Mark Kraitchman

Please check that your X Window system is secure.

X Windows is a networking and display protocol environment using a GUI
(graphical user interface). Common X Window servers include XFree86
and Xorg in UNIX style systems and Exceed, WinAXE, Cygwin’s Xwin on
Microsoft Windows systems.

In January 2007, it was discovered that there were keystroke logs on a
system at another University containing data from nine systems in
EECS. Eight of the systems were running various versions of the
Microsoft Windows operating system and one was running linux. We must
assume these keystroke logs contained all passwords used on these
hosts as well as all passwords used to connect to other hosts. It is
suspected that all 9 of the systems had insecure X Window Systems.

IRIS advises usng a layered approach to securing your X Window
System. Access to the X server should be controlled. Typically UNIX
style systems by default do control access to the X server, but a user
can overide the default. Typically Exceed on Windows by default allows
any remote host access to the X server; this is a bad thing.

In addition to controlling access to the X server by utilizing proper
configuration of the X Window system and using the related tools
properly, another layer of security can be added. A properly
configured host based firewall blocking unauthorized remote
access to the X server, typically 6000/tcp, is also recommended.

John Kim from the campus SNS (System and Network Security) group has
written a good knowledge base article concerning securing X Window
systems. The article contains details about configuring Exceed, the
Microsoft Windows firewall and the Symantec Client Security firewall at

https://security.berkeley.edu/node/373

It is also recommended that X traffic be encrypted for
example through an encrypted ssh tunnel.

If you need further help with securing your X Windows system please
contact your computer support person(s) or the EECS Helpdesk
(help@eecs, 395 Cory 9am-5pm, 313 Soda 10am-5pm, 642-7777).

There was a problem with services from cronus & rhea
Wednesday morning, January 31, 2007 concerning direct
communication to systems on the following networks:


128.32.40.0/24
128.32.41.0/24
128.32.47.0/24
128.32.48.0/24
128.32.112.0/24
128.32.132.0/24
128.32.153.0/24
128.32.168.0/24


NIS, DNS and time services were impacted on the 8 specified networks.

We appologize for the inconvenience. Steps have been taken
to prevent a similar failure from occuring again.

Beginning Tuesday July 11, 2006, access to the EECS caching DNS (Domain Name Server or Domain Name System) servers cronus and rhea will be restricted to campus IP addresses.

If you have a system off-campus, you will not be able to use cronus and rhea for DNS service. Instead you will need to configure your off-campus system to utilize your ISP’s name servers.

This action (restricting access to the EECS caching DNS servers) is occuring following the campus IS&T’s lead of restricting access to the main campus caching DNS servers, ns1.berkeley.edu (128.32.136.9, 128.32.206.9) and ns2.berkeley.edu (128.32.136.12, 128.32.206.12) beginning July 1, 2006.

It is currently considered a “best practice” to restrict access to caching DNS servers. DNS service on cronus and rhea has been abused from off-campus IP addresses. Because of the security risks associated with allowing anyone to access the caching DNS servers, many groups are restricting access to their caching DNS servers including UCLA, the University of Oregon and the University of Virginia.

IS&T has documented details and reasons behind why it is necessary to restrict access to caching DNS servers:

• http://net.berkeley.edu/DNS/recursion.shtml
• http://net.berkeley.edu/DNS/recursion-detail.shtml

Current cronus and rhea IP addresses include:

cronus interfaces                       rhea interfaces
cronus-32 128.32.32.21                  rhea-32 128.32.32.23
cronus-33 128.32.33.21                  rhea-33 128.32.33.23
cronus-34 128.32.34.21                  rhea-34 128.32.34.23
cronus-35 128.32.35.21                  rhea-35 128.32.35.23
cronus-36 128.32.36.21                  rhea-36 128.32.36.23
cronus-37 128.32.37.21                  rhea-37 128.32.37.23
cronus-38 128.32.38.21                  rhea-38 128.32.38.23
cronus-40 128.32.40.21                  rhea-40 128.32.40.23
cronus-41 128.32.41.21                  rhea-41 128.32.41.23
cronus-42 128.32.42.21                  rhea-42 128.32.42.23
cronus-43 128.32.43.21                  rhea-43 128.32.43.23
cronus-47 128.32.47.21                  rhea-47 128.32.47.23
cronus-48 128.32.48.21                  rhea-48 128.32.48.23
cronus-62 128.32.62.21                  rhea-62 128.32.62.23
cronus-63 128.32.63.21                  rhea-63 128.32.63.23
cronus-112 128.32.112.21                rhea-112 128.32.112.23
cronus-132 128.32.132.21                rhea-132 128.32.132.23
cronus-134 128.32.134.21                rhea-134 128.32.134.23
cronus-153 128.32.153.21                rhea-153 128.32.153.23
cronus-168 128.32.168.21                rhea-168 28.32.168.23
cronus-171 128.32.171.21                rhea-171 128.32.171.23
cronus-cusg 169.229.3.251               rhea-cusg 169.229.3.252
cronus-169-229-63 169.229.63.21         rhea-169-229-63 169.229.63.23

Caching DNS service will also end from IP address 128.32.33.5 on Tuesday July 11, 2006.

Please update your off-campus systems accordingly.

The DNS name coeus.Berkeley.EDU has been a nickname for our
Network Appliance fileserver coeus.EECS.Berkeley.EDU.

We are going to give up the coeus.Berkeley.EDU DNS nickname so
as to allow the campus Sponsored Projects Office to use it
for a campus-level information system beginning May 23, 2006.

A vulnerability in Microsoft Windows Metafile (WMF) handling was
discovered in December. This vulnerability affects all
versions of Microsoft Windows. Microsoft is working on a patch.

This vulnerability could let an intruder take complete control of
your system, install spyware and attack other systems.
Exploit code has been publicly posted and systems are being
compromised, including as of Monday January 2, 2006 41 systems
on campus of which 2 were in EECS.

Systems are vulnerable to WMF exploits via malicious web pages,
malicious email attachments and malicious attachments in instant messaging.

For more info please see
http://idsg.EECS.Berkeley.EDU/security/wmf.html
[Read more…] about Microsoft Windows Metafile (WMF) Handling Vulnerability Advisory

The IRIS general UNIX login server argus.EECS.Berkeley.EDU
is scheduled for routine maintenance on Wednesday, April 20th and will be shutdown and rebooted at 5:00pm.

We expect argus will be off-line for less than 10 minutes.

Please make your plans accordingly.

IRIS’ general UNIX login server argus.EECS.Berkeley.EDU is scheduled for routine maintenance.

argus.EECS.Berkeley.EDU will be shutdown and rebooted Wednesday 3/2 at 5pm.

We expect argus will be off-line for less than 10 minutes.

Please make your plans accordingly.