The Fermilab Computer Security Team administers the
laboratory's computer security program and provides the Fermilab
community with technical expertise and up-to-date information and
resources for improving computer security.
- March, 2012: The *MeNow tools (ScanMeNow, PortScanMeNow, etc) have been deprecated due to major changes implemented by the vendor of the underlying technologies
- Oct 5, 2012: FNAL Critical Vulnerability: Exposing Adobe ColdFusion Servers to the Internet
- November 6, 2012 Computer Security Awareness Day 2012
- June 19, 2012: FNAL Critical Vulnerability: Hypernews
- June 14, 2012: Cumulative Security Update for Internet Explorer (MS012-037)
- June 14, 2012: RE-RELEASE: Vulnerability in RDP (MS12-020)
- March 16, 2012: Vulnerability in RDP (MS12-020)
- December 27, 2011: FNAL Critical Vulnerability: Telnet server (telnetd) remote code execution
- December 8, 2011: Computer Security Awareness Day includes schedule of ITNA-required and Speed Session courses.
- November 11, 2011: FNAL Critical Vulnerability: Vulnerability in TCP/IP (MS11-083)
- August 24, 2011: FNAL Critical Vulnerability: Flexera FlexNet/FlexLM License Manager
- November 9, 2010: Computer Security Awareness Day Schedule of ITNA-required and optional courses.
- August 2, 2010: FNAL Critical Vulnerability - Windows .LNK handling (MS10-046)
- November 6, 2009: Updated Get-Cert package for Mac OSX adding the -t
option to get certificate from the Test KCA server, fix success message
handling. (includes fixing use of the encryption password for Globus
- September 22, 2009: Security Awareness Day 2009
Schedule of presentations for Security Awareness Day 2009
- September 16, 2009: Get-Cert for Mac OSX
fixed an error which caued the get-cert.sh script to not work
under 10.6 and some 10.5 systems. Please re-download this version..
- September 10, 2009: See Tools
page for a script fo make keytab for use with kcron in a shared (no
Kerberos principal account). This script be will added to the Fermi
Kerberos Tools for SLF 4 and 5.
- September 4, 2009: Get-Cert for Mac OSX updated with new kx509 binaries (v1.05 supports -s server option and 1024-bit keys) and fixes to support Leopard (10.5) and Snow Leopard (10.6).
- May 22, 2009: Updated the Proxy Server Manual Configuration document with more details on how to configure a web browser for explicit proxy operation.
- May 22, 2009: Updated the FNAL Site Proxy Servers FAQ
- May 8, 2009: Published the FNAL Patching timeline
- May 7, 2009: New version of get-cert for Mac is
available on Tools page. This code should also work on linux. We'd
appreciate testing and feedback on both platforms so that, if poosible,
we can merge both tools and just have one "unix-like" get-cert
- April 20, 2009: How to forward syslog to CST
- April 20, 2009: Info about Detecting system changes with checksums posted
- April 20, 2009: April 13, 2009: New Thunderbird Add-On: View Switch (Quickly switch your message pane between HTML, Simple HTML, RAW and Plain Text)
- April 10, 2009: Check out the Cert Manager Firefox/Thunderbird Extension! (it allows for a shortcut to the Certificate Store manager)
- April 3, 2009: Updated the krb5.conf
file to V2.10, added SERVICES domain to [realms].
- April 2, 2009: New KCA Service FAQ
- April 1, 2009: New Authentication Policy. Be sure to read!
- September 5, 2008: Created instructions on how to manually configure your web browser to test the new Proxy Servers.
- August 26, 2008: Released a new CA Certificate
for the Fermilab Kerberized Certificate Authority servers (KCA) as the
old CA certificate expires in October of 2008. The new CA
Certificate expires in 2018. See the page on CA Certificate Downloads for information on downloading and installing the Fermilab KCA CA Certificate.
- May 28, 2008: Swtiched to new
production KCA servers with new Subject Distringuished Names
for people and
- May 8, 2008: Added a list of the
KCA certficate Distinguished
Names for robots (special Kerberos
principals) which will be issued by the new KCA
- May 2, 2008: Added initial list of the
KCA certficate Distinguished
Names for people
which will be issued by the new KCA servers.
- April 22, 2008: FAQ concerning the new KCA service
- April 3, 2008: Instructions for
forwarding apache access, error, etc logs to central logging can be
Apache baseline is CD-DocDB # 1536. RA policies are #2336 and #2360.
- January 11, 2008: See Issues with
for instructions on dealing with expired certificates in your
certificate stores. Some of you may have an expired DOEGrids
certificate which might be causing problems.
- December 11, 2007: Added start of
How-To Guide on Notes
on Changing Your Kerberos Passwords.
- October 9, 2007: Changed the
files used to generate DOEGrids host/service certificate requests to
include a single CN in the DN; for multi-home nodes use a regular
expression such as (a|b|c|d).fnal.gov
for this CN.
- August 30, 2007: Updates on Tools page,
linking to newer release of Win32OpenSSL and removed the link to
Kerberos Client-only for Windows/Cygwin as this package is no longer
supported and very much out of date.
- August 15, 2007: DOEGrids Certificate Users:
Please renew (replace) your personal certificates as soon as you
receive the renewal notice E-mail from DOEGrids.org. Do Not Wait until
the expiration date since the pki1.doegrids.org
service site will not accept expired certificates for authentication.
- April 9, 2007: Updated the krb5.conf
file to match the Kits Test
version (V2.4) adding the CERN.CH realm.