Frequently Asked Questions|
When did The WELL first become aware of the
unauthorized activity on its system?
Friday, January 27th, 1995.
How did you discover it?
A routine system check.
What alerted The WELL to the presence of a
cracker on their system?
A routine system check revealed an account with growing
file storage but no logins from the account owner.
What actions did The WELL take to help trace the
Our technical staff began analyzing the situation over that
weekend. On Monday, we contacted Computer Emergency
Response Team (CERT), The FBI, Sun's
Security Team, Tsutomo Shimomura of the San Diego
Supercomputer Center, the Board of Directors of The WELL,
representatives of The WELL community and EFF to discuss
our appropriate response. We also contacted other Internet
service sites who we believed were compromised. Our main
objective was to understand risks, options and factors
affecting our system security and Net-wide responsibilities.
After discussing the situation with the above groups, and
carefully considering our options and responsibilities, we
made the decision to contact the U.S. Attorney's Office and
ask Tsutomo Shimomura to assist in apprehending the
intruder. We did this in an effort to foster greater security on
the global net.
We initiated round-the-clock staffing to monitor the illegal
activity. The WELL technical staff were joined by Tsutomo
Shimomura and his associates to help trace the suspect using
sophisticated monitoring software that he supplied. At no
time was the FBI involved in monitoring.
What was the chronology of events at The WELL
leading up to the arrest of the cracker?
Friday, Jan 27, 1995
||The WELL first becomes aware of unauthorized activity on its
system and begins analyzing the situation.
Monday, Jan 30, 1995
The WELL contacts CERT and makes arrangements for
Andrew Gross of the San Diego Supercomputer Center to
come to The WELL and act as a consultant.
Wednesday, February 1, 1995
The WELL works to expedite the purchase of a new
Sparc1000e main sever. Round-the-clock monitoring begins.
Tuesday, Feb 7, 1995
||The WELL meets with the US Attorney and the FBI who asks
The WELL to please keep the site open to help apprehend
Tuesday, Feb 14, 1995
WELL technical staff notices that the cracker erased
information on one transaction file on The WELL. The
transaction file contained user log-on data, and was a file
which is stored elsewhere and backed up regularly.
The WELL decides to bring the system down to rebuild the
damaged file and do further investigation. The WELL staff
shuts down the system.
WELL technical staff is confident that only one accounting
file has been affected. Approximately three hours after the
incident the damaged file is rebuilt.
Shimomura reports to WELL management that they are hours from catching the
The WELL puts system back up. Monitoring continues.
Kevin Mitnick is arrested in Raleigh, North Carolina.
Monday, Feb 20, 1995
The WELL installs a new SPARCserver1000E.
Were other sites affected?
The cracker allegedly broke into dozens of corporate sites and
computer networks across the Internet.
What are The WELL's normal security procedures?
The WELL follows normal UNIX and Internet system security
procedures including, but not limited to, implementing
changes as recommended by CERT advisories, security
patches as available from vendors (e.g. SUN, Cisco), regular
use of system security diagnostic software, including "crack"
and other appropriate security related measures. It is
inappropriate to enumerate all our security measures in a
Did the cracker get WELL member's credit card
information or personal files?
To our knowledge, no credit card information was accessed
by the intruder. A total of 11 user accounts were
In general, the cracker was not interested in information on
The WELL itself, but used The WELL for storing files from
other sites. A file was found containing credit card numbers
of another Internet service provider.
Could The WELL have re-secured the system by
changing members passwords?
The tools used by this cracker would not have been defeated
by changing individual passwords.
What exactly were you monitoring and who was
We were tracking network transactions, eg. ftp, smtp, telnet
etc. to and from systems known and/or suspected by us to
have been compromised.
Those monitoring the system included The WELL technical
support staff, Tsutomo Shimomura and his associate Andrew
What did you do to strengthen the security of The
We re-installed application software from binaries,
implementing one-time (DES) password protection for
critical, including root, passwords and required every user
on the system to select a new password (adhering to
password syntax standards that make password cracking
The WELL installed a new SPARCserver1000E on Monday,
Feb 20, 1995.
Press Contacts 1995:
Jamie Corroon, Niehaus Ryan Haller PR
Melissa Walia, Niehaus Ryan Haller PR