Intruders Breach Network Security; Passwords Stolen
By Daniel C. Stevenson
Intruders compromised a computer on the MIT network and used it to capture more than 600 usernames and passwords during a two-day period last November, according to Thomas J. Coppeto '89, systems programmer for Distributed Computing and Network Services, a division of Information Systems. IS was notified of the attack late last week.
The attackers used a custom program to illegally find the usernames and hidden passwords of anybody accessing a remote computer from any computer on a part of MITnet covering Buildings 1, 3, 5, and 7.
While users' Athena accounts may not have been compromised, usernames and passwords for any accounts they had on remote computers that they accessed using the telnet, ftp, or rlogin programs may have been exposed, Coppeto said.
Additionally, if users of computers on the affected network logged on to any of the Athena dialup servers without encrypting their passwords, their Athena accounts may have been compromised, he said.
5,000 accesses logged in two days
The attack was discovered in a log file on a computer used by the Free Software Foundation in the Artificial Intelligence Laboratory, Coppeto said. "The crackers, for some reason, copied the log to the FSF machine" from the machine used to "sniff" the information in Building 1, he said.
Upon discovering the situation, someone in the FSF notified the Carnegie Mellon University-based Computer Emergency Response Team and gave them the log file, Coppeto said. CERT then notified IS of the situation, and the FSF machine was disconnected from the network, he said.
"We have no idea who these people are but there are probably many of them," Coppeto said. "This is an Internet-wide problem, and we are currently not aware of what the CERT knows, if anything at all, about these crackers."
The log file showed two days' worth of data covering over 5,000 accesses to 13,000 different remote computers from machines on the network in question, Coppeto said. From this data, the crackers were able to capture 643 username, password, and destination machine groups, he said.
Chairman's office on compromised network
Networks at MIT "are typically divided along building boundaries, so a machine in 10-250 could be used to spy on machines in the Barker engineering library," for instance, Coppeto said.
The sniffer program on the Building 1 network could spy on machines in the public Athena cluster in 1-142, the 1-115 electronic classroom, and several hundred other machines in offices, laboratories, and departmental clusters in buildings across campus, Coppeto said.
The office of Chairman of the Corporation Paul E. Gray '54 and the News Office are also on the sniffed network.
Many of the destination machines were in the same area in Building 1, Coppeto said. The second-most affected destination machine was one of the Athena dialup servers, with 22 distinct username and password pairs captured in the two-day period, he said.
The log covered only one of 95 networks at MIT, Coppeto said. "It is highly probable, and we need to assume, that more machines on the MIT campus are being used to capture passwords at this very moment," he said. "We have no way of detecting this kind of activity."
Protect by encrypting passwords
"Every user who sends his or her password across the network in plain text is vulnerable to this sniffing attack, even if both machines are sitting on the same desk," Coppeto said.
Users can protect themselves by choosing a good password and using programs that encrypt their passwords before sending them across the network, Coppeto said. That way, a sniffing program will only turn up nonsense text when it searches for a password.
The best passwords are at least seven characters long and include a combination of upper- and lower-case letters, numbers, and other symbols, according to a press release from IS.
As an added precaution, IS recommends that all MITnet users change their passwords on all network-accessed accounts in response to the recent cracker activity.
Additionally, IS encourages users to use network services which provide encrypted password security whenever possible. These services include Techmail and Kerberos-encrypted telnet.
"It's no longer a question whether or not crackers have the ability to capture passwords off the network," Coppeto said. "It's happening."