of the machines in physics were attacked and cracked recently, and
were subsequently used to launch a successful denial of service on at
least one of the UBC networks. Although it is not clear
exactly how, it seems that one or more parties were able to obtain one
of our user's (strong) password and were thus able to ssh into the
user's account remotely using the password.
of precisely how it happened, this incident serves as
stark reminder to all of us of the importance of practicing safe
Safe computing includes the following precautions (not an exhaustive
- NEVER ever give your password to anyone else.
If a guest comes and needs
access, send the guest to someone who can give them an account. If your
wife or girlfriend needs to get on quickly, get them an account, or log
on yourself. If you have any suspicion that your password could have
been compromised by anyone, then change it immediately on all of the
systems you ever use. In such an instance you should then also
change your ssh keys, using, for example, ssh-keygen -t rsa to generate
keys. Then, copy the public part of the new key to
~/.ssh/authorized_keys on the
machines to which you wish to be able to log into without password.
IMPORTANT: Ensure that
you REMOVE any old, potentially comprised keys, from those
- Beware of connecting to
from potentially untrustworthy hosts.
If you are on a trip, do not use ftp
with your password, and try not to
use ssh or putty on a strange machine. Your
password could easily be
sniffed. Download your own version of
putty or ssh onto a
(although that will not protect you from keyboard sniffers) or,
better, use your
- If you notice something suspicious about
your account, let the admins know, IMMEDIATELY!
This means contact Matt for the bh/vn machines and Bill for the theory
machines. For example, if you notice your last logon was from
Tashkent, and you were not in Tashkent in the last couple of days, let
- Make sure that your password is strong.
There have been a huge number of ssh password guessing attacks
recently. Your password should not be a word in any language, should
include a random scattering of lower and upper case letter, numbers and
punctuation. Passwords can now be of arbitrary length, not restricted
to the 8 characters of the old Unix standard.