Emory Report

January 18, 2000

 Volume 52, No. 17

Emory 'Net hacked

All things @emory.edu are fully operational again after an incident over the weekend of Jan. 7-9 that left much of the University temporarily adrift in the sea of cyberspace.

According to the Information Technology Division, on the evening of Jan. 7 an unidentified individual sent a "spoof" e-mail to Network Solutions Inc. (NSI), which maintains the Internet domain for Emory and about 6.5 million other accounts worldwide. The hacker was able to simulate an e-mail from Emory and requested that the University's domain be rerouted to <www.highspeednet.net>, a small Internet service provider in Laurel Springs, N.J.

Because NSI provides human technical support to its <.edu> accounts only during regular business hours, the authentication process for the request was largely automated, and the rerouting went through. As a result, external visitors to Emory's website went directly to the alternate site, and external e-mails directed to <@emory.edu> addresses bounced back or faded into cyber-oblivion. Also, due to the business-hour staffing, NSI was unable to begin fixing the problem until Monday morning, Jan. 10.

By Tuesday afternoon the problem had mostly been fixed, according to network operations manager Ramous Fields, but because some Internet servers update their databases less frequently than others, the problems could have persisted until last Thursday.

Brian O'Shaughnessy, a spokesperson for NSI, said the company provides tech support to its educational accounts pro bono, which is why it is only available during business hours. He also said many <.edu> matters require highly technical expertise that is available only Monday through Friday.

As for the security procedures that allowed automated authentication of the rerouting request, he said NSI provides three levels of security and "some of the onus falls on the registrant."

"A good way to look at it is like the lock on your door," O'Shaughnessy said. "There are better forms of security, but the lock works well--until someone takes a sledgehammer to it."

Fields said NSI has developed better security options since some of its older customers--like Emory--signed up, but didn't expressly inform the University they were available. The University has upgraded its security options in light of the incident. As for the e-mails that were lost over the weekend, Emory recipients must ask the senders to resend them.

Information technology staff for Emory Healthcare first noticed the switch, Fields said, and reported it to ITD. The division is working with NSI and the authorities, including the FBI, to try to track down whoever is responsible, but Paul Morris, vice president for information technology, said much of the sleuthing depends on how completely HighSpeedNET maintains its log files.

--Michael Terrazas

