General Article
As Internet use increases, Fred Hutchinson encounters new internal and external risks to its computer network. Hackers barrage the network looking for ways to get past the firewall, which permits desirable connections and repels those that are undesirable.
“People constantly probe the center’s network. If you are on the Internet, you are getting probed in some fashion, even if you are not an obvious target,” said Sean Harding, Fred Hutchinson’s new information-security engineer. Harding came to the center earlier this year from Amazon.com where he worked to protect Amazon from a variety of Internet threats, including hackers looking to knock the retailer offline.
Harding is the newest member of the center’s Office of Information Security, which was established in early 2003 in response to the growing reliance on the confidentiality and integrity of the center’s data as well as the availability of computer-network resources. Ron Hood, information-security officer, heads the office, which also includes information-security engineer Jonathan Li.
The use of peer-to-peer programs, which are used primarily to distribute illegal copies of songs and movies, creates potential vulnerabilities to the center’s network.
Peer-to-peer programs, made infamous by the music-sharing program Napster, create ad-hoc networks through existing Internet connections where members share digital files. Members connect directly to other members without a central point of management. There are now hundreds of software programs that can create these networks. Some popular networks include Gnutella, FastTrack and eDonkey.
By the fall of 2003, peer-to-peer network traffic accounted for 5 percent of the total inbound Internet use at Fred Hutchinson. Their use exposes the center to several risks. For one thing, they work by establishing a connection through the center’s firewall, the same firewall being probed by hackers looking for a way in. Peer-to-peer network software developers tend to respond slowly to security flaws. Once installed, peer-to-peer programs are often configured incorrectly. Harding said when he discovers one on a machine, it is not uncommon to find that it is set to share the entire contents of the computer’s hard drive.
However, it is the efficiency of these programs that really has a dramatic impact on the center. They are popular precisely because they can share and move vast amounts of information. In a short amount of time, a peer-to-peer program can distribute hundreds of copies of a popular movie or song. In September 2003, a single user running a peer-to-peer program accounted for 3 percent of the entire Internet use at Fred Hutchinson for that month, which cost the center about $300.
Another risk is exposing the center to copyright infringement. The copyright police monitor the center as they track pirated copies of protected material. In the fall of 2001, a German intellectual property firm, Copy Control Services, sent an e-mail asking the center to remove access to someone who had illegally distributed their software.
“We don’t want to ban peer-to-peer applications since they have potentially valuable scientific applications,” Hood said. “We focus on the violation of copyright, not on the use of the tool. We have to investigate extremely anomalous network usage because there could be a security risk due to a compromised machine. We are not actively looking for copyright violations, but if we come across it in our routine work, we will have to report it.”
