Outside Hackers Infiltrate MIT Network, Compromise Security
By Dalié Jiménez
Over the past few weeks, hackers using "packet sniffers" have been able to determine the Athena passwords of several students who were using unencrypted telnet sessions.
Additionally, the hard drives of some students who run Linux from their personal computers have been erased or otherwise damaged.
Kerberos, an MIT-developed authentication system, can also encrypt the information a telnet session sends across the network. However, many students use telnet programs without Kerberos encryption.
Packet sniffers are then able to detect userids and passwords as they pass across the network in text format. For instance, the Windows 95 telnet program, which is unkerberized, sends all information in text format without protection, said Michael L. Barrow '93, Information Systems' Data Pathologist.
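To make concrete what a sniffer on a shared segment actually recovers from an unencrypted telnet login, here is an added example (not code from the article or from MIT Information Systems). The capture is constructed by hand in the shape a real session takes: the client sends each keystroke in its own packet, the server echoes the characters typed at the login prompt but not at the password prompt, and the stream is sprinkled with IAC option-negotiation bytes that must be stripped before the text makes sense. The hostname and credentials are invented.

```python
"""Reconstruct a login and password from a captured cleartext telnet session.

Added example, not from the original article. CAPTURE is a constructed
packet trace: ("C", payload) is client -> server, ("S", payload) is
server -> client, in wire order.
"""

IAC = 0xFF  # telnet "Interpret As Command" escape byte

CAPTURE = [
    ("S", b"\xff\xfd\x18"),                          # IAC DO TERMINAL-TYPE
    ("C", b"\xff\xfc\x18"),                          # IAC WONT TERMINAL-TYPE
    ("S", b"\r\nathena.example.edu login: "),        # hostname is invented
    ("C", b"j"), ("S", b"j"),                        # username is echoed
    ("C", b"d"), ("S", b"d"),
    ("C", b"o"), ("S", b"o"),
    ("C", b"e"), ("S", b"e"),
    ("C", b"\r\n"), ("S", b"\r\n"),
    ("S", b"Password: "),
    ("C", b"s"), ("C", b"3"), ("C", b"c"),           # password is not echoed
    ("C", b"r"), ("C", b"3"), ("C", b"t"),
    ("C", b"\r\n"), ("S", b"\r\n"),
    ("S", b"Last login: Mon Oct  6 21:14\r\n$ "),
]


def strip_telnet_commands(payload: bytes) -> bytes:
    """Remove IAC command sequences so only user/application data remains."""
    out = bytearray()
    i = 0
    while i < len(payload):
        b = payload[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 < len(payload) and payload[i + 1] == IAC:
            out.append(IAC)          # IAC IAC is a literal 0xFF data byte
            i += 2
        elif i + 1 < len(payload) and payload[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE):
            i += 3                   # IAC WILL/WONT/DO/DONT <option>
        elif i + 1 < len(payload) and payload[i + 1] == 0xFA:
            end = payload.find(bytes([IAC, 0xF0]), i + 2)  # IAC SB ... IAC SE
            i = len(payload) if end < 0 else end + 2
        else:
            i += 2                   # other two-byte command (NOP, GA, ...)
    return bytes(out)


def extract_credentials(capture):
    """Return (username, password) typed by the client, or None if not seen.

    Whatever the client types after the server's "login:" prompt is taken as
    the username, whatever follows "Password:" as the password. CR ends a
    line, LF is ignored, and backspace/DEL delete the previous character.
    """
    server_text = b""
    client_line = bytearray()
    expecting = None        # None, "user" or "pass"
    username = password = None
    for direction, payload in capture:
        data = strip_telnet_commands(payload)
        if direction == "S":
            server_text += data
            tail = server_text[-64:].lower()
            if tail.endswith(b"login: ") and username is None:
                expecting = "user"
            elif tail.endswith(b"password: ") and password is None:
                expecting = "pass"
            continue
        for b in data:
            if b in (0x08, 0x7F):
                if client_line:
                    client_line.pop()
            elif b == 0x0D:
                line = client_line.decode("latin-1")
                client_line = bytearray()
                if expecting == "user":
                    username = line
                elif expecting == "pass":
                    password = line
                expecting = None
            elif 0x20 <= b < 0x7F:
                client_line.append(b)
    if username is None or password is None:
        return None
    return username, password


if __name__ == "__main__":
    print(extract_credentials(CAPTURE))
```

Nothing here requires cracking anything: the only work is stripping protocol noise and tracking which prompt the server last printed. A Kerberized or ssh session defeats this because the bytes after negotiation are ciphertext, so there is no prompt to key on and no keystrokes to collect.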
There have been reports of compromised passwords in many dormitories including Macgregor House, East Campus, Next House and Baker House, Barrow said. However, it has not been only limited to dormitories. "We have received a lot of calls about this," he said.
Users who continue to use unencrypted telnet are compromising the security of their Athena accounts and MITnet.
"We want to get people to realize that this isn't theoretical, if you're sending your password in the clear, chances are that it will be taken," said Bob Mahoney, Information Systems' Network Consultant.
One student's nightmare
About a week ago Rafael H. Schloming '99, a resident of Macgregor, realized that his personal Linux machine had been broken into.
Monday night, he realized people had been trying to connect to his machine from outside the Institute. "I let my friends use my machine as a faster server to MITnet, but only people here know about it," Schloming said.
Schloming himself downloaded a packet sniffer and attempted to track the hackers. "I was able to poke around for one minute and found there were 10-12 people logged on," Schloming said.
"All the names were Nazi-related, but before I had a chance to see what they were doing, they killed my connections and sent a script to wipe out my hard drive," he said.
Realizing this, Schloming pulled the plug on his computer which caused a disk error. "I don't know what's still on the hard drive, if anything," he said.
Hackers obtain tools on the Web
The tools that hackers can use to set up packet sniffers are widely available on the Internet for free. Potential hackers don't even need to know much about UNIX, Barrow said. There are web pages that let hackers "follow a recipe" and gain root access to a system, he said.
"People install sniffers all the time," Mahoney said, and this sort of thing has been happening for a long time because users of MITnet have not been aware of the problem.
"You hear about the ones you find, but I'm sure there are many more machines that have been compromised," Mahoney said.
Currently, when users log on to Athena without using Kerberos, a message appears warning them that their session is not encrypted.
Hackers nearly impossible to track
"We get calls from people whose machines have been broken into who want us to track these people down," Mahoney said. The problem is that it's almost impossible to do.
"Most of the time all we end up finding is someone else who's been broken into," Barrow said.
"It's like tracking the AIDS virus," Mahoney said.
Use of encryption advised
Users need to log in using an encrypted connection. Kerberized telnet programs are available from Information Systems at http://web.mit.edu/is/help/ktelnet. "HostExplorer [the Windows version of kerberized telnet] is a very good beta and the thing we're most concerned about, encryption, is very solid," Mahoney said.
DES, the Data Encryption Standard which is the basis of ktelnet, is theoretically breakable, but has not been known to be broken, Barrow said.
The biggest problem seems to be people who are letting their friends log into their Linux machines unencrypted, said Elliot Schwartz '98, a member of the Student Information Processing Board.
For Linux system administrators, Secure Shell (ssh) may also be helpful, Mahoney said. More information can be found at http://www.cs.hut.fi/ssh/.
Additionally, Athena Linux users should subscribe to the linux-announce mailing list (blanche linux-announce -a username), where a discussion of security issues and possible solutions can take place, Schwartz said.
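The practical step for the Linux owners described above is to stop offering cleartext logins at all, not just to ask friends to use ssh. On a 1990s Linux box those services are started from inetd, so the check is a read of /etc/inetd.conf. The following is an added example (not from the article or from any MIT or SIPB tool) that parses a constructed inetd.conf, flags the services whose passwords travel in the clear, and produces a copy with those lines commented out; the file contents and the list of flagged service names are the example's own assumptions.

```python
"""Audit an inetd.conf for services that accept passwords in the clear.

Added example, not from the original article. INETD_CONF is a constructed
sample in the classic format:
    service  socket  proto  wait|nowait  user  server-program  args...
"""

# Services whose login exchange crosses the network unencrypted.
# The remedy in every case is the same one the article recommends: ssh.
CLEARTEXT_LOGIN_SERVICES = {
    "telnet": "telnet sends the password in the clear; replace with ssh",
    "login":  "rlogin sends the password in the clear and trusts hostnames; replace with ssh",
    "shell":  "rsh trusts hostnames in .rhosts; replace with ssh",
    "ftp":    "ftp sends the password in the clear; replace with scp/sftp",
}

INETD_CONF = """\
# Constructed sample /etc/inetd.conf (not a real host's file)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""


def parse_inetd(text):
    """Return one dict per active (uncommented, well-formed) service line."""
    services = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:                     # malformed entry; skip it
            continue
        services.append({
            "line": lineno,
            "service": fields[0],
            "socket": fields[1],
            "proto": fields[2],
            "user": fields[4],
            "server": fields[5],
            "args": fields[6:],
        })
    return services


def find_cleartext_logins(text):
    """Return (line number, service, reason) for each cleartext login service."""
    return [
        (s["line"], s["service"], CLEARTEXT_LOGIN_SERVICES[s["service"]])
        for s in parse_inetd(text)
        if s["service"] in CLEARTEXT_LOGIN_SERVICES
    ]


def harden(text):
    """Return the config with every cleartext login service commented out."""
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] in CLEARTEXT_LOGIN_SERVICES:
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, service, reason in find_cleartext_logins(INETD_CONF):
        print(f"line {lineno}: {service}: {reason}")
    print(harden(INETD_CONF))
```

Commenting out the line is only the first half of the change; inetd re-reads its configuration on SIGHUP, so the edit takes effect only after the daemon is signalled, and the check is worth repeating after any package installation that might re-enable a service.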
Using encryption is a simple way to at least reduce, if not eliminate, the security problems, Mahoney said. "We have good solutions for the folks on campus," he added, "we can greatly reduce the problem with simple precautions."