IT Security Support
Restoring Network Access
On this page:
When a Compromised Machine is Detected
When Network Access Has Been Terminated
Necessity of Reformatting
When is a Machine Removed from the Network?
When a Compromised Machine is Detected
When the IT Security Support team determines that network access should be disabled because a machine has been compromised or is otherwise compromising the integrity of the campus network, an email is sent to the system owner.
This email contains a detailed description of the security incident, the reason the network access was disabled as well as detailed instructions (for several operating systems) on how to format the infected partition(s) and re-install the operating system safely.
System owners are urged to review current contact information for all computers under their care. Accurate system and contact information is one of the single biggest steps that can be taken to streamline remediation in the event of an incident. For help in looking up or changing your computer's contact information, contact the Service Desk.
When Your Network Access Has Been Terminated
The most obvious sign that your network access has been shut off is that you can't connect to the network - e.g., you get an error message from your browser. First check if colleagues can access the network. If you appear to be the only one, DO NOT move your machine to another drop, or activate wireless. This will only return a potentially harmful machine to the network.
Steps to take:
- Check your email (e.g. via WebMail) from a colleague's machine or use one of the public Athena workstations. You should have received detailed instructions for dealing with the compromised machine. (If you have not received email from IT Security Support, contact the Service Desk. The email may have been sent to someone else, or there may be another problem.)
- Follow the instructions in the email. They will include directions for formatting and re-installing your operating system. If you have local IT support, this would be a good time to call them in for assistance.
- To get your drop re-activated, you/your IT support will need to reply to: security@mit.edu. It is important that the case number is included in the subject line. If you cannot find (or do not have) this information, provide the name of the machine normally attached to the drop, the building and room number of the drop, and the jack number. Once the security team has received all the information, they will assist you in re-securing your machine, as well as gathering any log information from your machine that can be used in tracking other break-ins. Your drop will not be re-activated until a member of IT Security Support is confident that it presents no risk. For more details, see our policy below on removing a machine from the network. This total process can take several hours to several days, depending on the severity of the problem.
The Necessity of Reformatting
Reformatting a machine is required when the nature of the infection or intrusion is such that it's not possible to detect and eradicate all possible malicious code on your machine. At this point you should not "trust" your computer for anything, including its ability to run antivirus programs that declare the computer to be "clean" or to protect any important data.
The only way to ensure that a trustable operating system is on your computer is to reformat and reinstall the operating system, as directed. We understand how frustrating and time-consuming this is, and we are sorry for the necessity. Many people at MIT have been victimized by a compromise and have had to go through this process. This is, unfortunately, the only way you can be sure that the recovery is complete. Once that is done, install all critical patches before connecting the computer to the network, run antivirus software, and make sure the desktop firewall is turned on; you should then be able to go back to using the computer normally.
When is a Machine Removed from the Network?
A computer is removed from the MIT network in order to protect the data on that computer from misuse or theft, or to protect other computers on the network from attacks.
When the IT Security Support team detects that a computer on the MIT network has been accessed by an intruder, usually indicated by an increase in malicious activity, action is taken to remove that computer's network access. Compromised hosts frequently begin to attack other systems right away, so it is important to disable the network access as quickly as possible.
Unfortunately, because the number of attacks has risen dramatically in recent years, the rate of compromise has exceeded our ability to contact system owners by phone before disabling the machine.
The IT Security Support team recognizes that a decision to remove a machine from the network can create inconvenience and difficulties for users. Please understand that the purpose is only to protect compromised systems and data from further misuse, and to ensure the safety of work at MIT and elsewhere on the Internet.