Groupwise Web and Password Security

Posted on May 9th, 2007 in Security by Eric B.

There are currently two web addresses for getting to the Groupwise Web client: gwweb.smith.edu and gwwebs.smith.edu (notice the extra “s” in gwwebs; it stands for secure!). While they both work fine, you’ll notice three important differences at gwwebs.smith.edu.

  1. It is somewhat slower to bring up the initial page.
  2. It will ask you to accept a “certificate” before you connect the first time (tell it to accept “permanently”).
  3. Your web browser will show that you have a “secure connection” (just like purchasing an item on Amazon.com).

What a secure connection (or SSL) means to you is that your connection is encrypted. This means your username and password are encrypted before leaving your computer and flying across the internet where any “bad guy” could be sniffing for them.

In the future, ONLY encrypted connections will be allowed to Groupwise Web, but right now, it’s your choice. Because we STRONGLY feel that passing your password in clear text is a VERY BAD IDEA, we are changing the link on the Science Center home page to go to the secure connection. It’s a minor inconvenience that could protect the security of everything you do on the internet.

If you’ve got questions, let us know!


Change in FTP Access to Websci and Science Servers

Posted on May 7th, 2007 in Security by Eric B.

Background - Changes in FTP

FTP is a file transfer program that allows you to copy files between computers that support the protocol. In the Science Center, we currently have FTP working on “websci” (our webserver) and “science” (the Novell server that provides your H: drive).

FTP is an insecure service; it passes everything you type, including your username and password, in cleartext over the internet. We’ve known this for years, of course, but for various reasons could not quite justify shutting off the services. Today, however, there are secure alternatives to FTP, so you can replace it without any problem. For that reason, beginning on June 1, 2007, we will disable all unencrypted/unsecured FTP services on websci and science.

How does this affect you? Probably many of you have never used FTP and can continue that! For those of you who do use it, here are your alternatives:

FTP on websci

If you currently use Fugu (on the Macintosh), you should be all set. Fugu uses only the Secure FTP protocol (SFTP). Another common Mac FTP client is Fetch. Fetch will use Secure FTP if directed.

If you now use WS_FTP on Windows, you will need to quit using that and switch to a secure shell file transfer client. One is already located in your Start menu under “Programs/Internet/Secure Shell File Transfer.” The program is very similar to WS_FTP: you connect to the remote computer using your username and password, then you drag and drop files between the two windows. A very similar alternative is to use CoreFTP (see below under “FTP on science”).

If you use Macromedia Dreamweaver to edit your webpages, it already supports SFTP so you may need to do nothing, or simply edit your server configuration. CATS can help walk you through the steps if you need help.

If you use Macromedia Contribute, it also supports SFTP. Again, we can help you with that if it’s not already set up correctly. Older versions of Contribute may not support SFTP; in that case we advise an upgrade.

FTP on science

The easiest method of moving files to and from Science is to skip FTP altogether: go to the science web page, click on Web Services (at the top) and read about NetStorage and NetDrive! Really, if you need to copy files between, say, your home PC and SCIENCE, you should use these programs; they are much better (and more secure) than FTP.

If you must use FTP, we have enabled an SSL-encrypted FTP on Science, and have a free client called “coreFTP” available on the “software downloads” page on the science website. Instructions are on the webpage, but we are also available to help configure coreFTP. Note: coreFTP can also be used as an SFTP client with “websci”.
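
To make the difference between cleartext FTP and the SSL-encrypted FTP concrete, here is an added example (not part of the original post) that audits FTP control-channel traces and reports which logins sent USER/PASS before TLS was accepted. The traces, the account name jdoe and the "C:"/"S:" trace format are constructed for illustration.

```python
import re

CLIENT_CMD = re.compile(r"^C: (\w+)(?: (.*))?$")
SERVER_REPLY = re.compile(r"^S: (\d{3})")

# Constructed control-channel traces ("C:" client, "S:" server); not real logs.
PLAIN_SESSION = """S: 220 FTP server ready
C: USER jdoe
S: 331 Password required
C: PASS constructed-secret
S: 230 Login successful"""

# Lines after the 234 reply are as the server sees them; on the wire they
# are encrypted.
FTPS_SESSION = """S: 220 FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER jdoe
S: 331 Password required
C: PASS constructed-secret
S: 230 Login successful"""

# Failure mode: server refuses TLS and the client falls back to cleartext.
DOWNGRADE_SESSION = FTPS_SESSION.replace("234 Proceed with negotiation",
                                         "502 Command not implemented")

def audit_session(transcript):
    """List the credential commands that crossed the wire unencrypted."""
    auth_pending = False  # client sent AUTH TLS/SSL, reply not yet seen
    encrypted = False     # server accepted it with reply code 234
    exposed = []
    for line in transcript.splitlines():
        reply = SERVER_REPLY.match(line)
        if reply:
            if auth_pending:
                encrypted = reply.group(1) == "234"
                auth_pending = False
            continue
        cmd = CLIENT_CMD.match(line)
        if not cmd:
            continue
        verb, arg = cmd.group(1).upper(), (cmd.group(2) or "")
        if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
            auth_pending = True
        elif verb in ("USER", "PASS") and not encrypted:
            # Record the exposure but never copy the password itself.
            exposed.append("PASS" if verb == "PASS" else f"USER {arg}")
    return exposed
```

The downgrade case is the one to watch when both services run side by side: a client configured for SSL that silently falls back exposes the password just as plain FTP does.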


Email marked as “[**spam**]”

Posted on February 28th, 2007 in Security by Eric B.

Wondering what’s up with the mail marked as spam, some of which still gets into your Groupwise inbox? According to an email from ITS,

“The new subject prefixes [**spam**] and [**phish**] are being added by the McAfee virus protection appliances. The latest software update on these appliances incorporated a fee-free implementation of SpamKiller. Right now we have configured the McAfee appliances to merely add the spam scoring information to the headers and to prefix messages it identifies as spam. They are not taking any blocking action on messages based on spam content.

The MessageScreen anti-spam appliances are the next stop for messages. Several new rules have been added to look for SpamKiller scores and to take appropriate action. SpamKiller is much better at identifying image based spam for instance. However, MessageScreen will still honor user trusted sender lists and will deliver messages from trusted senders and domains no matter what the content. This explains why some messages arrive in your mailbox with the spam/phish prefixes.”


Telephone and Email Phishing

Posted on July 21st, 2006 in Security by Eric B.

Taken out of context, but a really good thing to remember:

… this is not a technology based scam; this is a lack-of-awareness scam. If someone calls you, or leaves you a number to call them, that is not a good reason to give them your personal details about your credit card and bank account. Further, if your bank issued your credit card they certainly already know the security code on the back of the card. This would make a good awareness Tip of the Day:
If anyone ever contacts you about your credit card, thank them, hang up, and call the number on the back of your credit card.

- Stephen Northcutt
Pres., SANS Technology Institute
7/21/06
