Archive for the ‘Security’ Category

D-PHYS network migrations

Wednesday, July 7th, 2021

Several network migrations will take place over the next months that will have an impact on the design and inner workings of the ethernet network at D-PHYS. Even though all hosts will be affected at a technical level, we believe that most changes will not require any involvement from your side. By the end of the year this should further increase the fault-tolerance of the cabled network infrastructure and enhance the security of the bulk of the computers at D-PHYS.

Network segmentation

The central Informatikdienste are splitting several networks into smaller chunks to increase the overall stability and fault-tolerance. Unfortunately the details are flagged as confidential, prohibiting us from exposing the precise structure of this segmentation. The main repercussion is that our D-PHYS networks will no longer be able to span across all current buildings at once. So depending on the building, we will have to introduce new subnets and assign new IP addresses to the computers inside.

NAT network

Motivated by the above-mentioned segmentation as well as security considerations, we are planning to migrate a large number of hosts to a NAT network. This means that the computer will only get an ETH-internal IP address and will no longer be directly reachable from outside of ETH. From inside ETH or VPN, all communication with that computer remains unaffected. However, while the host can still communicate with all of the internet, it will no longer be exposed to direct attacks from the outside. We believe that this is a very sensible default for most computers and laptops. Of course it will still be possible to assign a public IP to selected hosts in order to provide a specific service to the outside. The new NAT network also provides DynDNS with sentname.dhcp-int.phys.ethz.ch hostnames and full IPv6 connectivity. So if you rely on DNS entries for dynamic IP addresses, make sure to use the domain dhcp.phys.ethz.ch for public subnets and dhcp-int.phys.ethz.ch for internal subnets.

DHCP migration

Right now, some of our networks are serviced by our own D-PHYS DHCP servers, while others use the DHCP servers of central IT services. We are now consolidating all networks and migrating the remaining ones step-by-step to the DHCP servers of Informatikdienste. This change is mostly technical and should remain unnoticed by most users.

For further details and up-to-date information please refer to our readme page.

Phishing and malware emails

Sunday, September 29th, 2019

In light of the recent surge of malware waves, we have decided to quarantine all incoming emails containing Microsoft Office documents with macros enabled - actually, we have been doing so for a week already. Unfortunately way too many of you still open those documents and risk (or succeed in) infecting your computer. Emails containing such dangerous documents will be quarantined and are never shown to the user. Emails with static office documents (no macros) will be delivered unaffected. We're aware of the fact that this policy might create the occasional false positive, but the benefits for all of D-PHYS far outweigh the downside and real use cases for macro documents via email are in fact very rare. In the 8 days of operation so far, we've detected ~850 infected office documents and only 1 false positive. Quarantined emails will be deleted after 30 days, so you have ample time to contact us in case a valid document gets flagged by accident.

Please get in contact if you have any questions.

Web server upgrade – step 2

Wednesday, August 28th, 2019

With the migration of the 'personal' web sites completed we're now addressing regular web shares. The easy ones have already been moved to the new web server and we're now asking share owners to prepare for migration. We will perform the migration for you, but your web site has to be ready for the environment on the new server (PHP 7 or Python 3 in particular). We're currently planning to power off the old web server at the end of 2019, so if you haven't migrated by then, your site will be offline. Please work with us to keep this deadline.

The end of Windows 7 is coming…

Wednesday, January 16th, 2019

The time has come to upgrade your Windows 7 computer to Windows 10
since extended support for Windows 7 ends on January 14, 2020 (Windows lifecycle).

Why can I no longer use Windows 7 on the ETH network after the end of 2019?

Only operating systems with security support by the vendor are allowed to connect to the ETH network.

Unsupported operating systems that no longer receive security updates render the computer vulnerable to threats like viruses, malware or hacker attacks and also pose a threat to other computers on the network.

What should I do now?

  • If you are using an OEM computer with preinstalled Windows 7 for your daily work, please update it to Windows 10 by the end of this year, at the latest. The easiest way is to use the "Microsoft Media Creation Tool" available here.
    This process is called "inplace upgrade". All applications and configuration settings should be kept.
  • If your computer is installed with the Windows 7 Enterprise license from ETH IDES, order Windows 10 Enterprise from the IT-Shop and use it for the upgrade.
  • If your computer is located in a lab and needs to be highly available to collect measurement data, there is the possibility to use a Windows 10 LTSC version instead of the Enterprise version. Please contact your IT administrator within your group. He should be able to help you or can get in touch with us if he needs additional help. More details about the LTSC version are described on our readme page.
  • If you think that you cannot upgrade your computer, please refer to our readme for possible solutions or contact us.

Note that at some point the network security group of Informatikdienste will start scanning for remaining Windows 7 computers at which point we will be forced to disconnect them from the network.

Advance information: network migration

Thursday, July 12th, 2018

After a long (11 years) phase of stability in the D-PHYS network, we are preparing a pretty extensive network reorganization for 2018. This is mainly driven by ever-increasing information security requirements mandated by ETH. The D-PHYS network has traditionally been very open and we will try to keep it that way, but we need to implement some modifications. The basic premise is to partition our current /21 network (2048 IP addressess) into smaller groups that better represent the types of machines in those networks. This will then allow us to tailor each group's firewall rules to the services needed by those machines. The roadmap looks like this:

  • Rearrange hosts in current /21 net to align with future VLAN boundaries
  • Partition the /21 net into smaller VLANs
  • Migrate individual subnets from our DHCP server to that of ID. This will also allow us to assign IPv6 addresses
  • Migrate the subnets into different virtual private zones (VPZ)
  • Assign and fine tune firewall settings on the different VPZ

As usual, we'll try to implement these steps as smoothly as possible. However, a migration on this scale will not go entirely without issues. Step 1 will entail an IP address change for quite a number of hosts. We'll make sure that our dyndns host names (foobar.dhcp.phys.ethz.ch) will be in sync with the new addresses, but this only works for properly configured DHCP hosts. Here's how you can help: if you have any hosts in the 192.33.96.0/21 D-PHYS network that are statically configured (non-DHCP), please get in touch with us ASAP. The same is true if you're using hard-coded IP addresses from that range instead of host names. We'll need to deal with those hosts individually.
In the course of 2018 we'll keep you updated on project progress and announce specific dates when we implement changes.

Update: since Informatikdienste are currently drafting an even more comprehensive Hönggerberg network reorganization that will deeply impact our plans as well, this project is currently on hold until we know more. Stay tuned.

Access to Windows Remote Desktop blocked from outside ETH

Tuesday, January 3rd, 2017

In the last few weeks we discovered some attempted attacks on the Windows Remote Desktop feature from sources outside of ETH.

In order to protect both your machines and our network, we decided to block RDP access from ETH-external networks. If you still need access from outside the ETH network (e.g. from home) you have to first open a VPN connection to ETH and then start the Remote Desktop client.

More information about installing the VPN client is available here.

New SSH Host Keys on Managed Linux Machines

Wednesday, August 12th, 2015

After several years it was time to update the SSH host keys of our managed Linux machines. Therefore, if you reconnect with SSH, you might get a warning similar to this one:

ssh login.phys.ethz.ch
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
36:04:d8:3d:89:a2:76:19:ef:b6:f0:0a:f2:5c:81:a3.
Please contact your system administrator.
Add correct host key in ~/.ssh/known_hosts to get rid of this message.
Offending key in ~/.ssh/known_hosts:1
RSA host key for login.phys.ethz.ch has changed and you have requested strict checking.
Host key verification failed.

This is because your computer has memorized the previous host key and is bailing because the current one is different. This mechanism is designed to prevent users from man-in-the-middle attacks. In our case it can be treated as a mere notification that the SSH key has changed.

In order to get rid of this warning, you simply need to delete the old key from your ~/.ssh/known_hosts file. This can be done either by deleting the entry manually or with the following command

ssh-keygen -R login.phys.ethz.ch

for the machine you try to ssh into.

On the next SSH connection you will be prompted to accept the new key. Power users may also download the full list of SSH keys of all our managed Linux computers.

Windows Server 2003 reaches its End-of-Life on July 2015

Thursday, June 25th, 2015

Microsoft will provide a final bunch of patches for Windows Server 2003 on July 14th. 2015. After then, no more security and stability fixes are going to be released. This means that still running Windows Server 2003 machines conflict with the ETH Bot (Acceptable Use Policy for Telematics) which requires that every computer connected to the ETH network must be fully updated and secured.

The central IT security group of ETHZ continuously inspects the network streams for signatures of XP and Windows Server 2003 computers. If you have a running Windows Server 2003 machine connected to the public network, please migrate the operating system to a newer version i.e Windows Server 2012.

If you have any questions or need help please do not hesitate to contact the ISG D-PHYS Helpdesk

Keep in Mind: Windows XP reached its End-of-Life one Month ago

Thursday, May 22nd, 2014

Microsoft provided a final bunch of patches for Windows XP in April 2014. Since then no more security and stability fixes are going to be released. This means that still running Windows XP machines conflict with the ETH Bot (Acceptable Use Policy for Telematics) which requires that every computer connected to the ETH network must be fully updated and secured.

The central IT security group of ETHZ continuously inspects the network streams for signatures of XP computers. In the D-PHYS public networks they still detect around 15 Windows XP based computers. If you have a running XP machine connected to the public network, please migrate the operating system to a newer version i.e Windows 7.

In case you are forced to keep Windows XP up and running, you can migrate the machine to our eXile network. Simply send the required information to isg@phys.ethz.ch after you've read and understood the eXile Terms-of-Use, so we can prepare the machine for the eXile network.

If you have any questions or need help please do not hesitate to contact the ISG D-PHYS Helpdesk

Heartbleed OpenSSL Bug and D-PHYS Services

Friday, April 11th, 2014

On Monday the public was made aware of a severe bug in OpenSSL, a cryptography library which is used as the core of many cryptographically secured IT services. Since the bug was in the Heartbeat extension it has been named "Heartbleed".

This bug allowed attackers to stealthily access parts of the memory used for cryptographic actions, i.e. it may include digital keys in use on servers or passwords transferred over encrypted connections.

If you used any password-protected D-PHYS web services or the D-PHYS mail server between 12th of December 2013 (or used the BackupPC web-interface since end of 2012) and Tuesday, the 8th of April 2014, there is a very small chance that your D-PHYS password and possibly other transmitted data may have been leaked to an attacker. We currently have no indication that this has actually happened on our servers.

To be safe, you might want to change the password of your D-PHYS account and any other account where the same password is used. See this Heise article for a discussion (in German) about whether you should change your password or not.

(more…)