The University Record, May 10, 1999

Hacker breaks into ITD login server

By Rebecca Doyle

In the early morning hours of the final Sunday before exams, while students were feverishly pulling all-nighters to finish term papers and prepare for the last big tests of the semester, somewhere a computer began surreptitiously copying their passwords and login information.

At about 4 a.m. on April 25, a hacker broke into the login server in the U-M computing system using a compromised account and password. Once in, the hacker changed system files in order to obtain current accounts and passwords and captured 1,534 passwords, say representatives of the Office for Policy Development and Education (OPDE). During the 23 hours the hacker was attached to the U-M computing system, an additional 19,700 users signed on, but, according to Information Technology Division (ITD) staff, the hacker did not capture their passwords.

Administrators from ITD and OPDE notified all users who were signed on during that time and encouraged them to change their passwords. The 1,534 users whose passwords were captured were asked to change their passwords immediately to protect their computing resources. ITD staff reset passwords on May 4 for those who did not. If you find that you cannot log in, call the ITD Accounts Office (764-8000) to obtain a new password.

ITD staff members responded as soon as they were aware that an intruder was in the system, says Ellen Vaughan, project manager for the login service.

“Because the U-M is an open environment, we are always vulnerable to this kind of thing,” she says. “We always try to stay one step ahead of potential hackers, but in this case, they got ahead of us.” Programming staff have “patched” the system and installed “trip wires” to ensure that an alert is sent as soon as security is breached. The FBI is currently investigating the incident.

No one can be sure what a hacker might do with information obtained from an individual’s account and password. If your password and account information were stolen, a hacker might do one or all of the following:

  • Send out e-mail that appears to be from you.

  • Break into other systems, with any traces leading back to you.

  • Use any resources you have access to.

  • Access and/or destroy documents in your IFS space.

  • Read your private e-mail.

Vaughan also notes that the system is most vulnerable when people use passwords that are “sent in the clear,” that is, transmitted without encryption by connectivity software such as Telnet.

“If people will be more careful about passwords, we can cut down our exposure dramatically,” Vaughan says. “Secure Telnet software is available. Secure FTP software is not, and people need to be aware when they use FTP that there is a risk.”

Even with secure connectivity software, users should make sure their passwords are not easily guessed and are changed regularly.

Not only should users be alert to whether connectivity software they use is secure, Vaughan says, but “users need to be more aware when they buy any software that offers a connection to a remote service, and can check with site consultants, the 4-HELP line or any of their usual sources when they buy software to find out whether it will provide a secure way to log in to the service.”

Guidelines for Choosing a Password

The following guidelines will help you choose a safe and secure password:

Select a unique password. Do not use a password you are using elsewhere, such as your bank PIN number or your password to another system.

A good password length is 9 to 15 characters. Uniqname passwords can contain upper case, lower case, digits, punctuation and blank characters. Adding digits, punctuation and random capitalization always will improve a password, but do not use a blank space. The more varied your character set, the shorter your password can be.

Many people make up a phrase and use the first letter of each word, including numbers and punctuation, as their passwords. For example, “Was the moon shining through three trees as I climbed 10 stairs last May?” (WtMst3taIc10slM?). You can also make up a long word like “!bunca*dinckDOc”.

Do not pick a word out of any dictionary in any language. Simple transformations of words are not good choices, either. For example, do not add one character before or after a word (!horrible or horrible!). Do not randomly capitalize parts of a word (HorriBle). Do not double a word (horriblehorrible). Do not spell a word backwards (elbirroh). Do not remove the vowels (hrrbl).
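As an added example (not part of the original article), the following Python function tests a candidate password against the length and blank-space advice and the word transformations described above. The word list is a small constructed stand-in for a real dictionary, the function and variable names are hypothetical, and only the lower end of the 9-to-15 length advice is enforced.

```python
# Added example: check a candidate password against the article's guidelines.
# WORDS is a tiny constructed stand-in for a real dictionary file.
WORDS = {"horrible", "michigan", "password", "wolverine"}
VOWELS = set("aeiou")


def strip_vowels(word):
    """Return the word with its vowels removed (horrible -> hrrbl)."""
    return "".join(c for c in word if c not in VOWELS)


def weak_reasons(password, words=WORDS):
    """Return the guidelines the password violates (empty list = none found)."""
    reasons = []
    p = password.lower()  # folds random capitalization (HorriBle -> horrible)
    devoweled = {strip_vowels(w) for w in words}

    # The article recommends 9 to 15 characters; only the lower bound
    # is treated as a violation here (an assumption of this example).
    if len(password) < 9:
        reasons.append("shorter than 9 characters")
    if " " in password:
        reasons.append("contains a blank space")
    if p in words:
        reasons.append("dictionary word")
    # One character added before or after a word (!horrible, horrible!).
    if p[1:] in words or p[:-1] in words:
        reasons.append("word plus one character")
    # A word written twice (horriblehorrible).
    half = len(p) // 2
    if len(p) % 2 == 0 and p[:half] == p[half:] and p[:half] in words:
        reasons.append("doubled word")
    if p[::-1] in words:
        reasons.append("reversed word")
    if p in devoweled:
        reasons.append("word with vowels removed")
    return reasons


if __name__ == "__main__":
    # Candidates taken from the article's own list of poor choices.
    for candidate in ["!horrible", "horrible!", "HorriBle",
                      "horriblehorrible", "elbirroh", "hrrbl"]:
        print(f"{candidate!r}: {weak_reasons(candidate)}")
```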

Passwords based on personal information that another person could reasonably learn are not good. Do not use all, part of, or combinations of your birth date, name, home town, mother’s maiden name, childhood nickname, pet’s name, favorite cartoon character, driver’s license, phone, address, license plate number, Social Security number or PIN numbers.

Whatever system you use to devise your personal password, don’t tell anyone that system. (And don’t use any of the examples printed here.)

Change your password often, and never tell anyone your password.

The person trying to guess your password may be a total stranger who can find out more about you than you realize, but it also may be a friend who’s decided to play a joke on you or an ex-friend who could destroy all your files and send malicious mail using your uniqname.