Website hacking/spamming

Below is a post from Information Services, warning about website hacking incidents that have happened recently within the University.

If you are responsible for a website, or even just web pages, but particularly if you use a self-run blog/wiki/WCMS, then it is a good idea to follow the advice given below and periodically Google for your site/pages and include common spam-type words, e.g. Viagra. For example, to check homepages for that string, in the Google search box type “site:homepages.inf.ed.ac.uk viagra”. Unfortunately we do seem to have one example of a user-run blog which has been spammed, and this will be rectified shortly. Other hits seem to be genuine research-type activity.

Neil

Original post from IS…

Dear colleagues,

There have been several incidents of insidious hacking of non-centrally
supported university websites in the last few months.

Affected sites selectively redirect users referred by a Google search to
dubious commercial sites, such as online pharmacies.
To see the effect of this, put 'paypal site:ed.ac.uk' into google.com and
look at the search results mentioning Viagra.

If you come across an affected site, please notify me and the site owner as
soon as possible.

These hacks take advantage of known security vulnerabilities in obsolete
versions of web content management systems and other web tools.  They insert
malicious code which affects how the site appears to Google's robots, and
can redirect users coming from Google searches, but make no visible changes
to the site viewed at its normal URL.

To avoid your website being affected, ensure any web software you are
running is kept up-to-date with the latest security patches and upgrades.

Site owners should use Google to check their own sites specifically using
the Google search engine and then should address any hacking incidents
immediately, by following the 5 steps in the instructions at
http://stevepenny.com/googleviagraspamhack.html.
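As an added example (not part of either post above, and not a tool from IS): a Python check that fetches a page three ways, as a plain browser, with a Googlebot user agent, and as a browser arriving from a Google search, and reports exactly the two symptoms the IS post describes, spam content shown only to Google's robot and a redirect only for Google referrals. The spam term list, the user-agent strings and the URL you pass in are assumptions.

```python
"""Added check for the cloaking described above: compare what a page serves to a
normal browser, to a Googlebot user agent, and to a visitor arriving from Google."""
import urllib.request
from urllib.error import HTTPError

SPAM_TERMS = ("viagra", "cialis", "online pharmacy")  # assumed sample terms
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
USER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"
REDIRECTS = (301, 302, 303, 307)

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses: the redirect itself is the evidence."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url, user_agent, referer=None):
    """Return (status, Location header, body) for one request variant."""
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=15) as resp:
            body = resp.read().decode("utf-8", "replace")
            return resp.status, resp.headers.get("Location"), body
    except HTTPError as err:  # with NoRedirect installed a 3xx surfaces here
        return err.code, err.headers.get("Location"), ""

def spam_terms_in(body):
    """Spam terms present in a response body, in SPAM_TERMS order."""
    low = body.lower()
    return [term for term in SPAM_TERMS if term in low]

def assess(normal, as_bot, from_google):
    """Each argument is a (status, location, body) triple as returned by fetch()."""
    findings = []
    bot_only = [t for t in spam_terms_in(as_bot[2]) if t not in spam_terms_in(normal[2])]
    if bot_only:
        findings.append("spam terms served only to Googlebot: " + ", ".join(bot_only))
    if from_google[0] in REDIRECTS and normal[0] not in REDIRECTS:
        findings.append("visitors from Google are redirected to %s" % from_google[1])
    return findings

def check_site(url):
    """Run the three variants; an empty list means nothing suspicious was seen."""
    plain = fetch(url, USER_UA)
    return assess(plain, fetch(url, BOT_UA),
                  fetch(url, USER_UA, referer="https://www.google.com/search?q=paypal"))
```

Injected code that keys on Google's crawler IP ranges rather than on the User-Agent or Referer headers will not be caught by this check, so the site: search Neil describes remains the authoritative test; the script is a quick first pass you can run against every site you manage.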

A Farewell to Samba

For many years, the School of Informatics has provided Windows and MacOS users with access to its file and printing resources via Samba. Since the introduction of the OpenAFS file system and the CUPS printing system, there have been better methods available for accessing these resources. Given this, the intention has always been to withdraw the Samba service at some point and the forthcoming server upgrade to SL6 seems like an opportune time to do so.

This will not be happening immediately, however, as there are currently still two use cases where Samba is required. The first is access to the NFS-mounted homepages web area from Windows and MacOS; to get around this, we will be moving homepages to AFS space in the next couple of months. The second is access to certain finance areas where several users need to access data at the same time, something AFS cannot currently provide. This data will continue to be provided via Samba but will be relocated to the central University Samba service. This move is currently taking place.

We will make further announcements closer to the time about exactly when the Samba service will be terminated. In the meantime, if you have any comments or questions, please get in touch.

Edit: Iain suggests that access to documents scanned via the MFDs is a third use case. At the moment, he is quite correct, but the University has changed its MFD supplier, meaning that all of our MFDs will be replaced over the summer. Scanning to Samba will not be supported on the new machines, the most likely replacement being scanning to email. There will doubtless be a blog article about the new MFDs in due course.


SL6.2

The 2nd minor update to ScientificLinux 6 (which is based on RHEL6) is now ready for deployment to the Informatics SL6 DICE office machines. A minor update like this provides us with the opportunity to update important software and fix any bugs which are not security issues (we apply security updates as soon as they are available) in a controlled manner.

At this stage we are only upgrading the office machines; the machines in the student labs will be upgraded once the online exams have been completed. Upgrades for individual servers will be scheduled over the next few weeks and affected users will be contacted as necessary.

SL6.2 was released on 15th February 2012 and since then it has been thoroughly tested in our DICE environment so we are confident that this update will not cause any issues for users.

Details of the package updates are available on the LCFG wiki. For further, in depth information, there are also release notes from ScientificLinux and RHEL.

If you have any questions or problems with the upgrade please contact our User Support team through the support form.


Long Running Jobs and AFS

As most of you will be aware, access to the School’s AFS file system requires that the user be in possession of a valid Kerberos ticket. Most of the time, this is handled behind the scenes and doesn’t cause any problems. The default Kerberos ticket is only valid for 18 hours, though, and this can cause problems when users attempt to run jobs which need access to AFS space for longer than 18 hours. Once the 18 hours is up, the Kerberos ticket associated with the job expires and the job loses access to the file system. This is probably not what you want.

Fortunately, there are ways around this. The tickets issued to Informatics users can be renewed for up to 28 days using a program called krenew. For jobs which need to run for even longer than this, the k5start program can use information held in a local file on a given host to obtain Kerberos tickets indefinitely. None of this is straightforward to do however and it is all too easy to make a minor error on the command line which leads to a job failing 18 hours later. Waiting 18 hours to see if something works makes for an awfully long run/debug/fix loop.

To simplify the lives of our users, we have written a wrapper script called longjob, now available on all DICE hosts, which takes care of much of the minutiae of setting up long running jobs. Given an indication of how long a job is expected to last, the script will check whether suitable Kerberos tickets are in place, prompting the user for their Kerberos password if necessary to obtain new tickets, and then start the job. There is a man page which prospective users are encouraged to study, and User Support will of course be happy to answer any questions about this script and indeed about long-running jobs in general.
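As an added illustration (not the longjob script itself, which lives on the DICE hosts): the decision such a wrapper has to make, worked through in Python against a constructed klist listing that matches the lifetimes above, an 18-hour ticket renewable for 28 days. The klist layout is MIT's, the krenew and k5start options are those of the kstart package, and the keytab path is a placeholder.

```python
"""Added example of the decision a long-job wrapper has to make: run the job
as is, wrap it in krenew, or fall back to k5start with a keytab."""
import subprocess
from datetime import datetime, timedelta

# Constructed MIT-style `klist` listing (not a real cache): the ticket is
# valid for 18 hours and renewable for 28 days. SAMPLE_NOW is the clock time
# the example assumes when it reads this listing. Date layout varies by
# klist version and locale; adjust FMT for your own output.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting       Expires              Service principal
03/01/2012 09:00:00  03/02/2012 03:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 03/29/2012 09:00:00
"""
SAMPLE_NOW = datetime(2012, 3, 1, 9, 0, 0)
FMT = "%m/%d/%Y %H:%M:%S"

def parse_tgt(klist_text):
    """Return (expires, renew_until) for the krbtgt line; renew_until may be None."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        if "krbtgt/" not in line:
            continue
        expires = datetime.strptime(" ".join(line.split()[2:4]), FMT)
        renew_until = None
        if i + 1 < len(lines) and "renew until " in lines[i + 1]:
            renew_until = datetime.strptime(lines[i + 1].split("renew until ")[1].strip(), FMT)
        return expires, renew_until
    raise ValueError("no krbtgt entry in klist output")

def plan(klist_text, hours_needed, now):
    """Return (explanation, command prefix) to put in front of the user's job."""
    expires, renew_until = parse_tgt(klist_text)
    deadline = now + timedelta(hours=hours_needed)
    if deadline <= expires:
        return "current ticket outlives the job", []
    if renew_until is not None and deadline <= renew_until:
        # krenew -K renews every N minutes; -t refreshes the AFS token as well
        return "renewable ticket: wrap the job in krenew", ["krenew", "-t", "-K", "60", "--"]
    # Past the renewable lifetime only a keytab can keep obtaining fresh tickets
    # (-U reads the principal from the keytab; the path is a placeholder)
    return ("beyond the renewable lifetime: k5start with a keytab",
            ["k5start", "-t", "-K", "60", "-U", "-f", "/path/to/keytab", "--"])

def wrap_job(argv, hours_needed, klist_text=None, now=None):
    """Full command line for the job; call subprocess.run(wrap_job(...)) to start it."""
    klist_text = klist_text or subprocess.check_output(["klist"], text=True)
    return plan(klist_text, hours_needed, now or datetime.now())[1] + list(argv)
```

The checks run before the job starts, which is the point of the script: a ticket that cannot cover the requested duration is reported immediately rather than discovered 18 hours later.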


Theon

Back in summer 2009 we reviewed our School Database provision. The result of that review was to commence a project to re-factor both of the existing back and front ends. This project also “adopted” a number of additional areas not specifically covered in the original review, including:

  • integration of the old IGS and ISS Access database systems
  • complete re-factoring of the Data Model
  • implementation of a new generic synchronisation system for upstream data
  • new externalised schema representation including change management
  • introduction of a web portal replacing most of the old reporting mechanism
  • replacement of the old Tutoring Access system with a new HTBN bid process

Not all of the above are finished, however the primary work of re-factoring has now been completed.

We migrated the back-end from OpenIngres and a manually managed service to a properly LCFG managed PostgreSQL service, using our local authentication and authorization structure. This meant the service would cost considerably less effort to run and be much easier to support. This work was all done in late 2009 and early 2010. Apart from functional benefits offered by PostgreSQL over Ingres (such as data integrity bug fixes and performance) this change had no user visibility. Aspects of work associated with this re-factor were:

  • port data model from Ingres SQL to PostgreSQL
  • conversion of all internal triggers/functions and particularly assessment processing functions
  • conversion of all live reports (in the order of many hundreds)
  • change to using local infrastructure authentication/authorisation

For the front-end re-factor we designed and implemented a new web browser based database client for end users to maintain information in the database. This replaced the old native platform client which was based on an IDE toolkit that was no longer supported or generally available. This new interface was developed over summer 2010 and was first deployed for testing by ISS in November 2010 and rolled out for the IGS in January 2011. It was finally rolled out to the ITO in September 2011 just in time for the start of the current academic session. The new interface was backwardly compatible with the old one and allowed all the existing custom forms to be used. Most of these have now been replaced by new custom forms as the ITO structures were also changed to reflect more data being taken from upstream.

The new School Database service currently consists of the following core components:

  • PostgreSQL Database, LCFG managed
  • TheonSchema – external XML::Schema representation of the School Data Model
  • TheonUI – web browser database client for admin users, main desktops are provided for Research Students, Taught Students, Courses, Duties, HTBN and Legacy HR/ITO/Computing
  • TheonPortal – web based reports for all users
  • TheonCoupler – generic sync system, keeps local data consistent with central data
  • TheonMarker – assessment functionality processing and reporting

Further information is available on the project development web site.


Flood in the server room (not for real!)

Periodically, we test our preparedness for disasters by holding a mock disaster exercise.

On 27th February, the computing staff were told that part of the roof of the Forum server room had collapsed due to flood damage and that this had destroyed a number of the server racks. Obviously in such a scenario, it would be unlikely that computing staff would be allowed access to the server room, so they had to work out from records which kit had been damaged.

Each computing unit was asked to produce a report on what services would have been affected and the state of the backups for those services. They were also asked to test reinstall one service just from those backups. The reports are available here.

In summary, the only data that would have been lost was data on a small number of servers, owned by a research group, that we had not been asked to backup. The owner of these servers has been approached and given the opportunity to rectify, if required. Where Institute servers are being used to mirror each other, we plan to ensure that they are physically in different buildings. The exercise highlighted a number of relatively minor procedural problems, mainly related to record keeping, which will be corrected.


firefox and thunderbird updates

Major updates have been provided for the firefox web browser and the thunderbird mail client on ScientificLinux 6 which will take us up to version 10 (Extended Support Release). These updates provide a large number of fixes for serious security holes as well as many feature enhancements. We have tested these updates and do not expect any major issues. There will be some differences in how the interfaces behave so please expect some big changes but if you find anything which is causing a problem please let us know. The upgrades will be installed onto DICE SL6 desktop machines during the night of Wednesday 28th or the early morning of Thursday 29th March. If you use firefox or thunderbird you will need to restart the application after the upgrade has completed.


Self-managed server room – ventilation and noise levels

In a previous post we mentioned that noise levels in the self-managed server room (i.e. B.Z14) of the Informatics Forum were higher than we might like. And users of that room can’t have failed to notice that it’s also been much hotter and stuffier than anyone might like …

We’re pleased to say that alterations have now been made which radically improve the ventilation to that room. The results are that the air temperature is now pleasant, and – since we no longer need to use ventilation tiles equipped with active fans – the noise levels are much reduced.

There is still some tuning and adjustment of the air-conditioning system left to do but, all in all, the alterations have been a complete success. We’re very grateful to our colleagues in Estates & Buildings for their help in getting this work done.


Cookies and “Similar Technologies”

As a result of a 2009 EU directive, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) have been amended such that visitors to web sites must now give their prior consent to the placing of cookies.  The way in which this is to be done is not specified by the regulations; the ICO’s guidance is simply that it should take into account the intrusiveness of the cookie into the user’s privacy. Enforcement by the ICO of this requirement is expected to begin in May of this year.

We have created a web page with information as to what is required and links to useful additional sites.  This will be updated as we learn more.  Comments and suggested additions to this site are welcome.

The University’s web team will be dealing with centrally-served pages.  Updating the content of Informatics-served pages will fall on the site managers, as usual, though the CO/CSO team will be able to advise.  Users with sites on self-managed machines or hosted on external providers will be responsible for updating those sites as necessary.

We expect the University to issue guidelines for site-managers around the beginning of March.  We’ll link this from our web page and let you know.


Self-managed machines – kerberos and ssh

It is possible to set up self-managed machines to use Kerberos with ssh to connect to DICE machines without entering a password, and we strongly recommend that you do this. We have created step-by-step instructions to help you set this up under Windows, Mac OS X and Linux. These instructions are also linked to from the FAQ.
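An added illustration (not the step-by-step instructions referred to above) of the OpenSSH client settings this setup relies on; the host pattern is an assumption, and on Windows or Mac OS X the equivalent options live in whichever ssh client the instructions cover:

```text
# ~/.ssh/config on the self-managed machine (host pattern assumed)
Host *.inf.ed.ac.uk
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
```

You still need a ticket on the self-managed machine first (kinit), and GSSAPIDelegateCredentials is what forwards it to the DICE host so that your AFS home directory is accessible once you are logged in; keep that option restricted to hosts you trust, since it hands them a usable copy of your ticket.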
