Posts Tagged ‘Security’

New service: hosted password manager

Monday, April 8th, 2024

TL;DR: we now offer a password manager service that also allows sharing passwords within groups.

Full story:
For a long time, we've been trying to promote IT security in general and secure password handling in particular. In both our introductory course and our documentation we recommend using a password manager to securely handle the plethora of passwords that modern-day life usually entails (hopefully a different one for each service!). What we did not have however was an easy-to-use solution to sync your password vault across your different devices. Yes, there's KeePassXC that can work with Polybox to ensure coherent password databases on all devices, but that's not exactly straightforward to set up.
In order to make setting up and handling the password manager easier for you, we're now announcing a new service: an Open Source password vault hosted at ISG D-PHYS:
Vaultwarden is an alternative implementation of the the Bitwarden backend and we've been evaluating it for a while. It now seems ready for prime time so after testing within ISG, we're releasing it to the Department. Aside from easier daily usage, it offers another feature that many (research) groups might find interesting: passwords and confidential information in general can be shared with others, e.g. the group's credit card with all PhD students.
If you'd like to give it a try, please read our service description to get started.

Phishing and malware emails

Sunday, September 29th, 2019

In light of the recent surge of malware waves, we have decided to quarantine all incoming emails containing Microsoft Office documents with macros enabled - actually, we have been doing so for a week already. Unfortunately way too many of you still open those documents and risk (or succeed in) infecting your computer. Emails containing such dangerous documents will be quarantined and are never shown to the user. Emails with static office documents (no macros) will be delivered unaffected. We're aware of the fact that this policy might create the occasional false positive, but the benefits for all of D-PHYS far outweigh the downside and real use cases for macro documents via email are in fact very rare. In the 8 days of operation so far, we've detected ~850 infected office documents and only 1 false positive. Quarantined emails will be deleted after 30 days, so you have ample time to contact us in case a valid document gets flagged by accident.

Please get in contact if you have any questions.

The end of Windows 7 is coming…

Wednesday, January 16th, 2019

The time has come to upgrade your Windows 7 computer to Windows 10
since extended support for Windows 7 ends on January 14, 2020 (Windows lifecycle).

Why can I no longer use Windows 7 on the ETH network after the end of 2019?

Only operating systems with security support by the vendor are allowed to connect to the ETH network.

Unsupported operating systems that no longer receive security updates render the computer vulnerable to threats like viruses, malware or hacker attacks and also pose a threat to other computers on the network.

What should I do now?

  • If you are using an OEM computer with preinstalled Windows 7 for your daily work, please update it to Windows 10 by the end of this year, at the latest. The easiest way is to use the "Microsoft Media Creation Tool" available here.
    This process is called "inplace upgrade". All applications and configuration settings should be kept.
  • If your computer is installed with the Windows 7 Enterprise license from ETH IDES, order Windows 10 Enterprise from the IT-Shop and use it for the upgrade.
  • If your computer is located in a lab and needs to be highly available to collect measurement data, there is the possibility to use a Windows 10 LTSC version instead of the Enterprise version. Please contact your IT administrator within your group. He should be able to help you or can get in touch with us if he needs additional help. More details about the LTSC version are described on our readme page.
  • If you think that you cannot upgrade your computer, please refer to our readme for possible solutions or contact us.

Note that at some point the network security group of Informatikdienste will start scanning for remaining Windows 7 computers at which point we will be forced to disconnect them from the network.

Advance information: network migration

Thursday, July 12th, 2018

After a long (11 years) phase of stability in the D-PHYS network, we are preparing a pretty extensive network reorganization for 2018. This is mainly driven by ever-increasing information security requirements mandated by ETH. The D-PHYS network has traditionally been very open and we will try to keep it that way, but we need to implement some modifications. The basic premise is to partition our current /21 network (2048 IP addressess) into smaller groups that better represent the types of machines in those networks. This will then allow us to tailor each group's firewall rules to the services needed by those machines. The roadmap looks like this:

  • Rearrange hosts in current /21 net to align with future VLAN boundaries
  • Partition the /21 net into smaller VLANs
  • Migrate individual subnets from our DHCP server to that of ID. This will also allow us to assign IPv6 addresses
  • Migrate the subnets into different virtual private zones (VPZ)
  • Assign and fine tune firewall settings on the different VPZ

As usual, we'll try to implement these steps as smoothly as possible. However, a migration on this scale will not go entirely without issues. Step 1 will entail an IP address change for quite a number of hosts. We'll make sure that our dyndns host names (foobar.dhcp.phys.ethz.ch) will be in sync with the new addresses, but this only works for properly configured DHCP hosts. Here's how you can help: if you have any hosts in the 192.33.96.0/21 D-PHYS network that are statically configured (non-DHCP), please get in touch with us ASAP. The same is true if you're using hard-coded IP addresses from that range instead of host names. We'll need to deal with those hosts individually.
In the course of 2018 we'll keep you updated on project progress and announce specific dates when we implement changes.

Update: since Informatikdienste are currently drafting an even more comprehensive Hönggerberg network reorganization that will deeply impact our plans as well, this project is currently on hold until we know more. Stay tuned.

Heartbleed OpenSSL Bug and D-PHYS Services

Friday, April 11th, 2014

On Monday the public was made aware of a severe bug in OpenSSL, a cryptography library which is used as the core of many cryptographically secured IT services. Since the bug was in the Heartbeat extension it has been named "Heartbleed".

This bug allowed attackers to stealthily access parts of the memory used for cryptographic actions, i.e. it may include digital keys in use on servers or passwords transferred over encrypted connections.

If you used any password-protected D-PHYS web services or the D-PHYS mail server between 12th of December 2013 (or used the BackupPC web-interface since end of 2012) and Tuesday, the 8th of April 2014, there is a very small chance that your D-PHYS password and possibly other transmitted data may have been leaked to an attacker. We currently have no indication that this has actually happened on our servers.

To be safe, you might want to change the password of your D-PHYS account and any other account where the same password is used. See this Heise article for a discussion (in German) about whether you should change your password or not.

(more…)

The End of TWIG Webmail

Tuesday, February 5th, 2013

For the last 4.5 years, our customers could choose from two webmail solutions: Roundcube and TWIG. With the introduction of Roundcube we announced the eventual removal of the old TWIG service which hasn't been updated in years and poses a serious risk in terms of security and spam distribution. Now the time has come to finally turn it off. All remaining TWIG users: please switch to Roundcube, TWIG will be disabled tomorrow, February 5, 2013.

Temporary SMB access restriction

Wednesday, April 11th, 2012

Last night a security problem was detected in the SMB server software we use for our group and home shares. In order to protect your data and our systems, we

temporarily restrict access to our group and home shares to the ETHZ IP address range

until security updates are available. If you're outside the ETH network and need to access your data, use VPN. We expect the updates to be released later today or tomorrow and will then go back to world wide access.

Emergency reboot of Ubuntu workstations

Friday, September 17th, 2010

On Friday, September 17, at 22:00,  we will have to extraordinarily reboot our 64-bit Ubuntu workstations in order to deal with a nasty security issue. We're sorry for the short notice but we've been unpleasantly surprised by this just as much as you have. If you're reading this in time, please save all your data and log out if you can. Please note that also the terminal servers plimpy, plompy, plempy and plumpy (yes I know..) are affected. Thank you.

Linux Kernel Update

Friday, October 23rd, 2009

We installed new linux kernels for our systems and the machines need to be rebooted to run the new kernel. We will reboot the D-PHYS Linux Workstation "plimpy" this evening after 06:00 pm, not all the workstations. Please log out this evening before you go home, save all unsaved work and don't start any long running jobs.

The terminal server "plimpy" is affected as well, please save all your open documents and log out from your LTSP terminal. Thank you.

Linux kernel local privilege escalation

Tuesday, August 18th, 2009

In case you've been wondering about the slightly dubious announcements of the past few days: on Friday (2009/08/14) a local privilege escalation in all Linux kernels of the last 7 years was published, together with an exploit. Unfortunately no patched kernels were available by Friday late afternoon, which put us into an awkward position. Generally it is not our policy to be sneaky about security issues, but in this case we really did not want to attract malicious script kiddies. That's why we decided to keep our announcements somewhat vague. By now the worst seems to be over and all machines have been rebooted with patched kernels.

We apologize for any confusion or service degradation this episode may have caused on your side.