Contact Information: security@mit.edu

IT Security: System Compromise FAQ


What happens when MIT IT Security detects a compromised machine?

  1. Email is sent to the system owner stating that it has been necessary to remove the machine from the network because the machine has been compromised or is otherwise compromising the integrity of the campus network.

  2. This email contains a detailed description of the security incident and the reason the network access was disabled, as well as detailed instructions (for several operating systems) on how to format the infected partition(s) and re-install the operating system safely.

  3. Occasionally, if contact information for a machine has not been kept up-to-date, no contact can be established. To confirm or update the contact information for a host, please see the MIT Host Lookup/Configuration Tool. For more details, see our policy on removing a machine from the network.



What do I do if my network access has been terminated?

  1. The most obvious sign that a drop has been shut off is that the "link" light on a transceiver or ethernet card attached to it will not light. If your drop did get shut off, do not move the machine to another drop. This will only return a potentially harmful machine to the network.

  2. Check your email from a neighbor's machine or use one of the public Athena workstations. You should receive detailed instructions for dealing with the compromised machine.

  3. Follow the instructions in the email. They will include directions for formatting and re-installing your operating system.
  4. To get your drop re-activated, you will need to reply to security@mit.edu. It is important that you provide the case number in the subject line. If you cannot find (or do not have) this information, provide the name of the machine normally attached to the drop, the building and room number of the drop, and the jack number. Once the team has received all the information, we will correlate it with our list of cases and assist you in re-securing your machine, as well as gathering any log information from your machine that can be used in tracking other break-ins. Your drop will not be re-activated until a member of IT Security is confident that it presents no risk. For more details, see our policy on removing a machine from the network.

  5. If you do not receive email from IT Security, your drop may have been disabled for another reason. In this instance, you should contact the Computing Help Desk.



Why is it necessary that I reformat?

When we require a format and reinstall, it is because the nature of the infection or intrusion is such that it is not possible to detect and eradicate all possible malicious code on your machine.

Basically, anything could have been done to your computer. Malicious programs may have been installed: replacement versions of Windows commands and utilities (so that Explorer does not show certain files, or the system monitor does not show certain processes running); keystroke loggers, which send a copy of everything you type (account numbers, user IDs and passwords) to a third party who can then use that information to compromise any system you accessed online; or programs that scan your files for particular information and relay it to third parties. All of these are examples of programs that are widely circulating on the Internet, and the vulnerability the intruder used to control your computer can introduce any or all of them. Simply closing the vulnerability after infection does nothing against intruders who leave "back doors" for future control: the computer remains compromised even while the code that controls it is dormant.

Think of it this way: once compromised, you should not "trust" your computer for anything, including its ability to run antivirus programs that declare the computer to be "clean". You should not trust it with any important data, and things like bank/financial web site access would be attractive to outsiders.

The only way to ensure that a trustworthy Windows operating system is on your computer is to reformat and reinstall the operating system, as directed. Enabling filtering before connecting the computer to the network (and then downloading all critical Microsoft patches from Windowsupdate.microsoft.com), together with running antivirus software, should allow you (and us) to return to using the computer normally.

We understand how frustrating and time-consuming this is, and we are sorry for the necessity. Hundreds at MIT have been victimized and have had to go through this process. This is, unfortunately, the only way we can be sure that the recovery is complete.



How can I prevent this from (immediately) happening again?

There are two facilities in Windows that have very similar functions, TCP/IP Filtering and the Internet Connection Firewall (ICF).

We suggest that people use TCP/IP filtering rather than the firewall (ICF) because it works at a more basic level in the computer. For example, we have seen information that suggests that ICF takes several seconds to become active after a computer is booted, and at one time we were seeing computers compromised because there were so many probes on the network that some were being infected in that 6-10 second interval!

On the other hand, ICF is somewhat more flexible, allowing the advanced user more precision in determining what types of data are sent and received.

There are third-party firewalls available that perform some of the functions of ICF; we have no information on their limitations and weaknesses, and haven't seen any particular reason to recommend them.

You may find that leaving filtering active after applying necessary patches does not affect your use of the computer or services at all, but offers additional protection against re-compromise. There have been vulnerabilities discovered before Microsoft has been able to release patches, and if you can run with filtering you are more likely to avoid the associated compromises.
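The two Windows facilities named in this section, TCP/IP Filtering and ICF, belong to Windows XP-era systems; on current Windows versions the same role is played by Windows Defender Firewall. The following PowerShell script is an added example, not part of the original MIT page, that applies the posture this section recommends (block all unsolicited inbound connections on every profile before the machine is patched, and leave that setting on afterwards) and then checks that the setting actually took effect before the machine is reconnected. It assumes Windows 8 / Server 2012 or later with the built-in NetSecurity module and an elevated (administrator) PowerShell session; the function names are this example's own.

```powershell
# Added example (not from the MIT page). Assumes Windows 8 / Server 2012 or later
# with the built-in NetSecurity module, run from an elevated PowerShell session.

# Put every firewall profile into a default-deny-inbound posture. Outbound stays
# allowed so Windows Update and the antivirus updater can still reach their servers.
function Enable-InboundFiltering {
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True `
        -DefaultInboundAction Block `
        -DefaultOutboundAction Allow
}

# Return $true only if every profile is enabled and blocks unsolicited inbound
# traffic; this is the check to run before plugging the machine back into the network.
function Test-InboundFiltering {
    $profiles = Get-NetFirewallProfile
    foreach ($p in $profiles) {
        if ("$($p.Enabled)" -ne 'True' -or "$($p.DefaultInboundAction)" -ne 'Block') {
            Write-Warning ("Profile {0}: Enabled={1}, DefaultInboundAction={2}" -f `
                $p.Name, $p.Enabled, $p.DefaultInboundAction)
            return $false
        }
    }
    return $true
}

# List the rules that still admit inbound connections, so any exceptions are
# reviewed deliberately rather than inherited silently from the old configuration.
function Get-InboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Select-Object DisplayName, Profile, Direction, Action
}

Enable-InboundFiltering
if (Test-InboundFiltering) {
    Write-Output 'Inbound filtering is active on all profiles; safe to connect and patch.'
    Get-InboundAllowRules | Format-Table -AutoSize
} else {
    Write-Output 'Inbound filtering is NOT fully active; do not connect this machine yet.'
}
```

Run the script once on the freshly reinstalled machine, before the network cable goes back in, and keep the default-deny inbound setting in place after patching: as the section notes, this costs most users nothing in day-to-day use and covers the window between a vulnerability becoming public and its patch being installed.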



Under what conditions would IT Security remove a machine from the network?

  • A computer is removed from the MIT network only in order to protect the data on that computer from misuse or theft, or to protect other computers on the network from attacks.

  • When the IT Security Team detects that a computer on the MIT network has been broken into by an intruder, action is taken to remove that computer from the network. Compromised hosts frequently begin to attack other systems. As soon as the IT Security Team detects malicious activity, we disable the Ethernet port that serves the affected computer.

  • A mail message is sent to the registered system owner, describing the problem and necessary recovery steps.

  • Unfortunately, because the number of attacks has risen dramatically in recent years, the rate of compromise has exceeded our ability to contact system owners by phone before disabling the machine.

  • System owners are urged to review current contact information for all hosts under their care. Security incidents will be resolved more rapidly if we have current contact information for each machine. Accurate system and contact information is one of the single biggest steps that can be taken to streamline remediation in the event of an incident.

  • The IT Security Team recognizes that a decision to remove a machine from the network can create inconvenience and difficulties for users. Please understand that our purpose is only to protect compromised systems and data from further misuse, and to ensure the safety of work at MIT and elsewhere on the Internet.
