Hackers compromise federal computers (Canada)


Hackers compromise federal computers

Virus linked to Internet attacks discovered on Ottawa machines

BARRIE McKENNA

Washington Bureau; With files from Dawn Walton in Toronto; and Associated Press in Washington

Friday, February 18, 2000

Washington -- Internet intruders have broken into Canadian government computers and infected them with a virus linked with the attacks that paralyzed top e-commerce sites last week.

Internet security company Network Associates Inc. of Santa Clara, Calif., said yesterday that it has found software on 20 computers worldwide, including five in Canada, capable of launching so-called denial-of-service attacks.

Also yesterday, ABC News reported that an Internet security expert has been in contact with an unidentified 15-year-old Canadian being investigated in connection with last week's attacks.

Network Associates would not reveal the location or owners of the infected Canadian computers, citing a confidentiality agreement with its customers and a desire not to jeopardize the Federal Bureau of Investigation's continuing probe.

The Globe and Mail has learned, however, that copies of the suspicious programs, known as zombie agents, have been found on federal government computers in Ottawa.

A Network Associates subsidiary, myCIO.com, which has offered free on-line diagnosis in the wake of the hacker attacks, said Canada had the highest rate of infection based on 20,000 confidential scans it has done worldwide since last week.

"Per capita, Canada has shown a higher percentage of hits than you might expect," said Mark McArdle, vice-president of Internet security at myCIO.com. "But Canada is a pretty wired society."

In Ottawa, a spokesman for the Treasury Board, which is responsible for the government's vast array of computers, refused to say whether computers may have been compromised.

"It's under investigation by the RCMP," the official said.

The RCMP has also had little to say about the progress of its investigation.

"We are still in a position where we can only say that we are assisting the FBI in their investigation, so I cannot even confirm or deny if search warrants have been executed," Corporal Stéphane Bonin said from Ottawa.

The RCMP was also believed to have been helping the FBI search for the teenaged Canadian hacker who used the on-line pseudonym "mafiaboy."

Investigators in both countries say the unidentified hacker is among several copycats who have emerged since the initial attack on the Yahoo.com Web site.

Michael Lyle, chief technology officer for Recourse Technologies Inc. in Palo Alto, Calif., told ABC that a series of communications he had with the teen last Thursday and Friday have bolstered his belief that the youth was involved.

Mafiaboy apparently told Mr. Lyle specific details about the ports he used to connect with surrogate computers and launch the attacks -- information Mr. Lyle said only someone involved in the attack would know, ABC reported on its Web site yesterday.

Meanwhile, Network Associates said the 20 problem machines it located are mainly located at academic institutions. Its scans don't show whether the tools were actually used in last week's denial-of-service attacks.

But the appearance of the programs in Ottawa highlights the vulnerability of all large computer systems.

Unwittingly loaded on a powerful computer server, the tools can turn a computer network into a launching pad for thousands of bogus messages directed at a target Web site. Internet security experts said these tools were responsible for several of last week's attacks, which temporarily downed some of the best-known names on the Internet, including eBay.com, Yahoo.com and Amazon.com.

Fearing more such attacks, the U.S. Environmental Protection Agency shut down its Web site yesterday.

The EPA said the site, normally accessed millions of times over the course of any given month, will be down for a week or two until a security-upgrade program is finished.

"The agency has been working . . . for several months to strengthen the security of our Web site," the EPA said. "The decision to temporarily close access to the Web site was made after a meeting Wednesday with computer security experts."

At least three university computers in California -- located at Stanford University, the University of California at Santa Barbara and the University of California at Los Angeles -- are known to have been infected with the software. Experts, however, say 50 or more computers may have been involved.

The University of Alberta in Edmonton said yesterday it is trying to determine whether its computers were part of the problem.

"We received a routine complaint from a university in California that there was something suspicious that had originated from one of our machines here," said Barry Ladan, the university's computer-security administrator.

An attack on CNN's Web site appears to have come through a computer at the University of California at Santa Barbara, the school that contacted the University of Alberta.

"We're still taking the machine apart to see what files may have been put on it or what sort of activities it was involved in," Mr. Ladan said. The university's findings will be passed along to the RCMP, he said.

http://www.globeandmail.ca/gam/TopNational/20000218/UHACKM.html

-- Martin Thompson (mthom1927@aol.com), February 18, 2000

