Emerson Freshmen Hantzley Audate interviewed Frankie Frain, the Director of Networking and Telecommunications, about the recent Heartbleed bug for a Journalism class assignment (JR103).
Yesterday, a massive security flaw (nicknamed “Heartbleed”) was uncovered which compromises secure computer systems across the Internet: at least 66% of websites as well as mail servers and other systems.
OpenSSL, a library of security and cryptographic algorithms, was discovered to have a vulnerability that’s been present as far back as two years. Many websites and apps that you use every day are affected by this, and they are scrambling to fix the issue. Most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft’s April 2014 Web Server Survey.
How was Emerson impacted?
Some of Emerson’s secure websites relied on potentially-exploitable OpenSSL libraries. We have patched these sites with an update fixing the vulnerability, and have replaced their security certificates. This means that there should be no way for anyone to exploit these websites, or decrypt traffic coming to and from them, even if they had been compromised.
How does this exploit work?
This vulnerability may have allowed malicious hackers to capture small bits of data on secured systems, including user account information, such as passwords, as well as the systems’ security keys themselves. This could allow unencrypted eavesdropping even after the vulnerability is closed, if the system’s security keys haven’t been changed. Unfortunately, there’s no way to know if anything actually was compromised, as the exploit leaves no trace. It’s that bad.
At this point, many affected websites across the Internet are applying the patch and getting new security certificates. You can think of this as replacing the deadbolt and rekeying the lock. Some websites you use may ask you to change your password in the coming days as an additional precaution. Make sure you do not click links in emails. Make sure you go to the website directly, and only if you have been prompted.
There is nothing to suggest that Emerson usernames or passwords were compromised, but to be safe, we strongly recommend you change your Emerson password as soon as possible. Please visit http://password.emerson.edu/ to do so.
You can read more about the Heartbleed bug as well as the internet’s response at TechCrunch.
If you have any questions or concerns, please feel free to contact us by phone at 617-824-8080 or online at it.emerson.edu/help.
At Emerson IT, we’re always looking to improve the way we do things. Most recently, we’ve been looking at our email template. This is the visual style of the emails that you receive from us, either as IT announcements or tickets. It’s hard to miss, with a large purple banner at the top!
Our goal was always to have a distinctive look to our messages to help you recognize them, and more importantly, to help you recognize messages that aren’t from us. Phishing emails are always a big problem, but the template can help you recognize when an email is not legitimate and should not be trusted. However, we received feedback that the email in its current form obscured the content of the message with a huge banner. This is typically referred to as “the fold,” the point at which people must scroll in order to read anything else, and most people find it pretty inconvenient!
In response to your feedback, here’s our new version:
It’s cleaner, easier to read, and the content starts almost immediately. From now on, this email will take over for all IT announcements and ticket emails, so make sure you look for this template. We hope you like this new version and it makes a difference!
In an effort to increase transparency and accountability, we’ve worked hard over the last year to expand and document our evolving policies. We recently published the first round of these new policies, which you can read here: http://it.emerson.edu/policies/
Policies like Data Protection and Mobile Device Security serve to highlight the measures we take to keep your data private and secure. Other policies, like Software Installation and Temporary Workspace Lab Storage, are meant to clarify exactly what we support in the spaces we manage. These new policies, in conjunction with our Defined Services & Support page, are meant to provide a comprehensive view of how IT works at Emerson College.
We will continually update and add new policies as our procedures and technologies change. As always, if you have any feedback, please do not hesitate to send it our way.
From September 1st to March 6th IT had 3246 requests for help… and that doesn’t even count the requests for new projects and time spent working on projects already in progress.
We have gotten your feedback on 19% of those requests, and it is overwhelmingly positive!
Average responses from 617 surveys:
We get an average of 333 requests for help per week! The busiest week was the first week of school (589 requests), and the quietest was during winter break (3 requests).
Every time we resolve a request (also called a ticket), the user has about a 50% chance of getting a survey asking if they are satisfied. (You will not get a survey if you’ve gotten one in the last 5 days).
Thank you for all your feedback!
This is a post especially for those of you who live on Emerson’s Boston campus. No, it is not about Saint Patrick’s Day, HempFest, or the Red Sox. It’s about DHCP. Some on-campus-dwelling, Boston-based Emersonians experienced an interruption in wired network service on Monday, March 10th. This happened because a rogue (read: unauthorized) DHCP server was intercepting traffic on our network and preventing users from connecting to the internet.
DHC-whaaaaa? DHCP: Dynamic Host Configuration Protocol. DHCP is what computers use to join a network, and to obtain the information they need in order to connect to the internet. It is a protocol, a system of rules by which computers communicate with one another. It’s not a language, but a conversation.
What’s being said?
- If it’s the first time your computer has ever been plugged in to a network, it broadcasts a discover message.
- DHCP servers connected to the network see this message and recognize that a device is looking for information. They respond with an offer, which includes important information needed to join a network: an IP address (so you can send and receive packets), the domain’s nameservers (so you can type google.com into your address bar instead of 188.8.131.52), the time servers (so your computer knows what time it is), and more.
- The computer then requests to use the IP address and other information included in the DHCP server’s response.
- Finally, the DHCP server can either acknowledge or deny this request. If the request is acknowledged, the computer is connected to the internet! If the request is denied, the whole conversation starts over again.
Any DHCP server plugged in to a network can start offering IP addresses to requesting clients. There are lots of devices that can function as DHCP servers. This Apple AirPort Extreme, for example. If someone plugs the WAN port on one of these babies into our student wired network, it starts behaving like a DHCP server right alongside our own. What it doesn’t have is any of the correct information: it provides computers with invalid IP addresses, blank nameserver IPs, etcetera, which make it impossible for the computer to connect to the internet. So it’s handing out BS to students’ computers and stopping them from gaining access to the internet. This is what we experienced on Monday.
The networking team located the rogue device in a dorm room, disabled the ports it was connected to, and forwarded the necessary information to Housing and Residence Life so they could contact the student and take action. Now is a good time to remind everyone using Emerson’s network, wired or wireless, of our Electronic Information Policy. Item three in the list of Guidelines for Ethical Behavior reads:
Network services and wiring may not be extended beyond the port provided. Retransmission or propagation of network services is prohibited without explicit permission. This includes the installation of hubs, switches and wireless equipment.
Please remember that any unauthorized networking equipment you bring to your dorm room, in addition to violating policies you agreed to abide by, impacts the quality of service we can provide you and students living around you. If you are experiencing issues with connectivity or wireless signal strength, contact the Help Desk at (617) 824-8080 or put in a ticket at it.emerson.edu/help.
Yesterday, several of our faculty and staff members were affected by a temporary email disruption. This happened to some users in the morning, and others in the late afternoon.
Our email storage system experienced a limited, but marked, reduction in performance, which interfered with the sending and receiving of email for these users. Emerson email is now back to normal, and no data was lost during this time.
We are taking steps to increase redundancy in our system so that we may prevent this scenario in the future.
Thank you for your patience!
We strongly encourage you to update your iPhones, iPads, and Macs running Mavericks as soon as possible!
Last week Apple released an update for iOS that fixed “SSL connection verification“, which caused a lot of people to perk up and wonder exactly what that meant. This was followed up by an alarming notice from Apple regarding the integrity of SSL connections on iOS. Long story short, a small programming glitch caused Apple products to silently fail at checking SSL certificates in certain situations.
This is a major problem: SSL certificates provide websites with essential security, signified by URLs starting with https instead of http. Banks use it, critical applications use it, and hundreds of pieces of software rely on SSL working flawlessly to ensure the security of data passing between you and a website. Security professionals quickly discovered that this issue not only affected iOS devices, but desktop and laptop Macs running Mavericks as well. On February 25th, four days after the iOS update, Apple released a similar update to Mavericks, version 10.9.2, which fixes this issue on the desktop- and laptop-side. (Note: earlier versions of Mac OS X are safe, this only affects 10.9 Mavericks.)
If you haven’t already updated your iPhone or iPad, update as soon as you can! You can update your iOS software any time by going to the Settings app, clicking the General section, and selecting Software Update. If you own a Mac desktop or laptop running Mavericks (Apple’s latest operating system), also update as soon as you can! You can run updates on your Mac by clicking on the Apple menu in the top-left and clicking on “Software Update…”.
For those curious about seeing the glitch itself, German newspaper Der Spiegel points out the flaw in Apple’s code here. It’s pretty simple: that
goto fail; line existing twice in that context makes the process skip necessary security checks, meaning your secure connection might not be adequately checked to see if it’s actually secure. For those of you who are really curious about how security works with Apple devices, check out this white paper Apple just released.
For more information on critical security issues like this, follow this blog or follow us on Twitter. If you need any help updating your device, feel free to contact the Help Desk by calling 617-824-8080 or using our online Help Center if you have any questions or concerns.
For Data Privacy Month, we’d like to share a little-known feature of our spam filtering software: outbound email encryption. This can protect sensitive information from being viewed by third parties.
Anyone with an @emerson.edu address can explicitly encrypt the content of an email by typing [ENCRYPT] into the subject line, like so:
There’s no way to enable this for all of your email by default, and it does not encrypt or hide whom you’re sending mail to or where you’re sending mail from. This simply encrypts the contents, or body, of your email message, including attachments. Also, it only encrypts messages being sent to a non-Emerson email address. You can’t encrypt a message sent between @emerson.edu addresses.
Once sent, your message will not be delivered to the intended recipient right away. Instead, they’ll receive a notice that they were sent “Secure Mail” from your address. If they’ve never registered for our secure mail service before, the message looks like this (click on the image to see it full-size):
Your recipient can then sign up on our local MailSafe server, unique to Emerson College. The account they set up will be used to open all encrypted emails they receive from Emerson.
If they’ve already signed up, the message looks like this (click on the image to see it full-size):
All encrypted emails are sent as PDFs with the recipient’s MailSafe password protecting them. Encrypted attachments can only be extracted from the PDF using Adobe Acrobat Reader 7 or above.
Listen to Director of Networking and Telecommunications Frankie Frain speak to WECB about wireless upgrades and ECwireless-5GHz!