TechTarget

Hackers can tap alien intelligence screensaver

A vulnerability has been discovered in Seti@home, the desktop screensaver used by 500,000 people worldwide that runs a peer-to-peer scan for extraterrestrial intelligence.

Seti@home is a scientific experiment that marshals the processing power of Internet-connected computers in the Search for Extraterrestrial Intelligence, or Seti. Participants install a free software program that downloads and analyses radio telescope data.

The Seti@home software is packaged as a screensaver. While the screensaver runs, the software downloads, analyses and uploads radio telescope data from a data server at the University of California, Berkeley.

The screensaver software contains a buffer overrun vulnerability in code that processes responses from the Seti@home server, according to Dutch student Berend-Jan Wever, who has issued a security advisory.

After tricking the client into connecting to a server under their control, an attacker could cause the buffer overrun by sending a long string of data followed by a "newline" character, Wever wrote.

The vulnerability affects all versions of the Seti@home client software, including those for the Microsoft Windows operating system, Apple's Macintosh operating system and versions of the Unix operating system.

The software running on the main Seti@home server at UC Berkeley contains a similar vulnerability.
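The overrun described above belongs to a familiar bug class: a line reader that copies until it sees a newline without checking the size of the destination. The following C sketch is an added example, not Seti@home source code and not taken from Wever's advisory. It sets that unsafe pattern beside a bounded reader that rejects overlong lines; the 32-byte buffer size, the function names and the sample replies are all assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINE_CAP 32   /* assumed buffer size; the page does not give the client's */

enum { LINE_OK = 0, LINE_TOO_LONG = -1, LINE_INCOMPLETE = -2 };

/* Bug class only (constructed, not Seti@home source): copies until '\n'
 * with no regard for the size of dst, so a long line overruns it. */
void copy_line_unbounded(const char *src, char *dst)
{
    while (*src != '\n')
        *dst++ = *src++;
    *dst = '\0';
}

/* Hardened form: copy one newline-terminated line from an untrusted
 * response of src_len bytes into dst (dst_cap bytes), or refuse. */
int read_line(const char *src, size_t src_len, char *dst, size_t dst_cap)
{
    const char *nl = src_len ? memchr(src, '\n', src_len) : NULL;
    size_t len = nl ? (size_t)(nl - src) : src_len;

    if (dst_cap == 0 || len >= dst_cap)
        return LINE_TOO_LONG;        /* reject instead of truncating or overrunning */
    if (nl == NULL)
        return LINE_INCOMPLETE;      /* no newline yet; caller reads more, still capped */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return LINE_OK;
}

/* Status of the first line of a response, using a fixed LINE_CAP buffer. */
int first_line_status(const char *resp, size_t n)
{
    char line[LINE_CAP];
    return read_line(resp, n, line, sizeof line);
}

int main(void)
{
    char big[200];                   /* constructed oversized server reply */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\n';
    printf("short reply:  %d\n", first_line_status("type=result\n", 12));
    printf("long reply:   %d\n", first_line_status(big, sizeof big));
    printf("no newline:   %d\n", first_line_status("type=", 5));
    return 0;
}
```

A client built this way treats an oversized line from the server as a protocol error and drops the connection, regardless of whether the server is genuine or spoofed.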

A separate problem concerns the Seti@home client's transmission of information back to the Seti@home server. Wever discovered that all information from the Seti@home client is sent out in plain text form. That information includes data on the operating system and processor type used by the machine running the Seti@home client.

Malicious hackers could collect the Seti@home data using any one of a number of common packet sniffing programs, providing useful information for planning a larger network attack.

The Seti@home team released a patched version of the client software, Version 3.08, which was described as a "precautionary security release".

The vulnerability would require attackers to "spoof" a fake Seti@home server and trick the software clients into connecting to it before they could be compromised. The Seti@home team knew of no previous attack on a client that used such a method, the Web site said.

However, clients could be tricked using spoofing tools or attacked from HTTP proxy servers or routers used by the Seti@home host machine.

More than four million Internet users have registered with Seti@home. Of those registered users, more than 500,000 are considered "active," having returned data to the main server within the past four weeks, according to the project's web page.
