IT Solutions
> Zum Inhalt

Security Policy of the TU Vienna - How to?

Contact Addresses and Comments

Keyword: Security
Title: Security Policy of the TU Vienna - How to?
Author: Udo Linauer
Organisation: ZID
Version: 25th June 2005
Revised by: Andreas Klauda

Overview

This document contains a list of contact addresses maintained by the ZID as well as detailed explanations for the topics dealt with in the Security Policy. This document will be updated whenever necessary.

Versions

Here, revisions of the document with a short summary of the changes are noted.

Version 28th May 2000, 1st release

Contact Addresses

Support for the operation of a computer
ZID, Dept. Standardsoftware
Computer Help Line: 58801-42124
e-mail: help@zid.tuwien.ac.at
URL: http://www.zid.tuwien.ac.at/systempflege/
Problems with viruses
ZID, Information Security Officer

Prevention, Anti-virus software
ZID, Dept. Standardsoftware
 
e-mail: security@tuwien.ac.at

STS-Service-Line: 58801-42004
e-mail: help@zid.tuwien.ac.at
Network problems
ZID, Dept. Kommunikation
Hotline: 58801-42003
e-mail: trouble@noc.tuwien.ac.at
Problems with hackers
ZID, Information Security Officer
Tel: 58801- 42026
e-mail: security@tuwien.ac.at
Spam mail, phishing mail, viruses
ZID, Information Security Officer
e-mail: help@zid.tuwien.ac.at
Violations of netiquette
ZID, Information Security Officer
 
e-mail: help@zid.tuwien.ac.at
System Administration
Find a system administrator at TU Vienna
ZID, Dept. Kommunikation

Report changes in personnel
ZID, Dept. Kommunikation

Find system administrator world-wide
Europe:
USA:
Asia, Pacific:
 
URL: http://www.zid.tuwien.ac.at/tunet/tunet_datenbank/

 

e-mail: hostmaster@noc.tuwien.ac.at

 
URL: http://www.ripe.net/cgi-bin/whois
URL: http://www.arin.net/
URL: http://www.apnic.net/
Internet services for students
ZID, Dept. Zentrale Services

Problem Report System:
 
Hotline: 58801-42006

URL:https://service.zid.tuwien.ac.at/support

e-mail: studhelp@zid.tuwien.ac.at

Table of Violations

A. Use of electronic communication facilities for attacking individuals or groups of persons (disregarding "netiquette").

Repeated and undesirable sending of messages, distribution of insulting or harassing information as well as distributing false information about a person or a group of persons are violations against the standard "netiquette" of the internet. TU Vienna is an intensive user of the internet and a large organisation with members having different world views. Therefore it is necessary to define rules for the orderly use of electronic communication.

Violation Contact
A1) Distribution or circulation of information that vilification or insult of persons based on their skin colour, nationality, religion, sex, political attitude or sexual preferences.

A2) Distribution of private information of an individual or a group of persons.

A3) Repeated and undesirable sending of messages.
1. Contact the sender or originator of the message. Make the person aware of the violation against the Security Policy of the TU Vienna. Ask for data to be deleted, if necessary.


2. Send details to the ZID: help@zid.tuwien.ac.at

Important: Provide the contents of the message and all available information about the sender (e-mail header) or web address.

B. Use of electronic communication facilities obstructing the work of others

B1) Sending "mail bombs" or use of similar techniques that obstruct the work of others

Violation Contact
B1) Sending "mail bombs" or use of similar techniques.

1. Contact the originator of the attack. Make the person aware that such attacks constitute a violation of the Security Policy of the TU Vienna and demand that such persons cease and desist from making such attacks.

2. Send details to the ZID: security@tuwien.ac.at

Important: Provide the contents of the message and all available information about the sender (e-mail header).

B2) Deliberately wasting computing resources. This includes the consumption of inordinate amounts of resources (e.g. disk, printer, network), more than has been assigned, creating problems for others.

Violation Contact
B2) Deliberately wasting computing resources.

1. Contact the originator of the problem. Make the person aware that such attacks constitute a violation of the Security Policy of the TU Vienna and demand that such persons cease and desist from making such attacks.

2. Send details to the ZID: security@tuwien.ac.at

B3) Sending excessive electronic messages (spam mail), mainly for commercial use, is perceived as disturbing by most users and is not allowed. Official announcements of internal events, regulations etc. may be distributed, in analogy to in-house postal services.
In case of doubt, please ask for approval by the head of TU Vienna (Rektor) for TU-wide mailings or for approval by the dean (Dekan) for mailings within the faculty.
Announcements should be kept short and limited to the target group.
It is also allowed to install mailing lists, where people can subscribe.

Violation Contact
B3) Sending excessive electronic messages (spam mail).
Exception: distribution of official notes in analogy to in-house postal services.

1. Contact the originator of the message. Make the person aware that such attacks constitute a violation of the Security Policy of the TU Vienna and demand that such persons cease and desist from making such attacks. Attention, the return address can be falsified!

2.    Send details to the ZID: help@zid.tuwien.ac.at

Important: Provide the contents of the message and all available information about the sender (e-mail header).

B4) Electronic chain letters are usually harmless and more or less informative. They cause however costs (e.g. telephone charges) and often are designed to block mail servers (for example a competing company) or even parts of the internet. Therefore it is not permitted to send electronic chain letters or bring them into circulation. You should be aware that software companies usually dont send notifications about security problems through electronic mail and never ask you to further distribute this information. Also organizations concerned with security issues or virus problems send information only on request. Whenever you are asked to send an e-mail to as many persons as possible, this is certainly considered an e-mail chain letter.

Violation Contact
B4) Sending or forwarding electronic chain letters.

1. Contact the originator of the message. Make the person aware that such attacks constitute a violation of the Security Policy of the TU Vienna and demand that such persons cease and desist from making such attacks.

2. Send details to the ZID: help@zid.tuwien.ac.at

Important: Provide the contents of the message and all available information about the sender (e-mail header).



 B5) Manipulation of electronic data. This encompasses editing or corrupting data without explicit agreement of the owner.

If you become aware of any kind of data manipulation, do the following:

1. As a user

a. If your own documents have been manipulated, first of all check permissions and change your password immediately.

b. If you need assistance, contact the responsible system administrator.

c. Inform the responsible system administrator if you suspect someone to have manipulated data.

d. Notify the responsible system administrator, if you have observed the manipulation of data of others.

2. As system administrator

a. When you are notified, review the information on correctness.

b. Thoroughly check your computer (esp. on security issues).

c. If you know the originator of the manipulation, bar access. If there was no access authorization, D2) applies (access violation).

Violation Contact
B5) Manipulation of electronic data.

1. Contact the originator. Make the person aware that such attacks constitute a violation of the Security Policy of the TU Vienna and demand that such persons cease and desist from making such attacks. Inform the system administrator.

2. If you cannot resolve the problem yourself, contact the ZID: security@tuwien.ac.at

B6) Attempting to gain unauthorized access to information resources. Unauthorized access to read or copy data is not permitted. Exception: backups made by the system administrator and deleting data, if technically necessary (e.g. temporary files) or explicitly required by the Security Policy.

Violation Contact
B6) Attempting to gain unauthorized access to information resources.

1. Contact the originator. Make the person aware that such attacks constitute a violation of the Security Policy of the TU Vienna and demand that such persons cease and desist from making such attacks. Inform the system administrator.

2. If you cannot resolve the problem yourself, contact the ZID: security@tuwien.ac.at

C. Violation against license agreements or other contractual agreements

C1) Copying and distributing of copyright protected material on computers of the TU Vienna and/or over networks of the TU Vienna, in contradiction to license agreements or other contracts.

If you become aware of a copyright violation, do the following:

1. As a user

a. Contact the owner of the data and check legal implications.

b. Report to the responsible system administrator.

2. As system administrator

a. When you are notified, review the information on correctness.

b. Contact the owner of the data and check legal implications.

c. You have to delete the data, if the originator is not willing to do so.

Violation Contact
C1) Copying and distributing of copyright protected material on computers of the TU Vienna and/or over networks of the TU Vienna, in contradiction to license agreements or other contracts.

1. Contact the originator. Make the person aware of the violation against the Security Policy of the TU Vienna, and ask to immediately delete data.

2. Send details to the ZID: security@tuwien.ac.at

C2) Disclosure of access authorization or making access available to others (with or without charge) without permission covered by agreements.

Access authorization is granted in concordance with the TUNET Acceptable Use Policy. Undocumented passing of access authorizations to others is not permitted and complicates the analysis of security problems.

If you become aware of a violation, do the following:

1. As a user

a. Report to the responsible system administrator.

2. As system administrator

a. Bar the unauthorized access.

b. Take the computer from the net, if no permission for TUNET exists, and report to the ZID.

Violation Contact
C2) Disclosure of access authorization or making access available to others (with or without charge) without permission covered by agreements.

1. Contact the originator. Make the person aware of the violation against the Security Policy of the TU Vienna, and demand a written notice.

2. Send details to the ZID: security@tuwien.ac.at

D. Use of electronic communication facilities for attacking computers, networks or services

D1) Portscans (automated exploring of servers and services). Exception: security tests by arrangement with the system administrator. Portscans often are the first step of a hacker attack, where computers are scanned for vulnerabilities.

Violation Contact
D1) Portscans (automated exploring of servers and services). Exception: security tests by arrangement with the system administrator.

1. Contact the originator of the problem. Make the person aware of the violation against the Security Policy of the TU Vienna and demand a written notice.

2. Send details to the ZID: security@tuwien.ac.at

Provide relevant log files.

D2-D3) Unauthorized access to information resources or attempting to gain unauthorized access (hacking) and so-called Denial-of-Service-Attacks (DoS) are the most severe violations of the Security Policy. A successful hacker attack violates several rules, among them Unauthorized access to information resources and the use of these resources as a basis for attacking other computers.

Because D2) and D3) represent a particular risk for the TUNET, these violations must be reported to the responsible system administrator as well as to the Information Security Officer at the ZID.

Violation Contact
D2) Unauthorized access to information resources or attempting to gain unauthorized access (hacking). Exception: security tests by arrangement with the system administrator. Any hacking activities must be reported to the ZID!

D3) Damaging or interfering with electronic services (denial of service attacks). Must be reported to the ZID!
1. Contact the system administrator of the computer or network that causes the attacks. Make the person aware of the violation against the Security Policy of the TU Vienna, and demand further prevention of the attacks.

and

2.    Report to the ZID: security@tuwien.ac.at

Provide relevant log files.

D4) Distribution or circulation of viruses, computer worms, trojan horses, or other destructive programs.

These programs are malicious and may:

1. Damage data
2. Provide unauthorized access
3. Cause damage to others
4. Image loss through 1-3

These programs spread almost automatically. Only suitable anti-virus software can guarantee protection. The department "Standardsoftware" of the ZID offers anti-virus software for reasonable prices for institutes of the TU Vienna. Contact http://www.zid.tuwien.ac.at/campussoftware/, or STS-Service-Line: 58801-42004 or e-mail help@zid.tuwien.ac.at.

Violation Contact
D4) Distribution or circulation of viruses, computer worms, trojan horses, or other destructive programs.

1. Contact the originator of the problem. Make the person aware of the violation against the Security Policy of the TU Vienna and demand a written notice.

2. Send details to the ZID: security@tuwien.ac.at

Provide relevant log files.

D5) Spying out of passwords or the attempt to spy out (password sniffer).

Violation Contact
D5) Spying out of passwords or the attempt to spy out (password sniffer).

1. Contact the originator of the problem. Make the person aware that such attacks constitute a violation of the Security Policy of the TU Vienna and demand that such persons cease and desist from making such attacks.

2. Send details to the ZID: security@tuwien.ac.at

D6) Manipulation or forgery of mail headers, electronic directories or other electronic data, especially attempting to impersonate someone else, IP-spoofing, etc.

Remarks:

1. Attempting to impersonate someone else is a violation of the Security Policy of the TU Vienna. e-mail may, however, be sent anonymously or using a pseudonym.

2. Exception: use of Network Address Translation (NAT) or similar technologies in case of a firewall.

Violation Contact
D6) Manipulation or forgery of mail headers, electronic directories or other electronic data, especially attempting to impersonate someone else,

IP-spoofing, etc. Exception: use of Network Address Translation (NAT) or similar technologies in case of a firewall

1. Contact the originator of the problem. Make the person aware that such attacks constitute a violation of the Security Policy of the TU Vienna and demand that such persons cease and desist from making such attacks.

2. Send details to the ZID: security@tuwien.ac.at

D7) Taking advantage of recognized security loopholes and/or administrative shortcomings.

Remark:

1. If you as a user of a computer become aware of an information security problem, you are obliged to inform the system administrator and to demand repair.

Violation Contact
D7) Taking advantage of recognized security loopholes and/or administrative shortcomings.

Contact the originator of the problem. Make the person aware of the violation against the Security Policy of the TU Vienna and demand a written notice.

1. Send details to the ZID: security@tuwien.ac.at

Sample Protocol

Report No.: ............................................... Date: ........................................

 

User ID: .............................................

 

Name: .......................................................

 

System/Service: ....................................................................................................................

 

Complaint made by: ...............................................................................................................

 

Person in charge: ..................................................................................................................

Violation:

  • Discrimination (A-1)
  • Sensitive Information (A-2)
  • Harassment (A-3)
  • Mail bombs (B-1)
  • Wasting of resources (B-2)
  • Spam mail (B-3)
  • Chain letters (B-4)
  • Data Manipulation (B-5
  • Data access (B-6)
  • Copyright violation(C-1)
  • Pass on access rights (C-2)
  • Portscan (D-1)
  • Hacker (D-2)
  • Denial of Service (D-3)
  • Virus etc. (D-4)
  • Passwort Sniffer (D-5)
  • Spoofing (D-6)
  • Taking advantage of loopholes (D-7)
  • Known security loopholes
  • Other ............................................................................................................................

 

 

 

Description: ......................................................................................................................

 

.......................................................................................................................

 

.......................................................................................................................

 

Measures taken: ......................................................................................................................

 

.......................................................................................................................

 

.......................................................................................................................

 

Explanations: .......................................................................................................................

 

.......................................................................................................................

 

.......................................................................................................................

 

Person in charge: ....................................... Seen by: .......................................