'Crackers' Infiltrate State-of-the-Art MIT Computer System

Although MIT has taken numerous steps recently to prevent unauthorized access to its computer system, hackers in the past several weeks have infiltrated MIT's computer network and certain personal computers on campus, forcing Harvard to re-examine its own computer security system.

Coordinator of Residential Computing Support, Rick Osterberg '96 said that Harvard's computer systems are not exempt from the troubles that have afflicted those of MIT.

"Every computer system that is on a network is subject to attacks on its security. This is true everywhere," he said.

According to Michael L. Barrow, MIT Network Operation network engineer, MIT's Unix network, known as Athena, as well as several students' personal computers, have recently been the targets of computer infiltrators.

Barrow said that these individuals should be referred to as "crackers" rather than "hackers" because they did much more damage to the systems than those who spend time fooling around with computer programs.

In September and October, Barrow said that MIT found evidence that persons outside of the MIT network had obtained the usernames and passwords of legitimate users. The "crackers" were able to obtain this data by intercepting non-encrypted information from e-mail programs like Telnet and Eudora.

With the personal data, Barrows said the computer "crackers" were then able to enter network accounts, create bugs and even reconfigure personal hard drives.

Usernames and passwords are available to outside observers through "packet sniffing." According to Osterberg, packet sniffing is akin to telephone wire tapping.

"It is looking in on other peoples' conversations on the network," he said.

Osterberg said "packet sniffing" is not only illegal, but also a violation of Harvard policy.

The basic problem, Barrow said, is that MIT "runs an open network." As such, there is nothing to separate MIT's network from the Internet at large.

To compensate for the network's intrinsic lack of security, MIT developed the Kerberos System several years ago. The system allows for encryption of usernames and passwords.

Barrows said that if a user has the Kerberos program when he or she logs on to the network, his or her computer receives a "ticket." Were a student to use Eudora with Kerberos, his or her password would be sent to the network in Kerberos' cryptographic code. As such, it cannot be read by unintended viewers.

Despite Kerberos' existence, the recent infiltrations reflect the fact that not all MIT students utilize the protective program.

According to Osterberg, Harvard's own computer systems have no similar encryption program. Still, he said that Harvard does try to maintain a secure computer network.

"Our system administrators stay cur- rent with information about security holes that are discovered for our types of systems, and take all necessary steps to close those holes," he said.

He said that the recent authentication checks and forced password changes on Unix were aimed at increasing security.

FAS Computer Services is also considering other methods of increasing the current system's security, according to Osterberg.

"We continue to explore numerous ways to improve the security of the networks and systems on campus," he said. "We are also exploring the possibility of providing SSH [secure cell] clients to users."

SSH is an encryption program similar to MIT's Kerberos.

However, Osterberg said providing SSH to Harvard computer users would involve a "very heavy financial burden."

"As with everything else, we are constantly looking to balance security with usability and convenience for our user community," he said

He said that the recent authentication checks and forced password changes on Unix were aimed at increasing security.

FAS Computer Services is also considering other methods of increasing the current system's security, according to Osterberg.

"We continue to explore numerous ways to improve the security of the networks and systems on campus," he said. "We are also exploring the possibility of providing SSH [secure cell] clients to users."

SSH is an encryption program similar to MIT's Kerberos.

However, Osterberg said providing SSH to Harvard computer users would involve a "very heavy financial burden."

"As with everything else, we are constantly looking to balance security with usability and convenience for our user community," he said