Category Archives: Security

Website Outage (Resolved)

This morning from 9:12 am, the HSPH website stopped responding due to an issue with our web application firewall. The web and server team quickly resolved the issue with our cloud vendors, restoring access to the site by 9:32 am.

At 1:23 pm, there were additional related issues at our cloud hosting provider.  These were resolved at approximately 6:00 pm.

We apologize for any inconvenience caused by these outages.

Happy National Cyber Security Awareness Month

National Cyber Security Awareness Month (NCSAM) – celebrated every October – was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.

Cybersecurity begins with a simple message everyone using the Internet can adopt: STOP. THINK. CONNECT. Take security and safety precautions, understand the consequences of your actions and behaviors online and enjoy the benefits of the Internet.

Tips & Advice

Keep a Clean Machine

  • Keep security software current: Having the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats.
  • Automate software updates: Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.
  • Protect all devices that connect to the Internet: Along with computers, your smartphones, gaming systems and other web‐enabled devices also need protection from viruses and malware.
  • Plug & scan: USBs and other external devices can be infected by viruses and malware. Use your security software to scan them.

Protect Your Personal Information

  • Secure your accounts: Ask for protection beyond passwords. Many account providers now offer additional ways for you to verify who you are before you conduct business on that site.
  • Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.
  • Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals.
  • Write it down and keep it safe: Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer.
  • Own your online presence: Set the privacy and security settings on websites to your comfort level for information sharing. It’s ok to limit how and with whom you share information.

Connect with Care

  • When in doubt, throw it out: Links in email, tweets, posts and online advertising are often the ways cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete or, if appropriate, mark as junk email.
  • Get savvy about Wi‐Fi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine.
  • Protect your $$: When banking and shopping, check to be sure the site is security-enabled. Look for web addresses with “https://,” which means the site takes extra measures to help secure your information. “Http://” is not secure.

Be Web Wise

  • Stay current: Keep pace with new ways to stay safe online. Check trusted websites for the latest information, share with friends, family and colleagues and encourage them to be web wise.
  • Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true or ask for personal information.
  • Back it up: Protect your valuable work, music, photos, and other digital information by making an electronic copy and storing it safely.

Be a Good Online Citizen

  • Safer for me, more secure for all: What you do online has the potential to affect everyone – at home, at work and around the world. Practicing good online habits benefits the global digital community.
  • Post only about others as you would have them post about you.
  • Help the authorities fight cybercrime: Report stolen finances, identities and cybercrime to http://www.ic3.gov (the Internet Crime Complaint Center) and http://www.onguardonline.gov/file-complaint (the FTC).

Visit http://www.stopthinkconnect.org for more information.

Tech Day will be held on September 25

Do you have technology questions and don’t know who to ask? Have you ever wondered who all these “IT” folks are and how they can help you? Do you like free stuff? If you answered yes to any of these questions, you’re in luck!

The HSPH Information Technology department is hosting a Tech Day on:

September 25th from 12:30 to 2 in the Kresge Cafeteria Atrium

We’ll be showing off the latest tech from tablets to video conferencing, hosting mini-talks, and raffling away prizes.

Come join us, meet the team, and have a great time.

Tables:

  • Dell — representatives from Dell will have the latest laptops, tablets and other machines available through the Harvard contract.
  • Harvard TPC — representatives from Harvard’s Technology Product Center will have the latest Apple products available through the Harvard contract.
  • Office 365 — the User Services Team will demonstrate Office 365, a cloud-based email service that HSPH will be migrating to in 2015.
  • WordPress — the HSPH web team will demonstrate and explain the School’s site-wide responsive design on a variety of devices.
  • Canvas — Media and Educational Technology Services (METS) will demonstrate Canvas, the learning management system that HSPH and Harvard are rolling out over the next year.
  • MediaSite — METS will demonstrate MediaSite, HSPH’s new course capture system that was launched in September 2014.
  • BlueJeans – BlueJeans video conferencing will host a remote session to demonstrate their video conferencing bridging service.
  • Virtual Desktops – The server team will be demonstrating our new virtual desktop, which will allow you to work on the same desktop from anywhere…

Tours:

  • We will offer quick 10-minute tours of the two new distance learning studios in Kresge LL and the HSPH server room.

Hundreds of people stopped by a previous tech day to view new products and services.

Mini-talks (15 minute Q&A talks in Kresge 110):

  • Apple support: What do we offer?
  • Personal security (HRCI, Encryption, Privacy, and Virus Protection)
  • Digital signage
  • Google analytics
  • General Q & A

Vulnerability in Microsoft’s Internet Explorer

Updated: Wednesday, April 30th

Dear Members of the Harvard Community,

The U.S. Department of Homeland Security recommends that all users temporarily discontinue the use of Microsoft Internet Explorer (IE) due to a critical security flaw.

Harvard Information Security recommends that all members of the Harvard community use another browser, such as Mozilla Firefox or Google Chrome, until a fix has been issued for IE.

If Harvard internal sites require the use of IE, please limit use to those specific sites.

For more information about this flaw, please visit the Harvard Information Security website, security.harvard.edu.

Sincerely,
Christian Hamer
University Chief Information Security Officer

___________________________________

Tuesday, April 29th

Many of you may have heard or read in the news of the recent vulnerability in Microsoft’s Internet Explorer. Microsoft has released a workaround until a patch is designed to fix this issue. SPH IT is now pushing out this workaround to SPH-configured Windows 7 PCs. Once this is done, the risk is mitigated until the patch is released fixing the vulnerability.

For those not using a Windows PC configured by the SPH IT department, or using any Windows XP PC (which is no longer supported by Microsoft and will not be patched at all), we recommend not using Internet Explorer and instead using a more secure web browser, such as Firefox or Chrome, for all non-Harvard web sites.

Please contact the Helpdesk (helpdesk@hsph.harvard.edu or 617.432.4357) with any questions or concerns.

Thank you,

Bill Mahoney
Director, Information Technology

New Policy on Access to Electronic Information Posted

Harvard University has posted a new University-wide policy on access to electronic information.

The policy on electronic information is grounded on six important principles:

  • Access should occur only for a legitimate and important University purpose.
  • Access should be authorized by an appropriate and accountable person.
  • In general, notice should be given when user electronic information will be or has been accessed.
  • Access should be limited to the user electronic information needed to accomplish the purpose.
  • Sufficient records should be kept to enable appropriate review of compliance with this policy.
  • Access should be subject to ongoing, independent oversight by a committee that includes faculty representation.

Read the full Harvard Gazette article.

Guidance on the “Heartbleed” Internet security vulnerability

To All SPH Faculty, Staff, and Students:

Last week, a security flaw dubbed “the Heartbleed bug” was discovered in a common Internet security protocol (OpenSSL) that protects credentials, such as usernames, passwords, and credit card numbers. An explanation of this flaw can be found on the Harvard Information Security website at: http://security.harvard.edu/heartbleed. Harvard IT professionals across the University, and our own server team, web team, and Andy Ross, our security manager, acted quickly to assess and patch any websites or applications that may have been vulnerable. The Harvard PIN system and other enterprise applications were not affected as a result of Heartbleed, and Harvard Information Security currently has no indication that any information has been compromised.

Although there is a low risk that your Harvard account credentials were compromised, you are at greater risk if you use the same password for your Harvard accounts as for your personal accounts, such as personal email, social media, and other websites. We strongly recommend that you change your Harvard password immediately if you have also used it for external non-Harvard accounts. Furthermore, it is important to not use the same password for Harvard and personal accounts going forward. It is always good practice to periodically change all your account passwords, and this may be a good opportunity to refresh your Harvard passwords even if you believe you are at low risk of being affected by Heartbleed.

You can find full instructions on how to change your Harvard passwords on our I/T Dept. website at: http://isites.harvard.edu/fs/docs/icb.topic731455.files/password_information_41414.pdf

If you have an SPH encrypted laptop, pay close attention to the instructions under sections 2.2 and 2.3. Also, BEFORE changing your OUTLOOK Email password (see section 2.5), be sure to turn off all your portable devices (iPhone/iPad/Android/Tablet), to avoid your email getting locked out on that device.

If you have any questions or concerns about this security issue or need assistance to change your passwords, please contact the Helpdesk at 617-432-HELP or Helpdesk@hsph.harvard.edu  (Mon-Fri: 8 a.m.-6 p.m.)

Taso Markatos
CIO, SPH I/T Dept.

Fraud/Phishing alert from Bank of America

Bank of America has contacted Harvard University to make us aware of a recent email scam that has affected the University of Michigan and two local schools. The emails will appear to come from an official University department with a link asking employees to either confirm their login information or update their payroll or Open Enrollment benefits. If employees enter their data, it is captured by the perpetrators of the fraud. Once that credential data is captured, the information may then be used to change direct deposit information.

As always, please be suspicious of any link in email. If asked to log in to PeopleSoft or another sensitive system, do not follow the link. Instead, enter the URL directly into your web browser, or connect via a trusted source such as harvie.harvard.edu.

If you suspect that you are the victim of a fraudulent email, please contact the HSPH Helpdesk for support.

Thank you

National Cyber Security Awareness Month Events

In recognition that October is National Cyber Security Awareness Month, Harvard University Information Technology Security will be conducting information security briefings in the LMA area for faculty, students and staff.

Two will be at the Harvard Medical School (HMS) and one at the School of Public Health (SPH).

Below is the schedule:

October 4th, 10–11 am at HMS TMEC 227

Topics: “Cloudy with a chance of identity theft. Why a good password is very often your best defense” and “Is it ever not social? Protecting yourself in the age of social networking.”

October 10th, 12–1 pm at SPH Kresge G1

Topics: “Is it ever not social? Protecting yourself in the age of social networking.” and “Have device, will travel. How to be mobile and safe.”

October 17th, 2–3 pm at HMS TMEC 227

Topics: “Have device, will travel. How to be mobile and safe.” and “Taming Lions, Tigers… and Windows. Turn your operating system into a lean, mean, malware-fighting machine.”

Please come out and participate in a practical discussion on how to maintain your privacy.

Summer Security Tips

As HSPH faculty and staff begin heading out for the summer, we want to remind everyone of some important information security policies.

  • Harvard policy requires that all Harvard-owned laptops be encrypted. If your laptop is not encrypted, please call our Helpdesk (432-help) to arrange for laptop encryption.
  • If you are traveling outside of the U.S. with an encrypted laptop or device, please consult the following link for some important information:
  • High Risk Confidential Information should not be stored on any mobile device (laptop, netbook, smart phone, USB key, etc.)
  • This fall the Information Technology Department will resume hosting information security briefings to update the HSPH community on new policies and changes regarding data security.

Thank you,
HSPH Department of Information Technology

HSPH Secure Passwords Rescheduled to Monday, Feb 7th

Date changed to Monday, February 7th due to weather.

On Monday, February 7th, we will complete our secure password migration for all HSPH systems. This will only affect a small number of HSPH users.

For those of you who have already completed this process in July-September, there will be no change on Thursday.

Each user affected will be required to reset their password after logging in to either Novell on a computer or the GroupWise email system.

Additionally, we have rolled out a new service that will allow you to reset your password 24-7-365 without having to call the HSPH Helpdesk.

To use the HSPH self-service system, each user will be required to establish four security challenge questions.

Starting on Thursday, you can visit https://password.sph.harvard.edu to set up your challenge questions and change your password.

It should take users no longer than 5 minutes to make the required changes.

For complete information on secure passwords and screen shots outlining the process, please visit:

HSPH Complex Password Policy ( http://isites.harvard.edu/fs/docs/icb.topic745555.files/complex-password-policy-email.pdf )

Please contact the Helpdesk at 617-432-4357 or helpdesk@hsph.harvard.edu if you have any questions.

Thank You!
HSPH IT Helpdesk