Date: Wed, 16 Dec 92 18:41:37 PST
Reply-To:
Message-ID:
Mime-Version: 1.0
Content-Type: text/plain
From: cocot@osc.versant.com (Captain COCOT)
To: surfpunk@osc.versant.com (SURFPUNK Technical Journal)
Subject: [surfpunk-0014] SECURITY: MIT Athena Incident
Keywords: surfpunk, security, athena

I would call this the worst Internet security incident I know of. I suppose we'll read about this one in years to come. Kaptain Kludge sends it.

Telnet, sending usernames and passwords in plaintext throughout the net, is asking for trouble. This is part of the reason I'm interested in the Public Key techniques of encryption *and* authentication.

Captain Cocot
________________________________________________________________________
________________________________________________________________________

Return-Path:
Date: Mon, 14 Dec 92 19:14:37 EST
To: infosys@MIT.EDU
Subject: FYI - Computer Security Incident

Over the weekend Information Systems staff discovered that one of the Institute's Athena dialup servers had been compromised through an unauthorized modification of the machine's system software. If you have used the Athena dialup service during the last two months to telnet to other machines, read on. Your accounts on other machines may have been compromised.

Specifically, each time the telnet command was executed on this Athena dialup machine the userid, password, and name of the system to which the Athena user was connecting were evidently captured by an unauthorized user. This individual is now in a position to use the captured information to gain access to other systems.

Our official system logs indicate that during the time the modified version of the telnet program was in place, over 4000 individuals used this particular dialup server. Those individuals who executed the telnet command from this machine within the past two months may have had their accounts on other machines compromised.

Check your username

To determine whether you are among the 4000 individuals most at risk, you can use a command called checkmyid located in the Athena info locker. From your Athena account, at the athena% prompt, type:

    attach info
    /mit/info/checkmyid

Change your password

We recommend that all Athena users change their passwords frequently - once a semester is recommended. If checkmyid verifies that you are one of the 4000 people who used this specific dialup server during the last two months, we STRONGLY recommend that you change your passwords immediately on ALL systems, including Athena, to which you may have telneted. You must assume that all accounts you may have reached using telnet are compromised.

Your new Athena password should be at least 6 characters long, and can contain any combination of UPPER- and lower-case letters, numbers, or other symbols that appear on the computer keyboard. For further information on choosing a secure password, see Athena's On-Line Help Service.

Alert others

In addition, please inform the system manager of any machines - including Athena workstations in faculty offices - to which you may have connected, since it is possible that the intruder may have used your account to compromise those machines as well.

The individual who compromised our system used a pattern of attack identical to one used by an individual operating from outside the MIT community to attack a number of systems across the country during the past year. In all likelihood, if you are among those whose accounts were compromised, you will probably not find any damage to your files. This individual's mode of operation is believed to be limited to breaking into accounts for the sole purpose of discovering any userids and passwords stored there to enable him to break into additional systems.

We sincerely apologize for the inconvenience this causes our user community. We have taken immediate steps to eliminate this particular security threat and we are reviewing and modifying our operational procedures to limit our vulnerability to this and other types of attacks in the future.

If you have any questions or comments, please send electronic mail to or contact your Athena cluster manager.
________________________________________________________________________
________________________________________________________________________

The SURFPUNK Technical Journal is a dangerous multinational hacker zine originating near BARRNET in the fashionable western arm of the northern California matrix. Quantum Californians appear in one of two states, spin surf or spin punk. Undetected, we are both, or might be neither.
________________________________________________________________________

Send postings to , subscription requests to . MIME encouraged. Xanalogical archive access soon. Confusion to our enemies.
________________________________________________________________________
________________________________________________________________________
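The point Captain Cocot makes above, that telnet carries the login name and password in the clear, is what made the MIT incident possible: a modified telnet binary (or anyone on the path) only has to read the bytes. The following is an added example, not code from the SURFPUNK post or from MIT. It walks a constructed telnet session (the banner, host name, user name and password are made up) and recovers the credentials from the plaintext stream, after stripping the IAC option negotiation that a real telnet client and server exchange before the login prompt. The destination host name captured in the MIT case is not in the stream itself; the trojaned client knew it from its own command line.

```python
"""
Recover a login from a captured plaintext telnet session.

Added example with a constructed session; no real capture is used.
Telnet commands are introduced by IAC (0xFF).  RFC 854 defines the
option negotiation forms used below; a literal 0xFF data byte is sent
as IAC IAC.
"""
from typing import Dict, List, Tuple

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254


def strip_telnet_commands(data: bytes) -> bytes:
    """Drop IAC command sequences, keeping only the user-visible bytes."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break                      # IAC cut off at end of chunk
        cmd = data[i + 1]
        if cmd == IAC:                 # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                     # IAC <cmd> <option>
        elif cmd == SB:                # IAC SB <option> ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2                     # other two-byte commands (NOP, GA, ...)
    return bytes(out)


def recover_login(session: List[Tuple[str, bytes]]) -> Dict[str, str]:
    """
    session is a list of (direction, bytes) chunks as they crossed the
    wire: "S" for server->client, "C" for client->server.  Chunks may
    split a line anywhere.  Returns the name and password the client
    typed in answer to the server's "login:" and "Password:" prompts.
    """
    found: Dict[str, str] = {}
    pending = None              # which field the next client line answers
    client_buf = bytearray()
    for direction, raw in session:
        text = strip_telnet_commands(raw)
        if direction == "S":
            lowered = text.lower()
            if b"login:" in lowered:
                pending = "username"
            elif b"password:" in lowered:
                pending = "password"
            continue
        client_buf += text
        while True:
            idx = client_buf.find(b"\r")
            if idx < 0:
                break
            line = bytes(client_buf[:idx])
            rest = bytes(client_buf[idx + 1:])
            if rest[:1] in (b"\n", b"\x00"):   # telnet EOL is CR LF or CR NUL
                rest = rest[1:]
            client_buf = bytearray(rest)
            if pending:
                found[pending] = line.decode("ascii", "replace")
                pending = None
    return found


# Constructed session: option negotiation for TERMINAL-TYPE (24),
# ECHO (1) and SUPPRESS-GO-AHEAD (3), then a BSD-style login.  The
# client's user name is deliberately split across two chunks.
SAMPLE_SESSION: List[Tuple[str, bytes]] = [
    ("S", bytes([IAC, DO, 24, IAC, WILL, 1, IAC, WILL, 3])),
    ("C", bytes([IAC, WILL, 24, IAC, DO, 1, IAC, DO, 3])),
    ("S", bytes([IAC, SB, 24, 1, IAC, SE])),
    ("C", bytes([IAC, SB, 24, 0]) + b"VT100" + bytes([IAC, SE])),
    ("S", b"\r\nUNIX (dialup.example.edu)\r\n\r\nlogin: "),
    ("C", b"jran"),
    ("C", b"dom\r\n"),
    ("S", b"jrandom\r\nPassword:"),
    ("C", b"s3cret!\r\n"),
    ("S", b"\r\nLast login: Mon Dec 14 19:14 from dialup\r\n$ "),
]

if __name__ == "__main__":
    print(recover_login(SAMPLE_SESSION))
```

Nothing here is exotic: no key, no offline cracking, just byte matching on a stream. Anyone able to read the client side of the connection (a trojaned telnet, a tap on the dialup host, a sniffer on a shared segment) gets the same result, which is why the MIT notice has to assume every account reached through that server is compromised.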