March 26, 2010

For the past few weeks, hackers have tried to guess Email passwords for users in this and other faculties which rely on Nexus for authentication.

While our password rules are strong enough to prevent this strategy from successfully trying all the combinations necessary (one is only allowed 10 failed password attempts per 10 minutes), it creates a new problem. Accounts the hackers are trying to guess get locked out for 10 minutes at a time, and the real user on campus cannot log on, or his N: drive disappears. The result is a real denial of service for the valid user.

We have been manipulating firewall rules over the last few weeks as the hackers shifted tactics, favouring on-campus reliability over off-campus convenience.

This week the hackers started to use Gmail servers to hack. There were approximately 1,000 bad password attempts per day from the Gmail servers and thus many locked out Nexus users. We were unsuccessful in seeking cooperation from Google to fix the problem.

The short-term solution was to block Gmail servers from logging into Engmail. It has proven effective so far; the attacks have disappeared.

The long-term campus-wide strategy will be to deploy a VPN (virtual private network) and deny all off-campus machines from attaching to Email servers unless they first pass through the VPN. Thus Gmail will be prevented from accessing all on-campus Email IMAP/POP services.

Access to Email off campus is permitted by MyWaterloo.ca, or by forwarding one's mail to the off-site provider.

We apologize for any inconvenience this causes, but it has been necessary in order to provide reliable on-campus access.

Erick Engelke
Director, Engineering Computing