The Department of Computing (DoC) has suffered a security breach on its main shell server, named shell1, which provides secure shell access to the lab machines from outside the department. On the 24th of February, the College’s ICT Service Desk issued an email to DoC students informing them of a “security compromise” discovered on shell1, affecting a significant number of commonly used DoC systems. The email described the compromise as “root level”, indicating that the breach allowed malicious activity under administrative privileges.

ICT’s email to DoC students advised them to change their college password at their earliest convenience as a “precaution to ensure the details are not known to the malicious parties responsible for the breach”.

A source informed Felix that the breach was a rootkit installed on the shell1 server, which had gone unnoticed for three weeks. A rootkit is one of the most difficult types of malicious software to remove: it provides continued privileged access to a machine while employing many strategies to mask its presence from administrators and users. Such software circumvents the security measures in place, giving the attacker full access to the target. Typically, keyboard logging or screen capturing software is installed after a rootkit. Rootkits may also turn affected computers into ‘zombies’, i.e. make them part of a botnet used in DDoS (Distributed Denial of Service) attacks, which bombard other servers with data requests.

Rootkits are extremely difficult to detect, and removal may be impossible in the case of a kernel compromise. It is speculated that the malicious hackers involved recorded passwords of students and staff as they logged in to the department. A Computing class was advised by their lecturer to assume that “anything [they] did on those machines over the last three weeks, any data, communications, passwords, all that could have been recorded”.

It is not yet known whether the attack originated from inside the department or elsewhere, or what its intentions were. The Department of Computing Society sent out an email informing students of the actions they ought to take to reduce the potential damage caused by the breach. Changing the DoC password was considered of utmost importance, and those who had not done so by 5pm on the 25th of February had their accounts frozen until the change was made; an email was sent to the (now inaccessible) account stating that “[the user] will be unable to log in to [their] account” until the password is changed. Furthermore, any passwords stored by browsers on those machines are also compromised, as are the entire home directories where files are stored.

DoC and College have separate networks, which means non-DoC members are unable to log in to machines in the DoC labs using their normal credentials. Upon discovering the breach, ICT security imposed a block on the SSH (Secure Shell) service in DoC. DoC’s Computing Support Group (CSG) is currently in discussions with ICT about reopening access. For the moment, students have been advised to assume that “for the foreseeable future, no SSH access to or from DoC will be permitted”.

SSH is a protocol which provides a means to exchange data between machines over a secure channel. Students often use SSH to access their files or applications on the lab machines from home. As the SSH block came close to a major coursework deadline, many second year students complained that they could not submit in time and called for extensions. The coursework, which involves rewriting a teaching operating system’s internals, had been extended over the weekend, but the SSH service was not restored. Amongst the complaints, one student commented that “it was at worst an inconvenience”, and that “instead of [the group] working on the project on the sofa, [they] had to go into labs”. The review of whether SSH access can be reopened continues today, alongside further investigation.