Resources

How did you discover it?
A routine system check.

What alerted The WELL to the presence of a cracker on their system?
A routine system check revealed an account with growing file storage but no logins from the account owner.

What actions did The WELL take to help trace the cracker?
Our technical staff began analyzing the situation over that weekend. On Monday, we contacted Computer Emergency Response Team (CERT), The FBI, Sun's Security Team, Tsutomo Shimomura of the San Diego Supercomputer Center, the Board of Directors of The WELL, representatives of The WELL community and EFF to discuss our appropriate response. We also contacted other Internet service sites who we believed were compromised. Our main objective was to understand risks, options and factors affecting our system security and Net-wide responsibilities.

After discussing the situation with the above groups, and carefully considering our options and responsibilities, we made the decision to contact the U.S. Attorney's Office and ask Tsutomo Shimomura to assist in apprehending the intruder. We did this in an effort to foster greater security on the global net.

We initiated round-the-clock staffing to monitor the illegal activity. The WELL technical staff were joined by Tsutomo Shimomura and his associates to help trace the suspect using sophisticated monitoring software that he supplied. At no time was the FBI involved in monitoring.

What was the chronology of events at The WELL leading up to the arrest of the cracker?

Friday, Jan 27, 1995	The WELL first becomes aware of unauthorized activity on its system and begins analyzing the situation.
Monday, Jan 30, 1995	The WELL contacts CERT and makes arrangements for Andrew Gross of the San Diego Supercomputer Center to come to The WELL and act as a consultant.
Wednesday, February 1, 1995	The WELL works to expedite the purchase of a new Sparc1000e main sever. Round-the-clock monitoring begins.
Tuesday, Feb 7, 1995	The WELL meets with the US Attorney and the FBI who asks The WELL to please keep the site open to help apprehend the cracker.
Tuesday, Feb 14, 1995 2:30pm PST	WELL technical staff notices that the cracker erased information on one transaction file on The WELL. The transaction file contained user log-on data, and was a file which is stored elsewhere and backed up regularly. The WELL decides to bring the system down to rebuild the damaged file and do further investigation. The WELL staff shuts down the system.
3:00pm PST	WELL technical staff is confident that only one accounting file has been affected. Approximately three hours after the incident the damaged file is rebuilt.
5:00pm PST	Shimomura reports to WELL management that they are hours from catching the suspect.
8:30pm PST	The WELL puts system back up. Monitoring continues.
10:30pm PST	Kevin Mitnick is arrested in Raleigh, North Carolina.
Monday, Feb 20, 1995	The WELL installs a new SPARCserver1000E.

Were other sites affected? The cracker allegedly broke into dozens of corporate sites and computer networks across the Internet.

What are The WELL's normal security procedures?
The WELL follows normal UNIX and Internet system security procedures including, but not limited to, implementing changes as recommended by CERT advisories, security patches as available from vendors (e.g. SUN, Cisco), regular use of system security diagnostic software, including "crack" and other appropriate security related measures. It is inappropriate to enumerate all our security measures in a public forum.

Did the cracker get WELL member's credit card information or personal files?
To our knowledge, no credit card information was accessed by the intruder. A total of 11 user accounts were compromised.

In general, the cracker was not interested in information on The WELL itself, but used The WELL for storing files from other sites. A file was found containing credit card numbers of another Internet service provider.

Could The WELL have re-secured the system by changing members passwords?
The tools used by this cracker would not have been defeated by changing individual passwords.

What exactly were you monitoring and who was doing this?
We were tracking network transactions, eg. ftp, smtp, telnet etc. to and from systems known and/or suspected by us to have been compromised.

Those monitoring the system included The WELL technical support staff, Tsutomo Shimomura and his associate Andrew Gross.

What did you do to strengthen the security of The WELL?
We re-installed application software from binaries, implementing one-time (DES) password protection for critical, including root, passwords and required every user on the system to select a new password (adhering to password syntax standards that make password cracking more difficult).

The WELL installed a new SPARCserver1000E on Monday, Feb 20, 1995.

Melissa Walia, Niehaus Ryan Haller PR
415-827-7094, color@well.com