18 September, 2012

Microsoft Internet Explorer 9 has been affected by a "0 day" attack.  Until the latest updates are available from Microsoft, I suggest Windows users switch browsers for the near term.  The

Microsoft also recommends installation of the Enhanced Mitigation Experience Toolkit (v3.0), and I recommend users use the Internet Explorer whitelisting settings, and consider the Office settings at a later time.

To check the integrity and patching of all your browsers, use the CWRU Browser Check Utility (requires CWRU login to access).

10 September, 2012

Casey at the Bat

I found this old story in my journal, and it is pertinent for the Campus Community at the beginning of the semester.

Casey called in to the Help Desk when he tried to download the new Windage Wimba software from the Case Software Center, but the accounting system told him that he had already downloaded it. The new software had only been made available the previous day, and Casey knew he hadn't yet downloaded it. In looking at the software available at the Software Center website, he learned that there were many applications that were already downloaded. These included software for an operating system that he didn't use at all.

Casey had played baseball for a few years, and he used the name of his favorite baseball bat to craft his Case password, which was “OldHickory%34.” He admitted that he had shared his account information with a teammate a couple of years ago, who had since graduated, and that he hadn't changed it since the University-wide password change in 2000-something.

Further investigation revealed that someone using Casey's account had been logging into various resources around campus: the Library, Filer, Forum, Docshare, the Case VPN, and the Case Software Center. These logins were confirmed to come from off campus, while Casey lived on campus. In fact, several thousand dollars' worth of software had been downloaded with his account. Casey had to change his password and check his email accounts for misuse. He also had to begin the process of regularly monitoring his credit report in case he was a victim of fraud or identity theft. It was discovered that Casey's former teammate (and former friend) had in fact used Casey's account to steal software and move movies and mp3 files into the University IT systems. Casey was disturbed that a 'friend' could do all this with his Case Network ID and password, and worse, that he was responsible and accountable for all of these actions. Fortunately, Casey reported his problem and the real thief was discovered and prosecuted.

Moral of the story? You'll never know if somebody knows you well enough to guess your password, or even trick you into revealing it (e.g. phishing attacks). A regular change process, and using passphrases instead of passwords so that they are easier to memorize, will help Casey after he graduates and moves on to the professional world.

24 January, 2012

Where Oh Where Can My iPhone Be?

{This post has been updated with new items in September 2012}

I have been noting with interest the volume of users with iPhones and iPad devices, and sadly I also get the reports of lost or stolen iPhones and iPads.  For those of you who have suffered such a loss, I feel your pain.

The first level of pain is based on the answer to the question: Was your device configured to the CWRU Mobile Configuration Standard? If the answer is yes, you will be put at ease by the knowledge that any person who picks up your device cannot access your data, cannot sync your files to a computer, and can only make emergency calls; and with the logon banner, perhaps the Good Samaritan will call the "if found, please call..." number. If the answer is no, well, the second level of pain is in store for you, because all those bad things can happen to you, and you have put university data at risk, if you value any communications in your email store on the device.

The CWRU Mobile Configuration for the iPhone and iPad has these distinct features:

  • minimum 5-digit or character passcode to defeat guessing
  • a device wipe setting should passcode guessing continue beyond 10 tries
  • 5 minute screen inactivity timeout
  • encrypted backup when synchronizing with a computer (a thief cannot easily break in with a sync cable)
  • primary WiFi settings set to the CaseWireless network
  • CWRU VPN settings
  • LDAP lookups

If you visit the CWRU Service Desk, you can have a nice desktop support person help you install this configuration utility. Two versions are posted, one for University-owned devices, and one for student (BYOD) devices, the latter being a simpler control set.
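To confirm that a profile actually carries the passcode and backup settings listed above, it can be parsed and checked before it is installed. The following is an added example, not the CWRU profile or utility: it assumes the settings map onto Apple's standard configuration-profile keys (`minLength`, `maxFailedAttempts`, `maxInactivity`, `forceEncryptedBackup`), treats "beyond 10 tries" as a limit of at most 10, and runs against two constructed sample profiles. The WiFi, VPN and LDAP payloads are not checked.

```python
import plistlib

# Thresholds from the feature list above; mapping them onto these Apple
# configuration-profile keys is this example's assumption.
MIN_LENGTH, MAX_ATTEMPTS, MAX_IDLE_MIN = 5, 10, 5

def audit_profile(profile_bytes):
    """Return a list of findings; an empty list means every check passed."""
    profile = plistlib.loads(profile_bytes)
    payloads = {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}
    findings = []

    policy = payloads.get("com.apple.mobiledevice.passwordpolicy")
    if policy is None:
        findings.append("passcode policy payload missing")
    else:
        if not policy.get("forcePIN", False):
            findings.append("passcode not required")
        if policy.get("minLength", 0) < MIN_LENGTH:
            findings.append("passcode shorter than 5")
        # An absent key means "no limit", so it is reported as a failure.
        attempts = policy.get("maxFailedAttempts")
        if attempts is None or attempts > MAX_ATTEMPTS:
            findings.append("no wipe after 10 failed attempts")
        idle = policy.get("maxInactivity")
        if idle is None or idle > MAX_IDLE_MIN:
            findings.append("inactivity timeout over 5 minutes")

    restrictions = payloads.get("com.apple.applicationaccess", {})
    if not restrictions.get("forceEncryptedBackup", False):
        findings.append("encrypted backup not forced")
    return findings

def sample_profile(min_length, attempts, idle, encrypted):
    """Build a constructed profile for the demo (not the CWRU profile)."""
    policy = {"PayloadType": "com.apple.mobiledevice.passwordpolicy",
              "forcePIN": True, "minLength": min_length, "maxInactivity": idle}
    if attempts is not None:
        policy["maxFailedAttempts"] = attempts
    restrictions = {"PayloadType": "com.apple.applicationaccess",
                    "forceEncryptedBackup": encrypted}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [policy, restrictions]})

if __name__ == "__main__":
    print(audit_profile(sample_profile(5, 10, 5, True)))      # compliant sample
    print(audit_profile(sample_profile(4, None, 15, False)))  # weak sample
```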

How do I find my (properly secured) device if it is lost? I recommend setting up iCloud services (under iOS 5.0). This simple service is built into the iOS 5 series; when you install the Find My iPhone App on your phone or iPad (a similar feature is available for your Mac) and manage the App by logging in with your iTunes account, you have the built-in tracking feature.

Note: this won't work ex post facto, so you have to take the preventative measures before your problems occur. In summary, make sure you

  1. Apply the secured configuration.
  2. Install and set up the Find My iPhone app and configure iCloud.

Post Script: There are similar features for Android devices; that will be discussed in a later feature.

23 January, 2012

Lose a laptop, keep the data

I've been looking closely at various laptop tracking products, intended as theft recovery services.  Some that look interesting are:

  • Computrace/Absolute software, offering 3 versions:
    1. LoJack for Laptops: the consumer version
    2. Computrace Plus: the next step up for corporate/enterprise devices
    3. Computrace Complete: the total package, with asset management, remote wipe, makes toast...
  • PCPhoneHome/MacPhoneHome
  • Orbicule Undercover (Mac Specific)
  • FrontDoor Software

The high-end systems track your laptop for you when it is lost, and when a recovery guarantee is offered, I say take it.  The Computrace service engages law enforcement for you, once you have a police report.  If they cannot find it, you'll get a refund of the cost of your device; some solace for the seasoned road-warrior, but not if your data is gone.

The lower-end services will activate a pre-installed agent upon notification that the device is stolen or lost, and the vendor tells the customer the tracked location of the device, assuming it is on a network somewhere (the eventual destination of stolen laptops).

Therein lies the Achilles Heel of laptop theft recovery software: if the computer never comes back to a network, it never "calls home" and no recovery is possible.  Additionally, the lower end products won't help much if the eventual thief (or person who buys it online from the thief) puts in a new hard drive or re-installs a new OS.  

I found Orbicule interesting in its many recovery options, notably taking photos of the (presumed) thief using the stolen Mac. The customer must refrain from playing "cops" and visiting the reported location of the device. Call your local police.

Overall, the largest cost to any user who suffers a lost laptop is the lost work, the data, that is on the device. I suggest two approaches to leverage this risk: online backup services and cloud data management. If your work product is online, you have less chance of losing it in a device theft. The concept behind the Google Chromebook is for the device to be cheap and efficient, and for the valued data to be online. Follow that approach, and laptop recovery software is less of a value proposition.