Frequently Asked Questions
This page is to help answer any questions you may have. If you do not see your question here, please e-mail us and we will try to answer it.
"In order to protect the security and integrity of Computer and Network Resources against unauthorized or improper use, and to protect authorized users from the effects of such abuse or negligence, the University reserves the rights, at its sole discretion, to limit, restrict, or terminate any account or use of Computer and Network Resources, and to inspect, copy, remove or otherwise alter any data, file, or system resources which may undermine authorized use." --AD20
A. How do I report an incident to the Security Operations and Services (SOS) Office?
If you need to report an incident, please e-mail security@psu.edu or call (814) 863-9533. For details on what you need to have available or included with the incident report, please refer to the Incident Reporting page.
A. What can I do if I feel harassed or threatened and wish to press charges?
If at any time you feel threatened or harassed by any form of computer communication and wish to press charges, please contact Police Services immediately. Retain as much of the evidence as possible and be sure to save everything: e-mail headers, date and time logs, and IP addresses from IRC communication can all help the police track the harasser down. We aid the police in many investigations; however, this type of situation falls under police jurisdiction due to the potential of physical harm.
A listing of non-emergency phone numbers for Penn State Police Services at the different campuses is available.
A. Where do I report unauthorized access attempts made against my computer?
If you detect that someone has attempted to access, probe, or "break in" to your computer system without authorization, please submit the firewall logs of the unauthorized attempts to security@psu.edu or abuse@psu.edu; without log files we may be unable to continue our investigation into your incident. Immediately change your Penn State Access Account password at https://www.work.psu.edu/. For recommendations on how to create a strong password, view the SOS suggestions.
A. What is the proper format to submit logs of unauthorized access attempts made against my computer?
Please include the:
- Date
- Time
- Source IP address
- Destination IP address
- Port numbers that were involved
- Time zone that your machine/logs are set to
A. How do I find my firewall logs?
Depending on what type of firewall you have running on your machine, there are several ways to view the log files. For some of the most common firewalls (ZoneAlarm, Windows XP Service Pack 2, and Norton/Symantec) the directions are found below.
To retrieve your ZoneAlarm firewall log:
Unless you have moved or renamed the location of your firewall logs, they can be retrieved from the folder C:\WINDOWS\Internet Logs, where they are listed as text (.txt) files by date (file name: ZALog2005.02.15.txt).
Example of ZoneAlarm firewall log:
ZoneAlarm Logging Client v5.5.062.004
Windows XP-5.1.2600-Service Pack 2-SP
type,date,time,source,destination,transport (security)
type,date,time,virus name,file name,mode,e-mail id (antivirus)
type,date,time,source,destination,action,service (IM security)
FWIN,2005/02/09,17:52:14 -5:00 GMT,65.254.xx.xxx:0,146.186.xxx.xxx:0,ICMP (type:8/subtype:0)
FWIN,2005/02/09,17:52:42 -5:00 GMT,65.254.xx.xxx:32786,146.186.xxx.xxx:33452,UDP
FWIN,2005/02/09,17:52:44 -5:00 GMT,65.254.xx.xxx:32786,146.186.xxx.xxx:33453,UDP
FWIN,2005/02/09,17:52:48 -5:00 GMT,65.254.xx.xxx:32786,146.186.xxx.xxx:33454,UDP
FWIN,2005/02/09,17:52:50 -5:00 GMT,65.254.xx.xxx:32786,146.186.xxx.xxx:33455,UDP
FWIN,2005/02/09,17:52:54 -5:00 GMT,65.254.xx.xxx:32786,146.186.xxx.xxx:33456,UDP
FWIN,2005/02/09,17:52:56 -5:00 GMT,65.254.xx.xxx:32786,146.186.xxx.xxx:33457,UDP
FWIN,2005/02/09,17:53:24 -5:00 GMT,65.254.xx.xxx:0,146.186.xxx.xxx:0,ICMP (type:8/subtype:0)
FWIN,2005/02/09,17:53:52 -5:00 GMT,65.254.xx.xxx:32780,146.186.xxx.xxx:33450,UDP
FWIN,2005/02/09,17:53:54 -5:00 GMT,65.254.xx.xxx:32780,146.186.xxx.xxx:33451,UDP
FWIN,2005/02/09,17:53:58 -5:00 GMT,65.254.xx.xxx:32780,146.186.xxx.xxx:33452,UDP
FWIN,2005/02/09,17:54:00 -5:00 GMT,65.254.xx.xxx:32780,146.186.xxx.xxx:33453,UDP
FWIN,2005/02/09,17:54:04 -5:00 GMT,65.254.xx.xxx:32780,146.186.xxx.xxx:33454,UDP
FWIN,2005/02/09,17:54:06 -5:00 GMT,65.254.xx.xxx:32780,146.186.xxx.xxx:33455,UDP
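As an added example (not code from the SOS page), the Python below pulls the fields SOS asks for in a report (date, time, source and destination IP, ports, time zone) out of ZoneAlarm "type,date,time,source,destination,transport" records like the ones above, and restates each timestamp in UTC using the offset the log itself records. The sample log and its RFC 5737 addresses are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample in ZoneAlarm's "type,date,time,source,destination,transport" layout.
SAMPLE_LOG = """\
ZoneAlarm Logging Client v5.5.062.004
type,date,time,source,destination,transport (security)
FWIN,2005/02/09,17:52:14 -5:00 GMT,203.0.113.20:0,192.0.2.40:0,ICMP (type:8/subtype:0)
FWIN,2005/02/09,17:52:42 -5:00 GMT,203.0.113.20:32786,192.0.2.40:33452,UDP
FWIN,2005/02/09,17:52:44 -5:00 GMT,203.0.113.20:32786,192.0.2.40:33453,UDP
"""
# Time field = local clock time plus the machine's offset from GMT, e.g. "17:52:14 -5:00 GMT".
TIME_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) ([+-]\d{1,2}:\d{2}) GMT$")

@dataclass
class Event:
    date: str       # YYYY/MM/DD as logged (local time)
    time: str       # HH:MM:SS as logged (local time)
    tz: str         # offset from GMT as logged, e.g. "-5:00"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

    def utc_timestamp(self) -> datetime:
        """Apply the logged offset so the time in the report is unambiguous."""
        hours, minutes = self.tz[1:].split(":")
        offset = timedelta(hours=int(hours), minutes=int(minutes))
        if self.tz[0] == "-":
            offset = -offset
        local = datetime.strptime(f"{self.date} {self.time}", "%Y/%m/%d %H:%M:%S")
        return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)

    def report_row(self) -> tuple:
        """The fields SOS asks for, with the time restated in UTC."""
        return (self.utc_timestamp().strftime("%Y-%m-%d %H:%M:%S UTC"), self.tz,
                self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

def parse_zonealarm(text: str) -> list:
    """One Event per FWIN/FWOUT record; banner, header and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(",", 5)
        if len(parts) != 6 or not parts[0].startswith("FW"):
            continue
        m = TIME_RE.match(parts[2].strip())
        if not m:
            continue  # unexpected time layout: skip rather than guess the zone
        src_ip, src_port = parts[3].rsplit(":", 1)   # "203.0.113.20:32786"
        dst_ip, dst_port = parts[4].rsplit(":", 1)
        events.append(Event(parts[1], m.group(1), m.group(2), src_ip, int(src_port),
                            dst_ip, int(dst_port), parts[5].strip()))
    return events
```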
To retrieve your Windows XP Service Pack 2 firewall logs:
Unless you have moved or renamed the location of your firewall logs, they can be retrieved from the folder C:\WINDOWS\Internet Logs. You will see them listed as text (.txt) files by date (file name: ZALog2005.02.15.txt).
Example of Windows XP Service Pack 2 firewall logs:
Category: Firewall
Date,Message,Details
2/3/2005 11:22:44 AM,An instance of "C:\Program Files\Symantec Client Security\Symantec Client Firewall\IAMSTATS.EXE" is preparing to access the Internet.,An instance of "C:\Program Files\Symantec Client Security\Symantec Client Firewall\IAMSTATS.EXE" is preparing to access the Internet.
2/3/2005 11:15:16 AM,Unused port blocking has blocked communications.,"Unused port blocking has blocked communications. Inbound TCP connection. Remote address,local service is (210.45.xxx.xxx,3306)."
2/3/2005 11:15:13 AM,Unused port blocking has blocked communications.,"Unused port blocking has blocked communications. Inbound TCP connection. Remote address,local service is (210.45.xxx.xxx,3306)."
2/3/2005 11:00:09 AM,TCP non-syn/non-ack packet on invalid connection. Packet has been dropped.,"TCP non-syn/non-ack packet on invalid connection. Packet has been dropped. Source IP address: xxx.psu.edu(146.186.xxx.xx). Destination IP address: xxx.psu.edu(146.186.xxx.xxx). TCP Source Port: 995. TCP Destination Port: 1507. Flags: 0x00000011."
A. What do System Firewall logs look like?
Example #1
<Logs in GMT-0600>
Nov 21 10:29:47 actaeon sshd[85685]: Failed password for nobody from 128.118.xxx.xxx port 59742 ssh2
Nov 21 10:29:49 actaeon sshd[85686]: Failed password for patrick from 128.118.xxx.xxx port 60661 ssh2
Nov 21 10:29:50 actaeon sshd[85687]: Failed password for patrick from 128.118.xxx.xxx port 33078 ssh2
Nov 21 10:29:50 actaeon sshd[85688]: Failed password for root from 128.118.xxx.xxx port 33268 ssh2
Nov 21 10:29:51 actaeon sshd[85689]: Failed password for root from 128.118.xxx.xxx port 33459 ssh2
Nov 21 10:29:51 actaeon sshd[85690]: Failed password for root from 128.118.xxx.xxx port 33653 ssh2
Nov 21 10:29:52 actaeon sshd[85691]: Failed password for root from 128.118.xxx.xxx port 33865 ssh2
Nov 21 10:29:53 actaeon sshd[85692]: Failed password for root from 128.118.xxx.xxx port 34047 ssh2
Nov 21 10:29:53 actaeon sshd[85693]: Failed password for rolo from 128.118.xxx.xxx port 34235 ssh2
Nov 21 10:29:54 actaeon sshd[85694]: Failed password for iceuser from 128.118.xxx.xxx port 34451 ssh2
Nov 21 10:29:55 actaeon sshd[85695]: Failed password for horde from 128.118.xxx.xxx port 34730 ssh2
Nov 21 10:29:55 actaeon sshd[85696]: Failed password for cyrus from 128.118.xxx.xxx port 34996 ssh2
Nov 21 10:29:56 actaeon sshd[85697]: Failed password for www from 128.118.xxx.xxx port 35204 ssh2
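As an added example (not code from the SOS page), the Python below runs a simple brute-force check over sshd lines in the format of Example #1: it groups "Failed password" entries by source address, flags any source with five or more failures inside a one-minute window, and records whether a login from that source later succeeded, which is the case worth escalating. The sample lines and their RFC 5737 addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the syslog layout shown above (RFC 5737 addresses, not real hosts).
SAMPLE_SYSLOG = """\
Nov 21 10:29:47 actaeon sshd[85685]: Failed password for nobody from 203.0.113.5 port 59742 ssh2
Nov 21 10:29:49 actaeon sshd[85686]: Failed password for patrick from 203.0.113.5 port 60661 ssh2
Nov 21 10:29:50 actaeon sshd[85688]: Failed password for root from 203.0.113.5 port 33268 ssh2
Nov 21 10:29:53 actaeon sshd[85693]: Failed password for rolo from 203.0.113.5 port 34235 ssh2
Nov 21 10:29:55 actaeon sshd[85696]: Failed password for cyrus from 203.0.113.5 port 34996 ssh2
Nov 21 10:30:02 actaeon sshd[85700]: Accepted password for patrick from 203.0.113.5 port 35310 ssh2
Nov 21 11:05:12 actaeon sshd[85801]: Failed password for alice from 198.51.100.7 port 41020 ssh2
Nov 21 11:05:40 actaeon sshd[85802]: Accepted password for alice from 198.51.100.7 port 41021 ssh2
"""

# " ?port" tolerates the missing space ("xxx.xxxport") seen when logs are pasted into e-mail.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) ?port \d+ ssh2")

def parse_sshd(text: str) -> list:
    """Dicts with ts/result/user/ip for each password-auth line (syslog omits the year)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                           "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events

def find_bruteforce(text: str, window: int = 60, threshold: int = 5) -> dict:
    """Flag each source IP with >= threshold failures inside `window` seconds and record
    whether a login from that IP succeeded afterwards, which is the stronger indicator."""
    by_ip = defaultdict(list)
    for e in parse_sshd(text):          # assumes lines are in chronological order
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        start, burst = 0, 0             # sliding window over the failure timestamps
        for end in range(len(fails)):
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            last_fail = fails[-1]["ts"]
            findings[ip] = {
                "failures": len(fails),
                "users": sorted({e["user"] for e in fails}),
                "success_after": [e["user"] for e in evs
                                  if e["result"] == "Accepted" and e["ts"] >= last_fail],
            }
    return findings
```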
Example #2
<Logs in GMT-0700>
Fri 12/03 14:23:26 tcp 128.118.xxx.xxx.2265 <| 128.118.xxx.xxx.135 RST
Fri 12/03 14:23:26 tcp 128.118.xxx.xxx.2265 <| 128.118.xxx.xxx.135 RST
Fri 12/03 14:23:27 tcp 128.118.xxx.xxx.2265 <| 128.118.xxx.xxx.135 RST
Fri 12/03 14:28:06 tcp 128.118.xxx.xxx.4436 <| 128.118.xxx.xxx.135 RST
Fri 12/03 14:28:06 tcp 128.118.xxx.xxx.4436 <| 128.118.xxx.xxx.135 RST
Fri 12/03 14:28:07 tcp 128.118.xxx.xxx.4436 <| 128.118.xxx.xxx.135 RST
Fri 12/03 14:45:16 tcp 128.118.xxx.xxx.2762 <| 128.118.xxx.xxx.135 RST
Fri 12/03 14:45:16 tcp 128.118.xxx.xxx.2763 <| 128.118.xxx.xxx.1025 RST
Fri 12/03 14:45:16 tcp 128.118.xxx.xxx.2762 <| 128.118.xxx.xxx.135 RST
Fri 12/03 14:45:16 tcp 128.118.xxx.xxx.2763 <| 128.118.xxx.xxx.1025 RST
Fri 12/03 14:45:17 tcp 128.118.xxx.xxx.2763 <| 128.118.xxx.xxx.1025 RST
Fri 12/03 14:45:17 tcp 128.118.xxx.xxx.2762 <| 128.118.xxx.xxx.135 RST
The following information is useless to our investigation: ARIN whois registration records for Penn State's own network (organization name and address, contact handles, net ranges, and name servers). Please send the firewall log entries themselves instead.
A. What can I do if I suspect that my password has been stolen or compromised?
Change all of your passwords IMMEDIATELY. This would include your Penn State Access Account password and computer account passwords (i.e. administrator, guest, etc.). For recommendations on how to create a strong password, view the SOS suggestions.
Please keep notes and report any unusual behavior as evidence that our office can use in investigating the incident.
A. What do I do when I receive spam and what can SOS do about it?
A. What can I do when I receive spyware?
Ad-Aware and Spybot S&D are both popular anti-spyware tools, designed to detect and remove a variety of spyware types from a user's computer. Though equally effective, Spybot S&D is a bit more advanced than Ad-Aware; novices are encouraged to first try Ad-Aware. Note: Spybot Search & Destroy is free for use on both University and personally-owned machines. However, Ad-Aware is free only for personally-owned machines; users who wish to run it on University-owned machines will need to purchase this product.
A. What are full headers and how do I get to them?
Headers provide a detailed log of a message's history and make it possible to draw some conclusions about the origin of a piece of e-mail even when other parts of the headers have been forged. "To" and "From" lines from messages are insufficient evidence to correctly identify the source; both lines can be easily forged by anyone. The Received lines found in the headers reveal valuable information regarding the true origin of the message. Although forged Received lines can be inserted, spammers have no way of removing genuine Received lines placed by machines that relayed the message. It is simply a matter of distinguishing the facts from the forgeries.
For details on how to get the headers from your e-mail program, please visit the Header page.
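As an added example (not code from the SOS page), the Python below does the "facts from forgeries" step: it unfolds the headers, reads the Received lines newest-first, and walks down only while the receiving host is one of your own relays (assumed here to be hosts ending in .example.edu), so the connecting IP of the last trusted hop is the best-supported origin and every hop below it is treated as unverified. The headers, host names and RFC 5737 addresses are constructed.

```python
import re
# Constructed sample (example.edu stands for the receiving site; addresses are RFC 5737).
# The two lowest Received lines were written by the sender to claim a bogus origin; the
# two above were added by relays the sender does not control.
SAMPLE_HEADERS = """\
Received: from relay.example.edu (relay.example.edu [192.0.2.10])
\tby mail.example.edu with ESMTP id k7bQ; Mon, 21 Nov 2005 10:31:02 -0500
Received: from bogus.example.com (unknown [203.0.113.77])
\tby relay.example.edu with SMTP; Mon, 21 Nov 2005 10:30:58 -0500
Received: from mail.example.org ([198.51.100.9])
\tby bogus.example.com; Mon, 21 Nov 2005 10:30:00 -0500
Received: from trusted-bank.example (trusted-bank.example [198.51.100.1])
\tby mail.example.org; Mon, 21 Nov 2005 10:29:00 -0500
From: "Help Desk" <helpdesk@example.edu>
"""
RECEIVED_RE = re.compile(
    r"^from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)", re.I)
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def unfold(raw: str) -> list:
    """Join folded continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw: str) -> list:
    """Newest-first (by_host, claimed_from_host, connecting_ip or None) per Received line."""
    hops = []
    for line in unfold(raw):
        name, _, value = line.partition(":")
        if name.strip().lower() != "received":
            continue
        m = RECEIVED_RE.match(value.strip())
        if not m:
            continue
        # The IP the relay itself recorded (in parentheses) outranks the HELO name.
        ip_m = IP_RE.search(m["paren"] or "") or IP_RE.search(m["from"])
        hops.append((m["by"].lower(), m["from"].lower(), ip_m.group(1) if ip_m else None))
    return hops

def origin_candidate(raw: str, trusted_suffix: str):
    """Walk down while the receiving host is ours; the connecting IP of the last such
    hop is the best-supported origin. Hops below it could have been forged by the sender."""
    origin = None
    for by, _claimed, ip in received_hops(raw):
        if not by.endswith(trusted_suffix):
            break
        origin = ip
    return origin
```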
A. Am I allowed to experiment with security-related software tools using Penn State networking resources?
Unless you have the express written consent of the Director of ITS Security Operations and Services, you are prohibited from conducting or attempting to conduct security experiments, security scans, or the use of security-related software tools (Policy AD20 Computer and Network Security - Policy => II. Responsibilities Related To Access To And Use Of Computer And Network Resources => System Users => f.). Whether done purposefully or accidentally, the violation of any University Policies will result in a referral to OJA or OHR.
A. How can I communicate with groups of people at Penn State?
Establish or join a Listserv! There are online tutorials provided by ASET; please follow the URL http://lists.psu.edu.
If you intend to propagate chain mail, conduct a personal commercial enterprise, or send mass unsolicited mailings and news posts, we suggest that you obtain a private commercial account that does not have policies restricting said behavior. Such private accounts can be obtained from Internet Service Providers (ISPs). However, this does not protect you from other people filing complaints with us; in turn, we will contact your ISP. You must be sure that any use is consistent with the ISP's policies.
A. How do I handle e-mail that I suspect came with a computer virus?
NEVER open an attachment from a stranger, and be highly suspicious of attachments from friends. Worm-type viruses use the infected sender's personal Internet address files to distribute the virus among his or her unsuspecting acquaintances.
Penn State has a site license for Symantec Anti-Virus for students, staff, and faculty. We urge you to install an anti-virus program, or, if you already own one, to update the virus definition files.
Current information on today's viruses and worms:
For additional assistance, please contact:
A. For what purposes may I not use my Penn State University Access Account?
A. What can I do if Penn State University is blocking my mail?
Sometimes it appears as though Penn State is blocking your e-mail when, unfortunately, your IP address appears on a Dial-Up User List (DUL), a list that the University subscribes to but does not maintain. In that case, please have someone from your ISP go to the following URL and request that they be removed from the Dial-Up User List:
http://www.mail-abuse.com/removereq_dul.html
In order to determine if Penn State networks are blocking your e-mail, please submit the following information to security@psu.edu. It is crucial that we receive the full bounced message from complainants, including the following:
Final-Recipient: RFC822; <xxx@psu.edu>
Action: failed
Status: 5.1.1
Remote-MTA: dns; xxx.psu.edu (146.186.xxx.xxx)
Diagnostic-Code: smtp; 550 5.7.1 Rejected: 68.230.xxx.xx see http://aset.its.psu.edu/spamfilter.html for information
A. Can I share my access account with members of my family?
No, Penn State Access Accounts are intended for use by a single individual. Group Access Accounts will not be authorized. In extraordinary circumstances, they may be authorized under AD20 with the explicit written permission of the Senior Director of ASET. Each of the following conditions must hold for approval:
- The Account will be used for explicit purposes specified in writing.
- No other means exists for providing equivalent service.
- The service is deemed critical by the Senior Director of ASET.
- One person will be designated as responsible for the Group Account.
A. Can I use my roommate's Ethernet connection if my connection is disabled?
No, Penn State Access Accounts are intended for use by a single individual. If you find that your Ethernet connection is disabled, contact ResCom.
A. Can I set up a wireless connection in the Residence Halls?
No, as stated in AD20, "Respecting the physical hardware and network configuration of University-owned networks. System users must not extend the physical network on which their system resides (e.g., wiring, jacks, wireless connection)".
A. Can I upload copyrighted material that I purchased to my personal web space?
No, the possession and/or distribution (including making available online) of such files is in direct violation of state and federal laws and University policy. The University regards such copyright offenses very seriously. System users must remove any copyrighted materials that they do not have the copyright holder's specific permission to possess. As noted above, they must not place such material on University systems or on personally-owned systems attached to the University network at any time, and must not engage in unauthorized copying, transmission, distribution and/or downloading of such works.
A. Can I use my Penn State University user ID to advertise a commercial enterprise on my personal web space?
No, Penn State resources and services are intended for University-related use. Do not use these resources for purposes such as selling a product, running a profit-making business or sales position, or in conjunction with mass mailings. If you need to use the Web, e-mail, or Netnews for purposes unrelated to Penn State, use a commercial service. Many companies known as Internet Service Providers (ISPs) offer Web space and e-mail services. One method of finding an ISP is to use a search engine such as http://www.google.com/.
Also see the following policies:
A. Are two antivirus programs better than one?
When running Penn State's licensed antivirus program, Symantec, it is strongly recommended that you run only one antivirus program at a time. You may also wish to use a standard space browser. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. Your best defense against computer viruses and malicious programs is to keep your virus definitions up to date and run Norton AntiVirus Auto-Protect. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time. (The Norton AntiVirus module that is active in memory is named Auto-Protect. Other antivirus programs will have different names for this function.)