Frequently Asked Questions
General security information
What tools are available to secure my machine?
This question breaks down into two separate issues: What tools are available
to increase the security of a machine, and to assess the security
of a machine?
Increase the security of a machine
The Coast archive has a section on UNIX security tools, including tcp wrappers,
tripwire,
a more powerful finger daemon, and
some tools for converting to shadow passwords.
In addition, explore more secure communication programs, such as SSH
(Secure Shell) instead of Telnet, or Kerberized POP instead of normal
POP.
Assess the security of a machine
A number of programs are available to notify you of what information
you're providing to the world, and what vulnerabilities might be
present on your machine. COPS and tiger are designed to be run locally, and will identify some problems in configuration or security on your system. Programs like Satan and Nmap
are designed to be run remotely, and will tell you what a cracker might
be able to determine about your system without breaking in. Tools like Crack and John the Ripper can be used to assess the security of your password file. lsof (list open files) can be used to track down the files that a suspicious program is using. And last but not least, netcat is a utility that you may find invaluable in exploring or debugging.
How often should I back up my machine?
The rock climbers would
ask "how far do you want to fall?" Many, many people find they
haven’t done enough backups. It’s easy to say "I can recover
the last week of work," but then find out you really can’t.
When you think about the work involved, it’s cheap insurance.
There are three things to
keep in mind:
- Most backup systems
offer "Full" and "Incremental" backups. Performing
a full backup takes a lot of time, but if you have to completely reinstall
your system, this provides the shortest path. Incremental backups are
fast, but if you rely on them and need to recover the entire system,
you will need to recover using the last full backup and all the
intervening incremental backups.
- Running an occasional
Full backup and frequent Incremental backups provides the best balance
of protection and speed.
- Remember: You may not
know immediately whether you've been broken into. Keeping a couple of
months of backups will allow you to recover data that may have been
damaged weeks ago.
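The restore logic described in the list above, written out as an added example (not part of the original FAQ): given a mix of full and incremental backups, which ones must be restored, in what order, and how far back a retained set lets you go. The schedule is constructed for illustration and is not MIT's.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Backup:
    when: date
    kind: str  # "full" or "incremental"

def _d(x):
    return date.fromisoformat(x) if isinstance(x, str) else x

def restore_chain(backups, target):
    """Backups needed to rebuild the system as of `target` (date or ISO string):
    the most recent full backup on or before that day, then every incremental
    taken after it up to and including that day, oldest first."""
    target = _d(target)
    usable = sorted((b for b in backups if b.when <= target), key=lambda b: b.when)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup on or before %s" % target)
    last_full = fulls[-1]
    incrementals = [b for b in usable
                    if b.kind == "incremental" and b.when > last_full.when]
    return [last_full] + incrementals

def oldest_restorable(backups):
    """Earliest day you can still rebuild to: the oldest full backup you kept.
    Keeping a couple of months of backups means the fulls (and their
    incrementals) reach back that far, so damage done weeks ago can be undone."""
    fulls = [b.when for b in backups if b.kind == "full"]
    return min(fulls) if fulls else None

def build_schedule(start, days, full_every=7):
    """Constructed sample schedule (assumption, not MIT's): a full backup every
    `full_every` days and an incremental on each day in between."""
    start = _d(start)
    return [Backup(start + timedelta(days=i),
                   "full" if i % full_every == 0 else "incremental")
            for i in range(days)]

if __name__ == "__main__":
    sched = build_schedule("2003-06-01", 10)
    for b in restore_chain(sched, "2003-06-10"):
        print(b.when, b.kind)
```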
Are there any machines at MIT that might legitimately try to connect to my machine?
Several machines at MIT may legitimately try to contact your machine:
- is-security-scan-x.mit.edu
(where x is a number) - The MIT Network Security Team periodically performs scans of all MIT hosts
upon determination that a specific vulnerability is particularly common
on MIT hosts or widespread throughout the MIT community. Such scans
only check the specific port related to the vulnerability in question,
and I/S notifies the appropriate system administrator if it is found
that the vulnerability is present.
- matisse.mit.edu
- This OLC server performs finger requests every 10 minutes on the host
in which a user with a pending OLC question last logged on. This is
so that OLC can serve users better by knowing when they are zephyrable.
Receiving dozens of requests from this system in a given day is totally
normal, and is a threat neither to you nor I/S.
- nemesis.mit.edu
- Nemesis is the OLTA and OWL server. Similar to matisse, it performs
finger requests every 10 minutes to keep track of users with questions
in the queue.
- search.mit.edu
- Ultraseek, the MIT search engine, which can be turned away with a robots.txt file. (MIT has licenses for several instances of the search engine,
so in the future there may be instances running on other systems as
well.)
- dandelion-patch.mit.edu
- This is an MIT web server which hosts various gateways, including
finger, zephyr, and others. For more information and use of these services,
visit the SIPB web site.
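One way to use the list above when reading your own logs, as an added example (not MIT's code): connections from the hosts named here to the service they are known for are treated as expected, while a listed host using some other service, or an unlisted host, is set aside for a human look. The log format is a tcp_wrappers-style syslog line assumed for this example, the sample lines are constructed, and the host-to-service mapping is this example's assumption based on the descriptions above.

```python
import re
from collections import Counter

# Hosts the FAQ lists as legitimately contacting MIT machines, mapped to the
# service each is expected to use. The scan hosts probe a single port tied to
# a specific vulnerability, so no fixed service is assumed for them (None).
EXPECTED = {
    re.compile(r"^is-security-scan-\d+\.mit\.edu$"): None,
    re.compile(r"^matisse\.mit\.edu$"): {"in.fingerd"},
    re.compile(r"^nemesis\.mit\.edu$"): {"in.fingerd"},
    re.compile(r"^search\.mit\.edu$"): {"httpd"},
    re.compile(r"^dandelion-patch\.mit\.edu$"): {"in.fingerd"},
}

# "Mon DD HH:MM:SS host service[pid]: connect from remotehost" (assumed format)
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ (?P<svc>[\w.]+)\[\d+\]: connect from (?P<host>\S+)")

def classify(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not a connection line; ignore
    svc, host = m.group("svc"), m.group("host")
    for pattern, services in EXPECTED.items():
        if pattern.match(host):
            if services is None or svc in services:
                return "expected"
            return "known-host-unexpected-service"
    return "unknown-host"

def triage(lines):
    """Count each class; return the counts and the lines worth reviewing."""
    counts, review = Counter(), []
    for line in lines:
        c = classify(line)
        if c is None:
            continue
        counts[c] += 1
        if c != "expected":
            review.append(line)
    return dict(counts), review

SAMPLE_LOG = """\
Jun 10 09:00:02 myhost in.fingerd[2001]: connect from matisse.mit.edu
Jun 10 09:10:03 myhost in.fingerd[2002]: connect from matisse.mit.edu
Jun 10 09:12:44 myhost in.fingerd[2003]: connect from nemesis.mit.edu
Jun 10 09:15:10 myhost in.telnetd[2004]: connect from is-security-scan-3.mit.edu
Jun 10 09:20:05 myhost httpd[2005]: connect from search.mit.edu
Jun 10 09:31:17 myhost in.telnetd[2006]: connect from matisse.mit.edu
Jun 10 09:40:55 myhost in.ftpd[2007]: connect from badhost.example.net
""".splitlines()  # constructed sample lines, not real log data
```

Run `triage(SAMPLE_LOG)` to see the two lines that survive the filter: a listed host on a service it is not known for, and an unlisted host.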
What methods of secure, encrypted remote connections can I use at MIT?
We strongly encourage you to only connect to your machine or to the
athena.dialup.mit.edu service through secure, encrypted means. The two
most common ways of doing this are by using a Kerberized telnet client
or by using SSH. Information Services and Technology recommends and supports Kerberized
Better Telnet (Mac) and Host Explorer (Windows). Site licensed Mac and Windows software for encrypting connections can be obtained on the MIT Software Distribution site. For Unix systems, Kerberos
and SSH resources are available.
For more information, see the Secure Connections web page.
Are there PGP resources available at MIT?
United States or Canadian citizens may download and use PGP software
from http://web.mit.edu/network/pgp.html. There is a public key server at http://pgp.mit.edu.
How do I pick a really good password?
Read the Guidelines for Choosing a Password
page for hints on how to do this. In general, never use a word from the
dictionary, your name, the name of your spouse, or the name of your
pets. Mix cases, letters, numbers and non-alphanumeric characters.
Why
doesn't MIT filter and restrict access to MITnet?
MITnet is an "open" computing environment: we do not normally restrict
access into or out of our network. This reflects both the traditional
openness of the academic environment, and our opinion of where security
efforts give the best return. Building walls around a network (usually
via firewalls)
often merely raises barriers to legitimate traffic, and gives a false
sense of security to users within.
Will the security team check my machine for vulnerabilities?
Periodically, the team performs automated scans of campus subnets.
Unfortunately, we do not currently have the resources to provide
assistance in diagnosing security or network issues on a per-request
basis.
How do I keep my Windows machine secure?
The two most important things in keeping your Windows machine secure
are having strong passwords and an up-to-date operating system. Please
see this document for the detailed explanation.
How can I keep up with security issues at MIT?
Network Security has created a mailing list called "security-fyi@mit.edu"
as a distribution channel where the MIT community can receive MIT-local
network security information. This is intended to be a low-traffic, broadcast-only list used by Information
Services and Technology to make subscribers aware of new threats, security-oriented user
tools, and related news.
You can subscribe to security-fyi by sending a message to the list administrator at security-fyi-request@mit.edu.
Getting
help
What do I do if I think I've had a break-in?
See What to Do If You Suspect Problems and follow the instructions. You will need to unplug your machine from the network (without turning it off) and send email to security@mit.edu.
Include the machine name; operating system type and version; contact person;
and any other information relating to the suspected event.
I'm being spammed. Can you help stop it?
Contact Stopit (stopit@mit.edu) if you
feel you have received harassing or threatening email. (If you believe
you are in imminent danger of being harmed, contact the Campus Police
at x3-1212.) The Network Security Team handles problems related to breaches or abuses
of the network, not spam.
Why am I seeing SNMP queries in my logs?
Some Windows95 and WindowsNT system installations that include drivers
for HP network printers will generate a high rate of broadcast packets
when connected to an ethernet network. This has a serious impact on network
performance for all users of that network. The Network Operations team
has identified a fix for this
problem.
Why are some of my emails with attachments bouncing with "Virus not accepted" errors?
A new, nasty virus for Windows was discovered the first week of June 2003. (Read more about W32/Bugbear.b.)
MIT was primarily impacted by mass mailing. Network Operations has
implemented a filtering on MIT's mailhubs and post office servers for
the Bugbear.B virus. Any e-mail with an attachment of the form filename.xxx.yyy
is automatically bounced back with a "Virus not accepted" error. This
is probably not indicative of a virus on your system, and renaming the
file and resending your email should solve the problem.
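The attachment rule above, reconstructed as an added example (the exact filter MIT ran is not on this page, so the pattern here is an assumption): a name of the form filename.xxx.yyy is rejected, and the sender-side fix is to rename so only one extension remains. It also shows why a legitimate name such as report.2003.doc bounces.

```python
import re

# Reconstruction of the rule as the FAQ states it: a base name followed by two
# or more short extensions. Assumed pattern, not MIT's actual filter.
DOUBLE_EXT = re.compile(r"^[^.]+(\.[A-Za-z0-9]{1,4}){2,}$")

def is_rejected(filename):
    """True if the mailhub filter described above would bounce this name."""
    return bool(DOUBLE_EXT.match(filename))

def rename_for_delivery(filename):
    """The workaround the FAQ suggests: keep the final extension and turn the
    earlier dots into underscores so a single extension remains."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        return filename
    return base.replace(".", "_") + "." + ext

def check_message(attachments):
    """Return the attachment names that would bounce and a suggested rename
    for each, so the sender can fix the mail before resending."""
    rejected = [a for a in attachments if is_rejected(a)]
    return rejected, {a: rename_for_delivery(a) for a in rejected}

if __name__ == "__main__":
    # Constructed sample attachment names
    print(check_message(["thesis.pdf", "readme.doc.pif", "report.2003.doc"]))
```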
Procedures
What is the procedure for turning off a drop?
Contact is made to inform the system owner that it has been necessary
to remove the machine from the network because the machine has been
compromised or is otherwise compromising the integrity of the campus
network. Occasionally, if contact information for a machine has not
been kept up-to-date, no contact can be established. To confirm or
update the contact information for a host, please see the MIT Host Lookup/Configuration Tool. For more details, see our policy on removing a machine from the network.
What do I do if my drop has been turned off?
The most obvious sign that a drop has been shut off is that the "link"
light on a transceiver or ethernet card attached to it will not light.
If your drop did get shut off, do not move the machine to another drop.
This will result in more aggravation for the Network Security Team as
well as another drop being shut off.
To get your drop re-activated, you will need to contact net-security@mit.edu.
When you do that, provide the case number in the subject line. If you
cannot find (or do not have) this information, please provide the name
of the machine normally attached to the drop, the building and room
number of the drop, and the jack number. Once the team has received all
the information, we will correlate it with our list of cases and assist
you in resecuring your machine as well as gathering any log information
from your machine that can be used in tracking other break-ins. Your
drop will not be reactivated until a member of the Network Security
Team is confident that it presents no risk. For more details, see our
policy on removing
a machine from the network.
Why is it necessary that I reformat?
When we require a format and reinstall, a reformat is required because
the nature of the infection or intrusion is such that it's not possible
to detect and eradicate all possible malicious code on your machine.
Basically, anything could have been done to your computer ---
malicious programs may have been installed, such as versions of Windows
commands and utilities (so that Explorer might not show certain files,
or the system monitor might not show certain processes running),
keystroke loggers (sending a copy of all your keystrokes --- that is,
account numbers/userids and passwords --- to a third party who could
then use the information to compromise any system you accessed online),
or programs to scan your files for particular information and relay
that to third parties. These are all examples of programs that are
widely circulating on the Internet, and the vulnerability used by the
intruder to control your computer can introduce any or all of these
onto your computer. Just closing the vulnerability after infection does
nothing to stop intruders that leave "back doors" for future control
--- the computer is still compromised even if the code to control it is
dormant.
Think of it this way: once compromised, you should not "trust"
your computer for anything, including its ability to run antivirus
programs that declare the computer to be "clean". You should not trust
it with any important data, and things like bank/financial website
access would be attractive to outsiders.
The only way to ensure that a trustable Windows operating
system is on your computer is to reformat and reinstall the operating
system, as directed. Implementing filtering before connecting the
computer to the network (to then download all Microsoft-critical
patches on Windowsupdate.microsoft.com), as well as running antivirus
software should enable you (and us) to go back to using the computer
normally.
We understand how frustrating and time-consuming this is, and
we are sorry for the necessity. Hundreds at MIT have been victimized
and have had to go through this process. This is, unfortunately, the
only way we can be sure that the recovery is complete.
How can I prevent this from (immediately) happening again?
There are two facilities in Windows that have very similar functions,
TCP/IP Filtering and the Internet Connection Firewall (ICF).
We suggest that people use TCP/IP filtering (see the information here)
rather than the firewall (ICF) because it works at a more basic level
in the computer. For example, we have seen information that suggests
that ICF takes several seconds to become active after a computer is
booted, and at one time we were seeing computers compromised because
there were so many probes on the network that some were being infected
in that 6-10 second interval!
On the other hand, ICF is somewhat more flexible, allowing
the advanced user more precision in determining what types of data are
sent and received.
There are third-party firewalls available that perform some of
the functions of ICF; we have no information on their limitations and
weaknesses, and haven't seen any particular reason to recommend them.
You may find that leaving filtering active after applying
necessary patches does not affect your use of the computer or services
at all, but offers additional protection against recompromise. There
have been vulnerabilities discovered before Microsoft has been able to
release patches, and if you can run with filtering you are more likely
to avoid the associated compromises.
The Team itself
What is the Network Security Team, and what does it do?
The MIT Network Security Team was formed by Information Systems to respond
to threats to network and system security at the Institute. We work with
members of the MIT community, both system administrators and users, to
increase the security of MITnet and connected hosts. We cooperate with
administrators at other sites, as well as law enforcement, in response
to security incidents.
Who is on the Network Security Team?
Our members come from within Information Services and Technology and from independent
departments, labs, and centers, as well as a number of student staff.
Can I join?
We are currently working to balance two needs -- keeping the team at a
manageable size, and seeing that we have enough people to do the work
required. At this time, we have reached a fairly manageable size, though
we remain interested in increased participation by previously unrepresented
independent networks. If you are from a previously unrepresented network,
send email to the team leader conveying your interest in participating
and your request will be reviewed.