SURFPUNK Technical Journal 014

  

Date: Wed, 16 Dec 92 18:41:37 PST
Reply-To: <cocot@osc.versant.com>
Message-ID: <surfpunk-0014@SURFPUNK.Technical.Journal>
Mime-Version: 1.0
Content-Type: text/plain
From: cocot@osc.versant.com (Captain COCOT)
To: surfpunk@osc.versant.com (SURFPUNK Technical Journal)
Subject: [surfpunk-0014] SECURITY: MIT Athena Incident
Keywords: surfpunk, security, athena

I would call this the worst Internet security incident I know of. I
suppose we'll read about this one in years to come. Kaptain Kludge
sends it.

Telnet, sending usernames and passwords in plaintext throughout the
net, is asking for trouble. This is part of the reason I'm interested
in the Public Key techniques of encryption *and* authentication.

Captain Cocot
________________________________________________________________________
________________________________________________________________________

Return-Path: <cec@MIT.EDU>
Date: Mon, 14 Dec 92 19:14:37 EST
To: infosys@MIT.EDU
Subject: FYI - Computer Security Incident

Over the weekend Information Systems staff discovered that one of the
Institute's Athena dialup servers had been compromised through an
unauthorized modification of the machine's system software.

If you have used the Athena dialup service during the last
two months to telnet to other machines, read on. Your
accounts on other machines may have been compromised.

Specifically, each time the telnet command was executed on this Athena
dialup machine the userid, password, and name of the system to which the
Athena user was connecting were evidently captured by an unauthorized user.
This individual is now in a position to use the captured information to
gain access to other systems. Our official system logs indicate that
during the time the modified version of the telnet program was in place,
over 4000 individuals used this particular dialup server. Those
individuals who executed the telnet command from this machine within the
past two months may have had their accounts on other machines compromised.

Check your username

To determine whether you are among the 4000 individuals most at risk, you
can use a command called checkmyid located in the Athena info locker. From
your Athena account, at the athena% prompt, type:

attach info
/mit/info/checkmyid

Change your password

We recommend that all Athena users change their passwords frequently - once
a semester is recommended. If checkmyid verifies that you are one of the
4000 people who used this specific dialup server during the last two
months, we STRONGLY recommend that you change your passwords immediately on
ALL systems, including Athena, to which you may have telneted. You must
assume that all accounts you may have reached using telnet are compromised.

Your new Athena password should be at least 6 characters long, and can
contain any combination of UPPER- and lower-case letters, numbers, or other
symbols that appear on the computer keyboard. For further information on
choosing a secure password, see Athena's On-Line Help Service.

Alert others

In addition please inform the system manager of any machines - including
Athena workstations in faculty offices - to which you may have connected,
since it is possible that the intruder may have used your account to
compromise those machines as well.

The individual who compromised our system used a pattern of attack
identical to one used by an individual operating from outside the MIT
community to attack a number of systems across the country during the past
year. In all likelihood, if you are among those whose accounts were
compromised, you will probably not find any damage to your files. This
individual's mode of operation is believed to be limited to breaking into
accounts for the sole purpose of discovering any userids and passwords
stored there to enable him to break into additional systems.

We sincerely apologize for the inconvenience this causes our user
community. We have taken immediate steps to eliminate this particular
security threat and we are reviewing and modifying our operational
procedures to limit our vulnerability to this and other types of attacks in
the future.

If you have any questions or comments, please send electronic mail to
<netsecurity@mit.edu> or contact your Athena cluster manager.

________________________________________________________________________
________________________________________________________________________

The SURFPUNK Technical Journal is a dangerous multinational hacker zine
originating near BARRNET in the fashionable western arm of the northern
California matrix. Quantum Californians appear in one of two states,
spin surf or spin punk. Undetected, we are both, or might be neither.
________________________________________________________________________

Send postings to <surfpunk@osc.versant.com>, subscription requests
to <surfpunk-request@osc.versant.com>. MIME encouraged.
Xanalogical archive access soon. Confusion to our enemies.
________________________________________________________________________
________________________________________________________________________
