Category Archives: Security

Vulnerability in Microsoft’s Internet Explorer

Updated: Wednesday, April 30th
Dear Members of the Harvard Community,
The U.S. Department of Homeland Security recommends that all users temporarily discontinue the use of Microsoft Internet Explorer (IE) due to a critical security flaw.
Harvard Information Security recommends that all members of the Harvard community use another browser, such as Mozilla Firefox or Google Chrome, until a fix has been issued for IE.
If Harvard internal sites require the use of IE, please limit use to those specific sites.
For more information about this flaw, please visit the Harvard Information Security website, security.harvard.edu.
Sincerely,
Christian Hamer
University Chief Information Security Officer

___________________________________

Tuesday, April 29th

Many of you may have heard or read in the news of the recent vulnerability in Microsoft’s Internet Explorer. Microsoft has released a workaround until a patch is designed to fix this issue. SPH IT is now pushing out this workaround to SPH configured Windows 7 PCs. Once this is done, the risk is mitigated until the patch is released fixing the vulnerability.

For those not using a Windows PC configured by the SPH IT department or using any Windows XP PC (which is no longer supported by Microsoft and will not be patched at all), we recommend not using Internet Explorer and instead using a more secure web browser, such as Firefox or Chrome, for all non-Harvard web sites.

Please contact the Helpdesk (helpdesk@hsph.harvard.edu or 617.432.4357) with any questions or concerns.

Thank you,

Bill Mahoney
Director, Information Technology

 

New Policy on Access to Electronic Information Posted

Harvard University has posted a new University-wide policy on access to electronic information.

The policy on electronic information is grounded on six important principles:

  • Access should occur only for a legitimate and important University purpose.
  • Access should be authorized by an appropriate and accountable person.
  • In general, notice should be given when user electronic information will be or has been accessed.
  • Access should be limited to the user electronic information needed to accomplish the purpose.
  • Sufficient records should be kept to enable appropriate review of compliance with this policy.
  • Access should be subject to ongoing, independent oversight by a committee that includes faculty representation.

Read the full Harvard Gazette article.

Guidance on the “Heartbleed” Internet security vulnerability

To All SPH Faculty, Staff, and Students:

Last week, a security flaw dubbed “the Heartbleed bug” was discovered in a common Internet security protocol (OpenSSL) that protects credentials, such as usernames, passwords, and credit card numbers. An explanation of this flaw can be found on the Harvard Information Security website at: http://security.harvard.edu/heartbleed. Harvard IT professionals across the University, and our own server team, web team, and Andy Ross, our security manager, acted quickly to assess and patch any websites or applications that may have been vulnerable. The Harvard PIN system and other enterprise applications were not affected as a result of Heartbleed, and Harvard Information Security currently has no indication that any information has been compromised.

Although there is a low risk that your Harvard account credentials were compromised, you are at greater risk if you use the same password for your Harvard accounts as for your personal accounts, such as personal email, social media, and other websites. We strongly recommend that you change your Harvard password immediately if you have also used it for external non-Harvard accounts. Furthermore, it is important to not use the same password for Harvard and personal accounts going forward. It is always good practice to periodically change all your account passwords, and this may be a good opportunity to refresh your Harvard passwords even if you believe you are at low risk of being affected by Heartbleed.

You can find full instructions on how to change your Harvard passwords on our I/T Dept. website at: http://isites.harvard.edu/fs/docs/icb.topic731455.files/password_information_41414.pdf

If you have an SPH encrypted laptop, pay close attention to the instructions under section 2.2 and 2.3. Also, BEFORE changing your OUTLOOK Email password (see section 2.5), be sure to turn off all your portable devices (iPhone/iPad/Android/Tablet), to avoid your email getting locked out on that device.

If you have any questions or concerns about this security issue or need assistance to change your passwords, please contact the Helpdesk at 617-432-HELP or Helpdesk@hsph.harvard.edu (Mon-Fri: 8 a.m.-6 p.m.).

Taso Markatos
CIO, SPH I/T Dept.

Fraud/Phishing alert from Bank of America

Bank of America has contacted Harvard University to make us aware of a recent email scam that has affected the University of Michigan and two local schools. The emails will appear to come from an official University department with a link asking employees to either confirm their login information or update their payroll or Open Enrollment benefits. If employees enter their data, it is captured by the perpetrators of the fraud. Once that credential data is captured, the information may then be used to change direct deposit information.

As always, please be suspicious of any link in email. If asked to log in to PeopleSoft or another sensitive system, do not follow the link. Instead, enter the URL directly into your web browser, or connect via a trusted source such as harvie.harvard.edu.

If you suspect that you are the victim of a fraudulent email, please contact the HSPH Helpdesk for support.

Thank you

National Cyber Security Awareness Month Events

In recognition that October is National CyberSecurity Awareness month, Harvard University Information Technology Security will be conducting information security briefings in the LMA area for faculty, students and staff.

Two will be at the Harvard Medical School (HMS) and one at the School of Public Health (SPH).

Below is the schedule:

October 4th 10 – 11 am at HMS TMEC 227

Topics: “Cloudy with a chance of identity theft. Why a good password is very often your best defense” and “Is it ever not social? Protecting yourself in the age of social networking.”

October 10th 12 – 1 pm at SPH Kresge G1

Topics: “Is it ever not social? Protecting yourself in the age of social networking.” and “Have device, will travel. How to be mobile and safe.”

October 17th 2 – 3 pm at HMS TMEC 227

Topics: “Have device, will travel. How to be mobile and safe.” and “Taming Lions, Tigers…..and Windows, Turn your operating system into a lean, mean, malware fighting machine.”

Please come out and participate in a practical discussion on how to maintain your privacy.

Summer Security Tips

As HSPH faculty and staff begin heading out for the summer, we want to remind everyone of some important information security policies.

  • Harvard policy requires that all Harvard-owned laptops must be encrypted. If your laptop is not encrypted, please call our Helpdesk (432-help) to arrange for laptop encryption.
  • If you are traveling outside of the U.S. with an encrypted laptop or device, please consult the following link for some important information:
  • High Risk Confidential Information should not be stored on any mobile device (laptop, netbook, smart phone, USB key, etc.)
  • This fall the Information Technology Department will resume hosting information security briefings to update the HSPH community on new policies and changes regarding data security.

Thank you,
HSPH Department of Information Technology

HSPH Secure Passwords Rescheduled to Monday, Feb 7th

Date changed to Monday, February 7th due to weather.

On Monday, February 7th, we will complete our secure password migration for all HSPH systems. This will only affect a small number of HSPH users.

For those of you who have already completed this process in July-September, there will be no change on Thursday.

Each user affected will be required to reset their password after logging into either Novell on a computer or the Groupwise email system.  

Additionally, we have rolled out a new service that will allow you to reset your password 24-7-365 without having to call the HSPH Helpdesk.

To use the HSPH self-service system, each user will be required to establish four security challenge questions.

Starting on Thursday, you can visit https://password.sph.harvard.edu to set up your challenge questions and change your password.

It should take users no longer than 5 minutes to make the required changes.

For complete information on secure passwords and screen shots outlining the process, please visit:

HSPH Complex Password Policy ( http://isites.harvard.edu/fs/docs/icb.topic745555.files/complex-password-policy-email.pdf )

Please contact the Helpdesk at 617-432-4357 or helpdesk@hsph.harvard.edu if you have any questions.

Thank You!
HSPH IT Helpdesk

Data Loss Protection Software Implemented at HSPH

The fourth item in Harvard University’s Information Security Mandate “Finding High Risk Confidential Information (HRCI),” requires that each School must ensure that all University-owned computers and servers are annually scanned to locate High Risk Confidential Information (HRCI).

In response to this University mandate and over the next few weeks, the HSPH Department of Information Technology will begin deploying a new security product called Data Loss Prevention (DLP), from McAfee. This product will be used to scan all HSPH-owned PCs and servers for HRCI annually. Once the automated scan of your computer is completed, each user will receive an email from the DLP system, listing any files which meet the preset patterns for HRCI, such as social security numbers. The user is then responsible for investigating and remediating the information as necessary.

As a reminder to everyone, the Harvard Enterprise Information Security Policy states that no High Risk Confidential Information may be stored on any PC, laptop or other portable media, and approval must be obtained from the University and school Security officers prior to storing any HRCI data on a secure server.

The University’s complete Information Security policy can be found at: http://www.security.harvard.edu/
Note: this offering is for PCs only, Macs are not targeted at this time.

For questions or assistance with this policy, please contact Andy Ross, HSPH Security Manager at 617-432-1279 or aross@hsph.harvard.edu.

Computer System Maintenance on Thursday, September 16, 2010

On Thursday evening, September 16th, we will be performing our normal system maintenance to all servers and network equipment.

The maintenance window will last from 7:00 PM until 1:00 AM.

The following services will have one or two small outages:
(You can continue to work, but may have brief pauses while services restart)

The following services will be unavailable for the duration of the maintenance window:

The IT Department recommends that you reboot your PC after any system maintenance.

This will ensure that the proper software updates are applied to your computer.

Be Green! We also request that you shut down your PC before you leave every day.

All future planned maintenance windows are Thursday nights from 7PM to 1AM and on the following dates:

  • 10/14/2010
  • 11/11/2010
  • 12/16/2010

Last Call for Laptop Encryption

For the past 6 months, the User Services staff have been encrypting HSPH-owned Windows laptops in order to meet the new university security mandates.

For the final phase of this process, we are asking any faculty and staff who still have not had their laptops encrypted to contact us directly to set up an encryption appointment.

If you could please email us at helpdesk@hsph.harvard.edu with the most convenient days for us to encrypt your laptop, we will get back to you with a confirmed time. Since the encryption takes 24 hours, any laptops brought in on a Friday will be kept until Monday. If your laptop has already been encrypted, you do not need to reply.

Please feel free to contact the Helpdesk at 432-HELP if you have any questions.

Thank you and have a great day!
