether there are
things we can do to improve both the system and our community's working
practices.

Regards

Alan

----------
Alan Robiette
Authentication and Security Programme
Joint Information Systems Committee (JISC), UK
http://www.jisc.ac.uk/

*********** Original Message ***********

> Date: Thu, 23 Jan 2003 17:37:13 EST
> From: Anthony Watkinson <anthony.watkinson@btopenworld.com>
> Subject: Re: Athens security scam
> Sender: owner-liblicense-l@lists.yale.edu
> To: liblicense-l@lists.yale.edu
>
> Reply-To: liblicense-l@lists.yale.edu
> Message-ID: <200301232237.h0NMbDa18841@quickgr.its.yale.edu>
>
> Years ago, at the time of the first online journals, I worked for a
> subsidiary of a large corporation and, as security was very much a worry
> among publishers at the time, I went to the top to make sure that I was
> not going to have problems later on the basis that all my journals were
> going to leak away to non-subscribers. The official view was that there
> would be some leakage, in spite of all the efforts of librarians to stop
> it, but that it was only systematic theft which was a worry.
>
> What is described by Athens looks like systematic theft - of which as far
> as I know there has been very little in the online environment. Does
> anyone have any idea of who might be doing this and what they intend to do
> with what they acquire in this way? As far as I know there has been very
> little evidence of systematic theft and subsequent repackaging for sale,
> but others might enlighten me.
>
> Note that I am using the word "theft" for convenience and not making an
> ideological statement.
>
> Anthony Watkinson
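Alan's points 4 and 5 above turn on two detection ideas: a password-based system like Athens is "relatively easy to monitor for anomalous access patterns", and IP address checking fails quietly when an address the range check trusts (an open proxy, as in the JSTOR case) is used to harvest content. The following is an added illustration of both checks run over constructed log lines; it is not code from JISC, EduServ, Athens or JSTOR, and the log format (timestamp, username or "-" for IP-only access, source IP, resource path), the /16 network grouping and the thresholds are all assumptions chosen for the example.

```python
"""Two anomaly checks over constructed access-log lines (added example).

Neither rule is from any real access-management product. Rule 1 looks for
one username used from several unrelated networks in a short time, the
footprint a phished or shared password leaves. Rule 2 looks for one source
address fetching an implausible number of distinct articles, the footprint
of bulk harvesting through an address an IP-range check already trusts.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample lines (assumed format):
#   "<ISO timestamp> <username or -> <source IP> <resource>"
# "-" marks a request authorised by IP range alone, with no username.
HAND_WRITTEN = [
    "2003-01-23T09:00:01 jsmith 158.94.10.21 /journal/a/vol12/art3",
    "2003-01-23T09:04:10 jsmith 158.94.10.21 /journal/a/vol12/art4",
    "2003-01-23T09:05:00 jsmith 193.231.5.40 /journal/b/vol2/art1",
    "2003-01-23T09:05:12 jsmith 193.231.5.40 /journal/b/vol2/art2",
    "2003-01-23T09:05:25 jsmith 193.231.5.40 /journal/b/vol2/art3",
    "2003-01-23T09:06:00 jsmith 193.231.5.40 /journal/b/vol2/art4",
    "2003-01-23T09:30:00 jsmith 62.31.200.7 /journal/c/vol5/art9",
    "2003-01-23T10:00:00 mbrown 158.94.10.22 /journal/a/vol12/art3",
    "2003-01-23T10:20:00 mbrown 158.94.10.22 /journal/a/vol12/art5",
]


def build_sample_log():
    """Hand-written lines plus a constructed burst: one IP-authorised address
    fetching 150 consecutive articles two seconds apart."""
    lines = list(HAND_WRITTEN)
    start = datetime(2003, 1, 23, 11, 0, 0)
    for n in range(150):
        ts = (start + timedelta(seconds=2 * n)).isoformat(timespec="seconds")
        lines.append(f"{ts} - 158.94.200.9 /journal/d/vol1/art{n + 1}")
    return lines


def parse_line(line):
    ts, user, ip, resource = line.split()
    return datetime.fromisoformat(ts), user, ip, resource


def parse_log(lines):
    """Parse and sort by timestamp so the sliding windows below are valid."""
    return sorted((parse_line(l) for l in lines), key=lambda r: r[0])


def accounts_from_many_networks(records, window=timedelta(hours=1),
                                max_networks=2):
    """Rule 1: usernames seen from more than max_networks distinct /16
    networks inside any window. Returns {user: sorted networks}."""
    by_user = defaultdict(list)
    for ts, user, ip, _ in records:
        if user != "-":  # IP-only access carries no account to attribute
            net = ipaddress.ip_network(f"{ip}/16", strict=False)
            by_user[user].append((ts, str(net)))
    flagged = {}
    for user, events in by_user.items():
        for i, (t0, _) in enumerate(events):
            nets = {net for ts, net in events[i:] if ts - t0 <= window}
            if len(nets) > max_networks:
                flagged[user] = sorted(nets)
                break
    return flagged


def bulk_download_sources(records, window=timedelta(minutes=10),
                          max_articles=20):
    """Rule 2: source IPs fetching more than max_articles distinct resources
    inside any window, regardless of how they were authorised.
    Returns {ip: peak distinct-resource count}."""
    by_ip = defaultdict(list)
    for ts, _, ip, resource in records:
        by_ip[ip].append((ts, resource))
    flagged = {}
    for ip, events in by_ip.items():
        peak = 0
        for i, (t0, _) in enumerate(events):
            seen = {res for ts, res in events[i:] if ts - t0 <= window}
            peak = max(peak, len(seen))
        if peak > max_articles:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("accounts spanning many networks:", accounts_from_many_networks(recs))
    print("bulk download sources:", bulk_download_sources(recs))
```

Run as written, rule 1 flags jsmith (three /16 networks inside an hour) and rule 2 flags 158.94.200.9 (150 distinct articles in five minutes) while leaving the ordinary readers alone. The point of rule 2 is the one the JSTOR incident makes: because the harvesting address sits inside the permitted range, only the behaviour, not the address, gives it away, so volume-per-source monitoring is needed wherever IP checking is relied on.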