General Status: All Systems Go
All production LTS systems appear to be functioning normally and all LTS electronic services should be available.
Note: LTS Security Update – Compromised Credentials in Cloud Services (last updated: 15-Oct-2014)
Since Monday night, October 13, 2014, there has been a debate about the theft of almost 7 million Dropbox account credentials. While Dropbox has issued a statement that they were not compromised and that the information was taken from other services, it is still an area of concern for Dropbox account holders, particularly for those who have used the same password across multiple online accounts.
What Should You Do?
To reduce your risk and protect your privacy, follow these guidelines for all of your accounts:
- Change your password when there is news that a service has been breached. Whenever there is any chance that credentials have been compromised, act quickly! Log in directly to the online service and change your password.
- Don’t fall for phishing messages that send you links to change your password. Report any suspicious email that asks you to reset your password for Dropbox or any other service to LTS Information Security (email@example.com) for evaluation.
- Use “Two-step Authentication” if possible. Like many services, Dropbox offers the option to use “something you have”, such as your smartphone, to provide a second factor for authentication.
- Avoid using the same password across multiple accounts. If you use the same password for different Internet services and that password matches your Dropbox account password, change those as well and make each password unique. LTS Information Security can provide training and recommendations on best practices.
- If in doubt, contact us at the Help Desk (610-758-HELP) or email Information Security at firstname.lastname@example.org
Note: Lehigh Community Information Security Notice - Shellshock Bash Bug (last updated: 15-Oct-2014)
Shellshock or Bash Bug, disclosed on September 24, 2014, is a vulnerability in the widely used Unix Bash shell that can allow an attacker to gain unauthorized access to a computer system. Read more about how this can affect you and what we are doing at Lehigh.
Note: Phishing email threatens campus and personal data security (last updated: 15-Oct-2014)
Note: Another new phishing message has been released. It indicates that your account is using too much space and that you will no longer be able to send messages until you click a (fraudulent) link to verify your account. Ignore and delete this message if you receive it.
See latest phishing schemes: Recent Phishing Examples.
Many people are reporting phishing messages that appear to come from legitimate sources, such as LinkedIn, Facebook, the Better Business Bureau, Amazon, and American Airlines. These messages include links to sites that exploit vulnerabilities in Java and Adobe Flash. Be suspicious of any email that contains misspellings or poor grammar, conveys extreme urgency, or asks for login or personal information.
Avoid clicking links until you can confirm that the message is from a legitimate source. Rather than using the link, go directly to the site by entering the web address in a browser. See more information on our LTS Phishing Guide page to avoid being caught.
Note: Microsoft Internet Explorer Vulnerability Actions (last updated: 15-Oct-2014)
On April 26, 2014, Microsoft announced that versions 6 to 11 of its web browser, Internet Explorer (IE), contain vulnerabilities that might allow an attacker to compromise your PC. This is especially important for those clients still running the Windows XP operating system, as Microsoft will NOT be developing a patch for that operating system. Read more...
Note: Lehigh Community Information Security Notice - Heartbleed Bug (last updated: 15-Oct-2014)
A security vulnerability named Heartbleed was disclosed Monday night. The vulnerability affects a large portion of websites on the Internet that use OpenSSL to encrypt webpages (pages that start with https) and other communications. SSL, or Secure Sockets Layer, is a cryptographic protocol designed to provide communication security over the Internet.
Note: Vulnerabilities in Browser Plug-ins for Java and Adobe Flash (last updated: 15-Oct-2014)
Serious vulnerabilities have been discovered in Java and Adobe Flash which could result in your computer being compromised in various ways. These include: having malicious programs installed and run on your computer without your knowledge or permission; having your computer be used to attack other computers and networks or to send spam or phishing messages, or to spread viruses and other malware; and having sensitive private data (yours or Lehigh's) be exposed to others.
If you don't need the browser plug-ins, uninstall them or turn them off. However, since many of our web-based tools such as Banner Forms and Blackboard Collaborate require Java, make sure your plug-ins are up to date. You can quickly check the most common ones using free tools available from Rapid7 or Qualys.
For more information about Flash, read the Adobe bulletin. For more information about Java, as well as additional steps recommended by LTS, read the LTS Java News page.
Authorized users may post, cancel, or update messages on the maintenance page. Authorized users include Help Desk and Operations staff, and selected Systems, IT, and Client Services staff. Non-authorized users should contact the Help Desk at 610-758-4357 to report problems and outages.