Educause Security Discussion mailing list archives
Re: Help with notice about TCP vulnerability requested
From: Melissa Guenther <mguenther () COX NET>
Date: Thu, 22 Apr 2004 13:13:44 -0700
I didn't get any other replies, had some caffeine and wrote the following. Sending it out to those that might start considering keeping general users in the loop - in some ways it can be an awareness opportunity and help promote individual accountability.

A large number of research institutions and high performance computing centers, like (name), have become a target for some sophisticated attacks. An unknown attacker (or group) has compromised numerous multi-user Solaris and Linux computers on our campus using a variety of mechanisms. In most cases, the attacker gets access to a machine by cracking or sniffing passwords.

If you believe your computer has been affected by these intrusions, please contact the (insert name and contact information here). Please include the name or IP address of the affected machine, as well as any compromised userIDs.

The attacker appears to be deliberately targeting machines in academic and high performance computing environments, rather than attacking systems indiscriminately. It's not always obvious that a machine has been compromised, but they've been discovered at (name) because: (I put in what I know - you know more and can probably change this)

- You notice that your last login is not consistent with the last time you actually logged in.
- You notice that performance on a particular computer has severely degraded.
- Your system administrator mentions that they notice you are logging in from unusual locations -- in particular, a sys admin notices multiple failed logins, sometimes for more than one user ID, coming from another university or research location.
- You have unexpected errors generated when a computer reboots.

This is the awareness opportunity.

Countermeasures

Note: all of the countermeasures discussed below involve some amount of work and inconvenience for you.
As we're considering how to protect our machines, our research and our co-workers from these aggressive and sophisticated attackers, please remember that although it's disruptive, the time you spend today in changing passwords, applying patches, and being impacted by remote access restrictions is far less than the time you'll spend rebuilding your system if it's compromised! No single protection mechanism will prevent computer compromises -- but implementing a few of these suggestions will minimize your chances of being successfully attacked.

Prevention:

- Install all security-relevant patches for your systems.
- Be sure you are picking hard-to-crack passwords. (Insert the URL for checking passwords here)
- Use different passwords on all your accounts.
- Check with a support person (seems every campus calls them something different) to see whether an authentication application (like SSH with RSA keys or Kerberos) is advisable for you. [Note: these mechanisms will not prevent an account from being compromised, but they may make it harder for an attacker to access unprivileged user accounts.]
- Limit remote access to unpatched multi-user systems, using host-based firewalls or other mechanisms. This is a potentially management-intensive process, especially for machines with a lot of remote users -- but even relatively permissive rules (allow connections from domainname.com; deny all else) provide some protection.

----- Original Message -----
From: "Matthew Keller" <kellermg () POTSDAM EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Thursday, April 22, 2004 12:47 PM
Subject: Re: [SECURITY] Help with notice about TCP vulnerability requested
At this time, it is our opinion that notifying end-users would not be productive.

On Thu, 2004-04-22 at 14:39, Melissa Guenther wrote:

Something written geared to the average user is needed with regard to the latest top vulnerability, and I wonder if anyone has communicated something that they are willing to share. Most postings are for the technical person. I need something to just make users aware that they may experience some dropped connections when they do certain things that require extended connections, like ftp. Most look at the word TCP and check out. Can anyone help - I have writer's block.

Thanks
Melissa Guenther
Increasing Awareness to Improve Security
480-786-6034

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.

--
Matthew Keller
signat-url: http://mattwork.potsdam.edu/signat-url/
"No one ever says, 'I can't read that ASCII E-mail you sent me.'"
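As an added illustration, not part of Melissa's post or the list's own material, of the sign of compromise the notice asks users to watch for (multiple failed logins, sometimes for more than one user ID, coming from a single remote location), here is a small Python check run over constructed sshd-style log lines; the log contents, host names and addresses are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample of syslog-style sshd lines; not from the original post.
SAMPLE_LOG = """\
Apr 22 02:11:03 node1 sshd[4123]: Failed password for alice from 192.0.2.45 port 40211 ssh2
Apr 22 02:11:07 node1 sshd[4125]: Failed password for bob from 192.0.2.45 port 40213 ssh2
Apr 22 02:11:12 node1 sshd[4127]: Failed password for invalid user carol from 192.0.2.45 port 40215 ssh2
Apr 22 02:11:20 node1 sshd[4129]: Accepted password for bob from 192.0.2.45 port 40217 ssh2
Apr 22 09:30:00 node1 sshd[5001]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Apr 22 09:30:15 node1 sshd[5003]: Accepted password for alice from 198.51.100.7 port 51002 ssh2
"""

# One pattern for both outcomes; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def summarize(log_text):
    """Group login attempts by source host: which user IDs failed and which succeeded."""
    per_src = defaultdict(lambda: {"failed": set(), "accepted": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        bucket = "failed" if m.group("result") == "Failed" else "accepted"
        per_src[m.group("src")][bucket].add(m.group("user"))
    return per_src


def suspicious_sources(log_text, min_users=2):
    """Return (src, failed_users, accepted_users) for hosts whose failed logins span
    min_users or more distinct user IDs: the password-guessing pattern the notice
    describes. accepted_users shows whether an account then opened from that host."""
    hits = []
    for src, buckets in sorted(summarize(log_text).items()):
        if len(buckets["failed"]) >= min_users:
            hits.append((src, sorted(buckets["failed"]), sorted(buckets["accepted"])))
    return hits


if __name__ == "__main__":
    for src, failed, accepted in suspicious_sources(SAMPLE_LOG):
        print(f"{src}: failed logins for {failed}; later accepted for {accepted}")
```

A single user mistyping their own password (the 198.51.100.7 lines) is not flagged at the default threshold; a host that fails against several accounts and then gets in is.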