FBI Probes Athena Incident
By Eric Richard
Associate News Editor
In cooperation with MIT Information Systems, the Federal Bureau of Investigation has started an investigation into the recent security breach of one of Athena's dialup machines. An arrest warrant has been issued for the alleged perpetrator.
The Distributed Computing and Network Services division of IS has been "working with the appropriate authorities to arrest the responsible person," said DCNS Manager Joanne Costello. She believed the individual was to be arrested last week, she added.
"Last I heard, they were writing out the arrest warrant," said Theodore Ts'o '90, a systems programmer for DCNS. Ts'o refused to comment further due to the pending investigation.
No one from the FBI was available for comment yesterday, leaving the suspect's identity unknown.
On Dec. 14, DCNS released a statement on the incident. "This individual's mode of operation is believed to be limited to breaking into accounts for the sole purpose of discovering any user [identifications] and passwords stored there to enable him to break into additional systems," it said.
The suspect used a bug in the dialup program to replace the telnet command, which allows users to remotely log on to other computers, with a compromised version which captured every keystroke after the command was executed, according to Costello.
Ts'o said the telnet program was modified in October, two months before the statement was issued. Over 4,000 individuals may have used the compromised server during this time, according to the statement.
The statement was printed and distributed to all of the Athena clusters and was printed in Tech Talk. DCNS explicitly refrained from distributing the notice electronically, Ts'o explained. "One of our big concerns was that we did not want to tip off the guy that he might be arrested. At the time we sent out that notice, he was still active."
Full directory led to discovery
DCNS became aware of the security breach when "one of the people who was maintaining dialups found that the /tmp [directory] was filled up. He also found a program which made you a superuser on that dialup if you executed it," Ts'o said.
"The user ID, password, and the name of the system to which the Athena user was connecting were evidently captured" and placed in hidden files, which occupied a large amount of space, said Cecilia d'Oliveira '77, director of DCNS.
DCNS Network Manager Jeffrey I. Schiller '79 noticed signs that this breach of security was similar to other occurrences across the Internet, said Ts'o. "The pattern was obvious, so we looked around and found the hidden files."
The suspect may have used a similar program to initially gain access to Athena, Ts'o said. "We have discovered how he then made himself superuser and have closed that loop now."
"Basically part of the problem was that we weren't paying as close attention to the dialup servers as we should have," Ts'o said. "It was blind luck that we found it when we did," he said. He added that the dialup machines require a little more attention than the workstations in the clusters because machines in the clusters have a program that automatically purges modifications like the one the suspect made.
"Someone is working on ways of securing the dialup servers so that something like this can't happen again," Ts'o said.
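The detection and cleanup the article describes (a /tmp directory filling up with hidden files of captured credentials, a replaced telnet binary, and the cluster machines' program that automatically purges such modifications) can be illustrated with a small integrity check. The script below is an added example, not the article's material and not Athena's actual tooling: it records a hash baseline of a binary directory, reports binaries whose hash has changed, flags oversized dot-files in a scratch directory, and copies known-good binaries back over modified ones. All paths, file contents and function names are constructed for the example and live in a temporary directory.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(bin_dir: Path) -> dict:
    """Record the hash of every regular file under a trusted binary directory."""
    return {p.name: sha256_of(p) for p in sorted(bin_dir.iterdir()) if p.is_file()}


def check_binaries(bin_dir: Path, baseline: dict) -> list:
    """Names whose on-disk hash no longer matches the baseline (replaced, trojaned or missing)."""
    current = build_baseline(bin_dir)
    return sorted(name for name, digest in baseline.items() if current.get(name) != digest)


def find_hidden_files(scratch_dir: Path, min_bytes: int) -> list:
    """(name, size) of dot-files in a scratch directory that are at least min_bytes.

    Hidden files growing in /tmp are what gave the Athena compromise away."""
    hits = []
    for p in sorted(scratch_dir.iterdir()):
        if p.is_file() and p.name.startswith(".") and p.stat().st_size >= min_bytes:
            hits.append((p.name, p.stat().st_size))
    return hits


def restore_from_trusted(bin_dir: Path, trusted_dir: Path, names: list) -> list:
    """Copy known-good copies back over modified binaries, the way the cluster purge did."""
    restored = []
    for name in names:
        src = trusted_dir / name
        if src.is_file():
            shutil.copy2(src, bin_dir / name)
            restored.append(name)
    return restored


def demo() -> tuple:
    """Constructed scenario: a host whose telnet binary is swapped and whose /tmp fills up."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root, "bin")
        trusted_dir = Path(root, "trusted")
        tmp_dir = Path(root, "tmp")
        for d in (bin_dir, trusted_dir, tmp_dir):
            d.mkdir()

        # Constructed stand-ins for system binaries (arbitrary bytes, not real programs).
        for name, body in (("telnet", b"TELNET-ORIGINAL"), ("ls", b"LS-ORIGINAL")):
            (bin_dir / name).write_bytes(body)
            (trusted_dir / name).write_bytes(body)
        baseline = build_baseline(bin_dir)

        # Simulate the compromise: telnet replaced, captured data piling up in a hidden file.
        (bin_dir / "telnet").write_bytes(b"TELNET-TROJANED")
        (tmp_dir / ".captured").write_bytes(b"x" * 4096)
        (tmp_dir / ".tiny").write_bytes(b"x")
        (tmp_dir / "visible").write_bytes(b"x" * 4096)

        modified = check_binaries(bin_dir, baseline)
        hidden = find_hidden_files(tmp_dir, 1024)
        restored = restore_from_trusted(bin_dir, trusted_dir, modified)
        clean_after = check_binaries(bin_dir, baseline)
        return modified, hidden, restored, clean_after


if __name__ == "__main__":
    print(demo())
```

The baseline must be taken from a trusted state and stored where a local superuser cannot rewrite it (read-only media or another host), otherwise an intruder who gains root, as the one in the article did, can simply re-hash the replaced binary. Running the check on a schedule is what turns the "blind luck" discovery into a routine detection.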