Thursday, 25 September 2014

Bash vulnerability (aka Shellshock)

A new security vulnerability has been discovered in Bash. Known as the Bash Bug, or Shellshock bug, the flaw allows malicious network-based attacks against *nix servers and potentially other Unix, Linux and Macintosh computers.

The scenarios in which this bug can be exploited are complex and not limited to the use of Bash from a terminal. If you are responsible for any systems which may be affected by the bug, you must patch them as soon as the fix becomes available. If you’re not sure, then please contact us.

This re-emphasises the need to ensure that all systems are patched promptly; you should have a process in place to make sure systems are kept up to date. We will take care of the patching of server operating systems hosted on the CiCS VMware estate, e.g. Ubuntu.

Vendors are now working to release patches that negate this vulnerability and they should be your first port of call if you require information about a particular OS. As yet Apple haven’t made a statement regarding OS X; we would expect any patch to be part of the normal automated updates.

Please feel free to contact us if you’d like further information about this vulnerability, general good practice, hosting systems with CiCS or indeed any other security-related matters.

News from Audio Visual Services

Audio Visual Services have been busy over the summer vacation making the following changes to both the services and the spaces they support. Here’s an outline of some of the changes we can expect to see in the new academic year.

Audio Visual feedback

At the end of the 2013/14 academic year, staff using AV resources were sent a form asking for feedback on the services AV provide. Following on from the feedback received, an action plan was put in place and some changes have already been implemented, with more on the way. The result of these changes will enable the Audio Visual team to provide an even better service to staff.

The three links below contain the feedback received, AV comments, what changes have already been implemented and future changes to improve the service.

Refurbished teaching spaces

Over the summer CiCS and EFM have been extremely busy refurbishing over 30 spaces. All of these spaces have been upgraded with high definition capabilities. This includes HDMI cables for laptops or smart devices, top of the range visualisers and high quality projection/display screens. The information listed on the Room Bookings system and website will be updated in time for the start of the 2014/15 academic year to reflect the changes.

AV booking system upgrade

Over the summer the booking system has been upgraded to the latest version. The new version allows AV to email a confirmation of a booking, listing, for example, the equipment booked and the start and end times. Every confirmation will contain a unique job reference number. This will be important for those who need to make any adjustments or cancellations. Quoting a job reference number will allow the team to locate a booking easily. This change will be introduced within the next two weeks.

SmartBoard upgrade

The version of SmartBoard has been upgraded over the summer. SMART have made a number of key changes to this version, allowing the team to deploy it so that it functions ‘straight out of the box’. Users will no longer have to wait 30 seconds for the service to be stopped and then have to relaunch it. Another useful change is that if you want to annotate over anything you display, you simply press the appropriate pen button and write. So say goodbye to the annoying box that overlays PowerPoint.

There is, however, an issue whereby the pen function takes a very long time to recognise if you are using TurningPoint. Discussions with SMART are underway to investigate and hopefully rectify the problem. In the meantime SMART recommend using PowerPoint in two ways when running TurningPoint: one for polling, the other for your presentation. This is not ideal and hopefully there will be a better solution very soon.

Additional technical support for teaching

During weeks 1-3, CiCS will be providing three additional staff members to support teaching. This support is in addition to the standard support provided by CiCS AV. This year we are trialling a new approach. In the past CiCS staff were on standby just in case help was needed. In the future staff will be able to request support for one or more sessions. Staff who would like help in using the technology within a session can use the following request form:

This additional support is aimed at helping staff get up and running as smoothly as possible. CiCS staff are unable to stay for the whole duration of the session as they may be needed to help support more than one session.

Over the next two weeks AV will be running a number of training sessions to help staff gain a better understanding of how to use the technology in teaching spaces. The training sessions will cover a range of topics, such as using the audio-visual system (changing sources, presenting in dual projection, adjusting audio levels), using the Smart Podium (interactive monitor), using the visualiser (also known as digital OHP), troubleshooting faults, etc.

Staff can just turn up to the sessions, which will run on the following dates:

Friday 26 September      Hadfield Building, HB-LT22, 13:00-14:00
Monday 29 September      9 Mappin Street, 9MS-G04, 11:00-12:00
Wednesday 1 October      Jessop Building, JB-116, 11:00-12:00
Thursday 2 October       Elmfield, EF-LT01, 11:00-12:00
                         Richard Roberts Building, RRB-A84, 15:00-16:00

Thursday, 11 September 2014

GMail usernames and passwords published online

Yesterday we heard that around 5 million GMail accounts had potentially been exposed online. No University of Sheffield accounts have been affected and Google have confirmed that the accounts have not been hacked. So no need to panic.

It’s very rare that a major email provider such as Google or Microsoft has their password databases compromised, and further investigation quickly showed that it’s very unlikely that Google had been hacked. It is much more likely to be a collection of GMail accounts harvested from other websites, and this has now been confirmed by a Google spokesperson.

This event re-emphasises how important it is that you never re-use your University password for any other online service.

If you have ever reused your University password for another service, now is the time to change it! We’ve updated our rules so that University passwords are easier to choose and potentially stronger than ever.

Alongside phishing, the hacking of external websites is the most common cause of account compromise at the University. When your University account is compromised it exposes your sensitive information and any University data you have access to.

Recently we have seen hundreds of millions of accounts exposed worldwide including some very big names such as eBay, Adobe and Forbes. With each major breach we find that a small number of people from the University of Sheffield have reused their username and password to sign up for external sites. It’s fine to register using your University email address but never reuse your University password.

Managing multiple passwords can be difficult. We suggest committing your most important passwords (e.g. University, banking, email) to memory and then using a password manager for the others. There are some really good tools out there such as LastPass, 1Password and KeePass. It’s really important that you choose a password manager that fits with your needs (e.g. supports mobile devices, supports Windows/Mac) and follow their security advice carefully. A good article on password managers can be seen on LifeHacker.

If you choose to use a password manager, make sure you choose a really strong master password as this is what gives access to all of the accounts you have stored.

You can check to see if any of your accounts might have been compromised at sites such as or allows you to check for gmail accounts affected by this most recent breach.

Google Online Security blog
Cleaning up after password dumps