Mac OSX Yosemite: Compatibility

Apple recently released the newest version of their desktop/laptop operating system: Mac OSX 10.10, nicknamed Yosemite. It’s even a free downloadable upgrade!

Usually Stanford recommends, for security reasons, that computer users upgrade to the newest system; but should you upgrade to Yosemite yet? Stanford ITS has hopefully answered that question for you. They’ve made a list of security and productivity software that is important to Stanford users, and they’ve outlined whether or not that software is compatible with Yosemite.

So, before you upgrade, check out the ITS page on Yosemite (which they plan to update frequently).

Anti-Spam Filter

Are you getting a lot of spam in your inbox? You may want to update your webmail spam filters.

Stanford uses a product called Proofpoint to scan email at the server level, on its way to your email inbox. Mail that it judges to be spam with 100% certainty will be filtered out automatically. Other questionable email is marked with a “spam score” in the subject line, showing how closely it matches patterns based on known spam. The score will be between one and four hashmarks, with four being the most likely: [SPAM:####]

You can set a filter in your email program so that suspected spam with a specific number of hashes be sent automatically to the “Junk” folder (or deleted immediately, though that may mean legitimate email could be deleted). If an email gets filtered out accidentally, you can configure your email program to let it through.

How to set a filter, for Stanford Webmail, Apple Mail, Thunderbird, and Microsoft Outlook.

More about Stanford’s spam filtering

 

About: WindowsXP Secure Network

In our previous blog post, we mentioned that Microsoft will stop supporting WindowsXP on April 8, 2014, which means that they will no longer be issuing security patches for that operating system. Therefore, Stanford’s goal is to phase out the use of WindowsXP by that date.

Some equipment may be granted an exception, if the WindowsXP device is used to run equipment where a system upgrade would be prohibitively expensive or otherwise impossible. IRT is therefore offering to host certain WindowsXP devices on a separate, secure network that offers additional protections to make up for the lack of software patches.

If you are in charge of such a machine that can’t be easily upgraded, contact IRT Security to take advantage of this secure network.

 

Standards for the WindowsXP Secure Net include:

  • Network subnets for XP machines are limited to a range of 14 devices each (/28) to limit the risk to others should one of the machines become compromised.  No traffic between these networks is allowed.
  • Data transfers out are allowed, but no email or web services out – incoming traffic is severely limited as well.

Network Firewall Rules:

  • All outbound SMTP and WEB access is blocked from the WindowsXP Secure subnets.
  • Outbound file transfers allowed to Stanford hosts, other off-campus outbound is blocked.
  • Inbound ping and traceroute are allowed but nothing else.
  • In the case of remote management, from on-campus, we can set up VPN access to the XP devices.

Other Rules for Devices on the Network:

  • Local firewall rules on the computers should be set to disallow incoming communication other than specific port/protocol that may be required to support the primary function of the system and/or the device to which it is attached.
  • Wireless connections are inherently insecure. Wired connections are required on the WindowsXP Secure network.
  • No USB input to the WinXP device without special circumstances.  Transfers should be done on the network.  Software License USB Keys are allowed to use the USB Ports.
  • BigFix client installed, but in the cases where BigFix may interrupt ongoing work processes, it’s optional.

Next Stanford Data Security Deadline: WindowsXP Migration

By April 8th, 2014, all Stanford computers and devices running WindowsXP must be upgraded/migrated to a more secure system. The April 8th deadline marks the day that Microsoft will stop supporting WindowsXP, which means there’ll be no more security patches issued for that operating system, leaving systems vulnerable.

All devices running WindowsXP should therefore upgrade their operating system before the April 8th deadline.

There is an exception process in place for devices that would be very difficult to bring into compliance: a device might be attached to scientific equipment, running specific applications that can’t be easily upgraded, or performing a function that would be otherwise significantly impacted by changing the operating system. IRT staff are carefully reviewing each case and will work together with faculty to find the best solution.

If the cost of replacing or upgrading equipment seems prohibitive, Stanford recently announced a financial assistance program; departments are highly encouraged to take advantage of this program when possible.  Alternatively, if your devices will be put at greater risk due to expired operating systems, the School of Medicine offers a special network to provides enhanced security and safeguards for your computers and data. If you would like to discuss protecting your computers by placing them on this new network, please contact us, and fill out a compliance variance request form (below).

Devices connected to the new WindowsXP SecureNet will have to fulfill certain security requirements, including:

  • No other applications allowed (no email, no web browsing, etc)
  • Wired connection only (no wireless; it’s inherently insecure)

To apply for an exception to the WindowsXP migration deadline, or to another of the new data security requirements, please submit a Compliance Variance Request Form to ensure the temporary exemption is documented.

Important Apple iOS Update: Fixes Security Flaw

Attention, users of Apple devices: Just this weekend, Apple released a security update for iOS that fixes a major security problem in their software. Without the update, your iPad/iPhone/iPod Touch is left vulnerable to having your private information intercepted, while you’re using public WiFi connections.

Apple strongly recommends that iOS users update to the latest version of the software, available by connecting your device to iTunes and clicking “Check for updates,” or by opening the “Settings” app on your device and then selecting “General” and then “Software Update.”

Apple as yet has no patch for the same flaw in desktop/laptop systems, so in the meantime, you should avoid using insecure public WiFi (like at a coffee shop or airport) for transactions involving personal or financial information.

For more information about the problem, you can read this Slate Magazine article.

Caution: iPhones could be hacked at public charging stations

Apple devices are, on the whole, fairly secure. But Georgia Tech scientists just released new research demonstrating a way in which iPhones are currently vulnerable while charging.

Scientists at Georgia Tech’s Security Information Center successfully proved that it’s possible to introduce a malicious app to a charging device, through the USB cable (which, at a public location, might be secretly hooked up to a hidden computer). Their fake app looked like Facebook, but was really a Trojan horse, allowing the scientist-hackers complete access to the phone, and the ability to see everything the user could see, including passwords. They could eavesdrop on calls—and even place them.

An easy fix: the app was only able to install itself once the user—while still connected to the charger—entered the passcode and unlocked the phone. Therefore, you should not unlock your phone while it’s plugged into a public or unknown charger. If you need to use it, unplug it from the charger before unlocking it, and lock it before you plug it back in to continue charging.

Read the whole USA Today article here.

Reporting a Lost or Stolen Device

Reporting a Lost or Stolen Device

As computing devices become increasingly numerous and increasingly portable, they become much easier to lose — or to have stolen. Recently, phones and computers have gone missing even from within SoM offices and labs. Any employee who’s lost a device that is being used for Stanford business, whether personally-owned or University-owned, is responsible for following all school procedures related to the possible disclosure of information. This includes reporting the situation immediately to the Stanford University Privacy Office.

Now on the Data Security Program’s website is a streamlined checklist for reporting a missing phone, laptop, or other computing device. Click here for details.