SAN MATEO (02/28/2000) - A GROUP OF security companies and organizations is expected to announce an initiative next week that will provide universities with free software to help guard themselves against being turned into "zombies" used to launch a distributed denial of service (DoS) attack.
SSH Communications Security, the SANS Institute, RSA Data Security Inc., Massachusetts Institute of Technology (MIT), and MindBright Technologies will detail plans on Monday to equip more than 130 colleges and universities in the United States with free encryption software via SSHs (Secure Shells).
Through the security initiative, every student, faculty member, and staff member from the participating universities will be provided with SSH universal log-ins and stronger authentication channels via SSH product versions 1.0 and 2.1 for use on servers and PCs. Secure Shell is a secure log-in program developed by SSH Communications Security that eliminates clear-text password transmission and provides encrypted file transfers.
Admitting he has acted upon the shaky belief that hackers cannot compromise a system for malicious purposes if they are not aware of its location, Alex Vorobiev, director of systems support at the Maths Forum at Swarthmore College, said administrators must take steps to safeguard their own systems.
"I'm sure any administrator at some point is guilty of security by obscurity," Vorobiev said. "I can't tell you how important [the initiative] is campus-wide, not only for the information department but for the students as well. I'm ready to do it tomorrow."
Other universities that have signed up for the free SSH encryption software include the University of Wisconsin, Georgia Tech. University, and the University of North Carolina, said Steve Acheson, program manager at the SANS Institute in Bethesda, Md.
Acheson said he expects all schools involved with the program to be fully equipped by the end of the summer.
PGP Security Inc., a division of Network Associates, also has turned its attention toward protecting universities from DoS utilization with its announcement that 150 universities worldwide have enrolled in its new free security program, CyberCop.edu. Through the program, PGP Security is giving universities a one-year free license to implement its vulnerability assessment product, CyberCop Scanner.
As part of the program, NAI Labs will compile a running "state of the Internet" report, collecting security data from the scanners to identify new types of DoS attacks, conduct trend analysis, and target specific vulnerabilities, said a PGP spokesperson. All of the collected information will be kept private.
The launch of the initiative seems timely. James Madison University discovered this week that 16 PCs on its student network had been infected with what appeared to be a variant of a popular DoS flood tool, Trinoo.
Arming hackers even further, a new set of DoS tools directed at Windows-based PCs to provide easier ways to send a successful DoS flood was posted on the Internet last week.
SSH Communications Security, in Mountain View, Calif., is at http://www.ssh.com. PGP Security Inc., in Santa Clara, Calif., is at http://www.pgp.com.
Brian Fonseca is an InfoWorld reporter.