May 2, 2014

Microsoft Internet Explorer Fixed

By Mike Holliday

On Tuesday, May 1, 2014, Microsoft released a critical security update for Internet Explorer (IE). Users are encouraged to run Windows Update to patch their systems. A patch has been issued for all versions of IE, including on Windows XP.

To run Windows Update

  • Click Start
  • In the Search box, type: Windows Update
            (XP users may find it under Programs-Accessories-System Tools)
  • Choose Check for Updates
  • Install ALL Important/Security Updates (optional updates are optional)
            - Some updates may require a system reboot to completely finish the installation.
            - Some updates are cumulative, so you may need to repeat the steps above to get all important updates.

To verify that you are patched

  • Click Start
  • In the Search box, type: Windows Update
  • Click on View Update History
  • Sort by Date Installed
  • Look for:  Security Update for Internet Explorer..... (KB2964358)  or  (KB2964444)
           - Look for Installed On date:  5/1/2014 (or since)

If you have either KB update mentioned above, your Internet Explorer is patched and you should feel "safe" to use IE again.


For personal home computers
Make sure your system is enabled to get updates automatically from Microsoft.  For instructions to get security updates automatically from Microsoft, visit: www.microsoft.com/security/pc-security/updates.aspx
(NOTE: SVSU managed systems are already set to automatically obtain updates)

For those interested in the technical details about this security bulletin from Microsoft, visit: technet.microsoft.com/library/security/ms14-021

For known issues about the security update: support.microsoft.com/kb/2965111

If you have any questions or concerns, please contact the I.T. Support Center at 989-964-4225. 

April 29, 2014

Internet Explorer Vulnerability

By Mike Holliday

The Department of Homeland Security (DHS), along with US-CERT (Computer Emergency Readiness Team), has issued an advisory for users of Internet Explorer (IE) to discontinue use of IE until it is patched by Microsoft. The vulnerability is active and is being used to exploit and compromise systems. Data and personal information are at high risk.

CERT has recommended users switch to another browser (Firefox/Chrome) until Microsoft has issued a fix.  As noted in a previous news article, users of Windows XP are even more vulnerable to this exploit.

Until further notice, SVSU ITS recommends all users switch and use Firefox or Chrome. 

Download Firefox from: www.mozilla.org

Download Chrome from: www.google.com/intl/en/chrome/browser

To learn how to change your default browser in Windows 7, watch this tutorial we put together: www.youtube.com/watch?v=VeKGU9UrS7c

-----------------------------------

For more details about this CERT alert:  www.kb.cert.org/vuls/id/222929

From Microsoft, their technical details and workaround are posted in the following article:

technet.microsoft.com/en-US/library/security/2963983

April 11, 2014

Protect Yourself Against Heartbleed

Posted 4/11/2014

By Holly LaRose-Roenicke

As many of you may have heard, a flaw has been discovered in a common Internet security method. Although no specific security breaches have been identified, the flaw could allow malicious users to steal personal information. The flaw is associated with specific versions of OpenSSL, which is software that is widely used to secure web server traffic. The flaw is known as the "Heartbleed" vulnerability.

Many common websites using OpenSSL have been identified as vulnerable, including Yahoo!, Flickr, NASA and Facebook, among others. A fix for this flaw, which was announced this week, is available, and Internet service providers and website managers around the world are working to implement the patch.

What You Need to Do

ITS is strongly urging all SVSU students, staff and faculty to change your network password. To change your password, please go to my.svsu.edu and click on "changing your password" below the login box and follow the prompts to change your current password. 

Other Websites

  • For non-SVSU web services that contain sensitive data, refrain from logging in for a few days while those servers are patched or until you are certain they are not at risk. Or check a list of 100 most common websites and whether they have been fixed.
  • Confirm that websites you use have checked their systems and fixed them if needed. Once a website has patched the Heartbleed vulnerability, you should change your password for that site as swiftly as possible.
    • The password security firm LastPass has set up a Heartbleed Checker, which allows you to enter the URL of any website to check its vulnerability to the bug and whether the site has issued a patch.
  • If the site or service hasn't patched the flaw yet, contact the company and ask when it expects to push out a fix to deal with Heartbleed.
  • If they have not patched the flaw, avoid logging in to their service until they do. Once they confirm they have fixed the problem, then change your password.

To get detailed information on this bug, you can visit the http://heartbleed.com/ website.

The safety and security of the Saginaw Valley community is paramount – please use the above resources to ensure your personal information is protected.

April 1, 2014

Building a Better Password

Originally Updated 2/1/2012 © 2012 ePlace Solutions, Inc.

By Jennifer Paradise

Frustrated with trying to conjure up a password that no one could guess and that you’re not supposed to write down?  You’re not alone.

This training bulletin is designed to help.  In addition to offering the current “best practice” advice on passwords, some helpful tips are included.

Password Best Practices: 

  • Make your password at least eight characters long, but the longer the better.
  • Try to avoid repeating characters more than twice.
  • Make sure it has at least one letter, and one number.
  • Use a mix of small and capital letters. 
  • Use at least two of these characters somewhere in your password: ~!@#$%^&*()-_+={}[]\|;:/?.,<>.

How could anyone remember a password that complies with all of these best practices?   Here are some tips:

Think of some activity or place that you enjoy or find interesting, but avoid subjects that you discuss in social media, birthplaces, etc.  For example, you might say that Brazil, South America is interesting.  Start by making the password a manageable length, like BrazilSoAm.  Next, employ some of these ideas, or come up with your own variations:

  • The letter “a” looks like “@”, so swap it.  Now the password is Br@zilSo@m
  • The letter “i” looks a little like an exclamation point “!”, so swap it.  Now the password is Br@z!lSo@m.
  • The letter “L” looks a little like the number “1”, so swap it.  Now the password is Br@z!1So@m.
  • You might think that “Brazil, South America” could be separated to be easier to read, so add your favorite separator.  Now the password is Br@z!1>So>@m.

Some other ideas to get you thinking:  The letter “B” looks a little like “(3” or “/3”.  An “S” could be replaced with “$”.
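The best-practice list above can be checked mechanically. The following is an added example, not part of the original bulletin, that tests each step of the BrazilSoAm progression against those rules. It assumes that "repeating characters more than twice" means three identical characters in a row and that the two special characters may be the same symbol used twice; `check_password` and `audit` are hypothetical names.

```python
import re

# Special characters copied from the bulletin's list.
SPECIALS = set("~!@#$%^&*()-_+={}[]\\|;:/?.,<>")


def check_password(pw):
    """Return the bulletin rules that pw fails (an empty list means compliant)."""
    failures = []
    if len(pw) < 8:
        failures.append("length")
    # Assumption: "more than twice" means three identical characters in a row.
    if re.search(r"(.)\1\1", pw):
        failures.append("repeat")
    if not any(c.isalpha() for c in pw):
        failures.append("letter")
    if not any(c.isdigit() for c in pw):
        failures.append("number")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("mixed-case")
    # Assumption: two occurrences count, even of the same symbol.
    if sum(c in SPECIALS for c in pw) < 2:
        failures.append("two-specials")
    return failures


# The bulletin's own progression, in order.
STEPS = ["BrazilSoAm", "Br@zilSo@m", "Br@z!lSo@m", "Br@z!1So@m", "Br@z!1>So>@m"]


def audit(steps=STEPS):
    """Map each candidate password to the list of rules it fails."""
    return {pw: check_password(pw) for pw in steps}


if __name__ == "__main__":
    for pw, failed in audit().items():
        status = "OK" if not failed else "fails: " + ", ".join(failed)
        print(f"{pw:14} {status}")
```

The first three steps still fail the "one number" rule; the password only becomes compliant once the "1" is swapped in.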

March 21, 2014

Windows 7 Upgrade Project

By John LaPrad

Microsoft has announced that, effective April 8th, 2014, they are discontinuing support for Windows XP. Because of this, SVSU will be upgrading all Windows XP computers (about 400) to Windows 7 and converting the computers from Novell to Windows Active Directory. This upgrade project will take place over the next 2 months.

Each computer user will be interviewed to determine what files, printers, and applications they have. All personal files will be backed-up and re-loaded on the computer after the upgrade. A full copy of the original computer will be maintained for two weeks to provide a safety net in case any files were missed during the upgrade process.

ITS has contracted with the company SPI to help make the migration happen as quickly as possible. The SVSU ITS Technical Services team will work closely with SPI to make sure the upgrade goes smoothly, and ITS Support Center will be available to answer questions.

If you have any questions about the upgrade or upgrade process, please call the ITS Project Manager, John LaPrad at 989-964-7134.

Thank you in advance for your understanding and cooperation during this process.

March 18, 2014

Microsoft Announces Windows XP End of Support

By Mike Holliday

Microsoft has announced the end of their support for Windows XP on April 8th.  For those that still use it, you should be aware that your system will no longer receive:

  • Security patches to help protect against viruses and malware
  • Software and content updates
  • Technical assistance from Microsoft.

If you choose to keep using Windows XP after April 8th, your system and data are at a greater risk of attack or data theft/loss. Your system will not be compatible with newer software, as well.

Internet Explorer version development for Windows XP ceased a long time ago, and future updates/patches for those older versions will cease. It has been recommended to use other browsers for Windows XP, to help mitigate risk.  Please note: due to the lack of future support for Windows XP, software developers (including browsers) will likely abandon further development and patches for their XP products.

Your best course of action, to protect your system and maintain performance, is to upgrade to a newer operating system. For university-owned equipment, there is an action plan coming forth and you should look for that communication coming soon. 

This advisory is really intended for the campus community and their personal home computer systems.

March 13, 2014

Campus Phishing Alert

By Joe Wojtkiewicz

We have another round of phishing/spam attempts circulating. This time they spoof the Sender information and make it appear as if sent from support@svsu.edu and "Web-mail Administrator".  It is an attempt to collect your account username and password to compromise your account to send out additional spam. 

ITS will not ask you to verify or update your account using links.  When in doubt, give the I.T. Support Center a call - or click on your SPAM button to report the message and remove it from your inbox.

 

Here is an example of the most recent attempt:

Phishing Example

March 6, 2014

Something Smells "Phishy" -- How to Spot Bogus Emails

© 2012 ePlace Solutions, Inc.

By Jennifer Paradise

You have probably heard about "phishing" by now. You have also probably been told to look for clues in emails that indicate that someone may be trying to get personal information from you. What should you look for in an email? Here are a few tips to keep you and your information safe from would-be thieves. 

Something Smells Phishy (464kB)

Image pointing out some characteristics of "phishy" emails.

March 3, 2014

What's "Social Engineering?" How does it affect me?

Originally updated 9/26/2012 © 2012 ePlace Solutions, Inc.

By Jennifer Paradise

Criminals use manipulative techniques known as "social engineering" to deceive their victims into revealing sensitive information.  Such scams play on emotions like fear and the human tendency to want to help or trust others. A common approach uses fraudulent "phishing" e-mails, as in fishing for information. The scamming e-mail is often designed to look as though it comes from an individual or organization the recipient will recognize, or has an existing relationship with. The message attempts to fool the recipient into revealing sensitive information. The mechanisms used may entice the recipient to (a) click on a link leading to a fraudulent website (although it may appear legitimate), (b) reply to a specific offer or request in the e-mail, or (c) download an infected attachment.

Defending against social engineering attacks is difficult because cyber thieves are creative and constantly coming up with new approaches, but the following guidance can help avoid becoming a social engineering victim.

Think before you click. Be cautious with any message you don't expect or that doesn't make sense. If you get a message from the New York police about a speeding ticket but you have not been driving in NY recently, it's bogus. Delete immediately. Even if you had been driving in NY, ask yourself whether it makes sense that the NY police have your e-mail address. Probably not.

Be wary of offers of something for nothing. These are most likely scams. Won the lottery without entering? A free gift card from a store you don't patronize? Likely bogus.

Check validity with a web search. If you suspect the offer/threat could be real, don't click. Search instead. Many sites list known hoaxes. Reading through these can put your mind at ease.

Carefully scrutinize the destination of links in e-mails and text messages. Hover your mouse/finger over the link to see where it really goes. Clever phishers sometimes include valid links among the malicious links in the e-mail in a further attempt to disguise their intent.

Do not respond to unsolicited requests for sensitive information, whether by e-mail, phone, or text message. If an unsolicited caller starts asking for personal information, it's time to end the call.

Do not submit personal information via website pop-up screens. Legitimate organizations do not ask for personal information via pop-ups.

If you think a request might be valid but can't verify the identity of the requester, then contact the organization making the request yourself so you can be sure of whom you are talking to.

February 28, 2014

ITS Announces a New Service Tracking System

Submit and track IT support tickets at http://mysupport.svsu.edu

By Mike Holliday

As users of the SVSU ITS Service Management System for IT requests, you now have the ability to submit new IT requests, to see status updates, and to track the progress of your requests online at: mysupport.svsu.edu

Additionally, ITS is launching the Service Request Management Customer Satisfaction Survey, which will allow users to provide valuable feedback specific to their requests.  We plan to use your responses to better understand and serve the campus.

A quick overview document (with screenshots) can be found here.

By visiting www.svsu.edu/its you will find a link to mySupport Online under the Contact Us section.