Heartbleed Security Vulnerability
What is happening?
On April 7, researchers announced a security vulnerability called "Heartbleed" that affected the security of over 66% of websites around the globe. The Heartbleed Security Vulnerability affects OpenSSL (secure browsing) by allowing attackers to read information that is expected to be encrypted. Critical information such as passwords or secret keys could be leaked if the problem is exploited. You can find more information about the issue on the Heartbleed website http://www.heartbleed.com.
Who is impacted?
Heartbleed is primarily a vulnerability that affects web servers that host secure (https) web pages. People who entered information into an unpatched web site after April 7th could have potentially exposed their information.
What is being done?
The Office of Information Technology has enacted a remediation plan in accordance with http://www.us-cert.gov and has been actively scanning the network to locate vulnerabilities since April 8th. As vulnerabilities have been identified, security patches have been applied immediately. We are continuing to scan and monitor systems and work with campus personnel and vendors to ensure that vulnerabilities are patched.
How will this impact me?
Most users will not be impacted. Password changes are not needed for most users of ISU systems because the majority of ISU systems including the MyISU Portal were not affected. OIT will notify the users of systems that were affected. Also, please remember that university personnel will never ask for your username and password.
What do I do if I have problems?
Please contact the OIT Help Desk at extension 2910.
Implementation of Screen Saver/Timeout Policy
As part of its ongoing efforts to improve the overall security of our computing environment, and under the leadership of Chief Information Security Officer Josh Flaherty, OIT is introducing a screen locking standard. For details, see: http://www.indstate.edu/oit/standards/screenlockingstandard.php.
On April 1, 2014, all ISU-owned computers that are attached to the ISU Active Directory domain will be updated for this policy. After the update occurs, the computer screen saver will activate after 15 minutes of inactivity (no action by keyboard or mouse), and the user’s password must be entered to reactivate the screen.
Computers impacted include primary computers used by regular faculty and staff; pool computers used by lecturers, student employees, and others; and computers in OIT-maintained labs.
Some computers will not be subject to the standard, since they do not contain data or are used in ways that cannot accommodate the activation of the screen saver lock. These include classroom computers and special purpose computers used in research.
It is a best practice to lock your screen manually when you get up and move away from your computer for any length of time. The automated screen lock will help to back up this practice and to ensure institutional data are protected from unauthorized access if you forget to lock your screen.
Please contact the OIT Help Desk at x2910 or by entering a ticket in the MyISU portal if you have questions or concerns.
Where Did the MyISU Badge Go?
On March 13th the MyISU Portal badge was removed from the home page of Portal users and moved to the MyISU Apps page. In its place students, staff, and faculty should see the new badges according to their role on campus.
You can use the appropriate Self-Service badge to get to the same information quicker and easier.
The new badges look like this (depending on your role):
The old MyISU Portal badge will be officially removed on April 14th.
For more information about these new badges go to http://www.indstate.edu/oit/about/faq_luminis.php.
KeePass Password Management Software
Most users have many different accounts and passwords for applications and services. With increases in password strength and password expiration policies, it is important to have a secure way to organize and remember passwords. To help solve this issue, the Office of Information Technology is recommending password management software called KeePass. KeePass is a free, open source password manager that helps you manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file, so you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known.
KeePass can be downloaded from http://keepass.info/download.html (download the latest Professional Edition).
For questions, go to http://www.indstate.edu/oit/security/keepassinstructions.php or contact email@example.com.
Public Safety and OIT Partner on Emergency Messaging Upgrade
OIT is working with Joe Newport and others in Public Safety to update and improve our notification process for emergency messages on campus computers.
Starting February 24, OIT is distributing Alertus software to all faculty and staff Windows computers that attach to the ISU network.
See the schedule here.
To see the Alertus screen that will pop up during our monthly emergency tests and in the event of a real emergency, click here.
For questions, call the Help Desk at x2910.
Student Employee Scam, 'Spear Phishing' Emails Target Online Banking
ISU employees should be on alert for fraudulent "phishing" emails designed to steal employee credentials to university and other banking websites. The emails have targeted university employees across the nation, attempting to get them to reveal online login and password information or submit the credentials to a fraudulent site. Cyber-criminals are using the credentials to modify banking information to divert paychecks.
There is also a scam, sometimes part of the online banking scam mentioned above, that targets students who are looking for employment. The scammers either deposit funds from the online banking scam into the student’s account or mail fraudulent checks to the student, who is then tricked into wiring money to the scammers because they are told it is part of their job duties.
Do not click on or respond to any message that asks for credentials or personal information. ISU will never ask for individual login, password or other personal information via email.
People who have responded to an email or are made aware of scams involving student employment should immediately contact the OIT Help Desk at x2910 or IT-Help@indstate.edu.
OIT Help Desk is Changing Hours
The OIT Help Desk has changed its hours of operation. The new hours are:
Monday – Thursday: 7:30 AM to 7:00 PM
Friday: 7:30 AM to 4:30 PM – No hours change
Sunday: 3:00 PM to 9:00 PM – No hours change
This change only involves the OIT Help Desk, which provides initial phone support and response primarily for problems related to faculty and staff computers, and the software that runs on them. Additionally, any calls which come into the Help Desk line outside of the operating hours shown above will continue to be answered by our Operations personnel as they are today.
There will be no change to the following:
- Classroom support through the hotline phones.
- Instructional Tools Support (web-based courses) at x7000
- Student Help Desk in Stalker at x8800
If you have any questions or concerns related to this change, please contact Aaron Brink (firstname.lastname@example.org).
Windows 8 FAQ for Students
A list of frequently asked questions concerning Windows 8 is now available at http://indstate.edu/oit/helpdesk/windows8.php.