SAN DIEGO SUPERCOMPUTER CENTER NATIONAL CENTER FOR SUPERCOMPUTING APPLICATIONS Case 216 The Incident That Brought Us Together December 12, 2005 Jim Barlow, NCSA and Victor Hazlewood, SDSC

SAN DIEGO SUPERCOMPUTER CENTER NATIONAL CENTER FOR SUPERCOMPUTING APPLICATIONS Outline Case 216 Overview Timeline Intruder infrastructure Observations Why are we here today? Data Security Why do we need to worry? Conclusion

SAN DIEGO SUPERCOMPUTER CENTER NATIONAL CENTER FOR SUPERCOMPUTING APPLICATIONS Timeline Aug 03 – First known related attack Oct 03 – Dec 03 BNL, Caltech, and Colorado Mar 04 Berkeley, LBL, NCAR, ANL, NCSA, SDSC Apr 04 Stanford, Intruder , SDSC (Tsutomo website), Spafford comments to NSF, CIAC Note to FIRST, News coverage: AP and Washington Post, SDSC begins trace

SAN DIEGO SUPERCOMPUTER CENTER NATIONAL CENTER FOR SUPERCOMPUTING APPLICATIONS Timeline May 04 UMN and CMU sniff intruder, SDSC home directories wiped, password collector discovered at Colorado, DOE incidents, notice to Internet2 goes unnoticed, Big Company incident, NCSA honeypot set, Jim and Victor become partners of a sort June 04 - Nov 04 password collector and intruder hub moves to numerous places, intruder infrastructure changes multiple times, amazing cooperation between sites and with LE, possible perpetrator identified

SAN DIEGO SUPERCOMPUTER CENTER NATIONAL CENTER FOR SUPERCOMPUTING APPLICATIONS Timeline Dec 04 - May 05 Contact made with Swedish authorities Luckily, Swedish sites are also victims FBI notifies Swedish authorities of individual involved Swedes serve search warrant on teenager Monitored intruder activity stops for first time in over a year

SAN DIEGO SUPERCOMPUTER CENTER NATIONAL CENTER FOR SUPERCOMPUTING APPLICATIONS Intruder Infrastructure Infrastructure Diagram

SAN DIEGO SUPERCOMPUTER CENTER NATIONAL CENTER FOR SUPERCOMPUTING APPLICATIONS Observations Intruder gets a B- rating Intruder misses/ignores lots of items Had the potential to be much more effective (and dangerous) Never appeared to make the money jump

SAN DIEGO SUPERCOMPUTER CENTER NATIONAL CENTER FOR SUPERCOMPUTING APPLICATIONS Why are we here today? What has changed from last year? Have attacks gone away? Already seen similar attack methods Are we all completely secure? How do we get from here to there? Last year’s meeting. See final report* This year’s meeting. Theme: Data Security

SAN DIEGO SUPERCOMPUTER CENTER NATIONAL CENTER FOR SUPERCOMPUTING APPLICATIONS 2005 – The year of the data breach Two data security incident per week Ranges from hacking to stolen machines Sites tracking incidents privacyrights.org – 95 incidents since Feb 15 idtheftcenter.org – 125 from Jan to early Nov attrition.org – 100+ reports this year High profile incidents ChoicePoint Iron Mountain storage company

SAN DIEGO SUPERCOMPUTER CENTER NATIONAL CENTER FOR SUPERCOMPUTING APPLICATIONS Data Breaches

SAN DIEGO SUPERCOMPUTER CENTER NATIONAL CENTER FOR SUPERCOMPUTING APPLICATIONS Why Should We Worry? Scientific data is valuable Who would want it? Titan Rain incident Competing researchers “Fictitious” incident Not just external threats Protect users from each other Informal survey of six HPC sites Strict guidelines can cause other problems

SAN DIEGO SUPERCOMPUTER CENTER NATIONAL CENTER FOR SUPERCOMPUTING APPLICATIONS Other Questions to Ponder Who are using our resources? Where are our crown jewels? What is the goal of security?

SAN DIEGO SUPERCOMPUTER CENTER NATIONAL CENTER FOR SUPERCOMPUTING APPLICATIONS Conclusion Goals of breakout sessions and conference Sharing of information and ideas Understanding our communities diverse perspectives Discuss our communities strengths and weaknesses Identify our community security needs How do we improve our posture? How can the NSF help?