CAIT Update: March 2019

New Items:

• Account Security: Who Cares, Really?
• New Signage for Xbox & Zoom Rooms
• Computer Security: "Thunderclap"

Updates:

• Email Security: Big yellow warning signs
• Adobe CC 2019 in Labs
• Zoom Room Status - The Buzz

"Security", as a term, has grown to such ubiquity in contemporary society that the word has lost most of its meaning.  When IT folks talk about your password as if it's the only thing protecting the nuclear codes it makes the whole subject come off as an absurdist waste of time, an overwrought and outdated concept that misses the point about risk and what is worth stealing.  

You and I aren't James Bond, we are not protecting the crown jewels, if someone wants in to my email account, let them -- I don't have anything exciting anyway.

But you know what you do have?  The one thing that advertisers spend millions of dollars per year hoping to develop, the foundation of Facebook's business model, one of the hardest things to build, and easiest to destroy -- trust.

Trust is the bedrock of human relationships and communication.  When you receive an email from a friend, your reception and reaction to that message is immediately informed by your relationship and implicit trust between you both.  A message from your boss, a family member, a friend, or even just an acquaintance skips that initial mental filter you would otherwise have (not to mention the Gmail spam filter).  We are all much more likely to click on a link sent to us by a friend than by someone we have no relationship with, even if that link is objectively suspicious.

Trust is the crown jewel you're protecting, and it takes a village of vigilance to maintain and build trust within a community.  That's why IT folks take account security so seriously, because you are putting a lot of trust into the platforms that we manage.  It is our duty, both as technology professionals and good stewards of the CalArts community, to partner with you to protect that trust.

There is no single answer to this problem.  Trust is lucrative, and bad actors are incentivized to constantly find news ways to abuse it.  

Check out the CAIT article: "4 Steps You Can Take to Secure Your Email"

Sean Latreille, one of CAIT's Customer Care Technicians, has developed new signage for the Xbox (and other IT-managed multi-media rooms) intended to make figuring out the technology just a little bit easier!  We think it looks great, and are looking forward to your feedback.  

Look for new signage like this one coming soon to the Buzz, Faculty Center, President's Conference Room, and Xbox!

A recent vulnerability affecting basically any computer with a Thunderbolt port, including both Macs and PC's, has been announced -- and it's called Thunderclap.

Essentially, security researchers discovered that Thunderbolt ports allow a malicious device to be plugged in and immediately be granted OS-level privileges to a computer.  For example, that means something like an external hard drive that has been altered to take advantage of this vulnerability could be plugged in and could immediately begin making copies of your files, capturing keystrokes, or a variety of other silent actions.

Thankfully, this was discovered in 2016 and has been patched since macOS 10.12.4 and Windows 10 1803.  As TheVerge reported, this isn't a particularly likely attack, as it requires physical access to your computer, but "Remember: dont just plug random stuff into your computer".

A 2016 report by Blackhat asked the question "Does Dropping USB Drives Really Work?" and produced a study that involved planting 297 USB keys around a University of Illinois campus.  These USB drives contained a single HTML file that would report back to a central server if it was opened and ask those who engaged with it to take a survey asking for their feedback.

Of the 297 USB drives planted on campus:

• 290 were picked up (98%)
• 135 were plugged in and phoned home (45%)

Thankfully these USB drives were part of an academic research project, but they could just as easily have been malicious and designed to hijack information, capture keystrokes, or some other nefarious deed.

The simple act of plugging something in to your computer can do more than what you intend, and being mindful of your actions will help protect you and the CalArts community.

In the January 2019 CAIT Update we introduced the CalArts community to new email security measures designed to combat phishing and spam.

Since then we have received a significant amount of feedback and have some further information to share, specifically to answer the question "WHY AM I SEEING ALL THESE YELLOW WARNING SIGNS IN MY EMAIL????"

Here are two specific examples of these warnings, one from the CalArts email web interface, and another from the Gmail app you may have on your phone or tablet:

We have received a lot of feedback surrounding this message, wondering why it keeps appearing in messages from someone you've been talking to for years.  

The short answer is: their email is not setup securely and is vulnerable to "spoofing", where an email looks like it's coming from someone you know but is actually coming from someone trying to trick you.  This is, of course, when your familiarity with this persons diction and use of language is particularly useful.  "Does this sound like them?" is a valid question, and can most often be a reliable indicator of any problems.  

Our typical recommendation is to inform the person that you're seeing this warning, and suggest they contact whoever manages their email system to take the appropriate steps to secure their email.

In this particular case a survey was sent to the CalArts community from Human Resources, using a platform called Qualtrics.  Even though this is a legitimate email, the warning appears because the name of the sender, "CalArts Human Resources", matches a name of a CalArts account -- but is not coming from that account.

This warning is particularly useful to combat phishing attacks, like the email in early February received by many people apparently from "Ravi S. Rajan", but was actually sent from a hostile email address.  This warning is designed to catch emails that share the name of a real CalArts email, but are being sent from an different address.

Please keep in mind that these warnings may not show up if you are using Mail on a Mac or iPhone, Outlook, or any other 3rd party email client.

In both of these examples, please feel free to either ask CAIT if an email looks legitimate, or send a separate email to the person you think it's coming from to confirm that they really sent it.

As we've talked about previously, Adobe recently completely changed how they are handling licensing Adobe CC both for Faculty/Staff computers and shared use computer labs.  This has caused a fantastic amount of problems, as Adobe CC 2019 applications require you to login through the Creative Cloud Desktop application in order to use them.

This requirement was introduced at the end of the Fall semester and requires a drastic shift how Adobe accounts are created, managed, and maintained.  Due to the work required CAIT does not expect Adobe CC 2019 applications to be available in shared computer labs during the Spring 2019 semester.

Students and Faculty who have individual Creative Cloud subscriptions are encouraged to save projects created in CC 2019 applications in CC 2018 format if available to ensure compatibility.

The Zoom Room equipment in The Buzz is now fully operational!  

Let us know if you have any trouble with the platform!