Archives for March 2014

Next Stanford Data Security Deadline: WindowsXP Migration

By April 8th, 2014, all Stanford computers and devices running WindowsXP must be upgraded/migrated to a more secure system. The April 8th deadline marks the day that Microsoft will stop supporting WindowsXP, which means there’ll be no more security patches issued for that operating system, leaving systems vulnerable.

All devices running WindowsXP should therefore upgrade their operating system before the April 8th deadline.

There is an exception process in place for devices that would be very difficult to bring into compliance: a device might be attached to scientific equipment, running specific applications that can’t be easily upgraded, or performing a function that would be otherwise significantly impacted by changing the operating system. IRT staff are carefully reviewing each case and will work together with faculty to find the best solution.

If the cost of replacing or upgrading equipment seems prohibitive, Stanford recently announced a financial assistance program; departments are highly encouraged to take advantage of this program when possible.  Alternatively, if your devices will be put at greater risk due to expired operating systems, the School of Medicine offers a special network to provides enhanced security and safeguards for your computers and data. If you would like to discuss protecting your computers by placing them on this new network, please contact us, and fill out a compliance variance request form (below).

Devices connected to the new WindowsXP SecureNet will have to fulfill certain security requirements, including:

  • No other applications allowed (no email, no web browsing, etc)
  • Wired connection only (no wireless; it’s inherently insecure)

To apply for an exception to the WindowsXP migration deadline, or to another of the new data security requirements, please submit a Compliance Variance Request Form to ensure the temporary exemption is documented.

Linux Security Flaw Discovered; Users Should Update Now

Attention, Linux users: Developers have just announced the discovery of a serious security flaw in the GnuTLS library, affecting many, many open source applications and software packages. This includes users of Red Hat, Debian, and Ubuntu, among many others.

Similar to the newly-discovered iOS security bug, the Linux bug leaves users vulnerable to eavesdropping. Because it causes errors in the verification of security certificates, the bug makes it easy for attackers to bypass SSL and TLS connections in any website or application that uses that particular library, allowing them to eavesdrop on—and decode— encrypted traffic.

Developers recommend that all users update GnuTLS to version 3.2.12

For more information, see this article at arstechnica.com.