The WELL: FAQ Sheet for Press

February 18

Q. When did The WELL first become aware of the unauthorized activity on its system?

A. Friday, January 27th.
Q. How did you discover it?
A. A routine system check.
Q. What actions did the WELL take to help track the suspect?
A. Our technical staff began monitoring and analyzing the situation over that weekend. By Monday, we had contacted Computer Emergency Response Team (CERT), The FBI, Sun's Security Team, Tsutomo Shimomura of San Diego Supercomputer Center, the Board of Directors of The WELL, representatives of The WELL community and EFF to discuss our appropriate response. We also contacted other Internet service sites who we believed were compromised. Our main objective was to understand risks, options, and factors affecting our system security and Net-wide responsibilities.

After discussing the situation with the above groups, and carefully considering our options and responsibilities, we made the decision to contact the U.S. Attorney's Office and to cooperate with Tsutomo Shimomura in apprehending the intruder. We did this in an effort to foster greater security on the global net.

We initiated round-the-clock staffing to monitor the illegal activity. WELL technical staff were joined by Mr. Shimomura and his associates to help trace the suspect using sophisticated monitoring software that he supplied.

At no time was the FBI onsite at The WELL or involved in monitoring at our site.

Q. What was the chronology of events at The WELL the day leading up to the arrest of Kevin Mitnick?

A. Tuesday, February 14, 2:30 pm PST

WELL technical staff, which had been monitoring the activity for nearly 18 days, notices that the cracker has erased information on one transaction file on The WELL. The transaction file (there are dozens of accounting files on The WELL) contained user log-on data, and was a file which is stored elsewhere and backed up regularly.

WELL decides to bring the system down so we can re-build the damaged file and do further investigation. WELL staff shuts down WELL computers.

Tuesday, February 14, 3:00 pm PST

Technical staff positively determines that it is only one accounting file that has been affected. Approximately three hours after the incident the damaged file is rebuilt.

Tuesday, February 14, 5:00 pm PST

Shimomura and assistants are contacted, and confirm with The WELL technology team that the cracker appeared to have made a typing error when he zeroed the one accounting file. Shimomura reports that they are hours from catching the suspect.

Tuesday, February 14, 8:30 pm PST

WELL puts system back up. Monitoring continues in full gear.

Tuesday, February 14, 10:30 pm PST

Kevin Mitnick is arrested in Raleigh, North Carolina.

Q. What other sites were affected?
A. In the interest of their privacy, we will not say. We believe that at least a dozen sites were compromised.
Q. What are The WELL's normal security procedures?
A. The WELL follows normal UNIX and Internet system security procedures including, but not limited to, implementing changes as recommended by CERT advisories, security patches as available from vendors (e.g. SUN, Cisco), regular use of system security diagnostic software, including "crack" and other appropriate security related measures. We feel it is inappropriate to enumerate all our security measures in a public forum.
Q. Did the cracker get WELL members' credit card information or personal files?
A. To the extent that we are able to determine, no credit card information was accessed by the intruder.

We monitored nearly every keystroke of the cracker. A total of 11 accounts were compromised by the intruder, and we have contacted all of the account holders. In general, the cracker was not interested in information on The WELL itself, but used the WELL for storing files from other sites.

Q. Wouldn't have changing all members' passwords have secured the system?
A. Fundamentally, it wouldn't have made any difference. The tools used by this cracker would not have been defeated by changing individual passwords. Additionally, we have no information that would lead us to believe that member's passwords had been cracked or distributed.
Q. What exactly were you monitoring and who was doing this?
A. We were tracking network transactions, e.g.. ftp, smtp, telnet etc. to and from systems known and/or suspected by us to have been compromised. We added additional sites as we learned about this.

Those monitoring our system included The WELL tech staff as well as Andrew Gross, a consultant from Shimomura's office.

Q. What are you doing to strengthen the security of The WELL?
A. We've purchased a new main server, a Sparc 1000e. We're re-installing application software from binaries, implementing one-time (DES) password protection for critical including root passwords, and requiring every user on the system to select a new password (adhering to standards that make password cracking more difficult). We are continuing close liaison with Sun specialists and other system security specialists and advisors to examine techniques used by the cracker to gain system access and addressing these system weaknesses.

The WELL plans to install the new Sparc 1000e on Monday, February 20th.