
Re: Athens security scam [long] <fwd>



It is good to have a posting from Alan, who is a real expert in this area.
I did hear back in 2001 that a major US learned society publisher
suspected that a Russian institute was attempting to use methods like
those described below to set up a database of journals for sale in a
specific discipline. If my memory is correct, this publisher may like to
comment, but I am keeping my posting vague in case the people concerned
would rather keep quiet.


----- Original Message -----
> Date: Fri, 24 Jan 2003 15:57:41 +0000
> From: Alan Robiette <agr@westgate.force9.co.uk>
> Subject: Re: Athens security scam [long]
> To: liblicense-l@lists.yale.edu
>
> Reply-To: Alan Robiette <agr@westgate.force9.co.uk>
> Message-ID: <200301241557410950.01927274@relay.force9.net>
>
>
> I don't normally see this list, so I apologise if I am going to repeat
> anything already covered on this matter.  But as one of those involved in
> fielding the recent Athens incident at JISC in the UK, I have a few
> comments on Anthony Watkinson's message below.
>
> 1.  No electronic security system is 100% bomb-proof.  What is more, in
> most of them people are the weakest link.  The attack on Athens was the
> oldest piece of social engineering in the book.  It's well known in
> security circles that if you want to capture someone's password, the
> easiest thing to try is to phone them up and tell them a plausible story;
> it's surprising how many people will fall for this and just give you the
> password with no questions asked.
>
> The same scam could have been directed against a publisher's own
> password-based system.  It's in no way specific to the Athens access
> management system which we use.  I am told that attacks of similar kind
> are regularly used to try to capture AOL usernames and passwords, for
> example.
>
> 2.  That said, the perpetrator must have realised (unless he/she was
> extremely simple-minded) that the ploy would be very short-lived.  Apart
> from anything else, the usernames and passwords were to be emailed back to
> a real email account whose identity was not concealed!  In practice the
> attack was detected within hours, the affected accounts disabled and the
> location from which the attacks were coming blocked. The amount of abuse
> which could have happened in the time available must be pretty small.
>
> 3.  Who might be doing this, and why?  Well, we know from the traces that
> it's been possible to do that this attack originated from a specific
> university location, in a former Eastern European country.  The motivation
> we can only guess at: my mental picture is of a graduate student (say),
> desperate to get a thesis submitted and unable to get at some key journal
> articles because his university didn't have the publications required.
> That is sheer speculation of course, but it would fit the facts. If the
> purpose had been more sinister, e.g. to capture large amounts of
> electronic information and resell it, a good deal more thought would have
> been needed to avoid early detection.
>
> 4.  Finally, to Anthony's key question -- is systematic theft a real
> problem? I don't know of much personally.  There was an attack on JSTOR in
> comparatively recent times, details of which they give at
>
> http://www.jstor.org/about/openproxies.html
>
> Here there did appear to have been a serious intent to commit systematic
> theft.  I am not aware whether the perpetrators were ever traced in this
> case. The JSTOR incident should be of particular note since the attackers
> found a way to by-pass access control by IP address checking, which is
> still prevalent in the publisher community.  (Note however that the
> vulnerability exploited was again human frailty, in that open proxies only
> exist because those who set them up either did not bother to secure them,
> or did not know how to.)
>
> 5.  What are the lessons to be learnt from all this?  I guess the
> electronic world is getting more hostile all the time, and wherever there
> is an asset which is worth something to someone there is going to be
> *some* risk that an individual sufficiently highly motivated -- by money,
> or anything else -- will try to mobilise the resources to break the
> security system and steal what's inside.  Examples of this occur regularly
> in the entertainment industry.
>
> I would have thought that for academic journals and similar material the
> risk remains low, although the JSTOR experience is troubling.
>
> On the technical front there is a clear message that IP address checking
> is, in the real world, much more vulnerable than most people may have
> realised hitherto.  Although password-based systems such as Athens do have
> their limitations, they also have many advantages over IP address checking
> and are relatively easy to monitor for anomalous access patterns.  And of
> course we all need to be reminded to be vigilant, all the time, where any
> kind of Internet security is concerned: in the case of the UK academic and
> research community, we constantly review (with the supplier, EduServ) how
> our universities and colleges are using Athens and whether there are
> things we can do to improve both the system and our community's working
> practices.
>
> Regards
>
> Alan
>
> ----------
> Alan Robiette
> Authentication and Security Programme
> Joint Information Systems Committee (JISC), UK
> http://www.jisc.ac.uk/
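Points 4 and 5 of the forwarded message touch the two things a gateway operator can actually act on: bulk downloading through an open proxy that sits inside an authorised IP range (the JSTOR case, where no user identity is visible, only volume), and the "anomalous access patterns" that a password-based system such as Athens makes visible (one username turning up from many networks, one network cycling through many usernames). The Python below is an added example written for this page, not code from JISC, EduServ, Athens or JSTOR. The log format, the field names, the thresholds and every log line are assumptions made for illustration; the records are constructed, not real traffic. It runs the same sliding-window check four ways over the sample and reports which accounts and addresses trip it.

```python
"""
Added example (not from the original list posting): sliding-window checks
over access-gateway log records for the patterns a credential-harvesting
or bulk-download incident leaves behind. The log shape
"timestamp user source_ip resource" and all thresholds are assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
MAX_IPS_PER_USER = 3     # distinct source IPs for one account within WINDOW
MAX_USERS_PER_IP = 3     # distinct accounts from one source IP within WINDOW
MAX_FETCHES = 40         # distinct articles per account, or per IP, in WINDOW

# Constructed sample log (not real data). Lines starting with '#' are notes.
SAMPLE_LOG = """
# harvested credential: one account, four source networks in ten minutes
2003-01-23T09:00:00 jsmith 192.0.2.10 /journal/a/vol1/1
2003-01-23T09:05:00 jsmith 192.0.2.10 /journal/a/vol1/2
2003-01-23T09:07:00 jsmith 198.51.100.7 /journal/a/vol1/3
2003-01-23T09:09:00 jsmith 203.0.113.99 /journal/a/vol1/4
2003-01-23T09:11:00 jsmith 203.0.113.100 /journal/a/vol1/5
# one source address trying a batch of different harvested accounts
2003-01-23T09:12:00 ajones 203.0.113.99 /journal/b/vol2/1
2003-01-23T09:13:00 pbrown 203.0.113.99 /journal/c/vol3/1
2003-01-23T09:14:00 klee 203.0.113.99 /journal/d/vol4/1
2003-01-23T09:15:00 mwang 203.0.113.99 /journal/e/vol5/1
# ordinary use: same person, new address hours later (outside the window)
2003-01-23T11:30:00 ajones 192.0.2.20 /journal/b/vol2/2
2003-01-23T12:00:00 ajones 192.0.2.21 /journal/b/vol2/3
"""

# Systematic harvesting, JSTOR-style: 45 distinct articles in 45 minutes
# from one account behind one address. Generated here rather than typed
# out, but still constructed data.
HARVEST_LINES = "\n".join(
    f"2003-01-23T14:{m:02d}:00 tdoe 203.0.113.50 /journal/f/vol6/{m + 1}"
    for m in range(45)
)


def parse_log(text):
    """Parse 'timestamp user ip resource' lines into sorted tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, resource = line.split()
        records.append((datetime.fromisoformat(ts), user, ip, resource))
    records.sort()
    return records


def window_alerts(records, key, value, limit, kind):
    """For each record[key], count distinct record[value] seen in the
    trailing WINDOW; emit (kind, key) once the count exceeds limit."""
    seen = defaultdict(deque)   # key -> deque of (timestamp, value)
    alerts = set()
    for rec in records:
        ts = rec[0]
        entries = seen[rec[key]]
        entries.append((ts, rec[value]))
        cutoff = ts - WINDOW
        while entries and entries[0][0] < cutoff:
            entries.popleft()   # expire what fell out of the window
        if len({v for _, v in entries}) > limit:
            alerts.add((kind, rec[key]))
    return alerts


def find_alerts(records):
    """Run the four checks. Indices: 1 = user, 2 = source IP, 3 = resource."""
    alerts = set()
    alerts |= window_alerts(records, 1, 2, MAX_IPS_PER_USER, "user_many_ips")
    alerts |= window_alerts(records, 2, 1, MAX_USERS_PER_IP, "ip_many_users")
    alerts |= window_alerts(records, 1, 3, MAX_FETCHES, "user_bulk_download")
    # The per-IP volume check is the only one available when access is
    # granted by IP address alone, as with an open proxy at a licensed site.
    alerts |= window_alerts(records, 2, 3, MAX_FETCHES, "ip_bulk_download")
    return alerts


def sample_records():
    return parse_log(SAMPLE_LOG + "\n" + HARVEST_LINES)


if __name__ == "__main__":
    for kind, who in sorted(find_alerts(sample_records())):
        print(f"{kind:20s} {who}")
```

The trailing window is what keeps the checks usable: ajones appearing from three addresses over a morning is an ordinary user moving between machines and raises nothing, while jsmith from four networks in ten minutes is the harvested password being tried out. Note that the per-IP volume check is the only signal left once identity is reduced to a source address; that is the limitation of IP-based access control the message points at.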