Yesterday, Microsoft issued the last update for Windows XP. As a result, Computing and Information Services will not be able to continue supporting XP. For security reasons, CIS recommends upgrading or replacing your computer as soon as possible. Faculty and staff, please consult your department's IT support professional prior to upgrading your operating system.
Background on OpenSSL and Heartbleed
Late on Monday, April 7, a flaw was publicly disclosed in OpenSSL, the widely used security library that provides the encryption protecting Internet traffic between one device and another. Most users know this as the small closed padlock and "https:" in the browser's address bar, signifying that the connection is encrypted. The flaw, nicknamed "Heartbleed", lets an attacker read chunks of a vulnerable server's memory, which can contain usernames, passwords, session cookies, private keys and pretty much any other information the server was handling.
Why this matters
OpenSSL is used everywhere: when you shop at Amazon, read your personal email, do your online banking, or visit social networking, blogging and sharing sites. It also secures communications on mobile devices such as smartphones and tablets, both in the web browser and inside apps you may have installed. The "Heartbleed" vulnerability in OpenSSL could allow a remote attacker to access sensitive data passed through it, such as login information like usernames and passwords.
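The mechanism behind the flaw, shown here as an added illustration that is not part of the original notice and is not OpenSSL's own code: Heartbleed (CVE-2014-0160) was a missing bounds check in OpenSSL's handling of the TLS heartbeat extension (RFC 6520). A heartbeat request carries a payload and a two-byte length field, and the server echoes the payload back. The vulnerable code copied as many bytes as the length field claimed without checking that the record it received was actually that long, so a tiny request claiming a large payload got back whatever lay next in the server's memory. The simulation below uses a fixed buffer as a stand-in for that memory; the functions hb_respond and hb_probe, the "arena" and the secret string are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16   /* RFC 6520: a heartbeat carries at least 16 bytes of padding */

typedef struct { uint8_t *data; size_t len; } hb_response;

/* Answer a heartbeat request the way a TLS server does: echo the payload back.
 * `arena` is a constructed stand-in for process memory: the request record
 * occupies its first `record_len` bytes and whatever follows is data the
 * server never meant to send. With check_bounds == 0 the claimed payload
 * length is trusted (the Heartbleed bug); with check_bounds == 1 the request
 * is refused unless the claimed payload actually fits inside the record. */
static hb_response hb_respond(const uint8_t *arena, size_t arena_len,
                              size_t record_len, int check_bounds)
{
    hb_response r = { NULL, 0 };
    if (record_len < 3 || record_len > arena_len) return r;   /* simulation guard */
    const uint8_t *rec = arena;
    if (rec[0] != HB_REQUEST) return r;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];          /* attacker-controlled */

    if (check_bounds && 1 + 2 + payload + HB_MIN_PADDING > record_len)
        return r;   /* the fix: the claimed length must fit the record received */

    /* Keep an over-read inside the arena so the demonstration is deterministic
     * rather than undefined behaviour; real OpenSSL read whatever came next. */
    if (3 + payload > arena_len) return r;

    r.len = 1 + 2 + payload + HB_MIN_PADDING;
    r.data = malloc(r.len);
    if (!r.data) { r.len = 0; return r; }
    r.data[0] = HB_RESPONSE;
    r.data[1] = (uint8_t)(payload >> 8);
    r.data[2] = (uint8_t)(payload & 0xff);
    memcpy(r.data + 3, rec + 3, payload);   /* over-reads when the length field lies */
    memset(r.data + 3 + payload, 0, HB_MIN_PADDING);
    return r;
}

/* Constructed sample of the kind of data that sat near a TLS record buffer. */
static const char SECRET[] = "username=alice&password=hunter2";

/* Send a request whose real payload is "hi" (2 bytes) but whose length field
 * claims `claimed` bytes. Returns -1 if the server refused the request,
 * 1 if the response contains SECRET, and 0 if it answered without leaking. */
int hb_probe(uint16_t claimed, int check_bounds)
{
    uint8_t arena[128] = {0};
    size_t record_len = 3 + 2 + HB_MIN_PADDING;      /* header + "hi" + padding */
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    arena[3] = 'h'; arena[4] = 'i';
    memcpy(arena + record_len + 8, SECRET, sizeof SECRET);   /* 8 bytes past the record */

    hb_response r = hb_respond(arena, sizeof arena, record_len, check_bounds);
    if (!r.data) return -1;
    int leaked = 0;
    size_t n = sizeof SECRET - 1;
    for (size_t i = 0; i + n <= r.len; i++)
        if (memcmp(r.data + i, SECRET, n) == 0) { leaked = 1; break; }
    free(r.data);
    return leaked;
}

int main(void)
{
    printf("honest request,   no check: %d\n", hb_probe(2, 0));   /* 0 */
    printf("lying request,    no check: %d\n", hb_probe(64, 0));  /* 1: secret leaked */
    printf("lying request,  with check: %d\n", hb_probe(64, 1));  /* -1: refused */
    printf("honest request, with check: %d\n", hb_probe(2, 1));   /* 0 */
    return 0;
}
```

Compare the four cases: with the check disabled, a request whose length field lies gets back the neighbouring "secret"; with the check enabled, the same request is refused while an honest one is still answered normally. This is also why the advice below says to wait for a site to patch before changing a password: until the check is in place, the new password passes through the same memory the attacker can read.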
What Brown is doing
Brown technical staff have been engaged in responding to this issue since the bug became public. The Information Security and Network Technology groups in CIS, in conjunction with technical staff members across campus, have assessed the areas at Brown that are impacted by this vulnerability. Most fixes are already in place, while others are in progress.
What you should do
Most of the work that needs to be done is by technical staff who must patch the affected servers and systems, whether for Amazon, Yahoo, your bank, social network, etc., or here at Brown for those few servers and systems that must be updated.
There are, however, a few tips and actions you may want to consider for your personal computing. The following have been gathered from multiple open sources and are based upon guidance and advice from experts across many areas:
- At this time, Brown University is not asking users to change their Brown network passwords.
- Regarding your other passwords, we recommend that you update them, but only after it has been confirmed that the website has patched its servers: a password changed on a still-vulnerable site can be captured just like the old one. Many sites and services are already emailing their customers to confirm that they have taken the proper actions.
- If the sites and services you use offer an alternate way of confirming your identity, such as a cell phone number for confirmation text messages, consider enabling it. This limits what an attacker can do with a stolen password.
- Exercise caution when visiting websites. "Heartbleed" can also affect client software built on OpenSSL, including some browsers and mobile apps: a malicious server can read memory from a vulnerable client. Expect affected browsers and mobile operating systems to address this with an update, if they have not already.
- You can test whether a site is still vulnerable using the Heartbleed Test Site (https://lastpass.com/heartbleed). A clean result only means the server is patched now; it does not tell you whether it was exploited before the fix.
- In the short term, when finished with a website, completely log out if you were logged in (such as with Facebook, Yahoo, etc), and when finished surfing the web, close your browser.
- We anticipate a new wave of phishing messages using this vulnerability as an excuse to steal login credentials and compromise accounts. Beware of spam messages about "Heartbleed."
- Monitor financial statements closely. Check bank and credit card statements for unusual activity.
- Unless you have heard from your bank directly that they are not vulnerable, we recommend refraining from doing any online banking for a few days.
- Heartbleed Bug: Recap + Q&A Brown Bag | Sign-up for Brown Bag at brown.edu/go/heartbleed-brown-bag
- Background Information: The Heartbleed Bug
- Heartbleed Bug Health Report
- The Heartbleed Hit List: The Passwords You Need to Change Right Now
- NPR Marketplace story: The Heartache of Heartbleed
- Brian Krebs: What Can You Do?
- How to talk to your kids (or manager) about "Heartbleed"
ISG has added the new section How Do I ...? to their web pages. From the main "Information Security" link, click on the "How Do I ...?" link for a collection of commonly asked questions with quick answers, plus links to more details.
Brown's Google Apps service allows each of us to have 30 GB shared storage for email and Google Drive. If you're getting close to your limit or just feel like keeping things clean, you can find big files in your mail and drive using the following instructions.
There's now an easier way to search your emails by size. Open the Advanced Search by clicking the triangle on the inner right of the search box at the top of your email.
You'll see an option to enter a size in the Advanced Search. You might want to start with 15 MB - if you don't find enough results, decrease the number and try again.
Once you delete emails, they will be automatically removed from your trash after 30 days. You can also empty your trash manually.
You can also sort your Google Drive by size to find the biggest files. Find a column heading (such as 'Owner' or 'Last Modified') and click the small triangle next to it. Choose to sort by Quota Used. In Drive, the trash does not automatically empty - if you move a file to the trash and want to lower your used quota, you will have to click the Trash link on the left menu and then the Empty Trash button.
As promised, students can now download Office for free by following these instructions. Student copies of Office can be installed on up to five computers and will remain functional until 30 days after graduation.
Help us crowdsource Brown’s WiFi coverage issues! Report areas with no or low coverage by tweeting the location with the hash tag #brownwifi.
- Be as specific as possible about the location. Include the building, floor number, and room number or landmark to help us find the spot.
- We can only see public tweets – and for privacy reasons, don’t tweet the location of your dorm room. You can always email coverage issues to firstname.lastname@example.org.
- We won’t be able to assist you at the location - the hash tag is just for reporting areas with low or no wireless access. Immediate or unrelated issues should be reported as usual to the IT Service Center (email@example.com, 3-4357).
- If you’re on Twitter, follow us at @ITatBrown for tech updates.
The latest issue of Secure IT! has been released, now located on the new Information Technology site. While this brings a slightly different look to the newsletter, it continues to offer timely tips to keep you safe online.
We invite you to peruse this issue, view back issues (to 2010) and send us ideas for future ones. Enjoy!
- CISO Memo: Spam, Spam, Spam, Spam :: A nuisance that can also be malicious.
- October means National Cyber Security Awareness Month :: And lots of chances to "Don't Get Caught, Get Cautious" and enter a contest to win an iPad mini or Samsung Galaxy Tab 3.
- Identity Finder Reminder :: Not running Identity Finder regularly? Find out how and why.
- Android Malware :: Being popular makes you a desirable target.
- ISG Moves to Main Campus :: Now conveniently located at the intersection of Angell & Thayer.
- Two-Step Verification :: When passwords aren't enough.
- Protecting Brown's Information :: Never taken the class? Like a refresher?
Excited about your new tablet? Top tips to keep it safe and secure are: use some type of screen or passcode lock, run the latest version of the operating system and be mindful of your privacy and Cloud options.
Get the details from Chad Tilbury, who prepared this article for the January 2014 issue of the OUCH! newsletter. More details about the author and the newsletter appear at the end of this article.
Your New Tablet
Congratulations on your new tablet. This technology is a powerful and convenient way to communicate with others, shop online, read, listen to music, game and perform a myriad of other activities. Since this new tool may become an important part of your daily life, we strongly encourage you to take some simple steps to help keep it safe and secure.
Securing Your Tablet
The first step is to set a passcode or some other screen locking mechanism. Tablets are easy to take wherever you go, which also means they are easy to lose or have stolen. To help prevent your information from falling into the wrong hands, be sure you lock your tablet screen with some type of hard-to-guess PIN, passcode or swiping motions. In newer devices, there may be some type of biometric authentication, such as a fingerprint reader. Use the strongest method your tablet supports, and be sure to set your tablet so that it locks automatically after a short idle time.
Next, update your tablet so it has the latest version of its operating system. Bad guys are constantly finding new weaknesses in software, and vendors are constantly releasing new updates and patches to fix them. By running the latest operating system, you make it harder for anyone to hack into your tablet.
Pay attention when configuring your tablet for the first time. The most important configuration choices will be your privacy and Cloud options. Privacy is about protecting your personal information. One of your tablet’s biggest privacy issues is its ability to know and track your location. We recommend that you go into the privacy features and disable location tracking for everything, then enable it on an app-by-app basis. For some apps, it is important to be able to track your location (such as mapping software or finding a local restaurant near you), but the majority of apps do not need real-time location information.
The other important option is Cloud storage. Cloud services such as Apple’s iCloud, Microsoft’s Skydrive, Dropbox or Google Drive allow you to store your data on servers through the Internet. Most tablets have built-in options for automatically storing just about anything in the Cloud, including documents, pictures and videos. Think about the sensitivity of your data and decide whether it is appropriate to store it in the Cloud. Make sure you understand how your data will be protected (such as by a password) and how you can control who will have access to it. The last thing you want is for the private pictures you just took to be posted on the Internet without your knowledge, complete with their geo-location information embedded.
Be aware that tablets are increasingly synchronizing your apps with other devices, like your smartphone or laptop. This is common with many applications (including Google’s Chrome), is pervasive in Windows 8 and is one of the most widely used features of iCloud. Device synchronization can be a wonderful feature, but if you have it enabled, don’t be surprised to see the sites you visited or the tabs you created on your tablet’s browser appear in your browser at work.
Keeping Your Tablet Secure
Once you have your tablet secured, you want to be sure it stays that way. Here are some simple steps for you to consider as you continue to use your tablet:
- Keep your tablet operating system and apps current and running their latest version. Many tablets now automatically update your apps, a feature we encourage you to enable.
- Do not jailbreak or hack into your own tablet. This will bypass and render a tremendous number of security controls useless, making your tablet far more vulnerable to attacks.
- Only download apps you need, and only download them from trusted sources. For iPads, this is as simple as downloading apps only from iTunes. These apps are screened by Apple before they are made available. For Android devices, we recommend you limit your apps to those found on Google Play. While you can download apps from other sites, they are usually not vetted and could be created with malicious intent. Finally, regardless of where you got your app, we recommend you remove it from your tablet once you no longer need or actively use it.
- When installing a new app, make sure you review and set the privacy options, just like you did when initially configuring your new tablet. Be careful of what information you allow the app to access, or what you allow the app to do with that information. For example, does the app you just downloaded really need access to all of your contacts?
- Be sure to install or configure software that allows you to remotely track, lock or erase your tablet in case it is ever lost or stolen.
- Syncing Chrome:
- Dangers of Cloud Computing: http://www.businessnewsdaily.com/5215-dangers-cloud-computing.html
- Common Security Terms: http://www.securingthehuman.org/resources/security-terms
- SANS Security Tip of the Day: https://www.sans.org/tip_of_the_day.php
Chad Tilbury is the guest editor of this issue. He has extensive experience investigating computer crimes and is the co-author of the FOR408 Windows Forensics and FOR508 Advanced Forensics and Incident Response classes at the SANS Institute. You can find him on Twitter as @chadtilbury, or on his blog, http://forensicmethods.com.
OUCH! January 2014 issue: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201401_en.pdf. OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 3.0 license.
The latest issue of Secure IT! has been released. We invite you to peruse this issue, view back issues (to 2010) and send us ideas for future ones. Enjoy!
- CISO Memo: It's All About Privacy :: With so much of our lives and actions online, protecting one's privacy is becoming increasingly more difficult. ISG is here to help.
- Identity Finder Reminder :: Not running Identity Finder regularly? Find out why you should.
- Targeted in a Recent Security Breach? :: Were you affected by the latest retail security breaches? Read ISG's recommendations on what you can do.
- Secure Your Home Network :: In his recent article "The Internet of Things is Wildly Insecure", security expert Bruce Schneier said, "If we don't solve this soon, we're in for a security disaster as hackers figure out that it's easier to hack routers than computers." Find out if your home router is at risk and what you can do to mitigate it.
- Securing Your New Tablet :: If Santa surprised you with a new tablet, learn how to keep it safe.
- Follow us on Twitter :: ISG and CISO alerts, tips and more.
On Monday, March 3rd, the old voicemail system will be completely decommissioned. All old messages left on the system will be lost forever. If you need final access to the old system prior to March 3rd, please contact the Telecommunications office at 863-2007 for instructions.