
From: [redacted]@mit.edu
Subject: Fwd: Extreme robotic activity of JSTOR at MIT
Date: October 20, 2010 2:47:26 PM EDT
To: [redacted]@mit.edu

FYI:

Begin forwarded message:

From: [redacted] <[redacted]@mit.edu>
Subject: JSTOR at MIT
As part of our trying to develop a plan and roadmap for security systems, [redacted] has been thinking about this problem a lot. I asked him to share his thinking; I agree with his

Resources and data have extremely varied levels of protections around them. The levels of protection have traditionally been determined by the implementors/owners/operators of the systems that exist Institute-wide. The quality of security implementations varies greatly due to the individuals' experience with security controls. We currently lack a complete accounting of all systems that house valuable data; however, the efforts taking place currently are addressing the accounting of systems that house data which MIT is beholden by state law to protect.

IS&T-owned resources, due to the implementors' expertise and knowledge of risk, typically have tighter security controls, designed into the systems, that leverage varying techniques. Other systems, implemented without involvement, have been seen in events prior with poor, limited or outdated security protections; ITSSS has worked with some DLCs, when approached, in a consulting role, to recommend ways in which DLCs can bolster their protections. We've internally discussed ways that, in the future, once larger-scale issues are addressed, it would be beneficial to the community to offer more security consulting/technical security audits to DLCs around campus to manage down their risk of exposure and security threat.

Because the ways of accessing data are so varied, the security solutions protecting the systems are also extremely varied. While our efforts spent attempting to identify the user responsible for the JSTOR crawling were ultimately in vain in this one instance, it's interesting to note that JSTOR hasn't yet implemented measures to prevent this egregious level of abuse. The measures being taken on MIT's end will eliminate the possibility of unidentifiable users crawling JSTOR and disrupting the community's access to the service in the future.

Since the reorganization occurred, we (Security & Network) are now exploring paths that had been relatively quickly dismissed in years prior in order to implement more complete access control, intrusion detection/prevention and network border protection. We are also looking to implement data loss prevention monitoring, log analysis, greater malware defenses and unauthorized software inventory. All of these solutions fall into a longer term plan, though we hope to begin implementing them in the near future. Adding border protection to the network - thus redefining the openness of our network - offers a number of ancillary benefits.

[redacted] might have a feel for costs, but we haven't gotten that far in our planning. If this doesn't hit the mark, let us know, and we'll fill the gaps.
MIT-000465
IT Security Systems & Services
[redacted] Infrastructure Area, IS&T
MIT

Important: DO NOT GIVE OUT YOUR USERNAMES/PASSWORDS, SSNs, or ANY OTHER PERSONAL INFORMATION.
IT staff at MIT will *NEVER* ask for these data. Please ignore any email messages claiming to be from MIT or any other business and requiring you to reply with your personal information.
On Oct 15, 2010, at 3:37 PM, [redacted] wrote:

more

Sorry, accidentally sent this before I was done.

Please keep in mind some of these folks know very little about our security environment and we need to carefully educate them.

We might want to think about a session for [redacted] and several others.

Meanwhile, I have a meeting with [redacted] on [redacted] morning and appreciate a bit of information prior to that meeting along the lines of the note I just sent.

Thanks so much for all you and your team are doing!

Sent from my iPhone
On Oct 15, 2010, at 12:31 PM, [redacted] <[redacted]@mit.edu> wrote:

What [redacted] and Academic Council are concerned about is this same sort of thing happening to MIT owned and managed resources/data. Do we have some protection around some of them?

I know we have an open network.

This gets to risk, what actions we can do immediately and what our longer term plans (and costs) might be.

Sent from my iPhone
On Oct 15, 2010, at 4:28 AM, [redacted] <[redacted]@MIT.EDU> wrote:

THE CASE OF EXTREME ROBOTIC ACTIVITY OF JSTOR AT MIT

Facts:

An unknown person, of unknown affiliation to MIT, masquerading as an MIT visitor, used our wired network in building 16 to violate our own Rules of Use, and caused unspecified risk and possibly reputation damage to MIT by downloading large amounts of content from JSTOR.org. This has now been reported to us twice, first on or about the weekend of September 25th, next on or about the weekend of October 9th. In both cases, the initial notice from JSTOR came into the Libraries, and notification to IS&T occurred a day or so later. JSTOR terminated all MIT access to JSTOR resources at first, then restored limited access, and then restored full access. The amount of downloading has not been provided to IS&T, but the Libraries might have that assessment. It's likely that only one or two computers are used; the abuse is intentional based on even the limited facts that we've been able to gather at this end.
MIT-000466
Enablers:

No authentication of visitors. Visitor network access is provided as an on-demand, self-service process for anyone who walks onto campus, plugs in, or elects to use our wireless network, and declares themselves as a visitor, and they get 14 days of network privileges.

No identity verification. Visitors are asked to provide an email address. The email address is not used to verify that a bona fide identity exists. In both of these cases, the address provided was from mailinator.com's service, which provides unauthenticated, one-time, throw-away, anonymous email accounts. The addresses were ghost@mailinator.com and ghost42@mailinator.com.

No authentication of users accessing JSTOR.org. By agreement, JSTOR.org allows any computer with a net18 IP address to access their resources without further identification or authentication.

Next steps:

Discussions between my team and the Libraries, and discussions within the Libraries, both reached the conclusion that putting JSTOR access under the Libraries' e-control framework will provide basic user access control. Other controls are being discussed as well.

Issues Remaining:

JSTOR insists that we certify that the perpetrator has been identified, we've removed their access, and that all downloaded materials have been destroyed. We are unable to do any of that. Without this certification, JSTOR will not resolve the case.
---
MIT
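The three enablers listed in the message above (self-service visitor registration, an e-mail address that is never verified, and admission by JSTOR on the basis of a campus IP address alone) can be expressed as a small screening routine that applies the missing identity checks before the 14-day privilege is granted. The Python below is an added example, not code from MIT, IS&T or JSTOR; the disposable-domain entries other than mailinator.com, the e-mail verification flag, the reading of "net18" as 18.0.0.0/8, and the sample source addresses are assumptions.

```python
"""Screening self-service visitor registrations.

Added example, not code from MIT, IS&T or JSTOR. It models the three enablers
named in the message: visitors self-register for 14 days of network access,
the e-mail address they give is never verified, and JSTOR admits any campus
("net18") address with no further authentication. The disposable-domain list,
the verification flag and the sample source addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed denylist of throw-away mail providers; mailinator.com is the
# one named in the message, the others are illustrative additions.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}

# Assumption: "net18" in the message means the 18.0.0.0/8 campus range.
CAMPUS_NET = ipaddress.ip_network("18.0.0.0/8")

DAYS_IF_VERIFIED = 14   # the 14-day visitor privilege described in the message
DAYS_IF_REJECTED = 0    # hardened policy: nothing until the checks pass


@dataclass
class Registration:
    email: str
    email_verified: bool   # assumption: did the visitor confirm a mailed link?
    source_ip: str         # constructed sample addresses, not from the page


@dataclass
class Decision:
    grant_days: int
    jstor_reachable: bool  # would JSTOR's IP-range rule admit this machine?
    reasons: list = field(default_factory=list)


def email_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; '' when the address is malformed."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        return ""
    return domain.lower()


def jstor_admits(source_ip: str) -> bool:
    """Mirror of the agreement in the message: any campus address is admitted."""
    return ipaddress.ip_address(source_ip) in CAMPUS_NET


def screen(reg: Registration) -> Decision:
    """Apply the identity checks the message says were missing."""
    reasons = []
    domain = email_domain(reg.email)
    if not domain:
        reasons.append("malformed e-mail address")
    elif domain in DISPOSABLE_DOMAINS:
        reasons.append(f"disposable e-mail domain: {domain}")
    if not reg.email_verified:
        reasons.append("e-mail address never verified")
    days = DAYS_IF_REJECTED if reasons else DAYS_IF_VERIFIED
    return Decision(days, jstor_admits(reg.source_ip), reasons)


# Constructed sample: the two addresses quoted in the message, plus one
# verified registration from a non-disposable domain.
SAMPLE = [
    Registration("ghost@mailinator.com", False, "18.0.0.10"),
    Registration("ghost42@mailinator.com", False, "18.0.0.11"),
    Registration("visitor@example.org", True, "18.0.0.12"),
]


def screen_all(regs=SAMPLE):
    """Return {email: (granted days, reasons)} for a batch of registrations."""
    out = {}
    for r in regs:
        d = screen(r)
        out[r.email] = (d.grant_days, d.reasons)
    return out


if __name__ == "__main__":
    for r in SAMPLE:
        d = screen(r)
        status = f"{d.grant_days} days" if d.grant_days else "denied"
        print(f"{r.email:26} {status:8} jstor-by-ip={d.jstor_reachable} {d.reasons}")
```

Running the block shows the point of the message's third enabler: every sample machine is admitted by JSTOR's IP-range rule regardless of who registered it, so the registration gate is the only place where identity is ever checked. Denying the privilege until the address is verified and rejecting throw-away domains is the defensive counterpart of the e-control step described under "Next steps"; the denylist is a heuristic and a verification step is what actually ties a registration to a reachable identity.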
On Oct 14, 2010, at 3:15 PM, [redacted] wrote:

Would you send someone an update on this which I can forward to [redacted] before the weekend? Thanks, [redacted]

Sent from my iPhone
Begin forwarded message:

From: [redacted]@mit.edu
Date: [illegible] PM PDT
To: [redacted]@mit.edu
Cc: [redacted]@mit.edu
Subject: Fwd: Extreme robotic activity of JSTOR at MIT

Fyi,
MIT-000467
