To: All GCN Sites
20:00 UT 14 Feb 03
Re: The original GCN Notices back on-line

More good news. The GCN Notices are back on line. The system was repaired and new security patches installed. The system was back on the air at 21:00 UT 14 Feb 03. GCN went offline initially at ~21:30 UT 13 Feb 03. In the meantime, I was able to get a version running on another machine that was distributing emails and some sockets (the other socket sites that were behind firewalls were not possible from this interim machine). The total downtime was ~5 hours for most sites, and almost 24 hours for those socket sites behind firewalls. But now that the original computer (capella.gsfc.nasa.gov) is back up & running the GCN system, the original firewall entries will be applicable again.

I believe everything is back in order and functioning properly (there were lots of investigations as a result of this hacker), but it is not possible to be absolutely sure, so please inform me if you see any problems or odd behaviour from your end.

My apologies for this outage. Be assured that even more steps are being taken to prevent similar such occurrences in the future.

Sincerely,
Scott Barthelmy


To: All GCN Sites
Re: GCN Notices back on-line

PART 2 (a status update message, 02:30 UT 14 Feb 03):

Some good news. I was able to port the GCN program to another machine (gcn1.gsfc.nasa.gov) as a temporary solution until the original capella machine can be put back on the air tomorrow. And it is now running with the normal set of sites.

The bad news is that about half of the socket sites are not connecting ("connection refused"). I suspect this is due to firewalls at those sites that have been programmed to only let the capella.gsfc.nasa.gov machine in through each firewall. There is some delay during connection attempts in this interim setup due to the usual subset of socket sites that do not connect (they are offline). The email sites are unaffected by this machine change.

More than 95% of the sites are back to normal service by GCN (a 5-hr gap). This interim-GCN is connected to HETE and to INTEGRAL, and is distributing the normal set of imalive packets, test Notices, and any GRB notice that might be generated by HETE and INTEGRAL.

Sincerely,
Scott Barthelmy


PART 1: Original message from 01:30 UT 14 Feb 03

To: All GCN Sites
Re: GCN Notices off-line due to hacker attack

Around 20:00 UT today (13 Feb 03), the GCN computer (capella) was compromised by a hacker. At ~21:30 the Goddard IT Security office blocked all incoming and outgoing internet activity for capella. With this block, the GCN Notices system is off-line to the rest of the world; there can be no socket connections or email Notices. (Please note that this does NOT affect the Circulars. The GCN Circulars is on a separate computer which is still operating, so any Circulars submitted will be distributed to the Circulars list. It is only the Notices that is off-line.)

I immediately started the reconstruction and recertification of the machine, but given that this happened late in the normal business day, the work will not be completed until sometime tomorrow (Friday). The Goddard IT Security office needs to sign off that capella is safe, and they cannot do that until normal business hours. I will keep you posted.

After 10.5 years of hacker-free operations, GCN has finally fallen. There have been 3 previous attacks, but they never compromised the system because of a combination of the normal system protections and special protections I had implemented.

This has been a particularly bad day following within a day of the INTEGRAL distribution problem. These are totally coincidental, but it does not make me feel any better.

I apologize for the loss of service (18-24 hrs is expected).

Sincerely,
Scott Barthelmy