Renaming of WEB-AUTH SSID

Hi

Sometime this week (24-29 of September) the “WEB-AUTH” SSID (Wireless network) will be renamed to the somewhat more instructive “ITU-guest”. The functionality will be the same, only the name is changed.

The “ITU” and “eduroam” SSIDs will not be changed.

Possible loss of data during night of 22nd/23rd of September.

Please check whether data you added to ITU systems between midnight and early morning on Friday 23. September is still available!

Early in the morning on Friday the 23. September our primary administrative MySQL database server suffered a severe hardware breakdown.  Several central databases became inaccessible, which affected a number of systems, for instance the blog system this message is a part of.   Other systems included:  Wireless authentication, the student job database, the self-service area, the inventory system and many others. Please refer to the list at the end of this message.

We managed to bring the system online for short bursts during the morning until the system finally broke down completely around noon. We were then forced to revert to backups of the databases in question on a new server.  We managed to salvage some data, but several gigabytes of data had to be restored from backups. The databases all came back online during the afternoon, starting with the wireless access systems and ending with the blog system around 4 pm (16:00).

Unfortunately the restored backups were all performed several hours prior to the incident.  The backups were initiated at 11:45 pm (23:45) Thursday evening and lasted several hours.  Thus all changes performed since shortly before Midnight and until Friday afternoon were rolled back.  The systems changing data were effectively unavailable during the daytime, and the majority of the systems are not used during the night, so we trust very few changes actually were rolled back - if any at all.  However the possibility exists.

All users who entered data into any ITU system during the night between the 22. and 23. September are encouraged to check whether the data is still available.  Only a fraction of our systems were affected; for instance our finance and payroll systems, all student administration data etc. are not influenced at all, but we urge everybody to verify no data loss took place if they did any work on our systems during the night. The databases can be accessed from a multitude of systems - some of which may not even be known to the IT department, as our task is in some cases merely to host the databases - not to maintain their content.

The names of the databases restored (fully or partially) are: blip, blog_itu_dk, bloglog_itu_dk_test, bs_ldap, cache, cacti, cfproject, cntmgr, docadm_v2, driftstatus, driftstatus_test, first, helpdesk, hpswitch, hsas2, hsas, information_schema, infrahealth, inventorydevel, inventory, invtemp, itsikkerhed, ITUUser, it_vagtplan_devel, it_vagtplan, KBtest, KBver3, kommunikation, kursuslearnitdb, machinelog, mailing, moodledb, mysql, netdot, ocs_test, op, qm1, radiusdb, radius, radius_test, roskilde2006, roskilde2007, roskildequiz, roundcubemail, roundcube, roundcube_update, rt3, selfservice, servers, ssh_access, studjob, studjob_test, studStart20101, studStart, superintendent, switchmac, SysAdm2, SysAdm, typo3, uid_gid, useradm and wifi_radio_status.

The IT department sincerely apologizes for any inconvenience resulting from this hardware failure!

Best regards

Claus - IT

Security issues in OS X Lion

There are currently two security issues with OS X Lion that you should be aware of!

1) Your password hash is readable by non-privileged users. Normally only users with high privileges (like the root user) have access to read this, but in OS X Lion a malicious website or anyone with physical or remote access (Remote Desktop or SSH) to your Mac will be able to read the SHA512 hash of all the local users on your Mac. An attacker will very likely be able to crack your password if he can access this.

2) It is possible to change a user's password without knowing or submitting the current password. This allows a malicious website or an attacker with physical access to your Mac to change your password and execute code as root.

To increase the security on your Mac we recommend you do the following:

Disable Guest accounts and unused accounts
Go to System Preferences -> Users & Groups and make sure the Guest User is not allowed to log in.

Password protect your screensaver limiting unauthorized physical access.
Go to System Preferences -> Security & Privacy and enable “Require password after sleep or screensaver begins”

It is also possible to prevent unprivileged users from running the command that allows these attacks. To do so you need to chmod /usr/bin/dscl so only root can use it. Please note that we have NOT tested this and you could potentially damage your OS X installation if you don’t know what you’re doing. If you choose to do this it is at your own risk, and we will not likely be able to help you.

You can read a more detailed explanation of all this on this website.

For more information please read our IT Security page on our intranet. You’ll also be able to find a PDF version of the guide with screenshots.

Issues with PHP?

We’ve noticed that some of you are experiencing issues executing your PHP scripts on our webservers and we’d like to explain why this is happening.

First of all we’d like to apologize for not informing you enough about the changes we’ve made on these webservers. In the aftermath of the hacker attack in April we decided to upgrade our webservers as they were getting terribly old and it was becoming a challenge to security patch the software running on them. Some of them were running PHP 5.0.x and some even PHP 4.x.

The new webservers are running PHP 5.3.3 and needless to say there have been a lot of changes in PHP functionality and security. We underestimated the impact of the upgrades and the version differences, and we’re really sorry that some of your scripts no longer work due to deprecated functions in the new PHP version.

While we’d prefer being able to make all your scripts work again, we cannot downgrade PHP to earlier and more insecure versions. We can however guide and help as much as possible, and we’d like to point out some of the things that may affect your scripts.

Using “Register Globals”
One of the biggest changes is a security fix The PHP Group implemented where they disabled the register_globals functionality. In short it means that a lot of global variables are gone / changed. You can read a lot more about it here:
http://dk2.php.net/manual/en/security.globals.php and http://dk2.php.net/manual/en/ini.core.php#ini.register-globals
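
As an illustration of the register_globals change described above, here is an added example (not ITU code and not taken from the PHP manual) of a script that depended on register_globals, shown next to a version that works on PHP 5.3.3. The function names, page names and credentials are hypothetical and constructed for the demo.

```php
<?php
// Added example, not ITU code. check_login(), the page names and the
// credentials below are hypothetical and constructed for the demo.
//
// BEFORE (only worked with register_globals = On):
//   if (check_login($user, $pass)) { $authorized = true; }
//   if ($authorized) { show_page($page); }
// A request for script.php?authorized=1 created $authorized before the
// script ran. With register_globals off, $user, $pass and $page are undefined.

// AFTER: initialise every variable and read input from explicit arrays.
function request_string(array $source, $name, $default = '')
{
    // Accept plain strings only; ?page[]=x would otherwise arrive as an array.
    return (isset($source[$name]) && is_string($source[$name]))
        ? $source[$name] : $default;
}

function check_login($user, $pass)
{
    // Stand-in for the demo; a real script verifies against a stored hash.
    return $user === 'demo' && $pass === 'constructed-password';
}

function handle_request(array $get, array $post)
{
    $authorized = false; // set explicitly, never inherited from the request
    $user = request_string($post, 'user');
    $pass = request_string($post, 'pass');
    $page = request_string($get, 'page', 'home');

    // Allow-list the page name instead of trusting the query string.
    if (!in_array($page, array('home', 'news', 'contact'), true)) {
        $page = 'home';
    }
    if (check_login($user, $pass)) {
        $authorized = true;
    }
    return $authorized ? "showing $page" : 'login required';
}

// Constructed requests; a web script would call handle_request($_GET, $_POST).
echo handle_request(array('authorized' => '1', 'page' => 'news'), array()), "\n";
echo handle_request(array('page' => 'news'),
    array('user' => 'demo', 'pass' => 'constructed-password')), "\n";
```

The code avoids syntax newer than PHP 5.3 (no short array syntax), so it runs on the version installed on the new webservers.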

Tags
Some webservers allowed you to use <? as the starting tag in your scripts instead of <?php. On most systems this has been changed to only allow <?php tags.

OOP issues
In PHP 5 they implemented a new Object Model. If you’ve been writing object-oriented scripts there may be some things you need to change, but overall most of it should work. You can find the OOP migration document here:
http://www.php.net/manual/en/migration5.oop.php

Missing Functions
Almost all of your code should still work with very few changes, but a few functions have been removed that may affect your script. Please see this list of Backward Incompatible Changes: http://www.php.net/manual/en/migration5.incompatible.php

You may find even more help following these links:
Migrating from PHP 4 to 5: http://php.net/manual/en/faq.migration5.php
Migrating from 5.2.x to 5.3.x: http://dk2.php.net/migration53
Changelog for PHP 5.3.3: http://www.php.net/ChangeLog-5.php#5.3.3

We sincerely hope this helps you and that you’ll be able to fix your scripts with as few changes as possible. If you’re still experiencing problems after following the guides and tips above then please don’t hesitate to let us know at it@itu.dk. We won’t be able to go into detailed fixing of individual scripts but we’d like to know of any issues so we can look into possible tweaks of global PHP settings that may help.

Wireless session in the atrium, week 4

The IT department will be hosting a short seminar about EDUROAM wireless connectivity.

This seminar will be held in the atrium, and the main purpose will be to help students and employees get connected (configured) to the wireless net EDUROAM.

There will be 2 seminars: the first will be held Tuesday the 25th of January, and the other will be Friday the 28th of January.

Students and employees can attend the seminar on Tuesday 11-13

New students can attend the seminar on Friday 11-13

Best regards

IT Department
ITU
it@itu.dk

Wireless network update

As most of you probably know, we have had some challenges with our wireless network, the most noticeable being the low download speed which could sometimes be counted in bits.

This has been due to our wireless network equipment not delivering a satisfactory performance. We have for example not been able to manage bandwidth per wireless client, which meant that a single user was able to lower the speed of a radio for all other users on that radio (e.g. if the user had used a BitTorrent client).

Nor has there been the possibility of actively roaming clients between radios. This means that a client connected to a radio with a very high load was not automatically transferred to a radio with a lesser load. As an example you could be 6 wireless clients working at the same table right between two radios and you would risk that all the wireless clients around the table were connected to the first radio and none were connected to the second radio. So in fact you had a radio, which was overloaded and right next to it, a radio doing nothing.

In the light of this we decided to change our supplier of wireless network equipment from HP to AeroHive and we have spent the last month replacing all wireless network equipment at the IT University.

The move from HP to AeroHive, has among other things, given us:
- 802.11n support.
- More than double the throughput per radio.
- Bandwidth control per client.
- Intelligent and active roaming of wireless clients between radios.
- Less interference between radios.
- Treble MIMO support.

What we have done is purely a hardware replacement. This means that you will not experience any changes in the wireless setup.
You should still use the guides you can find here to set up your PC or Mac.

If you have any problems with the wireless network, you are VERY welcome to stop by the IT Department between 10 and 13 on weekdays where we will gladly help you set up your PC or Mac.
We will also host a few sessions in the Atrium during week 4 where you are most welcome with your laptop if you should have any problems with the wireless network. Please read more about these sessions here.

If you still experience problems with poor download speed, if you keep getting disconnected from the wireless network or if you experience other inconveniences with the wireless network please send us an email at it@itu.dk and we will look into it.

We hope everyone will be most satisfied with the new wireless network.

Opennet is closing down

The wireless network “opennet” will be closed down permanently Monday the 4. of October at 9:00AM

If you have a Windows laptop supplied by the IT Department, you don't have to do anything, since your computer is already configured to connect to the ITU wireless network.

If you are used to using opennet you now have the following wireless networks to choose from:

  • eduroam: this requires some configuration of your client, please see eduroam-guide for more info
  • WEB-AUTH: you simply need to connect to this network and subsequently open your browser. You will then be asked to login using your normal username and password.

If you have any guests visiting, they should use WEB-AUTH unless they are able to use eduroam.

Please look here for more info about the wireless network.

Regarding network monitoring and downloading of copyrighted material

With the new wireless network in place, the IT Department's possibilities for monitoring the network here at the university increase. This is because all users are authenticated by username and password, and the IP address and computer name will be registered.

When downloading copyrighted material through e.g. BitTorrent the IT Department will be contacted by DK•CERT (Danish Computer Emergency Response Team) regarding illegal download and/or distribution.

When contacted by DK•CERT the IT Department will identify the user hiding behind the IP address which DK•CERT has registered and reported to us. The user identification is now much easier with the enhanced monitoring possibilities in place. After the identification the supposed user will be called in for an interview with the IT Security Function regarding the incident.

Please note that the IT Department takes cases concerning illegal download and/or distribution of copyrighted material very seriously.

We therefore point out to all our network users that downloading and/or distributing material protected by copyright law is illegal under Danish legislation and will be treated accordingly.

Regards,

The IT Security Function

Wireless Network postponed

Due to wireless network complications the IT department regrets to inform you that the introduction to the wireless network has been postponed to week 38.

More information can be obtained in Thursday Morning newsletter.

Kind regards

the IT department

Wireless network

Wireless - troubleshooting - best practice (Thursday Morning link)

WLAN modification (danish below)

Important information regarding the wireless network at ITU

September the 13th 2010 the wireless network “opennet” will be closed.

To get wireless network access after that date, you will have the following options:

eduroam: This network is based on the 802.1x standard. It requires some setup of your computer (possibly the installation of extra software for some older operating systems; WinXP/Win7, Mac OS X 10.4 or later and most newer Linux distributions support 802.1x directly). On the other hand you will also have access to the eduroam network at several Danish educational institutions.

Students and staff will each be on their own logical network, providing access to the drives, printers, etc., just as on the wired network. Eduroam visitors will be on a network with limited access.

More information about eduroam can be found here:

http://www.eduroam.org/

Guides for setup of eduroam will follow soon after eduroam network is up and running.

webauth: This network requires no special configuration of the computer. You connect just as with the current “opennet”, open a browser and are directed to a website where you enter your username and password. You will access the same network resources as you have via eduroam.

There will be a transition phase where all networks are available simultaneously.

Danish

WLAN change

Important info regarding the wireless network at ITU

On 13 September 2010 the wireless network “opennet” will be taken down.

To get wireless network access after this date, you have the following options:

eduroam: This network is based on the 802.1x standard. It requires some setup of your computer (possibly installation of extra software for certain older operating systems; WinXP and later, Mac OS X 10.4 and later, and most newer Linux distributions support 802.1x directly). In return, you get access to the eduroam network at several Danish educational institutions.

Students and staff are each placed in their own logical network, with access to the drives, printers, etc. that they have on the wired network. Eduroam guests are placed in a separate network with limited access.

Guides for setting up eduroam will follow as soon as the eduroam network is ready.

More information about eduroam can be found here:

http://www.eduroam.org/

webauth: This network requires no special configuration of the computer. You connect just as on the current opennet, open a browser and are directed to a web page where you enter your username and password. You will get access to the same network resources as you have via eduroam.

There will be a transition phase where all networks are available simultaneously.
