
[vsnet-grb 648] GCN Notices is back online



To:  All GCN Sites                                        20:00 UT 14 Feb 03
Re:  The original GCN Notices back on-line

More good news.
The GCN Notices are back on line.  The system was repaired and new security
patches installed.  The system was back on the air at 21:00 UT 14 Feb 03.
GCN went offline initially at ~21:30 UT 13 Feb 03.  In the meantime,
I was able to get a version running on another machine that was distributing
emails and some sockets (the other socket sites that were behind firewalls
were not possible from this interim machine).  The total downtime was ~5 hours
for most sites, and almost 24 hours for those socket sites behind firewalls.
But now that the original computer (capella.gsfc.nasa.gov) is back up & running
the GCN system, the original firewall entries will be applicable again.

I believe everything is back in order and functioning properly (there were lots
of investigations as a result of this hacker), but it is not possible
to be absolutely sure, so please inform me if you see any problems or
odd behaviour from your end.

My apologies for this outage.  Be assured that even more steps are being taken
to prevent similar such occurrences in the future.

Sincerely,
Scott Barthelmy


FYI:  The previous status messages on this matter and your site's current
configuration are appended below.



////////////////////////////////////////////////////////////////////////////
PART 2 (a status update message, 02:30 UT 14 Feb 03):
To:  All GCN Sites
Re:  GCN Notices back on-line


Some good news.
I was able to port the GCN program to another machine (gcn1.gsfc.nasa.gov)
as a temporary solution until the original capella machine can be put back
on the air tomorrow.  And it is now running with the normal set of sites.
The bad news is that about half of the socket sites are not connecting
("connection refused").  I suspect this is due to firewalls at those sites
that have been programmed to only let the capella.gsfc.nasa.gov machine
in through each firewall.  There is some delay during connection attempts
in this interim setup due to the usual subset of socket sites that do not connect
(they are offline).  The email sites are unaffected by this machine change.
More than 95% of the sites are back to normal service by GCN (a 5-hr gap).

This interim-GCN is connected to HETE and to INTEGRAL, and is distributing
the normal set of imalive packets, test Notices, and any GRB notice
that might be generated by HETE and INTEGRAL.

Sincerely,
Scott Barthelmy


////////////////////////////////////////////////////////////////////////////
PART 1:            Original message from  01:30 UT 14 Feb 03
To:  All GCN Sites
Re:  GCN Notices off-line due to hacker attack

Around 20:00 UT today (13 Feb 03), the GCN computer (capella) was compromised
by a hacker.  At ~21:30 the Goddard IT Security office blocked all
incoming and outgoing internet activity for capella.  With this block,
the GCN Notices system is off-line to the rest of the world;  there can be no
socket connections or email Notices.  (Please note that this does NOT affect
the Circulars.  The GCN Circulars is on a separate computer which is still
operating, so any Circulars submitted will be distributed to the Circulars list.
It is only the Notices that is off-line.)

I immediately started the reconstruction and recertification of the machine,
but given that this happened late in the normal business day,
the work will not be completed until sometime tomorrow (Friday).
The Goddard IT Security office needs to sign off that capella is safe,
and they can not do that until normal business hours.  I will keep you posted.

After 10.5 years of hacker-free operations, GCN has finally fallen.  There have
been 3 previous attacks, but they never compromised the system because of a
combination of the normal system protections and special protections
I had implemented.

This has been a particularly bad day  following within a day of the INTEGRAL
distribution problem.  These are totally coincidental, but it does not make
me feel any better.  I apologize for the loss of service (18-24 hrs is expected).

Sincerely,
Scott Barthelmy

////////////////////////// Your Current Configuration ///////////////////////////


Site_name: VSNET
Lon,Lat=  135.75   35.00
Distribution_method: EMAIL  
Address: vsnet-grb@kusastro.kyoto-u.ac.jp   
Filter:  ALL
Error_limit=   360.100 [deg, diameter]
Delta_T_limit= 999.900 [hr]
Sources & Notice Types/Subtypes:
    RXTE-PCA_Alert_wont:     Enabled
    RXTE-PCA_Alert_will:     Enabled
    RXTE-PCA_nosaw:          Enabled
    RXTE-PCA_saw:            Enabled
    RXTE-ASM:                Enabled
    IPN_POS:                 Enabled
    ALEXIS:                  Enabled
    RXTE-ASM_TRANS:          Enabled
    HETE_S/C_ALERT:          Enabled
    HETE_S/C_UPDATE:         Enabled
    HETE_S/C_LAST:           Enabled
    HETE_GND_ANA:            Enabled
    HETE_Test_notices:       Disabled
    Test_type2_notices:      Disabled
    INTEGRAL_Test_notices:   Disabled
    INTEGRAL_POINTDIR:       Enabled
    INTEGRAL_SPIACS:         Enabled
    INTEGRAL_WAKEUP:         Enabled
    INTEGRAL_REFINED:        Enabled
    INTEGRAL_OFFLINE:        Enabled

