HomeIncident Report

Security Incident Report

In the event of a computer security incident (such as virus infection of the device you are managing/operating or any illegal intrusion by a hacker), you are required to submit an incident report to the address specified below.

Incident Report Forms and Where to Submit Them

Where to Submit
(via e-mail)
* Put at the end of the above-mentioned address.

How to respond to a security incident

If a virus infection is detected:

  1. Unplug the network cable from the computer immediately.
  2. Identify the virus and remove it using anti-virus software.
  3. Apply the latest security patches available from the Windows Update website, etc.
  4. Send an Incident Report to the network committee members of departments and centers as well as the IMC.
  5. When using a P2P program, you need to submit a “Report on the Inappropriate Use of TUT Network” to the IMC.

Regarding virus e-mails with spoofed addresses

Many of virus mails use spoofed addresses.
Take the example below. This e-mail’s sender is At a glance, you may mistakenly think that this is an e-mail from TUT.
However, a closer look at the header finds that " []" is the origin of the message, pretending to be from TUT.

Received: from ( [])
by (Postfix) with ESMTP id E6B4348C7
for <>; Tue, 27 Jan 2004 17:46:03 +0900 (JST)
Received: from ( [] (may be forged))
↑ A string in brackets is considered to be the real sender.
by (8.9.3p2/3.7W) with ESMTP id RAA24795
for <>; Tue, 27 Jan 2004 17:45:59 +0900 (JST)
↑ This part is faked.
Message-Id: <>
Subject: test

There is currently no effective solution to the issue of e-mail spoofing.
When an e-mail is sent from someone pretending to be someone else, as in the above case, it is no solution to send an e-mail to complain about it. To effectively prevent yourself from falling prey to spoofing, it is very important to look at the header with careful attention.

* Importance: the same applies to spam e-mails.

Check your password to prevent system hacking

Many system hacking incidents have recently been reported to us.
One very common example is ssh password hacking, a case in which an account with a fragile password is hijacked, through which a server root privilege is taken over.
The hacker use this server to carry out password hacking attacks against other servers (including those outside the University). Another case is that a hijacked server was used to create a phishing website, from which e-mails pretending to be from a specific company were sent to many people to lead them to this fake website.
The IMC is currently working on countermeasures against these issues. You are strongly advised to check to ensure that the servers you manage have no fragile passwords.
(In the past, there was a case of a TUT graduate’s account becoming a target of a hacking attack. Be sure to conduct a thorough check.)

If you detect any hacking:

  • Unplug the network cable from the computer immediately, and notify the IMC.
  • Do not reboot the computer after unplugging the network cable from it; otherwise, vital evidence will be lost.
  • You are asked to cooperate by keeping logs and other evidence, so that we can obtain as much positive proof as possible of this attack having been made by an outsider, rather than from inside the University.

Cautions in password settings

  • Avoid easy passwords.
    Most common passwords you should avoid are: a word/term, place name, personal name, those spelled in opposite directions, and those with numerical numbers put at the beginning or at the end.
  • Increase the number of characters (More than seven characters long is recommended.)
  • Use a mix of letters (upper case and lower case), numbers and special characters
  • Change your password on a regular basis

Good examples (Passwords that are easy to remember but hard to break)

  • Combine two words, with numbers between them.
    • E.g. When a location, extension number, abbreviation are combined: tempaku66<:!>39imc
  • Use only the first letters in each word of a favorite phrase, and insert numbers between some of the words.
    (It is also a good idea to change your favorite Japanese phrase into alphabetical letters.)
    • Example 1: “Keisanki center” → kei3ki1000ta
    • Example 2: “Sekai-ni-hitotsu-dake-no-hana” → seka!2h!to2dakeno87

* It is important to devise a password creatively.

Bad examples

  • Login name itself (It is also not recommended to use it in capital letters or in a repetitive manner.)
  • Name of yourself, spouse, child, parent, pet, close friend, or colleague
  • Favorite cartoon character name or superior’s name
  • All-too-common names
  • Name of the OS used or computer host name
  • Full or part of your birthday, phone number, driving license number, health insurance ID number; easily guessable personal information
  • Words in English or other language dictionaries
  • Place names, proper names
  • Repetition of the same letter, a sequence of letters on the keyboard (e.g.: qwerty, qawsedrf)

Source: Joho security jiten (Information Security Dictionary), supervised by Norihisa Tsuchiya, Kyoritsu Shuppan Co., Ltd.

Cautions in server operation

  • When you use a server merely as an e-mail server or web server (in short, when remote login is not required), you should not start sshd, rshd or telnetd service.
  • When you start sshd service, you should set
“PermitRootLogin no”
and “PermitEmptyPasswords no,”

and prohibit login as a root user and login with blank passwords.
It is also recommended to, in addition, set

“PasswordAuthentication no,”

which prohibits password authentication and accepts public key authentication only.

  • You should keep the logs of the servers used for telnet, ssh, mail, WWW, and other public services (for internal and external use).