Information Security and Policy
Information Security and Policy is responsible for developing and implementing policies, controls, and procedures to protect the University's computing, networking, and telecommunications resources from intentional or inadvertent modification, disclosure or destruction. This includes the development and implementation of a campus-wide security program that supports the academic and administrative use of information technologies and the responsibility for coordinating responses to computing, networking, and telecommunications security incidents. The purpose of this page is to provide links to resources on security issues and to pertinent University policies.
Security News & Alerts
Lehigh Community Information Security Notice - Heartbleed Bug
A security vulnerability named Heartbleed was disclosed Monday night, April 7, 2014. The vulnerability affects a large portion of websites on the Internet that use OpenSSL to encrypt webpages (pages whose address starts with https) and other communications. SSL, or Secure Sockets Layer, is a cryptographic protocol designed to provide communication security over the Internet.
While the likelihood of a concerted effort targeting Lehigh University and leveraging this technique may be fairly low, this vulnerability also affects the rest of your online life, including other websites with which you conduct sensitive transactions as well as other networks you use to access the Internet. Since you may already be advised to change your passwords in those other places, it certainly wouldn't hurt to change your Lehigh University password as well, especially if you have either used it elsewhere with another logon or accessed our systems from any public wireless locations.
What we are doing at Lehigh:
Since Monday, April 7, 2014, Lehigh Library and Technology Services staff and the Information Security Office have been hard at work scanning the network to identify affected servers and notify their owners. Affected servers had to be updated to the latest version of OpenSSL, and we are installing new SSL certificates with new private keys to ensure that communications to those servers remain confidential. The vast majority of Lehigh servers were patched as of Wednesday afternoon, April 9, 2014, and the networks are being re-scanned at this time for vulnerable services listening on non-standard server ports. As of Tuesday afternoon, though, all Internet-facing servers had their patches applied. Currently, LTS staff members are working directly with departments to apply third-party vendor patches to network equipment and to re-validate certificates for linked connections from our campus applications to vendor-secured sites.
What You as a User Might Do:
Again, at this time we are not requiring you to change your password for your Lehigh account, but that guidance may change. If you have used your Lehigh account password for access to other sites that have notified you of a required change, we strongly advise you to initiate a password change. We are also advising users to be careful about what sites they visit.
We also advise our user community that newsworthy, worldwide events are often accompanied by substantial increases in fraud related to that news. Watch for fraudulent email claiming to be from Lehigh or from companies with which you do business, as criminals will undoubtedly take this opportunity to create targeted phishing email messages to trick people into divulging their passwords. Be on the lookout for sites that purport to tell you whether your site or your information has been compromised, especially if they demand personal details, login credentials, or payment. Feel free to contact the Information Security Officer, Keith Hartranft, at email@example.com or 8-3994 with questions.
We expect to issue some further guidance for users as this evolves so please continue to monitor Lehigh's Information Security webpage and check for important guidance and status updates.
Windows XP Retirement Timeline
Microsoft has officially ended support for Windows XP as of April 8, 2014, and will no longer provide security updates. This presents a serious security concern to the University as Windows XP systems are now at a heightened risk of security compromise. Although the number of on-campus computers still running Windows XP is very small and represents less than 3% of all network-connected devices, Library and Technology Services (LTS) must take definitive steps to protect the University from Windows XP security risks.
LTS will gradually implement network isolation of Windows XP systems as follows:
- April 2014 - Grace period begins in which LTS will continue to assist users of Windows XP systems in upgrading computers that are compatible with Windows 7 and identifying those that must be replaced.
- August 2014 - Windows XP systems will be isolated from external Internet access.
- December 2014 - Windows XP systems will be fully isolated from all network access.
LTS understands that certain software, hardware, and research equipment may still rely on Windows XP. In conjunction with our clients who require stand-alone Windows XP systems (not connected to the Lehigh network), LTS will continue to review the viability and security of supporting those systems and alternative systems solutions. The LTS Help Desk or your departmental Computing Consultant can answer specific questions about the Windows XP transition.
Phishing Emails Threaten Campus and Personal Data Security
See latest phishing schemes: Recent Phishing Examples
Many people are reporting phishing messages that appear to come from legitimate sources, such as LinkedIn, Facebook, the Better Business Bureau, Amazon, American Airlines, and even Lehigh University itself. These messages include links to sites that exploit vulnerabilities in Java and Adobe Flash. Be suspicious of any email that contains misspellings or poor grammar, conveys extreme urgency, or asks for login or personal information.
LTS RECOMMENDATION: Avoid clicking links until you can confirm that the message is from a legitimate source. Rather than using the link, go directly to the site by entering the web address in a browser. See more information on our LTS Phishing Guide to avoid being caught.