Reporting a Lost or Stolen Device

As computing devices become increasingly numerous and increasingly portable, they become much easier to lose — or to have stolen. Recently, phones and computers have gone missing even from within SoM offices and labs. Any employee who's lost a device that is being used for Stanford business, whether

About: WindowsXP Secure Network

In our previous blog post, we mentioned that Microsoft will stop supporting WindowsXP on April 8, 2014, which means that they will no longer be issuing security patches for that operating system. Therefore, Stanford’s goal is to phase out the use of WindowsXP by that date.

Some equipment may be granted an exception, if the WindowsXP device is used to run equipment where a system upgrade would be prohibitively expensive or otherwise impossible. IRT is therefore offering to host certain WindowsXP devices on a separate, secure network that offers additional protections to make up for the lack of software patches.

If you are in charge of such a machine that can’t be easily upgraded, contact IRT Security to take advantage of this secure network.


Standards for the WindowsXP Secure Net include:

  • Network subnets for XP machines are limited to a range of 14 devices each (/28) to limit the risk to others should one of the machines become compromised. No traffic between these networks is allowed.
  • Data transfers out are allowed, but no email or web services out – incoming traffic is severely limited as well.

Network Firewall Rules:

  • All outbound SMTP and web access is blocked from the WindowsXP Secure subnets.
  • Outbound file transfers are allowed to Stanford hosts; all other off-campus outbound traffic is blocked.
  • Inbound ping and traceroute are allowed, but nothing else.
  • For remote management from on campus, we can set up VPN access to the XP devices.
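As an added illustration (not IRT's own tooling or part of the original post), the following Python policy check encodes the subnet and firewall rules above and classifies sample flows. The address ranges are constructed for the example; 10.0.0.0/8 simply stands in for "Stanford hosts", and the traceroute port range is the classic Unix UDP probe range.

```python
import ipaddress

# Constructed sample addressing (not Stanford's real ranges): two /28 XP subnets
# and a block standing in for "Stanford hosts". A /28 has 16 addresses, 14 usable.
XP_SUBNETS = [ipaddress.ip_network("10.20.0.0/28"),
              ipaddress.ip_network("10.20.0.16/28")]
CAMPUS = ipaddress.ip_network("10.0.0.0/8")

SMTP_WEB_PORTS = {25, 80, 443}          # outbound email and web: blocked
TRACEROUTE_UDP = range(33434, 33535)    # classic Unix traceroute probe ports


def xp_subnet_of(addr):
    """Return the XP /28 containing addr, or None if it is not an XP host."""
    ip = ipaddress.ip_address(addr)
    return next((net for net in XP_SUBNETS if ip in net), None)


def usable_hosts(net):
    """Number of host addresses in a subnet (network and broadcast excluded)."""
    return sum(1 for _ in net.hosts())


def flow_allowed(src, dst, proto, port=None):
    """Classify one flow per the Secure Net rules; returns (allowed, reason)."""
    s, d = xp_subnet_of(src), xp_subnet_of(dst)
    if s is None and d is None:
        return True, "not a Secure Net flow"
    if s and d:
        if s != d:
            return False, "no traffic between XP subnets"
        return True, "same subnet; governed by the local host firewall"
    if s:                                   # outbound from an XP host
        if port in SMTP_WEB_PORTS:
            return False, "outbound SMTP/web is blocked"
        if ipaddress.ip_address(dst) in CAMPUS:
            return True, "outbound to a Stanford host"
        return False, "off-campus outbound is blocked"
    # inbound to an XP host: only ping and traceroute get through
    if proto == "icmp" or (proto == "udp" and port in TRACEROUTE_UDP):
        return True, "inbound ping/traceroute allowed"
    return False, "inbound blocked"


if __name__ == "__main__":
    print("usable hosts per /28:", usable_hosts(XP_SUBNETS[0]))
    for flow in [("10.20.0.5", "10.20.0.20", "tcp", 445),
                 ("10.20.0.5", "10.1.2.3", "tcp", 25),
                 ("10.1.2.3", "10.20.0.5", "tcp", 3389)]:
        print(flow, flow_allowed(*flow))
```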

Other Rules for Devices on the Network:

  • Local firewall rules on the computers should be set to disallow incoming communication other than the specific ports/protocols required to support the primary function of the system and/or the device to which it is attached.
  • Wireless connections are inherently insecure. Wired connections are required on the WindowsXP Secure network.
  • No USB input to the WinXP device without special circumstances. Transfers should be done over the network. Software license USB keys are allowed to use the USB ports.
  • A BigFix client should be installed; where BigFix may interrupt ongoing work processes, it is optional.

Next Stanford Data Security Deadline: WindowsXP Migration

By April 8th, 2014, all Stanford computers and devices running WindowsXP must be upgraded/migrated to a more secure system. The April 8th deadline marks the day that Microsoft will stop supporting WindowsXP, which means there’ll be no more security patches issued for that operating system, leaving systems vulnerable.

All devices running WindowsXP should therefore upgrade their operating system before the April 8th deadline.

There is an exception process in place for devices that would be very difficult to bring into compliance: a device might be attached to scientific equipment, running specific applications that can’t be easily upgraded, or performing a function that would be otherwise significantly impacted by changing the operating system. IRT staff are carefully reviewing each case and will work together with faculty to find the best solution.

If the cost of replacing or upgrading equipment seems prohibitive, Stanford recently announced a financial assistance program; departments are highly encouraged to take advantage of this program when possible. Alternatively, if your devices will be put at greater risk due to expired operating systems, the School of Medicine offers a special network that provides enhanced security and safeguards for your computers and data. If you would like to discuss protecting your computers by placing them on this new network, please contact us, and fill out a compliance variance request form (below).

Devices connected to the new WindowsXP SecureNet will have to fulfill certain security requirements, including:

  • No other applications allowed (no email, no web browsing, etc.)
  • Wired connection only (no wireless; it’s inherently insecure)

To apply for an exception to the WindowsXP migration deadline, or to another of the new data security requirements, please submit a Compliance Variance Request Form to ensure the temporary exemption is documented.

Linux Security Flaw Discovered; Users Should Update Now

Attention, Linux users: Developers have just announced the discovery of a serious security flaw in the GnuTLS library, affecting many, many open source applications and software packages. This includes users of Red Hat, Debian, and Ubuntu, among many others.

Similar to the newly-discovered iOS security bug, the Linux bug leaves users vulnerable to eavesdropping. Because it causes errors in the verification of security certificates, the bug makes it easy for attackers to bypass SSL and TLS connections in any website or application that uses that particular library, allowing them to eavesdrop on—and decode—encrypted traffic.

Developers recommend that all users update GnuTLS to version 3.2.12.

For more information, see this article at arstechnica.com.

Important Apple iOS Update: Fixes Security Flaw

Attention, users of Apple devices: Just this weekend, Apple released a security update for iOS that fixes a major security problem in their software. Without the update, your iPad/iPhone/iPod Touch is left vulnerable to having your private information intercepted while you’re using public WiFi connections.

Apple strongly recommends that iOS users update to the latest version of the software, available by connecting your device to iTunes and clicking “Check for updates,” or by opening the “Settings” app on your device and then selecting “General” and then “Software Update.”

Apple as yet has no patch for the same flaw in desktop/laptop systems, so in the meantime, you should avoid using insecure public WiFi (like at a coffee shop or airport) for transactions involving personal or financial information.

For more information about the problem, you can read this Slate Magazine article.

Scam: “Greetings everyone!”

There’s been a phishing scam circulating on campus lately that has been submitted to us by several members of the Stanford Medicine community—because it’s being widely circulated, and because it’s also got some glaring warning signs that people have spotted right away.

This phishing scam employs the strategies of vague-enough-to-seem-relevant and mundane-enough-to-seem-safe. Yet even in such a short email there are numerous strange phrases and misspellings. But the biggest warning sign is the URL, in red below: it’s not even close to a Stanford address. Yes, it’s a fake.

Thanks everyone for checking before you click, and letting us know when you find scam emails!

Below is the email text:

From: “© Stanford University” <knbrevard@email.wm.edu>
Sent: Wednesday, February 19, 2014 1:40:07 PM
Subject: Greetings everyone!

Stanford University
450 Serra Mall
Stanford, CA 94305-2004

Deal All

A private message have been sent to you by the HEAD of department. Use
the link below to Login and view your message.

http://update-weblogin-stan-ford-university.yolasite.com/

Sign.
HEAD of department
Info Centre stanford
(c) Stanford University. All Rights Reserved.

Scam: “SSL VPN Access”

Here is a new twist on a by-now-familiar scam. They’re warning you that access to something will expire soon, unless you take action: the service in question this time is the VPN.

The target link is very sneaky: the linked text in the email leads you to believe that it might be correct. BUT, if you hover your mouse over the link, the REAL link will pop up, and it begins with //sussl.stanford.edu-u.tk/. It may begin with a name you recognize, but because there are more characters after “.edu” before the first slash, the link is a fake.

To be your own hero, always hover your mouse over a link in any email and check the pop-up link to see where it’s really pointing you. Any real Stanford address will only have /_____.stanford.edu/ between the first set of slashes; if it doesn’t, don’t click on it!

Full phishing email text below:

From: Digital Access Librarian
Sent: Thursday, January 23, 2014 12:21 PM
Subject: SSL VPN Access

Dear User,
Your SSL VPN access will expire soon, therefore you must reactivate it immediately or it will be closed automatically. If you intend to use this service in future, you must take action at once!
To reactive your access, simply visit the SSL VPN page and login with your account then begin your secure session.

SSL VPN Login Page:

http://sussl.stanford.edu/dana-na/auth/url_default/welcome.cgi/

Sincerely,

Lewis Barnes
Digital Access Librarian
Stanford University Library
557 Escondido Mall
Stanford, California 94305-6063


Scams: Inactive SUNet ID, Mailbox Quota

Happy New Year, everyone! And here are two more iterations of very familiar phishing scams. The first warns, “Your SUNet ID Account will be Inactive in 2 days,” and the second shouts, “ !!!Administrative Notice Faculty/Staff/Student/Employee/Admin Warning!!! ” In both cases, the emails are trying to scare you into thinking that a service you rely on is about to end abruptly, so you should click on a link and fill out a form giving away your personal information.

The first email, as you may notice, is riddled with peculiar spelling errors, which is a red flag. Plus, the situation they’re describing seems unfamiliar and unlikely to Stanford affiliates. The second one is merely vague and very alarmist—and contains an awful lot of exclamation points.

But the most important thing to check is always the link they’re directing you to click on. Any Stanford link pointing to a webauth page should contain only /weblogin.stanford.edu/ between the first set of slashes. The crucial link in the first email, for example, contains those characters at the beginning, BUT the URL continues and the first set of slashes ends with xxx.ir/. If you hold the cursor over a link and a URL pops up that doesn’t look right, don’t click!
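The host check described here and in the “SSL VPN Access” post above, as an added Python example that is not part of the original posts: it extracts the host a browser would really contact (which is what the hover pop-up shows) and accepts only stanford.edu and its subdomains. The links marked constructed are look-alikes made for this example using the same tricks the posts describe; the others are quoted from the posts.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "stanford.edu"


def real_host(link):
    """Return the host a browser would actually contact for this link.

    urlsplit separates the authority from the path and drops any user@ prefix
    and :port, which is where look-alike links hide the real host. A plain
    "between the first set of slashes" string check would miss the user@ case.
    """
    if "//" not in link:            # bare "host/path" as it appears in hover text
        link = "//" + link
    host = urlsplit(link).hostname or ""   # lowercased, port and userinfo removed
    return host.rstrip(".")          # "stanford.edu." is the same host as "stanford.edu"


def is_stanford_link(link):
    """True only if the real host is stanford.edu itself or a subdomain of it."""
    host = real_host(link)
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def triage(links):
    """Map each link to (real host, verdict) for a quick report."""
    return {link: (real_host(link),
                   "looks like Stanford" if is_stanford_link(link) else "FAKE")
            for link in links}


# Links quoted in the posts above, plus constructed look-alikes (marked) that add
# labels after ".edu" or put the familiar name before a user@ separator.
SAMPLE_LINKS = [
    "http://update-weblogin-stan-ford-university.yolasite.com/",
    "//sussl.stanford.edu-u.tk/",
    "http://sussl.stanford.edu/dana-na/auth/url_default/welcome.cgi/",
    "http://weblogin.stanford.edu.xxx.ir/",          # constructed
    "https://weblogin.stanford.edu@xxx.ir/login",     # constructed
]

if __name__ == "__main__":
    for link, (host, verdict) in triage(SAMPLE_LINKS).items():
        print(f"{verdict:20} {host:45} {link}")
```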

Stay smart and safe in the New Year, everyone! Full email text below:

Email #1: 

From: “Stanford SUNet Support” <Support@Stanford.edu>
Subject: Your SUNet ID Account will be Inactive in 2 days
Date: January 15, 2014 9:57:37 PM PST

Dear Stanford Student, Faculty, Staff

Your Authcate Account will be inactive in 2 days. Because of some security problems about login from strange IP addresses we decided to make some changes (Upgrade) and this is due to the implementation of a new version of Centeral Authentication System(CAS) Weblogin in new year(2014).

You can active your account by going to the CenteralAuthenticationSystem(CAS) Weblogin and simply login by your SUNet ID to activate your account.

Then, after seccussfull login click on “Logout” and you will be redirect to http://account.stanford.edu and in StatusChecker  check your account state. if your Account Status is Active or not. If there was error in login, try to activate again.

Please note: If you get an Authentication Error Just try 2 times to login again, and return to the https://stanfordyou.stanford.edu/ portal login page and start again. because System will automatically block your IP and Account and you should contact Support System to Unclock.

Answers to some frequently asked questions (FAQs) are available on the helpsu.

Regards,

IT Services

Email #2:

Subject: RE: !!!Administrative Notice Faculty/Staff/Student/Employee/Admin Warning!!!
Sent: Fri 17/01/2014 08:01
Subject: !!!Administrative Notice Faculty/Staff/Student/Employee/Admin Warning!!!

Current size: 465MB
Maximum size: 500 MB

Please increase your mailbox quota size automatically by clicking [URL removed] and fill-out the necessary requirements to automatically increase your mailbox quota size.

IMPORTANT NOTE : You won’t be able to send and receive mail messages at 480MB .

ITS help desk
ADMIN TEAM


Caution: iPhones could be hacked at public charging stations

Apple devices are, on the whole, fairly secure. But Georgia Tech scientists just released new research demonstrating a way in which iPhones are currently vulnerable while charging.

Scientists at Georgia Tech’s Security Information Center successfully proved that it’s possible to introduce a malicious app to a charging device, through the USB cable (which, at a public location, might be secretly hooked up to a hidden computer). Their fake app looked like Facebook, but was really a Trojan horse, allowing the scientist-hackers complete access to the phone, and the ability to see everything the user could see, including passwords. They could eavesdrop on calls—and even place them.

An easy fix: the app was only able to install itself once the user—while still connected to the charger—entered the passcode and unlocked the phone. Therefore, you should not unlock your phone while it’s plugged into a public or unknown charger. If you need to use it, unplug it from the charger before unlocking it, and lock it before you plug it back in to continue charging.

Read the whole USA Today article here.

Virus Alert: “Authorization to Use Privately Owned Vehicle on State Business”

Many Stanford employees have recently received this email, which has a .zip file attached. It may sound convincing—but it’s a fake email with a possible virus in the attachment, so you should delete it without downloading anything.

It’s a very cleverly-worded scam, because it sounds ambiguously official. It contains the everyday sorts of bureaucratic language that might sound familiar to University employees: accounting, mileage, travel reimbursements, etc. It makes vague threats that not following its directions will inconvenience you, but not in language histrionic enough to make you suspicious. Even the name of the form it references, STD 261, is actually the name of the form that authorizes use of a vehicle for state business.

But… “state business” is a red flag (especially when combined with a few weird grammatical errors). Stanford’s a private institution, and isn’t owned by the state. And even though it claims one should sign the form “annually,” you’ve probably never filled out anything similar. Plus, the language is ambiguous: other than the name of the attachment, the email doesn’t mention Stanford anywhere.

The text of the email is below, with the attachment/link removed. Again, if you received this email, delete it without downloading anything.

Annual Form – Authorization to Use Privately Owned Vehicle on State Business
All employees need to have on file this form STD 261 (attached).  The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.
Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file.  Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.