Thursday, September 11, 2014

GMail usernames and passwords published online

Yesterday we heard that around 5 million GMail accounts had potentially been exposed online. No University of Sheffield accounts have been affected and Google have confirmed that the accounts have not been hacked. So no need to panic.


It’s very rare that a major email provider such as Google (gmail.com) or Microsoft (hotmail.com, live.com) has their password databases compromised. And further investigation quickly showed that it’s very unlikely that Google had been hacked. It is much more likely a collection of GMail accounts harvested from other websites and this has now been confirmed by a Google spokesperson.


This event re-emphasises how important it is that you never re-use your University password for any other online service.


If you have ever reused your University password for another service now is the time to change it! We’ve updated our rules so that University passwords are easier to choose and potentially stronger than ever.


Alongside phishing, the hacking of external websites is the most common cause of account compromise at the University. When your University account is compromised it exposes your sensitive information and any University data you have access to.


Recently we have seen hundreds of millions of accounts exposed worldwide including some very big names such as eBay, Adobe and Forbes. With each major breach we find that a small number of people from the University of Sheffield have reused their username and password to sign up for external sites. It’s fine to register using your University email address but never reuse your University password.


Managing multiple passwords can be difficult. We suggest committing your most important passwords (e.g. University, banking, email) to memory and then using a password manager for the others. There are some really good tools out there such as LastPass, 1Password and KeePass. It’s really important that you choose a password manager that fits with your needs (e.g. supports mobile devices, supports Windows/Mac) and follow their security advice carefully. A good article on password managers can be seen on LifeHacker.


If you choose to use a password manager, make sure you choose a really strong master password as this is what gives access to all of the accounts you have stored.


You can check to see if any of your accounts might have been compromised at sites such as https://breachalarm.com/ or https://haveibeenpwned.com/. https://isleaked.com/en allows you to check for GMail accounts affected by this most recent breach.

Google Online Security blog
Cleaning up after password dumps

Wednesday, August 27, 2014

Web Drop-in Sessions

The next Web Drop-In session is on Thursday 28th of August and it's the last chance to speak to CiCS staff before the students return and it all gets ultra busy again.

The session will run for approximately an hour from 11:45 am to 12:45 pm in the Hawley Room, CiCS, on Brunswick Street.

If you've got any questions about:

* CMS
* cPanel
* Google Sites
* analytics
* anything else web-related

please come along and we'll do our best to help.

There's no need to book - just turn up on the day (although you will need to sign into the building).

We won't be able to train new users during the drop-in sessions, however there are training sessions planned for September and October in the Computing Centre on Hounsfield Road. Go to the web page at http://www.sheffield.ac.uk/web/training for more information and how to enrol.

We look forward to seeing you at the drop-in session or at one of the training sessions. 



Friday, August 22, 2014

McAfee Site Licence Expires Sept 25

The University site licence for McAfee antivirus protection is due to expire on Sep 25 2014 and will not be renewed.

CiCS will continue to look after virus protection on Managed 'University Desktop' computers, but if you use a non-managed PC or Mac you must make sure that you do not have a copy of the University 'Enterprise' version of McAfee installed, so that McAfee's licensing is not violated.


PCs
First you need to check whether you have the University 'Enterprise' installation of McAfee. Right-click the McAfee Shield on the taskbar. If you have the University Enterprise edition, when you left-click on About VirusScan Enterprise™ it will say:

McAfee
VirusScan
Enterprise
ver 8.x

If this is the case you must remove McAfee then take the following action as appropriate:
  • Windows 7 PCs on campus should be upgraded to Microsoft Forefront
  • Personal Windows 7 PCs at home should be upgraded to Microsoft Security Essentials
  • Windows 8 and 8.1 have Windows Defender built in so there is no need to install any extra antivirus

Home PCs running your own personally licensed version of McAfee will not need to be changed.

Macs

First you need to check whether you have the University 'Enterprise' installation of McAfee. Right-click the McAfee Shield on the dock, then left-click ‘About McAfee Endpoint Protection for Mac’. If you have the University Enterprise edition it will say:

McAfee Endpoint Protection for Mac Version x.x.x RTW (xxxx)

If this is the case, whether on Campus or at home, you must remove McAfee and replace it with Sophos. You should install the correct version of Sophos from 


Alternatives

Alternative antivirus software installers are available from

and are available from on campus and via VPN from off campus.

Tuesday, August 12, 2014

External Calls Busy During Clearing

As many of you will already be aware, on Thursday 14th August this year's A Level results will be released by UCAS. In addition to this, the University Admissions service will begin the Clearing process. During this time, and especially on the first day of Clearing, the University receives a very high volume of external calls from potential students, which can saturate the main incoming lines into the University. As a result, any incoming or outgoing calls from the University may receive a busy tone, typically during the peak hours of 09:00 - 11:30 on Thursday.

We apologise for any inconvenience that this may cause.  The Clearing process is of great importance to the University and so we ask for your patience during this short period and, where possible, that you avoid making external calls from your University extension.  No issues should be experienced in making calls to internal University extensions.

In addition to this, use of the University's centralised call recording facilities will be limited on Thursday 14th and Friday 15th August.

Monday, August 11, 2014

Passwords: Now Stronger, Longer (and More Absorbent?)

It is now possible to create University passwords up to 30 characters in length and for the first time they can include mixed case letters as well as numbers and a few special characters. In addition the minimum length of new passwords has increased from 6 to 8 characters.

This means you can now have passwords like:

  • IHaveASmellyDogCalledEric
  • GetTeenageKicksRightThroughTheNight-ALRIGHT
  • Pa55w0rd

The final one illustrates that although we have made it easy for you to choose a very secure password it is still perfectly possible to choose a poor password. Ultimately, the security of your data depends on the strength of password you choose and the diligence with which you protect it.
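The point about the third example can be shown with a short checker; this is an added illustration, not the University's own validation code. The permitted special characters and the word list are assumptions, since the post does not list them.

```python
import re

MIN_LEN, MAX_LEN = 8, 30      # limits quoted in the post
ALLOWED_SPECIALS = "-_.!"     # assumption: the post does not list the permitted specials
# Constructed mini word list; a real check would use a large breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "sheffield"}
# Undo common digit/symbol substitutions before the dictionary lookup.
LEET = str.maketrans("013457@$", "oleastas")


def policy_violations(password):
    """Return the list of rule violations; empty means the password is accepted."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append("too short")
    if len(password) > MAX_LEN:
        problems.append("too long")
    allowed = re.compile(rf"[A-Za-z0-9{re.escape(ALLOWED_SPECIALS)}]*")
    if not allowed.fullmatch(password):
        problems.append("character not allowed")
    return problems


def is_guessable(password):
    """True if the password is a common word behind simple substitutions or padding."""
    core = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    return any(word in core and len(core) - len(word) <= 3 for word in COMMON_WORDS)


def assess(password):
    """Combine the composition rules with the guessability check."""
    problems = policy_violations(password)
    if problems:
        return "rejected: " + ", ".join(problems)
    return "accepted but weak" if is_guessable(password) else "accepted"


# The three example passwords from the post.
EXAMPLES = [
    "IHaveASmellyDogCalledEric",
    "GetTeenageKicksRightThroughTheNight-ALRIGHT",  # 43 characters, above the 30 quoted
    "Pa55w0rd",
]

if __name__ == "__main__":
    for pw in EXAMPLES:
        print(f"{pw:45} {assess(pw)}")
```

Meeting the length and character rules says nothing about guessability, which is why the dictionary check runs separately from the policy check.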

You can continue using your current password if you like, but we strongly advise you to choose a stronger password. To do this go to the Computer User Account Management link in the My services menu in MUSE. You will be able to choose a stronger password and it must have at least 8 characters.

However, even the strongest password is useless unless you protect it as follows:

  • Never write your password down
  • Never share your password with a colleague or friend
  • Never write your password in an email
  • Never use your University password on an external site such as Amazon, Ebay, Facebook or your bank
  • Never log into a website by clicking a link in an email or other electronic message

Even when University passwords were limited to 8 characters they were perfectly safe unless someone chose an obvious dictionary word. The most common cause of security breaches was when someone deliberately or inadvertently shared their password.

However, there was a perception by some people that our short passwords were fundamentally insecure. We hope that by re-engineering our systems to allow longer passwords we have allayed these fears. At the very least we have made it very easy to create very secure passwords. The rest is up to you.

Wednesday, July 30, 2014

SSiD to moderate student myAnnounce emails


The Student Communications Team in SSiD will be taking over the moderation of student announce emails from the 1st August. The messages will be moderated by the team in line with a new student announce policy which has been designed to make the emails more relevant to students.

The new policy has been developed after research revealed that students feel they are sent too many ‘spam’ emails from the University and as a result they don’t read their messages, meaning that they sometimes miss vital information relating to their studies.

Messages sent through the system will need to be more targeted and relevant, while events and volunteering announcements will be published in a weekly digest.

However, this does mean that messages with a student and staff audience will need to be submitted twice and approved separately. This makes it likely that staff and students will receive the message at different times and possible that the message could be approved for one audience and declined for another.

Eventually Corporate Affairs will take over the moderation of staff announce emails, which will mean changes to the way emails are currently sent to announce. The present system allows you to send one email and specify who you want it to be sent to as moderation was carried out by Peter Armstrong for both staff and student announce emails.

In the future when you want to send a message it will be moderated by The Student Communication Team if it is for students and by Corporate Affairs if it is for staff. It is hoped that this will reduce the amount of emails staff and students receive as more targeted announcements are possible.

Monday, July 28, 2014

New anti-phishing measure for University email

We've put in place a new measure to alert you if an email you have received looks a bit suspect.

Specifically, it will detect if a University of Sheffield email address appears to have been spoofed from a non-Sheffield Uni server - that means if somebody has tried to make it look like the email that they have sent is actually coming from someone else. 

When you receive an email like this, you'll see the message: 'Warning: Sender not verified' at the start of the email subject.

The trouble is, there are sometimes legitimate reasons why someone might send a message appearing to be from someone else.  Event management websites such as Eventbrite might send automatic reminders about an event, with the email appearing to come from the event owner's address.

We don't know at this stage how many, if any, false positives there might be. If you do find a false positive in your inbox, then let our helpdesk know by forwarding it to helpdesk@sheffield.ac.uk.
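The check described in this post can be sketched as follows. This is an added example, not the University's actual mail filter: the trusted relay range is a placeholder, the sample messages are constructed, and the space between the warning and the original subject is an assumption.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; the relay range is a placeholder, not a real network.
PROTECTED_DOMAIN = "sheffield.ac.uk"
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]  # RFC 5737 documentation range
TAG = "Warning: Sender not verified"


def claims_protected_sender(msg):
    """True if the From header carries an address in the protected domain."""
    address = parseaddr(msg.get("From", ""))[1].lower()
    domain = address.rpartition("@")[2]
    return domain == PROTECTED_DOMAIN or domain.endswith("." + PROTECTED_DOMAIN)


def tag_if_unverified(raw_message, client_ip):
    """Prefix the subject when a protected From address arrives from an untrusted relay."""
    msg = message_from_string(raw_message)
    ip = ipaddress.ip_address(client_ip)
    from_trusted_relay = any(ip in net for net in TRUSTED_RELAYS)
    subject = msg.get("Subject", "")
    if claims_protected_sender(msg) and not from_trusted_relay and not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}"
    return msg


def build(sender, subject):
    """Build a minimal constructed message for the samples below."""
    return f"From: {sender}\nTo: someone@sheffield.ac.uk\nSubject: {subject}\n\nBody\n"


# Constructed sample traffic: (raw message, IP of the connecting mail server).
SAMPLES = {
    "internal": (build("Alice <alice@sheffield.ac.uk>", "Timetable"), "192.0.2.25"),
    "spoofed": (build("IT Helpdesk <helpdesk@sheffield.ac.uk>", "Reset your password"), "203.0.113.9"),
    "event_reminder": (build("Bob <bob@sheffield.ac.uk>", "Reminder: open day"), "198.51.100.7"),
    "external": (build("Carol <carol@example.org>", "Hello"), "198.51.100.7"),
}

if __name__ == "__main__":
    for name, (raw, ip) in SAMPLES.items():
        print(f"{name:15} {tag_if_unverified(raw, ip)['Subject']}")
```

The `event_reminder` sample is tagged even though it is legitimate, which is the false-positive case the post describes for services that send on an event owner's behalf.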