Some of the machines in physics were attacked and cracked recently, and were subsequently used to launch a successful denial of service on at least one of the UBC networks.  Although it is not clear exactly how, it seems that one or more parties were able to obtain the (strong) password of one of our users and were thus able to ssh into the user's account remotely using the password.

Irrespective of precisely how it happened, this incident serves as a stark reminder to all of us of the importance of practicing safe computing.

Safe computing includes the following precautions (not an exhaustive list):
  1. NEVER ever give your password to anyone else.

    If a guest comes and needs access, send the guest to someone who can give them an account. If your wife or girlfriend needs to get on quickly, get them an account, or log on yourself. If you have any suspicion that your password could have been compromised by anyone, then change it immediately on all of the systems you ever use.  In such an instance you should then also change your ssh keys, using, for example, ssh-keygen -t rsa to generate new keys.  Then copy the public part of the new key to ~/.ssh/authorized_keys on the machines to which you wish to be able to log in without a password.

    IMPORTANT: Ensure that you REMOVE any old, potentially compromised keys from those ~/.ssh/authorized_keys files!!

  2. Beware of connecting to theory machines from potentially untrustworthy hosts.

    If you are on a trip, do not use ftp with your password, and try not to use ssh or putty on a strange machine. Your password could easily be sniffed. Download your own version of putty or ssh onto a Windows machine (although that will not protect you from keyboard sniffers) or, better, use your own laptop.

  3. If you notice something suspicious about your account, let the admins know, IMMEDIATELY!

    This means contact Matt for the bh/vn machines and Bill for the theory machines. For example, if you notice your last logon was from Tashkent, and you were not in Tashkent in the last couple of days, let us know.

  4. Make sure that your password is strong.

    There have been a huge number of ssh password guessing attacks recently. Your password should not be a word in any language, and should include a random scattering of lower and upper case letters, numbers and punctuation. Passwords can now be of arbitrary length, not restricted to the 8 characters of the old Unix standard.
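
The key replacement described in item 1 (install the new public key, then remove the old one from ~/.ssh/authorized_keys), as an added shell example that is not part of the original page. The function names, file names and key strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Names and key strings are made up.

# key_blob PUBFILE: print the base64 key body (second field) of a .pub file.
key_blob() {
    awk 'NF >= 2 { print $2; exit }' "$1"
}

# count_key AUTH_FILE PUBFILE: number of lines in AUTH_FILE carrying that key.
count_key() {
    awk -v blob="$(key_blob "$2")" '
        { for (i = 1; i <= NF; i++) if ($i == blob) { n++; break } }
        END { print n + 0 }' "$1"
}

# rotate_key AUTH_FILE OLD_PUB NEW_PUB
# Drops every entry for the old key (matched on the key body, so entries with
# options or a different comment are caught too) and adds the new key once.
rotate_key() (
    auth=$1; old_blob=$(key_blob "$2"); new_blob=$(key_blob "$3")
    if [ -z "$old_blob" ] || [ -z "$new_blob" ]; then
        echo "rotate_key: cannot read a key from $2 or $3" >&2
        exit 1
    fi
    umask 077                                  # temp file stays private
    tmp=$(mktemp "$auth.XXXXXX") || exit 1
    cp -p "$auth" "$auth.bak" || { rm -f "$tmp"; exit 1; }  # sshd ignores .bak
    awk -v blob="$old_blob" '
        { for (i = 1; i <= NF; i++) if ($i == blob) next; print }' "$auth" > "$tmp"
    if [ "$(count_key "$tmp" "$3")" -eq 0 ]; then
        cat "$3" >> "$tmp"
    fi
    chmod 600 "$tmp" && mv "$tmp" "$auth"      # replace the file in one step
)

# Demo on constructed (fake) key material in a scratch directory.
d=$(mktemp -d)
echo 'ssh-rsa AAAAB3OLDKEYconstructed user@old' > "$d/old.pub"
echo 'ssh-rsa AAAAB3NEWKEYconstructed user@new' > "$d/new.pub"
{ cat "$d/old.pub"; echo 'from="10.0.0.1" ssh-rsa AAAAB3OLDKEYconstructed copy'; } > "$d/authorized_keys"
rotate_key "$d/authorized_keys" "$d/old.pub" "$d/new.pub"
echo "old entries left: $(count_key "$d/authorized_keys" "$d/old.pub")"
rm -rf "$d"
```

Keep a copy of the old public key until the rotation has been run on every machine, since it is what identifies the entries to remove; a count_key result of 0 for it confirms the removal on that machine.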

Maintained by choptuik@physics.ubc.ca. Supported by CIAR, NSERC, CFI, BCKDF and UBC.