UI: One computer likely browsing at Crimea website

CHAMPAIGN — Wrong place, wrong time?

A University of Illinois computer security official said someone using a desktop computer on the university network to visit the Crimea referendum website almost a week ago was likely just "browsing," not launching a cyberattack.

Joe Barnes, interim chief privacy and security officer for the UI's Urbana campus, and several of his staff worked almost nonstop Sunday through Tuesday afternoon looking into the claim by a Russian government media outlet, Voice of Russia, that the hacking of websites related to the referendum in Crimea originated from the University of Illinois.

The News-Gazette reported Tuesday afternoon that the university did not find any evidence of the campus computer network being involved in an attack.

Barnes first heard about the claim around 10 a.m. Sunday. Shortly thereafter, Barnes and his team from Campus Information Technologies and Education Services started an investigation that he described as "looking for a needle in a haystack" because initially they weren't sure when exactly the attack occurred. They scoured over 24 hours' worth of activity logs that provide information about UI network traffic.

On Monday, UI staff reached out to the "abuse contact" for the domain referendum2014.ru and asked for a copy of its logs to verify the claim. Barnes said he doesn't know who owns the actual website.

The UI then received a small subset of logs for a more specific time frame, around 1 a.m. Ukraine time.

"We were able to look at our logs for that, plus or minus a few hours. We still didn't see any aggression," Barnes said.

They did see one UI-related IP address around the time frame in which the attack occurred. The log showed about three lines of information. If there had been an attack, it would have shown many, many more lines. (These activity logs can show anywhere from 10 to 100,000 lines of information, according to Barnes.)

"We didn't see anything from our end attacking" the referendum site, Barnes said.

The UI IP address was sandwiched in between a whole bunch of other IPs that didn't belong to the UI and which were coming from an "anonymizer" service in the Netherlands, Barnes said. People can use such services when they want to browse websites anonymously.
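As an added illustration, not from the article or the university's investigation: the kind of per-source count that separates a few page views from participation in a flood, run over a constructed access-log sample in which one address with three spread-out lines sits among addresses issuing hundreds of requests in a single second. The IP addresses, timestamps and the flood threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format fields we need: client IP, timestamp, request line.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """(ip, datetime, request) for a CLF line, or None if it does not parse."""
    m = CLF.match(line)
    return (m.group(1), datetime.strptime(m.group(2), TS_FMT), m.group(3)) if m else None

def peak_rate(times, window_s=10):
    """Largest number of requests from one source inside any window_s-second span."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best

def classify_sources(log_text, window_s=10, flood_threshold=100):
    """Per source IP: total lines, peak requests per window, and a label.
    A handful of lines is consistent with ordinary browsing; hundreds of
    requests inside a short window is what DDoS participation looks like."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            hits[parsed[0]].append(parsed[1])
    report = {}
    for ip, times in hits.items():
        peak = peak_rate(times, window_s)
        label = "flood" if peak >= flood_threshold else "browsing"
        report[ip] = {"lines": len(times), "peak": peak, "label": label}
    return report

def make_line(ip, ts, path="/"):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

# Constructed sample (documentation-range IPs): one address with three spread-out
# page views, two addresses hammering the site within the same second.
SAMPLE_LOG = "\n".join(
    [make_line("198.51.100.10", "16/Mar/2014:00:58:01 +0200"),
     make_line("198.51.100.10", "16/Mar/2014:00:58:09 +0200", "/results"),
     make_line("198.51.100.10", "16/Mar/2014:01:03:40 +0200")]
    + [make_line("203.0.113.7", "16/Mar/2014:01:00:00 +0200") for _ in range(300)]
    + [make_line("203.0.113.9", "16/Mar/2014:01:00:01 +0200") for _ in range(250)]
)
```

Calling `classify_sources(SAMPLE_LOG)` labels 198.51.100.10 (3 lines, peak 2 per 10 s) as browsing and the two 203.0.113.x addresses as flood; on a real server log the same routine can be pointed at the time window a complainant supplies.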

Barnes said UI investigators did not see any anonymizer traffic in the UI logs.

His theory for why the UI was blamed?

"We were the only IP range in that swath they could identify," Barnes said.

It's hard to say what the person on the one desktop on the UI network was doing, he said.

"It could have been someone surfing that webpage ... just browsing," he said. Or a case of "wrong place, wrong time."

Barnes' best guess is that organized hackers were behind the cyberattack, he said.

The attacks on the referendum website were described as "distributed denial-of-service" (or DDoS) type of attacks.

Carl Gunter, professor of computer science at the UI who teaches and conducts research in the area of network security, has held lectures on denial of service techniques and how they can infiltrate systems.

Students in his information security lab alerted him to the claim about the UI's involvement on Sunday. They had quite a few chuckles about the report's reference to three airports in the area and that Champaign was home to a headquarters of the National Security Agency, he said.

A distributed denial-of-service attack is one in which machines from many different places participate in the attack.

"There are two tricks that are used in these attacks. One is to compromise a machine of someone else to do the attack," Gunter said.

They're called "zombies." And people are not aware of what their machines are doing. If people who gather these "zombies" are good at it, they can prevent these individuals from knowing their machines are being controlled from elsewhere, he said.

"The second trick is called reflection. The way it works is you send something to a machine where you fake the origin of the message, then the machine responds to the address that was faked," he said.

Reflection is easy, and can be done by anyone internationally, he said. Compromising machines is a little harder because the hackers have to find a security vulnerability and then have to manage the compromised machine.

"People get compromised all the time because of the increasingly capable ways of convincing people to put malware on their computers," Gunter said.

There are two main ways people can protect their computers from denial of service attacks, he said.

One is antivirus software that helps protect your computer against malware.

The second is to avoid downloading software from people you don't know. Such downloads are like letting someone you don't know into your house while you're not there, he said.

Oftentimes people will receive an email — with a postcard inside, for example — that leads the individual to install malware.

In the early days of the Internet, denial of service attacks were conducted for fun or mischief, Gunter said. Now they're seen in extortion attacks where hackers will threaten access to the site or computer unless people pay a ransom, he said.

The other motivation is political, to make a political point. And using a denial of service attack to prevent access to the Crimea referendum is an example of that, he said.

As for the possibility of someone outside the university using someone's university computer without their knowing and executing certain commands, Barnes said they didn't see any evidence of that.

"We're considering this matter closed," Barnes said.


Comments


Sid Saltfork wrote on March 22, 2014 at 5:03 pm

The website in question was an Anonymous website. It was accessible on the web even after the story came out. The site instructed, and requested Anonymous followers to act on a specific date which just happened to be the date Russia claimed that the attack was launched from the U of I. Now, the U of I security cannot find the user, or users? "Wrong place at the wrong time"?

TA4093 wrote on March 22, 2014 at 9:03 pm

I think you need to read the article again. The aggressive activity did not come from the UI network, it came from an anonymized network that anonymous used to perform their attack. UI cannot speak to other people's networks, only their own. And it seems pretty clear to me that they are able to state that this attack did not occur from their network, but someone else's. The operators of the referendum site pointed the finger at UI simply because one of their IPs showed up in the site logs and needed a scapegoat because of their inability (or anyone's for that matter) to trace the origins of the attack.