Lisbeth Salander, the brilliant, fearless hacker heroine of “The Girl with the Dragon Tattoo,” “The Girl Who Played with Fire,” and “The Girl Who Kicked the Hornets’ Nest” is back in action in “The Girl in the Spider’s Web,” the continuance of the blockbuster Millennium series created by the late Stieg Larsson.And on page 210 of the thrilling crime novel, Salander hacks into the National Science Foundation (NSF) Major Research Instrumentation (MRI) supercomputer here at NJIT, and then gets out her own program for elliptic curve factorization before trying to crack a file she downloaded from the National Security Agency.
Like its predecessors, the book has become a runaway hit, debuting at the top of The New York Times Best Sellers list.
With National Cybersecurity Awareness Month right around the corner, the high profile name-check got us wondering: How accurate and probable is this plot point?
For the answer, we needn’t look any further than our very own in-house computer scientists and expert mathematicians.
“We had a supercomputer that was completely funded by the NSF MRI program,” confirms Kevin Walsh, a senior systems administration specialist for NJIT, who described a proposal to obtain the $300,000 equipment (named Hydra), which was put in service in June 2006. “Hydra occupied three racks located in the main computer room on the fifth floor of the Guttenberg Information Technologies Center, was a 76-node, 960 GFLOP cluster and taken out of service in Sept. 2013.”
According to Michael Siegel, mathematics professor and director of NJIT’s Center for Applied Mathematics and Statistics, the computer was used for applied mathematics research: fluid dynamics, wave propagation, mathematical biology and statistics. “The cluster would run codes written to solve complex equations arising in these applications,” he says. “The data stored on the computer would be from the output of these codes.”
So, what would it take to break into an NJIT supercomputer? Well, first, it’s important that the name doesn’t throw you off.
The “super” in supercomputer usually refers to the large computational capacity of the machine and doesn't refer to the supercomputer’s level of security protection, explains associate computer science professor Reza Curtmola.
“A supercomputer that is accessible remotely over a network can be hacked into just like any other computer that is connected to a network,” he says. “Like any computing device, a supercomputer runs complex software that is prone to have known and unknown vulnerabilities, which can be exploited by attackers. Moreover, an attacker can steal the authentication credentials of legitimate users that have access to the supercomputer, and then use that kind of access to gain further privileges on the supercomputer.”
In fact, modern supercomputers can be slightly softer targets than most, as they are made up of many smaller computers (nodes) sharing a separate internal network. While Salander would have to circumvent several layers of protection to get at the internal network, “The security on the internal network is often a bit weak because the purpose of the supercomputer is to facilitate fast connections between the internal nodes,” says Walsh.
In order to gain access, Walsh says Salander would have to first breach NJIT's firewall, then the supercomputer's head node (where researchers log in) before initiating an attack on the compute nodes through the internal network. “It would actually be quite simple to do this by tricking a faculty member into giving up their login and password, also known as phishing,” he says. “NJIT's network security manager has stated that ‘phishing is constant.’”
However, there is some creative license at work here.
“I don't think [Hydra] was ever used to factorize elliptic curves as the author suggests,” adds Siegel, who, ironically is on sabbatical in Sweden and lives in the same part of town on the island of Sodermalm, where Larsson called home and some of the events in his Millennium series take place.
For tips on strong password management and avoiding phishing scams, visit Cybersecurity at NJIT. And check out a “real-life” story on Wired.com about a hacker, who got busted for selling access to Energy Department supercomputers.
By Shydale James