<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" href="/style.css" type="text/css" />
<script type="text/javascript" src="/jquery.min.js"></script>
<title>CERN Computer Security Information</title>
<script type="text/javascript">
$(document).ready(function(){
  // Menu highlight
  var path = location.pathname.split("/");
  if ( path ) {
    $('#main_menu a[href*="' + path[1] + '"][class!="noselect"]').addClass('selected');
    // path[3] = /security/<xxxxx>/
    $('#sidebar ul.sidemenu li[class!="noselect"]:has(a[href$="' + path.reverse()[0] + '"])').addClass('selected');
  }
  // Add icon to external links
  $('a[id!=logo-img]').filter(function() {
    return this.hostname && this.hostname !== location.hostname;
  }).after(' <img src="/images/external_link.png" alt="external link" title="external link"/>');
});
</script>
</head>
<body>
<div id="wrap">
<div id="top-bg"></div>
<!--header -->
<div id="header">
<div id="logo-text"> <a id="logo-img" href="https://home.cern/"><img src="/images/CERNLogo2.png" width="59" height="59" style="margin: 10px" alt="CERN Logo"/></a><div id="logo-text-big"><a href="/home/en/index.shtml" title="">CERN Computer Security</a></div> </div>
<div id="header-logo"><a href="/services/en/emergency.shtml"><img width="335" src="/images/emergency.png" alt="Computer Emergencies"/></a></div>
</div>
<!--header ends-->
<div id="header-photo"></div>
<!-- navigation starts-->
<div id="nav">
<ul id="main_menu">
<li><a class="noselect" href="/home/fr/index.shtml"><img src="/images/fr.png" alt="FR"/></a></li>
<li><a href="/home/en/index.shtml">Home</a></li>
<li><a href="/rules/en/index.shtml">Computing Rules</a></li>
<li><a href="/recommendations/en/index.shtml">Recommendations</a></li>
<li><a href="/training/en/index.shtml">Training</a></li>
<li><a
href="/services/en/index.shtml">Services</a></li>
<li><a class="secured" href="/reports/en/index.shtml">Reports &amp; Presentations</a></li>
</ul>
</div>
<!-- navigation ends-->
<!-- content-wrap starts -->
<div id="content-wrap">
<div id="main">
<h2>Remote Login Notifications</h2>
<p>The goal of the "Remote Login Notification" sent to users is to detect compromised accounts.</p>
<p>In the past, we have seen compromised (Linux or Windows) computers or Web applications at remote sites, labs or universities stealing passwords from those who log into these computers. Users might not necessarily notice that their password got stolen, and continue to connect to CERN using SSH, CERN SSO, or the CERN Terminal Service. Usually they do this from a <i>small number of defined locations</i>, e.g. from home or from their university. Attackers who have gained knowledge of the credentials of a particular user will also use these credentials to connect to CERN, but not necessarily from that user's "usual" locations.</p>
<p>Therefore, each time the Security Team detects a new connection from a location "never" used before, the user will be sent such a "Remote Login Notification" ("never" means not within the last few months). This "new" domain or location can be a conference venue or a hotel used during private or professional travel. For each new connection, there are two possibilities:</p>
<ul>
<li>If this connection was a <b>legitimate connection</b>, e.g. if you were indeed connecting from that conference hotel or from a friend's home, everything is fine and no further action is expected;</li>
<li>If this connection was <b>not initiated by you</b>, you are advised to <b>contact <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a></b>, since your account has most likely been misused;</li>
<li>If in doubt, we recommend that you <a href="https://account.cern.ch/account/CERNAccount/ChangePassword.aspx">change your password</a>.</li>
</ul>
<p>Notifications will only be sent for each new domain or geographical location, but not for every new IP in that domain. In any case, the new domain or location will be whitelisted, so you are not notified when using it again. Given our past experience, we accept that we might not detect a compromised account if the attacker uses the same location as you. Only if a domain/location remains idle for about three months will we purge it from the whitelist. You can access and remove your locations on this <a href="https://my-logins.web.cern.ch/">dedicated webpage</a>.</p>
<p>Please note that for humans, "locations" are much easier to understand than "IP addresses". Therefore, we are using a geolocation service to try to give you an idea of where this IP belongs. Usually this works pretty well, but sometimes there are mismatches. Have mercy. Check for example at <a href="http://en.utrace.de">http://en.utrace.de</a> and type in the IP address you want to locate.</p>
<p>Also note that CERN offers multiple ways to access its services, including Web, Mail, and SSH. There is constant work to improve the quality of the "Remote Login Notifications", but not all authenticated services can be covered at this time.
As a result, depending on the authentication service used, you may or may not receive a notification.</p>
</div>
<!-- main ends -->
<!-- SIDEBAR -->
<!-- sidebar menu starts -->
<div id="sidebar">
<ul class="sidemenu">
<li><a href="/home/en/privacy_statement.shtml">Privacy Statement</a></li>
</ul>
<h3>Computer Security Incident Response</h3>
<ul class="sidemenu">
<li><a href="/services/en/emergency.shtml">Emergencies</a></li>
<li><a href="/services/en/sems.shtml">Self-mitigation portal</a></li>
</ul>
<h3>Consulting, Pentesting &amp; Reviews</h3>
<ul class="sidemenu">
<li><a href="/services/en/reviews.shtml">...on request</a></li>
<li><a href="/services/en/whitehats.shtml">CERN WhiteHat Challenge</a></li>
</ul>
<h3>Host-Based Intrusion Detection</h3>
<ul class="sidemenu">
<li><a href="/services/en/csl.shtml">Central security logging</a></li>
<li><a href="/services/en/password_dumps.shtml">Password Dump Notifications</a></li>
<li><a href="/services/en/receipts.shtml">Remote Login Notifications</a></li>
</ul>
<h3>Traffic Control &amp; Monitoring</h3>
<ul class="sidemenu">
<li><a href="/services/en/dns.shtml">DNS analysis</a></li>
<li><a href="/services/en/ids.shtml">Network-based intrusion detection</a></li>
<li><a href="/services/en/firewall.shtml">The CERN outer perimeter firewall</a></li>
<li><a href="/services/en/dnim.shtml">Statistical traffic analysis</a></li>
<li><a href="/services/en/spam.shtml">SPAM filtering</a></li>
</ul>
<h3>Vulnerability Scans</h3>
<ul class="sidemenu">
<li><a href="/services/en/device_scans.shtml">Device scans</a></li>
<li><a href="/services/en/network_scans.shtml">Network scans</a></li>
<li><a href="/services/en/passwords.shtml">Password cracking</a></li>
<li><a href="/services/en/web_scans.shtml">Web application scans</a></li>
</ul>
</div>
<!-- sidebar menu ends -->
<!-- content-wrap ends-->
</div>
<!-- footer starts -->
<div id="footer-wrap">
<div id="footer-bottom"> &copy; Copyright 2024<strong> <a href="https://cern.ch/security">CERN Computer Security
Office</a></strong> <table> <tr> <td id="footer-info-left"> e-mail: <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a><br/> Please use the following PGP key to encrypt your messages:<br/> ID: 0x954CE234B4C6ED84<br/> <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/429D60460EBE8006B04CDF02954CE234B4C6ED84">429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84</a> </td> <td id="footer-info-right"> Phone: +41 22 767 0500<br/> Please listen to the recorded instructions. </td> </tr> </table> </div> </div> <!-- footer ends--> </div> <!-- wrap ends here --> <!--img height=30px src="/home/en/CERNfooter_800.png"--> </body> </html>
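
The notification rule described on this page (notify once per new domain or location rather than per IP, whitelist it immediately, purge it after about three months idle) can be modelled as follows. This is an added example, not CERN's code: the class and function names, the 90-day window, the choice to key on the domain when known and on the geolocated place otherwise, and the sample logins are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

IDLE_PURGE = timedelta(days=90)  # assumption: the page says "about three months"

def location_key(domain, geo):
    # Assumption: key on the source domain when known, else on the geolocated
    # place; never on the raw IP, so new IPs in a known domain stay silent.
    return ("domain", domain.lower()) if domain else ("geo", geo)

class LoginLocations:
    def __init__(self):
        self.known = {}  # user -> {location key -> last time seen}

    def observe(self, user, domain, geo, when):
        """Record one login; return True when a notification is due."""
        seen = self.known.setdefault(user, {})
        # Purge locations idle for longer than the window before deciding.
        for key in [k for k, last in seen.items() if when - last > IDLE_PURGE]:
            del seen[key]
        key = location_key(domain, geo)
        is_new = key not in seen
        seen[key] = when  # whitelisted at once: no repeat notification
        return is_new

    def remove(self, user, domain, geo):
        """User deletes a location, so its next login notifies again."""
        return self.known.get(user, {}).pop(location_key(domain, geo), None) is not None

# Constructed sample logins (documentation IP ranges, example domains).
EVENTS = [
    ("alice", "192.0.2.10",   "uni.example",   "Geneva, CH", "2024-01-10"),
    ("alice", "192.0.2.77",   "uni.example",   "Geneva, CH", "2024-01-11"),
    ("alice", "198.51.100.5", None,            "Lisbon, PT", "2024-01-20"),
    ("alice", "203.0.113.9",  "hotel.example", "Lisbon, PT", "2024-01-21"),
    ("alice", "192.0.2.10",   "uni.example",   "Geneva, CH", "2024-05-15"),
]

def replay(events):
    tracker = LoginLocations()
    notified = []
    for user, ip, domain, geo, day in events:
        when = datetime.strptime(day, "%Y-%m-%d")
        if tracker.observe(user, domain, geo, when):
            notified.append((day, ip, domain or geo))
    return notified

if __name__ == "__main__":
    for row in replay(EVENTS):
        print("notify:", row)
```

The second login stays silent because only the IP changed within a known domain, which is also the blind spot the page accepts: a login from an already whitelisted location never notifies. The last login notifies again because that domain had been idle for more than the purge window.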
