You may have heard this week about the discovery of a severe vulnerability that has affected the security of many websites. This flaw, called the Heartbleed bug, was discovered Monday in a popular open-source software package, OpenSSL, that is used to encrypt usernames, passwords, and other sensitive communications between a person’s browser and a website. (Not all websites that use OpenSSL are vulnerable, however.)
Fixes for this flaw have been announced, and we are now working to quickly identify all systems affected at The New School. Most core systems have either been patched or are not vulnerable to this bug. MyNewSchool, Banner, and Touchnet (a credit card payment system), for example, are safe to use. Google has also announced that its core services, including GMail and Apps, have been patched.
Even though most of our systems were not vulnerable, situations like this provide a useful reminder to change your password for added security. If you have concerns about securely connecting to any New School website because of this flaw, contact IT Central at email@example.com.
For non–New School websites, such as your bank and your personal email, you may wish to check online or wait to receive notification from the site operator that the system is safe to use. If no information is available, contact the site to confirm that it has not been affected by this vulnerability. You can use this Heartbleed test site to test websites’ vulnerability as well, but be sure to read the test site’s FAQ to understand the validity of the results.
As we start the new academic term, please be reminded to keep your personal information safe and look out for "phishing" scams. Phishing is an identity theft scam that uses "spoofed" or fake emails and web sites to trick people into giving out personal information such as user names and passwords, credit card numbers, or social security numbers. The emails or web sites usually look official at first glance, which is what makes them so successful.
To avoid phishing scams, we recommend that you:
- Always be suspicious of emails asking for sensitive information. Email is not a secure form of communication. Organizations you do business with (including The New School) already know your account information, and will never request it from you via email.
- Never respond to an email request for personal information. If you think the message might be legitimate, look up the organization's phone number (don't trust the phone number in the email), call them on the phone, and provide the information that way.
- Never click on the links in an email you suspect might be phishing. If you're unsure about a link to a site you receive in an email, hover your mouse over it. If the link text in the email doesn't match the link address, DO NOT click on the link.
Please note that The New School's Information Technology department (and the Help Desk) will NEVER:
- Send you an email that your mailbox (or file server) storage limit has been exceeded and ask you to click on a link to upgrade your account.
- Send you an email asking you to click on a link to "confirm your information" for any purpose.
- Send you a link to a "web form" that collects information such as your NetID and password.
- Ask you to provide personal information via email.
February 6, 2013—This security advisory provides important information for all New School computer users. Please read the entire advisory to learn about the actions you need to take to secure your computer and information.
Recently, you may have heard about several security vulnerabilities in Java, which is a popular programming language used for writing all kinds of computer applications, including some that work inside your web browser, via a special plug-in. Most computers at The New School have some version of Java installed on them, and therefore may be vulnerable to these security issues. To ensure that the New School computing environment is protected from these Java security issues, we are asking each member of the faculty and staff to take a few minutes to ensure that his or her computer's Java version is up-to-date by following the simple instructions below.
The Banner application has special Java support requirements. If you are a Banner user, you will have received a separate email from Enterprise Applications via the Banner listserv with detailed instructions on how to update Java on your system. Please do not make any changes to your Java environment until you receive that email.
Please follow the appropriate directions below:
Updating Java on Microsoft Windows computers
Follow the directions below to update Java on Microsoft Windows XP, Windows Vista, or Windows 7:
1. Open the Windows control panel by selecting Start > Control Panel
2. Double-click on the Java (or Java Control Panel) icon. If you cannot find the Java Control Panel, Java is not installed on your system and you do not need to do anything further.
3. Select the "Update" tab
4. Check the checkbox next to "Check for Updates Automatically" and then click on the Update Now button
5. If you're running Windows 7, a window may pop up from "User Account Control" asking whether to allow "jucheck.exe" to make changes to the computer. If this happens, click Yes
6. If a window pops up to say that you already have the latest version of Java installed, click OK to close the window and go to Step 11
7. When the "Java Update Available" window appears, click Install
8. When the "Welcome to Java" window appears, click Install
9. If a window appears extolling the virtues of the Ask toolbar, un-check the box next to "Install the Ask Toolbar..." to prevent installing the toolbar, and then click Next
10. When the "You have successfully installed Java" window appears, click Close
11. Click OK to close the Java Control Panel window
Updating Java on Mac OS X computers
Determine what version of Mac OS X you're running by opening Apple Menu > About This Mac.
If you are running Mac OS X 10.6.8 (Snow Leopard) or earlier, use Software Updates to update Java:
- Open Apple Menu > Software Update...
- When checking for updates completes, verify that "Java for Mac OS X v10.6 Update 12" appears in the list of updates
- Click Update All or Install All Updates (one or the other, depending on which version of Mac OS X you're running)
After installing the update, the Java plug-in in Safari will be disabled. If you need the plug-in (for example, to use Banner), follow these instructions to enable it:
- Open Safari
- Select Safari > Preferences
- Click on the "Security" tab
- Check the checkbox next to "Enable Java"
If you are running Mac OS X 10.7.5 (Lion) or Mac OS X 10.8.2 (Mountain Lion) or later, follow these instructions:
1. Open Apple Menu > System Preferences...
2. Select View > Java or double-click on the Java icon to open the Java Control Panel. If you cannot find the Java Control Panel, Java is not installed on your system and you do not need to do anything further.
3. Select the "Update" tab
4. If the Update tab says that you have the recommended version of Java, click OK and go to Step 9
5. Click on the Update Now button
6. When the "A new version of Java is available!" window appears, check the checkbox next to "Automatically download and install updates in the future" and then click Install Update
7. When the "Ready to Install" window appears, click Install and Relaunch
8. Enter the administrator password if necessary
9. Close the window that says "The Java Control Panel opens in a separate window"
We ask that all New School faculty and staff take a few minutes right now to perform the steps in this security advisory. This will help ensure that New School computers, and more importantly New School information, are protected against these serious security vulnerabilities.
If you have any problems or questions while performing the steps described in this advisory, please contact the Help Desk at firstname.lastname@example.org or (212) 229-5300 x4357.
August 21, 2012—New School faculty, staff, and students are advised to ignore email messages they may have received recently inviting them to accept a "free membership" to College Collaborative Networks. The emails advertise that "The College Collaborative Networks at http://www.ccnets.org is now open for sign up (choose 'NewSchool')." However, very little information is available about the service or the organization behind it. While there is no reason at present to think that the site has any malicious intent, it is not an official New School social media site, and should not be used for any official university work. We suggest avoiding it for personal use as well.
The New School offers several ways to obtain official communications and network with colleagues, including MyNewSchool, New School News, New School blogs, Facebook, and Twitter. For more information about connecting with The New School, visit www.newschool.edu/connect.
The Information Security Office offers these reminders for email users:
- Always be suspicious of e-mails asking for sensitive information. Email is not a secure form of communication. Organizations you do business with (including The New School) already know your account information, and will never request it from you via email.
- Never respond to an email request for personal information. If you think the message might be legitimate, look up the organization's phone number (don't trust the phone number in the email), call them on the phone, and provide the information that way.
- Never click on the links in a suspicious email. If you're unsure about a link to a site you receive in an email, hover your mouse over it. If the link text in the email doesn't match the link address, do not click on the link.
For assistance and information on computer security issues, the first point of contact is the IT Help Desk: 212.229.5300 x4357 or email@example.com. Additional information can be found at www.newschool.edu/information-technology/security/.