Mailing Lists

Introduction

Following a comprehensive consultation session in 2004, four security-related mailing lists have been created.

it-security@lists.lboro.ac.uk 
This list is for general security announcements and is available for the discussion of any security related topics with other University IT Support staff.

windows-security@lists.lboro.ac.uk 
This list is for Windows specific security announcements only.

unix-security@lists.lboro.ac.uk 
This list is for Unix-, Linux- and BSD-based security announcements only.

mac-security@lists.lboro.ac.uk 
This list is for Macintosh specific security announcements only.

To subscribe to any of these lists, you should send an e-mail message to Majordomo@lists.lboro.ac.uk containing the single line:

subscribe listname

in the main body of the message, where listname is the name of the mailing list you wish to join. For example:

subscribe it-security

If you have any problems, please contact our Service Desk who will be happy to advise further.

We recommend that all IT Support staff should join it-security and then the appropriate list(s) for the computers they support.

Archives of all four lists are kept and can be accessed from the links below:

Reports

Reports are sent in the formats described below; if you have any problems, please contact our Service Desk, who will be happy to advise further.

To allow IT Support Staff to judge the importance of vulnerabilities announced on the Security Service lists, we have introduced a standard template.

The template is designed to let staff see the important details of a patch or vulnerability at a glance, rather than spending a lot of time reading the full details to find out whether it affects them.

The template is reproduced below:

Issue: <One line description of the security issue>

Operating System: <Operating System, and version number where available>

Criticality: <Low, Moderate, Important, or Critical>

Date Released: <Date Released to the general public>

Source: <Source of the original information and URL>

Description: <Full text description of the issues, with specific reference to the problem in the context of the University IT infrastructure if appropriate>

Further Details: <URL linking to further information>

These enhancements have been requested by various members of IT Support Staff.
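The template above is a fixed set of "Field: value" lines, which makes archived advisories easy to process mechanically. The following is an added example, not a tool from the page or the University's IT service: it parses advisories written in the template, rejects any that do not use the template's vocabulary (so a report with an unrecognised Criticality is never silently treated as low priority), and lists the ones that matter for the platforms you support, most severe first. The criticality ordering is the one given in the template; matching the Operating System field by substring against a list of supported platforms is an assumption of this example. The sample archive is constructed, with placeholder products, dates and URLs.

```python
"""Triage advisories written in the standard template (added example; not
the page's own tooling). SAMPLE_ARCHIVE is constructed: the products,
dates and URLs in it are placeholders, not real advisories."""
import re

FIELDS = ("Issue", "Operating System", "Criticality", "Date Released",
          "Source", "Description", "Further Details")
# The template's four levels, in the order it lists them, so reports rank.
CRITICALITY = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}
FIELD_RE = re.compile(r"^(" + "|".join(FIELDS) + r"):\s*(.*)$")


def parse_advisory(text):
    """Return {field: value}. Lines that do not start a field are appended
    to the previous field, so multi-line descriptions survive. Raises
    ValueError when a field is missing or Criticality is not one of the
    template's four words (e.g. 'High')."""
    record, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1)
            record[current] = m.group(2).strip()
        elif current and line.strip():
            record[current] += " " + line.strip()
    missing = [f for f in FIELDS if f not in record]
    if missing:
        raise ValueError("missing field(s): " + ", ".join(missing))
    if record["Criticality"] not in CRITICALITY:
        raise ValueError("unknown criticality: " + record["Criticality"])
    return record


def load_archive(archive_text):
    """Split an archive into advisories (each starts at an 'Issue:' line).
    Returns (parsed, rejected); rejected holds (first line, reason)."""
    parsed, rejected = [], []
    for chunk in re.split(r"(?m)^(?=Issue:)", archive_text):
        if not chunk.strip():
            continue
        try:
            parsed.append(parse_advisory(chunk))
        except ValueError as err:
            rejected.append((chunk.splitlines()[0], str(err)))
    return parsed, rejected


def triage(advisories, supported, minimum="Important"):
    """Advisories whose Operating System mentions a platform you support
    (case-insensitive substring; an assumption of this example) and whose
    Criticality is at least `minimum`, most severe first."""
    hits = [a for a in advisories
            if any(s.lower() in a["Operating System"].lower() for s in supported)
            and CRITICALITY[a["Criticality"]] >= CRITICALITY[minimum]]
    return sorted(hits, key=lambda a: -CRITICALITY[a["Criticality"]])


SAMPLE_ARCHIVE = """\
Issue: Remote code execution in the example-svc Windows service
Operating System: Windows 2000, Windows XP
Criticality: Critical
Date Released: 2004-06-01
Source: Vendor advisory, https://vendor.example/advisory-1
Description: A crafted packet to the example-svc listener allows code
execution without authentication. Exposed on any campus host running the
service with a public address.
Further Details: https://vendor.example/advisory-1

Issue: Local privilege escalation in example-tool
Operating System: Linux (all distributions)
Criticality: Moderate
Date Released: 2004-06-02
Source: Distribution security list, https://distro.example/sa-2
Description: A local user can gain root via a race in example-tool.
Further Details: https://distro.example/sa-2

Issue: Denial of service in example-daemon
Operating System: Mac OS X 10.3
Criticality: Important
Date Released: 2004-06-03
Source: Vendor advisory, https://vendor.example/advisory-3
Description: Malformed requests crash example-daemon.
Further Details: https://vendor.example/advisory-3

Issue: Advisory not using the template vocabulary
Operating System: Windows XP
Criticality: High
Date Released: 2004-06-04
Source: Mailing list, https://list.example/post-4
Description: 'High' is not one of the template's four levels.
Further Details: https://list.example/post-4
"""

if __name__ == "__main__":
    parsed, rejected = load_archive(SAMPLE_ARCHIVE)
    for adv in triage(parsed, ["Windows", "Linux"], "Moderate"):
        print(adv["Criticality"], adv["Operating System"], "-", adv["Issue"])
    for first_line, reason in rejected:
        print("REJECTED:", first_line, "|", reason)
```

Rejected advisories are reported separately rather than dropped, since a report that fails to parse still needs a human to look at it.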

This section explains all the components of the standard 'Compromised Machine Report' that is mailed to IT Support staff when we discover, or receive reports of, compromised machines.

The subject will always be 'Compromised Machine - <IP Address>'. We archive all these e-mails, so searching the archive for the subject is an easy way to see at a glance whether the machine in question has been compromised before. Note that where addresses are assigned dynamically, an earlier report for the same IP may refer to a different machine; compare the MAC address in the Technical Information section to be sure.

Then follows some standard text explaining what has happened and the actions you should take. The only parts that change between messages are the machine details on the first line and the fourth paragraph, which tells you whether we have disconnected the machine or whether you need to locate it yourselves.

A computer '<HOST> - <IP>' appears to have been compromised by a cracker (someone who breaks into computer systems for malicious reasons).

It is also likely the cracker would have installed a back-door Trojan and/or key-logging software.

We have disconnected this machine from the network to ensure the integrity of the whole campus IT infrastructure.

It is essential this computer remains disconnected from the network and is re-installed from scratch. We also recommend you change any passwords which may have been stored on or typed into the computer in question.

Thank you for your co-operation in this matter.

Then follows the technical information about the machine in question, allowing you to locate it easily, together with some clues regarding the compromise.

Technical Information

DNS: This is the FQDN (Fully Qualified Domain Name) entered into the DNS.

IP: This is the IP address of the machine.

MAC: The MAC address is assigned to the network card and should be unique. It can be changed in software, so treat it as a strong but not infallible identifier.

NIC: The manufacturer of the network card.

WINS: The WINS name is the same as the NetBIOS name given to the PC.

Switch: The last managed switch connection [ Port Number ] (Switch Name).

Users: The user names of anyone who has read e-mail from that machine. These accounts have typed their passwords into the machine, so their passwords should be changed first.

Last Seen: Last time the machine has been seen by our monitoring tools.

Port Scan:

This is a list of open ports on the machine.

Services:

Copies of the nmap service output for any services that return a banner when probed. On compromised machines this will usually show FTP servers and backdoors.

Detailed logging:

Any further logging provided by our monitoring tools.
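Because the subject line and the Technical Information section have a fixed shape, the archive lookup and the report itself can be handled in code. The following is an added example, not a tool from the page or the University's IT service: it pulls the IP address out of a report subject (ignoring 'Re:' replies and anything that is not a valid address), counts how often each address appears in an archive of subjects, splits a report body into its fields, open ports, service banners and detailed log, and checks that the address in the subject agrees with the one in the body. The subjects and report body are constructed; the host names are placeholders and the addresses come from documentation ranges.

```python
"""Work with 'Compromised Machine - <IP Address>' reports (added example;
not the page's own tooling). SAMPLE_SUBJECTS and SAMPLE_BODY are
constructed: host names are placeholders and the addresses come from
documentation ranges (192.0.2.0/24, 198.51.100.0/24, MAC 00:00:5e:00:53:xx)."""
import ipaddress
import re
from collections import Counter

SUBJECT_RE = re.compile(r"^Compromised Machine - (\S+)$")
FIELD_RE = re.compile(r"^(DNS|IP|MAC|NIC|WINS|Switch|Users|Last Seen):\s*(.*)$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
SECTIONS = ("Port Scan:", "Services:", "Detailed logging:")


def subject_ip(subject):
    """IP named in a report subject, or None for replies/forwards and for
    subjects that do not carry a valid address."""
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None


def prior_reports(archive_subjects):
    """Reports per address in the archive: the 'at a glance' history.
    Only exact report subjects count, so 'Re:' replies are not counted."""
    return Counter(ip for ip in map(subject_ip, archive_subjects) if ip)


def parse_report(body):
    """Split a report body into the Technical Information fields, the open
    ports from the port scan, the service banners and the detailed log."""
    out = {"info": {}, "ports": [], "services": [], "logging": []}
    section = None
    for raw in body.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line[:-1]
            continue
        if section is None:
            m = FIELD_RE.match(line)
            if m:
                out["info"][m.group(1)] = m.group(2).strip()
        elif section == "Port Scan":
            p = PORT_RE.match(line)
            if p:
                out["ports"].append((int(p.group(1)), p.group(2), p.group(3)))
        elif line:
            out["services" if section == "Services" else "logging"].append(line)
    return out


def check_report(subject, body):
    """Sanity checks before acting on a report: the subject must be a real
    report and its address must agree with the body."""
    problems = []
    sip = subject_ip(subject)
    bip = parse_report(body)["info"].get("IP")
    if sip is None:
        problems.append("subject is not a compromised-machine report")
    elif bip != sip:
        problems.append(f"subject IP {sip} does not match body IP {bip}")
    return problems


SAMPLE_SUBJECTS = [
    "Compromised Machine - 192.0.2.10",
    "Compromised Machine - 192.0.2.25",
    "Re: Compromised Machine - 192.0.2.10",  # a reply, not a report
    "Compromised Machine - 192.0.2.10",      # same address reported again
]
SAMPLE_BODY = """\
Technical Information

DNS: pc-lab-07.dept.example
IP: 192.0.2.10
MAC: 00:00:5e:00:53:01
NIC: Example NIC Corp
WINS: PC-LAB-07
Switch: [ 12 ] (lab-sw-1)
Users: abc1, xyz2
Last Seen: 2004-06-05 09:12

Port Scan:

139/tcp open netbios-ssn
21/tcp open ftp
65000/tcp open unknown

Services:

21/tcp ftp 220 Example FTP ready
65000/tcp unknown shell prompt (likely backdoor)

Detailed logging:

2004-06-05 09:10:31 outbound connection to 198.51.100.7:6667
"""

if __name__ == "__main__":
    print(prior_reports(SAMPLE_SUBJECTS))
    print(check_report(SAMPLE_SUBJECTS[0], SAMPLE_BODY))
    print(parse_report(SAMPLE_BODY)["ports"])
```

The count from prior_reports is keyed on the IP address only, as the page's subject-line convention is; when addresses are reassigned, compare the MAC field from parse_report before concluding that the same machine has been compromised twice.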

If you have any further questions or have any suggestions for additional information then please contact the IT Service Desk.