Educause Security Discussion mailing list archives

Re: Help with notice about TCP vulnerability requested


From: Melissa Guenther <mguenther () COX NET>
Date: Thu, 22 Apr 2004 13:13:44 -0700

I didn't get any other replies, had some caffeine and wrote the following. Sending it out to those that might start 
considering keeping general users in the loop - in some ways it can be an awareness opportunity and help promote 
individual accountability.

A large number of research institutions and high performance computing centers, like (name), have become a target for 
some sophisticated attacks. An unknown attacker (or group) has compromised numerous multi-user Solaris and Linux 
computers on our campus using a variety of mechanisms. In most cases, the attacker gets access to a machine by cracking 
or sniffing passwords. 

If you believe your computer has been affected by these intrusions, please contact the (insert name and contact 
information here). Please include the name or IP address of the affected machine, as well as any compromised userIDs.

The attacker appears to be deliberately targeting machines in academic and high performance computing environments, 
rather than attacking systems indiscriminately. 

It's not always obvious that a machine has been compromised, but they've been discovered at (name) because: (I put in 
what I know - you know more and can probably change this)

You notice that your last login is not consistent with the last time you actually logged in 

You notice that performance on a particular computer has severely degraded 

Your system administrator makes mention that they notice that you are logging in from unusual locations -- in 
particular, a sys admin notices multiple failed logins, sometimes for more than one user ID, coming from another 
university or research location 

You have unexpected errors generated when a computer reboots.

This is the awareness opportunity

Countermeasures 

Note: all of the countermeasures discussed below involve some amount of work and inconvenience for you. As we're 
considering how to protect our machines, our research and our co-workers from these aggressive and sophisticated 
attackers, please remember that although it's disruptive, the time you spend today in changing passwords, applying 
patches, and being impacted by remote access restrictions is far less than the time you'll spend rebuilding your system 
if it's compromised!

No single protection mechanism will prevent computer compromises -- but implementing a few of these suggestions will 
minimize your chances of being successfully attacked.

Prevention:

Install all security-relevant patches for your systems.

Be sure you are picking hard-to-crack passwords. Insert the URL for checking passwords here 

Use different passwords on all your accounts.

Check with a support person (seems every campus calls them something different) to see whether an authentication 
application (like SSH with RSA keys or Kerberos) is advisable for you. [Note: these mechanisms will not prevent an 
account from being compromised, but they may make it harder for an attacker to access unprivileged user accounts.]

Limit remote access to unpatched multi-user systems, using host-based firewalls, or other mechanisms. This is a 
potentially management-intensive process, especially for machines with a lot of remote users -- but even relatively 
permissive rules (allow connections from domainname.com; deny all else) provide some protection.



----- Original Message ----- 
From: "Matthew Keller" <kellermg () POTSDAM EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Thursday, April 22, 2004 12:47 PM
Subject: Re: [SECURITY] Help with notice about TCP vulnerability requested


At this time, it is our opinion that notifying end-users would not be
productive.

On Thu, 2004-04-22 at 14:39, Melissa Guenther wrote:
        Something written geared to the average user is needed with
        regard to the latest top vulnerability and  I wonder if anyone
        has communicated something that they are willing to
        share.  Most postings are for the technical person.

        I need something to just make users aware that they may
        experience some dropped connections when they do certain
        things that require extended connections, like ftp.  Most look
        at the word TCP and check out.  Can anyone help - I have
        writers block.



        Thanks


Melissa Guenther
Increasing Awareness to Improve Security
480-786-6034

********** Participation and subscription information for this
EDUCAUSE Discussion Group discussion list can be found at
http://www.educause.edu/cg/.
--
Matthew Keller
signat-url: http://mattwork.potsdam.edu/signat-url/
"No one ever says, 'I can't read that ASCII E-mail you sent me.'"



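The notice above lists, as one sign of compromise, a sysadmin noticing multiple failed logins for more than one user ID coming from a single remote location. The script below is an added illustration of that check and is not part of any message in this thread. It parses sshd "Failed password" lines in the common Linux syslog format and reports source hosts that failed against at least two distinct user IDs; the log lines, host names and user IDs are constructed for the example, and a real deployment would read the host's own auth log instead of the embedded sample.

```python
"""Flag remote hosts with failed logins against several user IDs.

Added example for the thread above (not part of any message in it).
The sample log lines, host names and user IDs below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines in the classic syslog/sshd format.
SAMPLE_LOG = """\
Apr 22 13:01:02 hpc1 sshd[2201]: Failed password for alice from 192.0.2.10 port 40112 ssh2
Apr 22 13:01:09 hpc1 sshd[2203]: Failed password for bob from 192.0.2.10 port 40113 ssh2
Apr 22 13:01:15 hpc1 sshd[2205]: Failed password for invalid user oracle from 192.0.2.10 port 40114 ssh2
Apr 22 13:02:40 hpc1 sshd[2210]: Accepted password for carol from 198.51.100.7 port 51000 ssh2
Apr 22 13:03:01 hpc1 sshd[2212]: Failed password for carol from 198.51.100.7 port 51001 ssh2
Apr 22 13:03:05 hpc1 sshd[2214]: Failed password for carol from 198.51.100.7 port 51002 ssh2
Apr 22 13:04:22 hpc1 sshd[2220]: Failed password for dave from 203.0.113.5 port 33000 ssh2
Apr 22 13:04:30 hpc1 sshd[2222]: Failed password for erin from 203.0.113.5 port 33001 ssh2
"""

# Matches both "Failed password for USER from HOST" and the
# "Failed password for invalid user USER from HOST" variant.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)


def parse_failed_logins(log_text):
    """Return {source_host: set(user_ids)} built from every failed-password line."""
    failures = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("host")].add(m.group("user"))
    return failures


def suspicious_hosts(log_text, min_users=2):
    """Hosts whose failed logins span at least `min_users` distinct user IDs.

    Returns {host: sorted user list}, ordered by number of IDs tried (most
    first), then by host. A single user mistyping their own password from
    one place does not meet the threshold; one source trying several
    accounts does.
    """
    failures = parse_failed_logins(log_text)
    flagged = {h: sorted(u) for h, u in failures.items() if len(u) >= min_users}
    return dict(sorted(flagged.items(), key=lambda kv: (-len(kv[1]), kv[0])))


if __name__ == "__main__":
    for host, users in suspicious_hosts(SAMPLE_LOG).items():
        print(f"{host}: failed logins for {len(users)} user IDs: {', '.join(users)}")
```

On the sample, 192.0.2.10 (three IDs) and 203.0.113.5 (two IDs) are reported, while 198.51.100.7 is not, because all of its failures are for the one account that later logged in successfully. The threshold is deliberately a parameter: on a large multi-user host a sysadmin may want to raise it, or combine it with a time window, to keep the report short.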