The Tech - Online Edition

Network Security Log

IS NETWORK SECURITY TEAM

In May 2003, the Network Security Team opened 254 new cases. There were 142 systems compromised by intruders, of which 140 were Windows and 2 were Unix systems. There were also 24 other types of complaints, including virus infection notices, requests for vulnerability scans, and other queries. Additionally, the team responded to 88 complaints from external sources concerning compromised machines on campus.

We selected a number of Network Security cases with activity from the period of May 4 to June 3 that illustrate the type of destructive security events that occur on MIT’s campus. Identifying information has been removed for privacy.

5/13/2003: Windows 2000, Building 16.

A Windows 2000 machine was compromised, likely due to a weak or blank password; the intruder installed an FTP server. The machine was formatted and reinstalled with security patches. Downtime was three days.

5/13/2003: Windows XP, Building 1.

A Windows XP machine was compromised, likely due to a weak or blank password; the intruder installed an FTP server. The machine was formatted and reinstalled with security patches. Downtime was 17 days.

5/14/2003: Windows 2000, Building 31.

A Windows 2000 machine was compromised, likely due to a weak or blank password; the intruder installed an FTP server. The machine was formatted and reinstalled with security patches. Downtime was approximately two days.

5/17/2003: Windows 2000, Building NW10.

A Windows 2000 machine was compromised, likely due to a weak or blank password; the intruder installed an FTP server. The machine was formatted and reinstalled with security patches. Downtime was one day.

5/19/2003: Linux, Building 66.

A Linux system was compromised, and was being used to probe machines at the National Aeronautics and Space Administration. NASA security personnel contacted Network Security and the hard drives of the affected machine were handed over for forensic analysis in preparing a case against the intruders. Downtime was approximately two weeks.

5/26/2003: Laptop, Building NW86.

A laptop was stolen from a student’s room. The student was advised to contact Campus Police and fill out a theft report; Network Security can only act on requests from the police for data collection.

5/28/2003: Windows NT, ATIC Laboratory.

The ATIC Laboratory’s Windows NT domain server logged regular break-in attempts but remained uncompromised, due in part to strong passwords and current security updates.

5/28/2003: Windows, Building E2.

U.S. Department of Agriculture security personnel contacted the Network Security Team about a compromised machine being used to conduct successful break-ins against various USDA machines. The compromised machine is still down.

5/29/2003: Windows Printer, Building 8.

A Windows printer was compromised, likely due to a weak or blank password; the intruder installed an FTP server. The machine was formatted and reinstalled with security patches. Downtime was approximately two days.

6/1/2003: Linux, Building NW86.

A user account on a Linux machine was compromised and found sending network traffic to hundreds of hosts in Brazil. The system was formatted and reinstalled with security updates. Downtime was approximately one day.

Information on what to do if you suspect an attack is at http://web.mit.edu/net-security/www/problems.html