A security vulnerability in the software used to encrypt sensitive data transmitted over the Internet has been receiving a lot of attention in recent days, but the defect is not expected to affect systems or users at Eastern.
University information technology personnel have installed patches on campus servers that potentially could have been affected by the Heartbleed coding flaw. That should alleviate any threat to campus IT resources and the faculty, staff and students who depend on them.
Heartbleed is the name of the vulnerability coded into the software that runs Secure Sockets Layer. SSL is the open source protocol that encrypts financial, personal and other sensitive information such as passwords and account numbers when it is transmitted over the Internet. The flaw could allow hackers to gain access to and steal that information.
The Heartbleed bug is thought to have been in existence for two years but was not known to the general public until it was revealed earlier this month by IT coders as part of the open sourcing process. That caused a stir in security circles because the existence of Heartbleed was not generally known, and its revelation may have alerted potential hackers to the vulnerability. The flaw is not thought to have been created maliciously but instead is believed to simply be a coding error that escaped detection.
“What bothers security professionals is that it’s good to identify a potential exploitation so it can be patched, but it’s bad to release it to the general public because then hackers find out about it and try to exploit it,” said Eastern’s Assistant Director of Information Security Mike Gioia of ITS.
To this point, there have been no known malicious exploitations of Heartbleed and no known data thefts – though it would be difficult to know if such exploitations have occurred because the process of “sniffing” data leaves no tell-tale evidence.
At Eastern, the process of protecting against Heartbleed involved installing patches on a few servers thought to be potentially vulnerable to the flaw, causing a network disruption that lasted a few minutes. No data breaches are known to have occurred.
Gioia said two-thirds of servers in the world employ SSL. Sites that use the protocol are easily identified by the “s” part of the “https” section of a website’s URL, or the inclusion of a tiny padlock icon in the URL line.
Security professionals have advised website users to change their passwords as a precaution in light of the Heartbleed vulnerability.
Beyond that, there’s little that the average person can do to protect themselves against incidents such as Heartbleed, since the vulnerability exists on the service-provider side of the network, Gioia said.
Students at Eastern Illinois University will begin using a new cloud-based email service in May.
Microsoft Office 365 email will replace Zimbra as the email service for students’ PantherMail, offering them the same reliable functionality they have enjoyed in the past when using their official university email accounts – but with a number of new collaboration features and productivity tools.
The change is being made to provide students better value and service.
“The evaluation of Office 365 and decision to transition to it has been a collaborative process involving students, ITS staff, and Student Affairs staff,” said Assistant Vice President for Information Technology Services Kathy Reed. “It has been exciting and gratifying for ITS staff to work on a project that directly benefits EIU’s students and to firsthand witness the enthusiasm of the students involved.”
The migration of new and transfer student email accounts began earlier this month. Accounts of current students will be migrated after the end of the spring semester so as to not impact final examinations or grade submissions. Current students will be notified prior to the end of the semester about the date when their mailbox is scheduled to be migrated. Information Technology Services, which is implementing the transition, will provide support and assistance to students during and after the switchover.
Although the move to Office 365 will mean a new email interface for users, it will not affect students’ NetIDs or passwords, nor their email address or mailbox content. Students also will continue to log in to their accounts from the current PantherMail webpage.
The change will provide students with a number of new resources, chief among them free access to the full version of Microsoft Office suite applications, including Word, PowerPoint, Excel, OneNote, Outlook, Publisher, Lync, SharePoint and more. This includes rights to download and install copies of the newest Office desktop applications on up to five Windows PCs or Macs owned by the student, as well as rights to run iPhone or Android editions of Office Mobile. Purchased by individuals, Microsoft Office can cost $150 or more.
While Office 365 will be practical on all digital platforms, the mobile-friendly application is expected to be especially convenient to students who, more and more frequently, access their university email accounts via their smartphones.
In addition, students will receive 25 gigabytes of Microsoft OneDrive data storage, as well as 50 gigabytes of cloud storage for email at no cost. Currently, Zimbra users have 500 megabytes of data storage available to them.
In supporting the move to Office 365, ITS will be providing tutorials and information on its website about how to use and transition to the product, and it expects to sponsor a number of hands-on demonstrations at sites around campus to be announced, as well as through the Help Desk/Campus Technology Support.
ITS has been evaluating Office 365 since last summer and has employed a number of Eastern students in focus groups this spring to help tailor the new product to make certain that it fits student needs.
Students involved in those focus groups have been enthusiastic about the change and about Office 365 functionality.
During the migration of accounts from Zimbra to Office 365, all mailbox content and address book information will be transferred automatically, but calendar and briefcase information will not, so students will need to repopulate that data themselves.
The actual migration of data from old mailboxes to new is already under way and is expected to take only several seconds to a maximum of several minutes per account, depending on the amount of data to be moved; individual accounts will be unavailable during that time. No messages or data will be lost during the migration. During the process, students will be able to continue to use their email accounts without interruption. Students need not download any applications themselves, but mobile and IMAP or POP users will have to enter a new server address on their smartphones.
Eastern’s current licensing agreement with Zimbra expires this summer. Office 365 is available at no cost by virtue of the university having other licensing agreements with Microsoft.
Among the enhancements students are likely to see with Office 365 email are improved reliability, enhanced security and robust spam and phishing protection.
Office supports PCs and Windows tablets running Windows 7 or higher, and Macs with Mac OS X 10.6 or higher. Office for iPad can be installed on iPads running version 7.0 or higher.
Although supported by Microsoft, Office 365 email does not display advertisements or commercial messages.
Office 365 will be available for student use only. Faculty and staff at Eastern will continue to use Zimbra for campus email.
Information Technology Services provides computing facilities and services for the legitimate instructional, research and administrative computing needs of the university. Proper use of those facilities and services supports the legitimate computing activities of Eastern students, faculty and staff. Proper use respects intellectual property rights.
Legitimate instructional computing is work done by an officially registered student, faculty or staff member in direct or indirect support of a recognized course of study. Legitimate research computing is work approved by an authorized official of a university department. Legitimate administrative computing is work performed to carry out official university business.
Intellectual property rights begin with respect for intellectual labor and creativity. They include the right to acknowledgment, the right to privacy and the right to determine the form, manner and terms of publication and distribution.
Proper computing use follows the same standards of common sense and courtesy that govern use of other public facilities. Improper use violates those standards by preventing others from accessing public facilities or by violating their intellectual property rights. Therefore, the basic policy of the university on proper use is:
- Any use of Information Technology Services facilities or services unrelated to legitimate instructional or research computing is improper if it interferes with another’s legitimate instructional or research computing.
- Any use of Information Technology Services facilities or services that violates another person’s intellectual property rights is improper.
- Any use of Information Technology Services facilities or services that violates any university policy, any local, state or federal law or which is obscene or defamatory is improper.
- Any use resulting in commercial gain or private profit (other than allowable under university intellectual property policies) is improper.
Many people use social networking sites such as Facebook and Twitter to communicate with family and friends. What they may not realize is that they also might be communicating crucial information about themselves to identity thieves and scammers.
Users of social networking sites open themselves to a number of dangers if they reveal too much information. Among them:
- Identity thievery: If you post too much personal information about yourself, online criminals can harvest your name, address, phone number and other information and use it to steal your identity. Only a few pieces of information are needed to access your financial resources. The large number of people who visit social networking sites also attracts large numbers of scammers.
- Viruses and malware infections: Cyber criminals use social networking sites to distribute computer viruses and malware. Click an infected link and you could inadvertently download a virus to your computer. Criminals also use social networking sites to gather private information about users and then employ it in phishing and fraud schemes.
- Employers: More employers investigate applicants and monitor current employees through social networking sites. What you post online about yourself may reflect negatively on you, especially if you post photos of yourself exhibiting embarrassing behavior.
- Predators: Do you share your class schedule, plans or whereabouts with friends? If you do, you also make them available to sex offenders, thieves and burglars, as well. Knowing your schedule and location makes it easy for someone to victimize you, whether breaking in to your house or apartment while you’re gone or attacking you while you’re out. Don’t make it easy for a Facebook stalker to find you.
How do you best protect yourself against these potential threats?
- Don’t put personal information online in the first place.
- Don’t hesitate to ask friends to remove embarrassing or sensitive information about you in their posts.
- Don’t post your full birth date, address, phone number, etc.
- Use built-in privacy settings. Most social networking sites offer ways to restrict public access to your profile, allowing only your “friends” to view it. Disable extra options and enable only ones you know you’ll use.
Most sites don’t have a rigorous process to verify the identity of members, so be cautious when dealing with unfamiliar people online.
A final tip: Research yourself online to see what others may see. Enter your name – inside quotation marks – in Google and do a search. See if there is too much data or embarrassing information about yourself. Also, try searching for any of your nicknames, phone numbers and addresses to see what you find.
Information Technology Services and University Housing personnel are hopeful that steps taken to fix a campus network hardware problem have improved wireless Internet service in residence halls at Eastern.
Engineers from ITS and vendor Meru Networks replaced malfunctioning controller devices on the campus network recently in response to concerns from students in residence halls this semester about the wireless signal in some halls.
“There was a problem with the controller that manages the system,” said ITS Network Engineer Steven Steele. “When it would fail, the system would go offline, and even after coming back on, some access points still were not serving users. We replaced it and continue to monitor it in order to give students a better experience.”
University Housing and the Help Desk have been responding to students’ concerns and continue to seek input about recurrence of the connectivity issue.
“We tell students to make sure they let people know when there is a problem,” said Director of University Housing and Dining Services Mark Hudson. “We want to give students the service they deserve, but we can’t help if we don’t know the issue.”
If wireless network issues arise, students can contact the Help Desk at 581-HELP (4357) or by email at firstname.lastname@example.org or they can simply call the Housing Help Desk at 217-581-7708 or stop by the Virus Lab in the lower level of Taylor Hall for assistance related to Internet connections.
“We need to know if there is a problem,” said ITS Associate Director of User Services Dave Emmerich.
Network access in Eastern’s residence halls has been enhanced through the implementation of an application called SafeConnect.
The SafeConnect application resides on your computer, authenticates it, and scans it for required patches and software.
SafeConnect provides you a more secure computing environment when you connect to the EIU network in residence hall facilities. In order to gain access to the EIU network, you will be required to keep your computer’s operating system up-to-date. In addition, SafeConnect will check your computer to make sure it is running an approved and properly updated anti-virus program.
Computers that do not meet these predefined requirements will be placed on a “quarantined” segment of the network where users will be provided with instructions and tools to update their system to the minimum required configuration.
1. Verify that your computer has installed an operational network interface card.
2. Connect one end of your Ethernet cable into the network interface card and the other end directly into the orange data jack on the wall.
3. Turn on your computer and open up a Web browser. You will see the “Welcome to the Campus Network” login screen.
4. Enter your NetID and password (the same one you use for e-mail access).
5. When you see the screen, select “Click Here To Read The Full Policy.”
6. After you read the policy and indicate that you understand it, close out that window and click “Yes, I Will Install the Policy Key,” and accept the terms and conditions for Internet use.
If you select “I Do Not Accept,” you will see a popup window acknowledging your decision and telling you that you have been declined access to the network.
7. SafeConnect will do an initial policy check to verify your software, patches and antivirus compliance. This check should take less than 30 seconds.
8. If your computer does not pass the validation rules, you will be redirected to pages that will help bring your machine into compliance.
9. Once you have complied with all of the validation rules, you will be successfully connected to the network.
For complete details about SafeConnect and how to configure your computer, go to http://its.eiu.edu/safeconnect/index.php
Incoming students and their parents frequently ask what type of computer, if any, a student needs to take to college. Eastern does not require students to bring personal computers to campus or to purchase computers once enrolled. However, while Eastern offers access to computers through several labs located across campus, many students find that owning a computer is more convenient and enhances their academic experience.
For students who prefer to purchase a laptop computer, Eastern Illinois University makes recommendations for minimum specifications, which will be academically appropriate and compatible with the EIU network. Major computer manufacturers offer special educational discounts to Eastern Illinois University students. Visit the University Bookstore in the University Union for more information about this program or go online at http://www.eiubookstore.com.
Any brand-name personal computer currently available off the shelf at retail will function on the EIU network and meet your basic academic needs. Computers purchased within the last two or three years should work properly, too. You need not spend thousands of dollars for a computer, as long as your machine meets these minimum guidelines:
- Processor: 2 GHz or better
- Screen: Your preference
- Memory: 2 GB (3 GB for 32-bit Windows and 4 GB for 64-bit Windows)
- Hard Disk Drive: 160 GB or better
- Floppy Drive: None (We recommend students purchase a 128 MB or larger USB Flash Drive)
- Optical Drive: DVD Burner or DVD Combo
- Operating System: Microsoft Windows / Macintosh OS X / Linux
- Antivirus Software: All on-campus students receive Norton/Symantec antivirus software for their machines.
- Network Adapter: Integrated 10/100 Ethernet
- Laptop computers should be equipped with an 802.11b, g or n wireless card. All other features are optional.
- Software: Whatever system you decide to use on campus, your computer will need to work with files for word processing, spreadsheets, graphics, Web browsing, file transfer, e-mail and calendar programs.