Posts Tagged ‘Security’

Advance information: network migration

Thursday, July 12th, 2018

After a long (11 years) phase of stability in the D-PHYS network, we are preparing a pretty extensive network reorganization for 2018. This is mainly driven by ever-increasing information security requirements mandated by ETH. The D-PHYS network has traditionally been very open and we will try to keep it that way, but we need to implement some modifications. The basic premise is to partition our current /21 network (2048 IP addresses) into smaller groups that better represent the types of machines in those networks. This will then allow us to tailor each group’s firewall rules to the services needed by those machines. The roadmap looks like this:

  • Rearrange hosts in current /21 net to align with future VLAN boundaries
  • Partition the /21 net into smaller VLANs
  • Migrate individual subnets from our DHCP server to that of ID. This will also allow us to assign IPv6 addresses
  • Migrate the subnets into different virtual private zones (VPZ)
  • Assign and fine tune firewall settings on the different VPZ

As usual, we’ll try to implement these steps as smoothly as possible. However, a migration on this scale will not go entirely without issues. Step 1 will entail an IP address change for quite a number of hosts. We’ll make sure that our dyndns host names (foobar.dhcp.phys.ethz.ch) will be in sync with the new addresses, but this only works for properly configured DHCP hosts. Here’s how you can help: if you have any hosts in the 192.33.96.0/21 D-PHYS network that are statically configured (non-DHCP), please get in touch with us ASAP. The same is true if you’re using hard-coded IP addresses from that range instead of host names. We’ll need to deal with those hosts individually.
In the course of 2018 we’ll keep you updated on project progress and announce specific dates when we implement changes.
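To locate the hard-coded addresses mentioned above, configuration files can be searched for IPv4 literals that fall inside 192.33.96.0/21. The following is an added example, not D-PHYS tooling; the sample configuration and the host name in it are constructed for illustration.

```python
import ipaddress
import re
import sys

# Range named in the announcement above.
DPHYS_NET = ipaddress.ip_network("192.33.96.0/21")

# Candidate dotted quads. The look-arounds reject pieces of longer dotted
# strings (e.g. 192.33.96.10.5) but still accept an address that ends a sentence.
IPV4_CANDIDATE = re.compile(
    r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)"
)

# Constructed sample, not a real D-PHYS configuration.
SAMPLE = """\
# constructed sample
ListenAddress 192.33.96.17
ntp_server = time.example.org
allow from 192.33.103.255 192.33.104.1
mount fileserver.dhcp.phys.ethz.ch:/export /mnt
version = 192.33.96.10.5
"""


def find_hardcoded(text, network=DPHYS_NET):
    """Return (line_number, address, line) for every IPv4 literal in `network`."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in IPV4_CANDIDATE.finditer(line):
            try:
                addr = ipaddress.ip_address(match.group())
            except ValueError:
                continue  # not a valid address, e.g. 999.1.1.1
            if addr in network:
                hits.append((lineno, str(addr), line.strip()))
    return hits


if __name__ == "__main__":
    # Scan the files given on the command line, or the sample if none are given.
    sources = sys.argv[1:]
    if not sources:
        for lineno, addr, line in find_hardcoded(SAMPLE):
            print(f"<sample>:{lineno}: {addr}: {line}")
    for path in sources:
        with open(path, errors="replace") as fh:
            for lineno, addr, line in find_hardcoded(fh.read()):
                print(f"{path}:{lineno}: {addr}: {line}")
```

The /21 spans 192.33.96.0 through 192.33.103.255, so 192.33.104.1 in the sample is correctly ignored, while the entry that uses a host name needs no change.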

Update: since Informatikdienste are currently drafting an even more comprehensive Hönggerberg network reorganization that will deeply impact our plans as well, this project is currently on hold until we know more. Stay tuned.

Heartbleed OpenSSL Bug and D-PHYS Services

Friday, April 11th, 2014

On Monday the public was made aware of a severe bug in OpenSSL, a cryptography library which is used as the core of many cryptographically secured IT services. Since the bug was in the Heartbeat extension it has been named “Heartbleed”.

This bug allowed attackers to stealthily access parts of the memory used for cryptographic actions; that memory may include digital keys in use on servers or passwords transferred over encrypted connections.

If you used any password-protected D-PHYS web services or the D-PHYS mail server between the 12th of December 2013 and Tuesday, the 8th of April 2014 (or used the BackupPC web interface between the end of 2012 and that Tuesday), there is a very small chance that your D-PHYS password and possibly other transmitted data may have been leaked to an attacker. We currently have no indication that this has actually happened on our servers.

To be safe, you might want to change the password of your D-PHYS account and any other account where the same password is used. See this Heise article for a discussion (in German) about whether you should change your password or not.


The End of TWIG Webmail

Tuesday, February 5th, 2013

For the last 4.5 years, our customers could choose from two webmail solutions: Roundcube and TWIG. With the introduction of Roundcube we announced the eventual removal of the old TWIG service, which hasn’t been updated in years and poses a serious risk in terms of security and spam distribution. Now the time has come to finally turn it off. All remaining TWIG users: please switch to Roundcube. TWIG will be disabled tomorrow, February 5, 2013.

Temporary SMB access restriction

Wednesday, April 11th, 2012

Last night a security problem was detected in the SMB server software we use for our group and home shares. In order to protect your data and our systems, we temporarily restrict access to our group and home shares to the ETHZ IP address range until security updates are available. If you’re outside the ETH network and need to access your data, use VPN. We expect the updates to be released later today or tomorrow and will then go back to worldwide access.

Emergency reboot of Ubuntu workstations

Friday, September 17th, 2010

On Friday, September 17, at 22:00, we will have to perform an extraordinary reboot of our 64-bit Ubuntu workstations in order to deal with a nasty security issue. We’re sorry for the short notice but we’ve been unpleasantly surprised by this just as much as you have. If you’re reading this in time, please save all your data and log out if you can. Please note that the terminal servers plimpy, plompy, plempy and plumpy (yes I know..) are also affected. Thank you.

Linux Kernel Update

Friday, October 23rd, 2009

We installed new Linux kernels for our systems and the machines need to be rebooted to run the new kernel. We will reboot the D-PHYS Linux Workstation “plimpy” this evening after 06:00 pm, not all the workstations. Please log out this evening before you go home, save all unsaved work and don’t start any long-running jobs.

The terminal server “plimpy” is affected as well, please save all your open documents and log out from your LTSP terminal. Thank you.

Linux kernel local privilege escalation

Tuesday, August 18th, 2009

In case you’ve been wondering about the slightly dubious announcements of the past few days: on Friday (2009/08/14) a local privilege escalation in all Linux kernels of the last 7 years was published, together with an exploit. Unfortunately no patched kernels were available by Friday late afternoon, which put us into an awkward position. Generally it is not our policy to be sneaky about security issues, but in this case we really did not want to attract malicious script kiddies. That’s why we decided to keep our announcements somewhat vague. By now the worst seems to be over and all machines have been rebooted with patched kernels.

We apologize for any confusion or service degradation this episode may have caused on your side.

Linux Kernel Update

Monday, August 17th, 2009

We installed new Linux kernels for our systems and the machines need to be rebooted to run the new kernel. We will reboot the D-PHYS Linux Workstations this evening after 08:00 pm. Please log out this evening before you go home, save all unsaved work and don’t start any long-running jobs. You may also reboot your workstation yourself earlier.