Meet these requirements and never update your password again

You have so many things to remember: your lunch, your meetings, your appointments, your keys—your password to shouldn’t be one of them.

Wayne State faculty and staff can now create a permanent password that won’t need to be changed every six months. In order to create a better user experience, C&IT now offers the choice to keep your password throughout your time at Wayne State.

The password must meet the following requirements to qualify:

  • Must be at least 14 characters.
  • Must include one special character (!, #, &, %, ?, @, etc.).
  • Must not include AccessID, birth date, or the name of the user.
  • Must not be a previous password.

Recovery

While you’re updating your password, don’t forget to set up your recovery email address! This allows you to reset your password anytime, anywhere, using a personal email account (Gmail, Yahoo, etc.) You can find the instructions here.

If you decide not to change your password, you will still have to reset it every six months. You will also have to change your password if your account becomes compromised, regardless if you choose to use the permanent option (learn how to prevent this here.) If you have any questions or need help changing your password, please contact the C&IT Help Desk at 313-577-4357.

Welcome to IT Security @ WSU!

Welcome to the Wayne State C&IT Information Security Office blog! We’ve compiled some awesome information that will help you keep yourself and the entire Wayne State community safe from cyber security threats. Use the buttons below to discover more about information security and scroll down for the latest ISO news.

 

 

 

 

January 2017 Security Patches

Two posts from IT Security in a single day? Say it isn’t so! Don’t worry, this one is relatively painless.

It’s time to deal with our not-so-favorite time of the month, Microsoft Patch Tuesday. Happily, Microsoft has released *only* four patches yesterday — and one of them is a patch for Adobe Flash Player.  Told you it was relatively painless!

MS17-001 – Security Update for Microsoft Edge
MS17-002 – Security Update for Microsoft Office
MS17-003 – Security Update for Adobe Flash Player
MS17-004 – Security Update for LSASS

More information regarding the January patches can be found here:
https://technet.microsoft.com/library/security/ms17-jan

C&IT is testing and deploying these updates to our enterprise and supported desktop environments this week. It is strongly recommended that you update your computer with these important security fixes; Wayne State computers should be patched by departmental IT staff, while any personal computers will usually download and install them automatically:

https://support.microsoft.com/en-us/help/17154/windows-10-keep-your-pc-up-to-date

Stay safe and stay patched!

No More Updates for Windows 8.1

Alright, now that I have your attention, I can try to explain the slightly convoluted scenario that Microsoft has foisted onto us.

First of all, any vanilla Windows 8 systems are not affected.  For the time being, systems running Windows 8 will continue to receive their updates as scheduled.

However, if you are running Windows 8.1, you will be required to install “Windows 8.1 Update” in order to meet Microsoft’s new product baseline and continue to receive security updates for your operating system.  This Update (with a Capital U) is the rough equivalent of a Service Pack, and Microsoft will require this Update to be installed if you want to get any security updates published in the future.  

Home users should update their systems with this “Update” by May 13 to remain supported, while enterprise customers and systems have been given a small reprieve and have until August 12 to make the same changes.  If you do not patch by this time, the *only* patch available to you will be this lovely “Update” instead of anything more current.  From the Microsoft website:

“…the Windows 8.1 Update is a required update to keep Windows 8.1 devices current. It will need to be installed to receive new updates from Windows Update starting on May 13th. The vast majority of these customers already have Automatic Update turned on, so they don’t need to be concerned since the update will simply install in the background prior to May 13th. For customers managing updates on their devices manually who haven’t installed the Windows 8.1 Update prior to May 13th, moving forward they will only see the option to install the Windows 8.1 Update in Windows Update. No new updates will be visible to them until they install the Windows 8.1 Update.”

Any C&IT DeskTech managed systems will be taken care of during this transition process, however due to our diverse desktop deployment I wanted to make sure that all of our campus system administrators are properly aware of this interesting wrinkle.

More Information:

http://blogs.windows.com/windows/b/springboard/archive/2014/04/16/windows-8-1-update-and-wsus-availability-and-adjusted-timeline.aspx
http://blogs.technet.com/b/gladiatormsft/archive/2014/04/12/information-regarding-the-latest-update-for-windows-8-1.aspx

New Critical Vulnerabilities for Internet Explorer & Flash

Microsoft has revealed that a fresh vulnerability has been discovered for all versions of Internet Explorer.  Specifically, there is a way for malicious code to run on your computer if you use Internet Explorer (Versions 6 thru 10) and visit some bad web content.  Microsoft is actively working on a security patch which should be available in a few days.  In the interim, refrain from using Internet Explorer when browsing to unknown or unfamiliar websites.  The US Department of Homeland Security is also recommending that a different browser be used until a security patch is delivered.

While these vulnerabilities are not new, this part is: Windows XP WILL NOT have a fix for this.  If you are still running Windows XP, your computer will be vulnerable to the end of time and there is no way to properly secure yourself.  Microsoft will not be providing any further support for Windows XP, so if you are still running it, today should be a sign that you should upgrade as soon as possible.

More information:
https://technet.microsoft.com/en-us/library/security/2963983.aspx
http://gizmodo.com/new-vulnerability-found-in-every-single-version-of-inte-1568383903
http://mashable.com/2014/04/27/microsoft-web-browser-security-bug-could-impact-millions-of-users

But wait, there’s more!  Unfortunately we are hit with a double-whammy today.  Adobe just came out with a critical patch for yet another zero-day vulnerability completely unrelated to the above IE exploit.  Thankfully, Adobe has a software patch available to address this issue.  Computers that have Flash (and whose doesn’t) need for it to be updated immediately.  You can check your current version of Flash – and update it as well – at the following site: http://helpx.adobe.com/flash-player.html

More info regarding the Adobe exploit:
http://helpx.adobe.com/security/products/flash-player/apsb14-13.html
http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks