Today’s Montana Kaimin has an article about illegal file sharing and how UM handles take-down notices. It’s worth a read.
Archive for the ‘Security’ Category
Kaimin covers illegal file sharing
Wednesday, September 23rd, 2009Guidelines drafted for external web systems
Thursday, June 25th, 2009Guidelines for appropriate use of external web systems like Facebook, MySpace and Twitter have just been drafted to help UM departments and student organizations use the tools responsibly.
The guidelines acknowledge the challenge of writing policy for an ever-expanding and changing set of non-University web systems. In response, the guidelines focus on constraints imposed by FERPA and other privacy laws and policies related to a student’s educational record; HIPAA and Montana health information privacy laws; federal and state archival and retrieval requirements for official electronic communication; and state laws regarding personnel evaluations.
The draft guidelines are available on the web at:
www.umt.edu/it/policies/externalwebsystems.aspx.
Don’t take the bait
Wednesday, January 21st, 2009IT launched a campaign at the end of fall semester – and will continue it through spring – to educate the campus community about phishing. A phishing email message is one that attempts to dupe the recipient into giving up personal information, usually his or her email username and password.Sometimes these fraudulent messages do a reasonable job of disguising themselves as legitimate messages by including terminology and branding specific to our campus. They usually include the threat of loss of service if you don’t comply with the request.
Our message to UM students and employees is simple:
Never respond to email asking you to provide personal information
The University of Montana will never ask you for personal information by email
How you can help
Campus departments can help with this campaign in a couple ways. The first way is to adhere to the promise that you will never ask students or employees to provide personal information by email. The second way is to help us spread the word. IT has posters, table tents and PowerPoint slides in a variety of designs to communicate the message. If you have bulletin board space, a computer monitor that displays public announcements, or some other channel of communication, and you would like campaign materials, let us know.
CAS for celebration
Monday, December 22nd, 2008On Dec. 29th, Blackboard will join the suite of UM web systems that are “CASified.”
CAS-Central Authentication Service-is the front door to a growing number of secure UM web services, including OneStop, the Mansfield Library system, iTunes U and now Blackboard. Your NetID and password unlocks that front door and gives you access to all of the systems inside.
The single point of entry, or “single sign-on,” provided by CAS allows users to move among the web systems without having to re-authenticate. CAS also notifies users when their password is about to expire, and eliminates the problem of getting passwords out of sync (one NetID with more than one password).
Getting strange bounce messages?
Tuesday, April 29th, 2008Are you suddenly getting large numbers of bounce messages in your inbox from messages you didn’t send? If so, then you are most likely the victim of e-mail spoofing, and the unwanted side effect that comes with it, known as “backscatter”.
This problem has been around for years, but a number of higher education institutions have reported a significant increase in this activity in the last month, and UM has not escaped.
IT Central has published a support page with more details, check it out here.
I do not like green eggs and spam
Thursday, March 13th, 2008If you’re weary of the volume of spam you get in your inbox, it might make you feel better to know how much spam ISN’T getting to your inbox.
In 2001, spam made up just five percent of the total volume of email messages worldwide.
By the end of 2007, spam accounted for more than 90 percent of all email received by large enterprises according to ProofPoint.
The onslaught of spam coming into University of Montana email systems is even more severe. One day last week—a typical weekday—1.8 million spam messages were blocked as they entered campus. Another 3,600 messages were delivered to recipients tagged as possible spam. These days, only about three percent of the messages that come to campus ever reach an end user.
“We’re tightening it up [spam blocking] as much as we can without blocking legitimate emails,” says Tom Travis, director of IT central systems. “We’re cutting it close to the boundary.”
Travis says campus email users may have experienced increased spam in their inboxes between late November and early February. Hardware problems compromised spam-blocking efforts during that period. By February, IT had restored spam and anti-virus services to full operational levels. Travis is confident that the spam blockers are now protecting email users from junk as best they can.
How does spam blocking work?
Spam blockers use a number of mechanisms to identify junk and virus-laden email. One method is rate control. Too many emails coming from one location raises a red flag. Emails with bad recipients also indicate a possible spam attack. The University also subscribes to a service that does pattern matching for spam, which includes recognition of sender addresses that have been blacklisted.
What can email users do?
Even with the best spam-blocking technology on the front line, the average email user can expect to receive hundreds of spam emails in their inbox every month.
“We educate our end users that if they get spam, right click on it and add it to your junk email list,” says Robert Logan, a systems administrator in the College of Forestry and Conservation who runs a Microsoft Exchange email service.
A right click on a message in Microsoft Outlook reveals a number of options for dealing with spam under the “Junk E-mail” menu item. If you click on “Junk E-mail Options”, you can set the level of junk email protection you want (left).
In GrizMail, which uses Outlook Web Access (OWA) as its email client, users can click on “Options” on the bottom-left of the screen and scroll down to the “Privacy and Junk E-mail Prevention” section.
Travis advises email users to be smart about what email messages they open as well.
“Email users need to develop the ability to detect suspect email,” he says. “You can look at email headers for some clues if you have suspicions.”
For more information about spam and tips for how to protect yourself, visit this Spam at The University of Montana page. You can also seek help from your desktop support person.
Java update addresses security issues
Thursday, March 6th, 2008Fresh on the heels of last month’s update, Sun has released Java 6 Update 5. Unlike last month’s update, this one does appear to get downloaded correctly if you use the automatic updater (at least it did for me). For Windows users, simply go to the Java Control Panel, click the Update tab, and let it do its thing.
You can also get a manual download at http://java.sun.com/javase/downloads/index.jsp
(for most folks, you’ll need the JRE Update)
Specifics on the exploits can be found here: http://www.us-cert.gov/current/index.html#sun_java_se_updates
Java confusion
Friday, February 15th, 2008In my blog entry last Friday, I mentioned some confusion over the Java update. This centers around three points, 1) Sun’s version nomenclature, 2) Conflicting info from Sun on what is the current version, and 3) Whether you need to uninstall your current JRE before installing the newer version.
The first item isn’t too difficult, and is more annoying than anything else, but I still wish Sun would just make up its mind and use one consistent versioning system. Basically, you’ll see the same version called two different things, depending on where you’re at. Version 1.6.0_04 is also referred to as Java Version 6,Update 4, etc.
Item number 2 is a little more annoying. If you go to www.java.com, it will tell you that the “recommended” version is Version 6 Update 3; however, go to java.sun.com, and you’ll be offered Version 6 Update 4, which is the update that contains the latest round of security patches. Also, if you are relying on the “auto update” feature of the Java control panel, it will tell you that you are currently up to date, even if you only have Update 3. Finally, Sun still supports Version 5 (or 1.5.x) and is still releasing security patches for it as well. If for some reason you have to run 5 instead of 6, the current version for it is Version 5 Update 14.
My recommendation: go to http://java.sun.com/javase/downloads and manually download JRE 6 Update 4, and install it yourself.
The third item is by far the most complicated, and I haven’t been able to find an authoritative answer. The original problem is that installing new versions of the JRE would still leave the old versions in place and callable. Sun did this for compatibility reasons. However, the downside was that if there was a serious security hole, simply installing the new version did not prevent you from being exploited. At some point along the way, Sun realized the error of their ways, and addressed this. BUT, the way they did it was NOT to remove the old version, but to make the older versions uncallable (One has to wonder why they did it that way, but I’m sure they have their reasons). This has obviously led to a lot of conflicting opinions about whether one should completely uninstall the existing JRE before installing the new version, and some folks still claim that despite what Sun says, these older versions are still exploitable (however those are all just opinions, I didn’t see anyone offering proofs). I’ve personally decided that I’m OK with just installing the new version, but if you want to be absolutely sure, you can always do the uninstall, but you’ll have to do it manually, and the scope of that is beyond this blog. However, google “uninstall Sun Java” and you’ll find lots of opinions on the best way to do this.
What can we learn from campus violence?
Friday, February 15th, 2008The recent shooting deaths of seven students at Northern Illinois University brings up unsettling thoughts about that happening here. At IT Central, we are the “Help Desk”. Being part of a Help Desk, means that by the time we are contacted, many times the caller or walk-in client is at the very end of his rope. He is extremely frustrated that his password doesn’t work, or that he can’t log into the wireless network and he blames the IT department for his difficulty. Being the Help Desk, we get: “You changed my password! Why does my password have to change?!! Why did you do this to me?!” Sometimes it gets pretty heated. Given the broad cross section of people we deal with, it is entirely conceivable that someone at some time could be pushed over the edge.
How do we deal with such possibilities? It is inconceivable that we would be ready for anything. How can we, as an organization, possibly be prepared or even think about the unknown?
The bigger question would be what can we as an organization do to prevent situations that would push someone over the edge? How can we change the processes that cause unexpecting users thinking that we have put obstacles in front of their learning or teaching experience? This can be difficult and certainly requires thinking and planning given the complexities of not only technology, but also interdepartmental policies and procedures.
So far, the best efforts are in the nature of what do we do in case of violence rather than in the prevention of it, i.e. alerting people via e-mail, voice mail and text message that there is a crisis. Let’s think ahead, so we aren’t simply mopping up the aftermath. It would require perhaps a suspension of disbelief and most importantly, time to come up with viable solutions. As the oft quoted ad jingle says: “We can do it.”
E-mail passwords and why should you protect yours
Wednesday, February 13th, 2008Recently in the Missoulian, an article told of a woman in a small Western Montana town who discovered that her Yahoo account had been compromised. While this may seem benign on the surface, what ensued made me sit up and want to shout: “Protect your passwords!”
Her Yahoo account had been hacked by someone in, guess what, Nigeria. This hacker had figured out her password (which was probably very simple) and changed it. He then proceeded to send e-mail to her contacts. The e-mails were pleas for money : “I am in a terrible and tight situation here, I don’t even have money to feed myself for a day, which means I have been starving,” read the e-mails, which asked people to wire her money in Africa. The e-mails were signed it with her usual signature of ”Thanx, Mickie”, so that people thought they were legit.
The e-mails also said that she had forgotten the bag with all her money, credit cards, return airline ticket and passport in a taxi, owed the hotel $1000 and needed $1500 to return home.
Her relatives and friends, fearing for her life and safety, started calling to ask how she could have gotten herself into such a mess. One friend actually wired $100 and said he was sorry he couldn’t send her more but he had recently lost his job.
Some of her contacts also knew that she had been to Africa at least once adding to the legitimacy.
Luckily she was home at the time, but it took her almost 8 hours of contacting authorities, Yahoo and her friends to let them know about the hacking and to change her password.
She was lucky in that only one person sent money and not that much. I think she learned her lesson that she needed to have a secure password and to keep it updated on a regular basis.
So remember, when you make a password easy to remember, it is also easy to hack. Even the smallest chink in the armor can be a big crack through which money can flow, usually away from you.
