Important Security Update Regarding Heartbleed Bug

April 9th, 2014 by Cyle Gage

Yesterday, a massive security flaw (nicknamed “Heartbleed”) was uncovered which compromises secure computer systems across the Internet: at least 66% of websites as well as mail servers and other systems.

OpenSSL, a library of security and cryptographic algorithms, was discovered to have a vulnerability that has been present for as long as two years. Many websites and apps that you use every day are affected by this, and they are scrambling to fix the issue. The most notable software using OpenSSL includes open source web servers like Apache and nginx. The combined market share of just those two among the active sites on the Internet was over 66%, according to Netcraft’s April 2014 Web Server Survey.

How was Emerson impacted?

Some of Emerson’s secure websites relied on potentially-exploitable OpenSSL libraries. We have patched these sites with an update fixing the vulnerability, and have replaced their security certificates. This means that there should be no way for anyone to exploit these websites, or decrypt traffic coming to and from them, even if they had been compromised.

How does this exploit work?

This vulnerability may have allowed malicious hackers to capture small bits of data on secured systems, including user account information, such as passwords, as well as the systems’ security keys themselves. With those keys, an attacker could keep eavesdropping on supposedly encrypted traffic even after the vulnerability is closed, if the system’s security keys haven’t been changed. Unfortunately, there’s no way to know if anything actually was compromised, as the exploit leaves no trace. It’s that bad.

What now?

At this point, many affected websites across the Internet are applying the patch and getting new security certificates. You can think of this as replacing the deadbolt and rekeying the lock. Some websites you use may ask you to change your password in the coming days as an additional precaution. Make sure you do not click links in emails. Make sure you go to the website directly, and only if you have been prompted.

There is nothing to suggest that Emerson usernames or passwords were compromised, but to be safe, we strongly recommend you change your Emerson password as soon as possible. Please visit http://password.emerson.edu/ to do so.

You can read more about the Heartbleed bug as well as the internet’s response at TechCrunch.

If you have any questions or concerns, please feel free to contact us by phone at 617-824-8080 or online at it.emerson.edu/help.

Changes to Emerson IT Emails

April 3rd, 2014 by michael_jessen

At Emerson IT, we’re always looking to improve the way we do things. Most recently, we’ve been looking at our email template. This is the visual style of the emails that you receive from us, either as IT announcements or tickets. It’s hard to miss, with a large purple banner at the top!

Our goal was always to have a distinctive look to our messages to help you recognize them, and more importantly, to help you recognize messages that aren’t from us. Phishing emails are always a big problem, but the template can help you recognize when an email is not legitimate and should not be trusted. However, we received feedback that the email in its current form obscured the content of the message with a huge banner. The banner pushed the content below what is typically referred to as “the fold,” the point at which people must scroll in order to read anything else, and most people find that pretty inconvenient!

In response to your feedback, here’s our new version:

Emerson IT's New Email Template

It’s cleaner, easier to read, and the content starts almost immediately. From now on, this email will take over for all IT announcements and ticket emails, so make sure you look for this template. We hope you like this new version and it makes a difference!

New IT Policies

March 27th, 2014 by Cyle Gage

In an effort to increase transparency and accountability, we’ve worked hard over the last year to expand and document our evolving policies. We recently published the first round of these new policies, which you can read here: http://it.emerson.edu/policies/

Policies like Data Protection and Mobile Device Security serve to highlight the measures we take to keep your data private and secure. Other policies, like Software Installation and Temporary Workspace Lab Storage, are meant to clarify exactly what we support in the spaces we manage. These new policies, in conjunction with our Defined Services & Support page, are meant to provide a comprehensive view of how IT works at Emerson College.

We will continually update and add new policies as our procedures and technologies change. As always, if you have any feedback, please do not hesitate to send it our way.

Behind the scenes: IT satisfaction rates

March 20th, 2014 by jennifer_stevens

word cloud of praiseful survey responses

From September 1st to March 6th IT had 3246 requests for help… and that doesn’t even count the requests for new projects and time spent working on projects already in progress.

We have gotten your feedback on 19% of those requests, and it is overwhelmingly positive!

Average responses from 617 surveys:

graph showing that on a scale of 1 to 5 where 5 is "very pleased", the average answer was 4.5

We get an average of 333 requests for help per week! The busiest week was the first week of school (589 requests), and the quietest was during winter break (3 requests).

graph of high tickets at start of school year, low over thanksgiving winter break and spring break

Every time we resolve a request (also called a ticket), the user has about a 50% chance of getting a survey asking if they are satisfied. (You will not get a survey if you’ve gotten one in the last 5 days.)

Thank you for all your feedback!

Recent Problems with Student DHCP On Campus

March 14th, 2014 by hana_carpenter

This is a post especially for those of you who live on Emerson’s Boston campus. No, it is not about Saint Patrick’s Day, HempFest, or the Red Sox. It’s about DHCP. Some on-campus-dwelling, Boston-based Emersonians experienced an interruption in wired network service on Monday, March 10th. This happened because a rogue (read: unauthorized) DHCP server was intercepting traffic on our network and preventing users from connecting to the internet.

DHC3PO

“I am DHC3PO, computer-internet relations.”

DHC-whaaaaa? DHCP: Dynamic Host Configuration Protocol. DHCP is what computers use to join a network, and to obtain the information they need in order to connect to the internet. It is a protocol, a system of rules by which computers communicate with one another. It’s not a language, but a conversation.

What’s being said?

  • If it’s the first time your computer has ever been plugged in to a network, it broadcasts a discover message.
  • DHCP servers connected to the network see this message and recognize that a device is looking for information. They respond with an offer, which includes important information needed to join a network: an IP address (so you can send and receive packets), the domain’s nameservers (so you can type google.com into your address bar instead of 4.53.56.119), the time servers (so your computer knows what time it is), and more.
  • The computer then requests to use the IP address and other information included in the DHCP server’s response.
  • Finally, the DHCP server can either acknowledge or deny this request. If the request is acknowledged, the computer is connected to the internet! If the request is denied, the whole conversation starts over again.

Any DHCP server plugged in to a network can start offering IP addresses to requesting clients. There are lots of devices that can function as DHCP servers. This Apple AirPort Extreme, for example. If someone plugs the WAN port on one of these babies into our student wired network, it starts behaving like a DHCP server right alongside our own. What it doesn’t have is any of the correct information: it provides computers with invalid IP addresses, blank nameserver IPs, etcetera, which make it impossible for the computer to connect to the internet. So it’s handing out BS to students’ computers and stopping them from gaining access to the internet. This is what we experienced on Monday.

Sad Beep.

The networking team located the rogue device in a dorm room, disabled the ports it was connected to, and forwarded the necessary information to Housing and Residence Life so they could contact the student and take action. Now is a good time to remind everyone using Emerson’s network, wired or wireless, of our Electronic Information Policy. Item three in the list of Guidelines for Ethical Behavior reads:

Network services and wiring may not be extended beyond the port provided. Retransmission or propagation of network services is prohibited without explicit permission. This includes the installation of hubs, switches and wireless equipment.

Please remember that any unauthorized networking equipment you bring to your dorm room, in addition to violating policies you agreed to abide by, impacts the quality of service we can provide you and students living around you. If you are experiencing issues with connectivity or wireless signal strength, contact the Help Desk at (617) 824-8080 or put in a ticket at it.emerson.edu/help.

Yesterday’s email disruptions

March 13th, 2014 by Robin Chace

Good afternoon,

Yesterday, several of our faculty and staff members were affected by a temporary email disruption. This happened to some users in the morning, and others in the late afternoon.

Our email storage system experienced a limited, but marked, reduction in performance, which interfered with the sending and receiving of email for these users. Emerson email is now back to normal, and no data was lost during this time.

We are taking steps to increase redundancy in our system so that we may prevent this scenario in the future.

Thank you for your patience!

Critical Apple Security Updates

February 27th, 2014 by Cyle Gage

We strongly encourage you to update your iPhones, iPads, and Macs running Mavericks as soon as possible!

Last week Apple released an update for iOS that fixed “SSL connection verification”, which caused a lot of people to perk up and wonder exactly what that meant. This was followed up by an alarming notice from Apple regarding the integrity of SSL connections on iOS. Long story short, a small programming glitch caused Apple products to silently fail at checking SSL certificates in certain situations.

This is a major problem: SSL certificates provide websites with essential security, signified by URLs starting with https instead of http. Banks use it, critical applications use it, and hundreds of pieces of software rely on SSL working flawlessly to ensure the security of data passing between you and a website. Security professionals quickly discovered that this issue not only affected iOS devices, but desktop and laptop Macs running Mavericks as well. On February 25th, four days after the iOS update, Apple released a similar update to Mavericks, version 10.9.2, which fixes this issue on the desktop and laptop side. (Note: earlier versions of Mac OS X are safe; this only affects 10.9 Mavericks.)

If you haven’t already updated your iPhone or iPad, update as soon as you can! You can update your iOS software any time by going to the Settings app, clicking the General section, and selecting Software Update. If you own a Mac desktop or laptop running Mavericks (Apple’s latest operating system), also update as soon as you can! You can run updates on your Mac by clicking on the Apple menu in the top-left and clicking on “Software Update…”.

For those curious about seeing the glitch itself, German newspaper Der Spiegel points out the flaw in Apple’s code here. It’s pretty simple: that goto fail; line existing twice in that context makes the process skip necessary security checks, meaning your secure connection might not be adequately checked to see if it’s actually secure. For those of you who are really curious about how security works with Apple devices, check out this white paper Apple just released.
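The control-flow mistake described above can be reproduced in a few lines. This is an added, constructed illustration and not Apple's code: `check_hash`, `check_signature` and both `verify_*` functions are hypothetical stand-ins, and the braced version is one hardened shape rather than Apple's actual patch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for two verification steps; each returns 0 on success. */
static int check_hash(const char *msg) { return msg[0] != '\0' ? 0 : -1; }
static int check_signature(const char *sig) { return strcmp(sig, "good") == 0 ? 0 : -1; }

/* Flawed shape: the duplicated goto is not governed by the if above it. */
int verify_flawed(const char *msg, const char *sig)
{
    int err;
    if ((err = check_hash(msg)) != 0)
        goto fail;
        goto fail;                           /* always taken; err is still 0 here */
    if ((err = check_signature(sig)) != 0)   /* never reached */
        goto fail;
fail:
    return err;                              /* 0 is read by the caller as "verified" */
}

/* Hardened shape: braces on every branch, so a stray line cannot change control flow. */
int verify_fixed(const char *msg, const char *sig)
{
    int err;
    if ((err = check_hash(msg)) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    /* Constructed input: a message whose signature should be rejected. */
    printf("flawed: %d\n", verify_flawed("hello", "forged"));
    printf("fixed:  %d\n", verify_fixed("hello", "forged"));
    return 0;
}
```

Compiler warnings for misleading indentation and unreachable code, plus a test that feeds the verifier a signature it must reject, each catch this class of bug before release.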

For more information on critical security issues like this, follow this blog or follow us on Twitter. If you need any help updating your device, feel free to contact the Help Desk by calling 617-824-8080 or using our online Help Center if you have any questions or concerns.

Email Encryption at Emerson

February 20th, 2014 by Cyle Gage

For Data Privacy Month, we’d like to share a little-known feature of our spam filtering software: outbound email encryption. This can protect sensitive information from being viewed by third parties.

Anyone with an @emerson.edu address can explicitly encrypt the content of an email by typing [ENCRYPT] into the subject line, like so:

There’s no way to enable this for all of your email by default, and it does not encrypt or hide whom you’re sending mail to or where you’re sending mail from. This simply encrypts the contents, or body, of your email message, including attachments. Also, it only encrypts messages being sent to a non-Emerson email address. You can’t encrypt a message sent between @emerson.edu addresses.

Once sent, your message will not be delivered to the intended recipient right away. Instead, they’ll receive a notice that they were sent “Secure Mail” from your address. If they’ve never registered for our secure mail service before, the message looks like this:

Your recipient can then sign up on our local MailSafe server, unique to Emerson College. The account they set up will be used to open all encrypted emails they receive from Emerson.

If they’ve already signed up, the message looks like this:

All encrypted emails are sent as PDFs with the recipient’s MailSafe password protecting them. Encrypted attachments can only be extracted from the PDF using Adobe Acrobat Reader 7 or above.

If you have any questions about how to use this service, please do not hesitate to put in a support request or call 617-824-8080. A guide version of this blog post can be viewed here.

ECwireless-5GHz Interview with WECB

February 13th, 2014 by Francis Frain

Listen to Director of Networking and Telecommunications Frankie Frain speak to WECB about wireless upgrades and ECwireless-5GHz!

http://www.wecb-news.com/so-long-ecwireless-new-wireless-network-comes-to-campus/

Introducing Avaya IP Office

February 13th, 2014 by hana_carpenter

Once upon a time, voice and Internet traffic communicated over different networks. This is the world in which our current phone system was purchased and implemented: about 21 years ago. But now most voice traffic – in fact, most forms of communication – relies on IP (Internet Protocol) networks. Take your cell phone, for example: it’s not just a phone, is it? It’s a small computer with a data plan.

Starting this year, Emerson is replacing its outdated phone system with Avaya’s IP Office. New IP Office phones will not rely on a dedicated phone line; instead, they connect to the same ethernet ports that your desktop computer uses. “But IT,” you say, “I don’t have any open ethernet ports in my office!” That’s fine – just plug the phone into the wall and your computer into your phone.

New features also include:

  • Instead of being tied to a single handset, you will be able to log in to any phone at any desk on campus with your personal extension and receive calls there.
  • If you need to carry your extension with you, even when you’re not at a desk, you can download the Avaya one-X app on your smartphone and log in there. While you’re logged in, all calls made to your extension will be sent to your cell phone. Just log out of the app when your workday ends!
  • You will be able to check your voicemail from any web browser or have it sent to your email inbox.
  • Voicemail isn’t the only thing you’ll be able to do through your computer. You can opt to use a headset and a version of the Avaya one-X software on your computer to make and receive all calls.

Here’s the simple-to-use phone that will soon be on your desk:

IP Office Phone

Looks familiar, doesn’t it? You don’t have to have a phone on your desk at all, though. Anyone who opts to use the software or mobile application can also opt to use those exclusively.

Rollouts of the new phone system will happen floor by floor over the next year, and will come with support from IT, instructional documentation, and workshops if requested. As always, give us feedback and questions over at it.emerson.edu.