Keep your Web Browser Updated

Browser makers ship security fixes regularly, and those fixes only help once they are installed. Your browser carries the confidential information you type (passwords, payment details) to the websites you visit, and keeping that information secure in transit may be its most critical job. Given that, it’s important to keep your browser current with the latest security releases.

We are particularly interested in getting the Hampshire community onto browsers that support TLS v1.2, the current version of the protocol that works behind the scenes to encrypt your data as it passes between browser and website. Older versions of the protocol have known weaknesses, which is why web services are increasingly requiring TLS v1.2.

Keeping Firefox Updated
Despite the importance of keeping security features up to date, there is a downside to updating browsers too frequently: websites may not be able to keep up with the changing features. We have seen issues like this with Mozilla Firefox, which rolls out a new release roughly every six weeks. Mozilla realizes this is an issue, and they offer a slower release schedule that you can follow if you use the Extended Support Release (ESR) version; the ESR gives you security updates on a regular basis, but feature releases only come about once a year. We recommend Hampshire computers stay current with the ESR version. Firefox has had TLS v1.2 support enabled by default since version 27; ESR is currently on version 38, and the general release is up to 44, so either track gives you TLS v1.2.

To check what version of Firefox you have installed use the Firefox > About Firefox menu on a Mac, and the Help > About Firefox menu on Windows. There is an automatic update option in the About Firefox window, and if it works it’s very handy; in our experience it sometimes fails, in which case you can go to https://www.mozilla.org/en-US/firefox/organizations/all/ for the latest ESR release. (A note to Mac users: if you are unable to copy the new version of Firefox into your Applications folder because you don’t have permission, throw the old version in the trash before copying the new one over.)

Google Chrome
If you use Google Chrome, the default settings are to have it automatically update itself, and we recommend that you keep it that way. Learn more about keeping Chrome up to date.

Apple Safari
If you use Apple’s built in web browser, Safari, it will be updated through the Software Update mechanism–these days this is handled through the App Store application. Note that if you are using a version of OS X earlier than 10.9 then there is no version of Safari available that supports TLS v1.2. If you are concerned, you can switch to a different browser or upgrade your system to the current OS–but the latter option comes with its own caveats and may not be possible on older computers anyway.

Microsoft Internet Explorer
If you’re using Internet Explorer, don’t. Internet Explorer 11 does support TLS v1.2 (earlier versions either lack it or ship with it turned off), but Firefox and Chrome are both better browsers.

Microsoft Edge
If you’re using Edge you’re pretty much on your own. Literally. Well, Edge does support TLS v1.2 but we–apparently like most of the world–don’t have experience with it or any compelling reason to switch.


Gmail Scam

We’ve seen a few people get taken in by a Gmail phishing scheme this week. If you get an email from a Gmail user with a link to a document, think twice before clicking and entering your username and password.

This latest scam is pretty straightforward, but it appears to be catching quite a few people. The link leads to a page that asks for your Gmail username and password; if you enter them, the contacts in your address book are harvested and everyone in it receives a message from you with a link to a similar page. We don’t know what else is done with the username and password, but a compromised password is never good.

As always, prevention is the best medicine. Think before you click, and if you have any doubts confirm with the sender before accessing a link. Never enter your username and password on an unknown web page.
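The advice above can be turned into a concrete check before you click. As an added example (not part of the original post), the Python below inspects a link the way a careful reader would: where does the address really point, is it HTTPS, and is the real host a Google domain rather than a look-alike? The sample links are constructed for the example, and the list of trusted domains is an assumption made here, not Google’s official list.

```python
from urllib.parse import urlparse

# Assumption for this example: the domains a genuine Google sign-in or Docs link uses.
TRUSTED_SUFFIXES = ("google.com", "googleusercontent.com")


def real_host(url: str) -> str:
    """Return the host the browser would actually connect to ('' if there is none).

    urlparse handles the 'user@host' trick: in
    https://accounts.google.com@login-verify.example/ the real host is login-verify.example.
    """
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_trusted_host(host: str) -> bool:
    """Exact match or a true subdomain of a trusted domain.

    Checking endswith("." + suffix) rather than endswith(suffix) rejects
    look-alikes such as notgoogle.com and google.com.evil.example.
    """
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_link(link_text: str, href: str) -> str:
    """Classify a link as 'ok', 'insecure', 'untrusted' or 'mismatch'."""
    host = real_host(href)
    if not host:
        return "untrusted"
    if urlparse(href).scheme.lower() != "https":
        return "insecure"            # credentials would travel in the clear
    if not is_trusted_host(host):
        return "untrusted"           # not a Google domain at all
    # If the visible text looks like an address, it should agree with the real target.
    looks_like_url = "://" in link_text or ("." in link_text and " " not in link_text.strip())
    if looks_like_url:
        shown = real_host(link_text if "://" in link_text else "https://" + link_text)
        if shown and shown != host:
            return "mismatch"        # text says one place, the link goes to another
    return "ok"


# Constructed sample links, as they might appear in a phishing e-mail.
SAMPLE_LINKS = [
    ("https://docs.google.com/document/d/example", "https://docs.google.com/document/d/example"),
    ("Open document", "https://accounts.google.com@login-verify.example/"),
    ("https://docs.google.com/document", "https://docs.google.com.login-verify.example/"),
    ("Open document", "http://docs.google.com/document/d/example"),
    ("docs.google.com", "https://drive.google.com/open?id=example"),
]


def triage(links=SAMPLE_LINKS) -> dict:
    """Map each href to its classification."""
    return {href: classify_link(text, href) for text, href in links}


if __name__ == "__main__":
    for href, verdict in triage().items():
        print(f"{verdict:10} {href}")
```

Anything other than "ok" is a reason to stop and confirm with the sender before typing a password; the second and third samples are the two tricks most likely to fool a quick glance at the address bar.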

You’ll know if you’ve fallen for this scam because you’ll hear back from some people in your address book, and you may have some bounced messages that you don’t remember sending. If you’ve been scammed, change your Gmail password right away. If you use a similar password for other accounts it’s best to change those passwords as well. Finally, sending out a message to all of your Gmail address book contacts advising them to ignore the scam message

Tech Tip of the Week: Security Certificate Updates

As part of our continuous efforts to maintain secure IT services, we’ve updated the security certificate for Hampshire websites. If you’re prompted to confirm a security exception on a Hampshire site, check the certificate as described below before you confirm it. Read on for details.

About Security Certificates
If you’ve been following the Heartbleed exploit then you’ve been reading about SSL (Secure Sockets Layer). SSL, and its successor TLS (Transport Layer Security), is the protocol browsers use to encrypt their communication with web services; the name SSL is still commonly used for both.

To prove that they are who they claim to be, web services present the browser with a certificate. For the certificate to be trusted, it must be issued by an authority the browser knows and trusts. There are a limited number of Certificate Authorities (CAs), and they are audited for compliance with industry requirements; every browser (or the operating system it runs on) ships with a list of CAs it trusts, the “Trusted Root Certificate Authorities.”

When a browser receives a certificate, it checks that it knows the issuing authority, that the name on the certificate matches the site you asked for, and that the current date falls within the certificate’s validity period. If everything checks out, you proceed to the website without being aware of any of this happening. You can view the certificate for a secure site in your browser by clicking on the padlock icon in the address bar.

Confirming Security Exceptions
If a browser can’t validate the certificate it is given for a secure site, you may be asked to confirm that you want to allow a security exception. Often this happens because your browser doesn’t have a root certificate for the Certificate Authority that issued the certificate, or because the server didn’t send the intermediate certificate that links its certificate to a known root.

You should always be cautious about confirming a security exception, because doing so tells the browser to skip the check that protects you from impostor sites. Double-check that you’re visiting the correct site, with no typos in the address. Look at the certificate and check the Certificate Authority; Hampshire is currently using Starfield as a CA. If the site name and issuer are what you expect, confirm the exception; if anything doesn’t match, don’t.

Why You May be Asked to Confirm an Exception for a Hampshire Site
We have updated our certificates for “.hampshire.edu” sites in order to provide a more secure environment. This was not in response to any specific threat or breach, but part of our regular security maintenance process.

If your browser does not have a root certificate for Starfield, you may be asked to confirm a security exception when you next visit a secure Hampshire site. Once you confirm that exception you should be all set.

Tech Tip of the Week: The Demise of Windows XP

On Tuesday, April 8, Microsoft stopped supporting Windows XP, meaning no more updates to plug security holes. As time goes on computers running XP will become more and more insecure.

About Windows Operating Systems
Windows XP is a Microsoft operating system for PCs that was released in 2001. In 2007 Microsoft released Windows Vista, which was intended to take over as the standard PC operating system. Vista was not generally well received, and many users continued to use XP; here at Hampshire we decided to skip deploying Vista and held out for its successor, Windows 7, released in 2009. The most current operating system from Microsoft is Windows 8, but that is seeing a slow adoption rate because of its significant changes to the user interface.

Why XP is Still Out There after 13 Years
Windows 7 is generally well regarded, and was adopted by many PC users. Despite this enthusiasm, it did have some barriers to adoption: the system requirements–it runs best with at least 2 GB of RAM–and its cost–often more than $100. It’s also not a simple upgrade–you have to re-install any programs you have on the computer, which means it takes several hours to complete.

What’s Changing…
…or not changing, to be precise. Up until now, Microsoft has kept sending out updates to plug security holes in XP as they’ve been discovered; on April 8 of this year the last update was released. From now on Microsoft will release no security updates for Windows XP to the general public.

There is an exception to this–Microsoft is providing a paid update service to some critical-use customers (did you know that 95% of ATMs were running XP just before April 8?)–but for regular old users there will be no more updates.

How to Tell if your Computer is Running Windows XP
To check whether your PC has Windows XP, right-click on the Computer icon on your desktop or in the Start Menu, and choose “Properties.” A window will come up that will tell you what operating system you’re running.

What this Means for You
If you’re still running Windows XP on a computer, it will become less and less secure as time goes on. If it’s at all possible, it’s time to upgrade your computer to Windows 7 or Windows 8. If that’s impossible or impractical for you, take steps to make sure that you keep it as secure as possible:

  • Don’t use it for any transactions that you need to keep secure. It will become vulnerable to attacks that can steal passwords and other personal information.
  • Keep your antivirus software up to date and always running. This isn’t going to solve every problem, but it will definitely help.
  • Don’t use Internet Explorer as your browser. Choose Chrome, Firefox, or Safari.
  • When you don’t need to be connected to the internet, disconnect. That means turn off your wireless access (often there’s a switch on the side of a laptop as well as the option to turn off wireless through software), and unplug any Ethernet cable that’s connected. You can be sure there will be malware bots scanning the internet looking for XP computers to infect.

What IT is Doing About the Remaining XP Computers
We’ve been migrating users to Windows 7 over the past several years. There are still a few computers out there running XP that we’re actively scheduling for upgrades. We will be contacting everyone we’re aware of who has a Hampshire computer running Windows XP; if you don’t hear from us in the next week and are running XP, please let us know by emailing helpdesk@hampshire.edu.

Tech Tip Extra: The Heartbleed Bug and You

A major new web security flaw was discovered this week, so it’s time to change your banking passwords again (once the sites involved have been patched, as explained below). Read on for more information.

About SSL
You’ve probably noticed the padlock icon when you browse to “secure” websites, or the “s” at the end of “https”. Those clues indicate that the site you’re visiting uses a security protocol known as SSL (Secure Sockets Layer) or its follow-on TLS (Transport Layer Security). The SSL/TLS protocol is designed to encrypt data transported to and from sites so that only the intended receiver can decrypt it.

What the Exploit Does
This week it was discovered that there is an error in a widely used implementation of SSL/TLS known as “OpenSSL.” The bug is in OpenSSL’s handling of the TLS “heartbeat” extension. The “heartbeat” function allows someone to send a message essentially saying, “Hey, SSL server, are you there?” The server should then respond “Yep,” and echo back the small payload it was sent. The flaw is a missing bounds check: the server trusts the length the sender claims for that payload and copies that many bytes out of its own memory into the reply, up to about 64 KB at a time, no matter how short the message actually was. In OpenSSL, then, it’s possible (easy, even) to trick the server into responding with the equivalent of “Yep. Oh, and by the way, here is some random information. Not sure what it is exactly, but check it out because maybe it’s my secret key that will let you pretend to be me and intercept passwords and other supposedly secure information. If that didn’t get you what you want, just ask again, maybe you’ll get lucky. And don’t worry, I won’t tell anyone about this little conversation of ours.”
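As an added illustration (not code from the original post, and not OpenSSL’s code), here is a simplified Python model of the heartbeat handling before and after the fix. The “process memory” with a secret sitting next to the received record, the sample request, and the secret itself are all constructed for the example; the check in the fixed version mirrors the one-line bounds test that the OpenSSL patch added.

```python
"""Simplified model of the OpenSSL heartbeat bug ("Heartbleed").

A TLS heartbeat message is laid out as

    type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)

The record lands in a buffer that also holds other live data.  The vulnerable
handler trusts payload_length as sent by the peer; the fixed handler checks it
against the number of bytes that actually arrived.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LENGTH = 16  # minimum padding the heartbeat RFC requires


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request; claimed_length lets an attacker lie about the payload size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LENGTH


def make_process_memory(record: bytes, adjacent_secret: bytes) -> bytearray:
    """Constructed stand-in for the server's heap: the received record followed by other data."""
    return bytearray(record + adjacent_secret)


def handle_heartbeat_vulnerable(memory: bytearray, record_length: int) -> bytes:
    """Pre-fix behaviour: echo payload_length bytes from the payload start, no bounds check.

    record_length is how many bytes really arrived; the buggy path never looks at it,
    so a large claimed length reads past the record into whatever lies next to it.
    """
    hb_type, payload_length = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    payload = bytes(memory[3:3 + payload_length])  # may run far beyond record_length
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * PADDING_LENGTH


def handle_heartbeat_fixed(memory: bytearray, record_length: int) -> Optional[bytes]:
    """Post-fix behaviour: drop the request if the claimed payload cannot fit in the record."""
    if record_length < 1 + 2 + PADDING_LENGTH:
        return None  # too short to hold even a header and the minimum padding
    hb_type, payload_length = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_length + PADDING_LENGTH > record_length:
        return None  # silently discard, as the patched OpenSSL does
    payload = bytes(memory[3:3 + payload_length])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * PADDING_LENGTH


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    _, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length]


def demo() -> dict:
    """Send a 4-byte payload while claiming 40 bytes, against both handlers."""
    secret = b"-----BEGIN RSA PRIVATE KEY----- (constructed)"  # constructed, not a real key
    record = build_heartbeat_request(b"ping", claimed_length=40)
    memory = make_process_memory(record, secret)
    leaked = response_payload(handle_heartbeat_vulnerable(memory, len(record)))
    return {
        "leaked": leaked,  # b"ping", 16 bytes of padding, then 20 bytes of the neighbour
        "fixed_drops_it": handle_heartbeat_fixed(memory, len(record)) is None,
    }


if __name__ == "__main__":
    result = demo()
    print("vulnerable server returned:", result["leaked"])
    print("fixed server dropped the request:", result["fixed_drops_it"])
```

The leaked bytes here come from a buffer the example placed next to the record on purpose; on a real server the neighbouring memory is whatever happened to be allocated there, which is why repeated requests eventually turned up session cookies, passwords and private keys.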

What’s Being Done About It
A patch that fixes the bug has been released, and vulnerable sites are quickly installing it. You can check if sites you visit are vulnerable by visiting http://filippo.io/Heartbleed .

What You Should Do
Because there is no way to tell if a site has been attacked using this bug (you can only tell if it is vulnerable), the best practice available is to check that a site is no longer vulnerable, and then change your password. Ideally the site has also replaced its certificate, since the bug could have exposed its private key; changing a password on a site that is still vulnerable only hands the attacker the new one. Do this for every site you use for any financial or other sensitive information.

For more information check out http://heartbleed.com/.