Duke ITAC - October 24, 2013 Minutes

ITAC Meeting Minutes

October 24, 2013, 4:00-5:30

Allen Board Room

Next meeting:
Thursday, November 7, 2013, 4:00 PM, Allen Building Board Room
I.    Announcements

·        Reminder about the 7th Annual Tech Expo[3] which will be held Thursday, January 9th, 2014 at the Washington Duke Inn.  Further details will be sent to the ITAC email list.  Session proposals are requested as soon as possible.
What is Tech Expo?  A collaborative effort between Duke University and Duke Medicine for IT across the organization.  Includes some presentations by on-site vendors.  About 6 simultaneous sessions over 5 hours with a lunch included.  If you have any questions that are not answered on the website, it is suggested that you contact the ITAC committee at techexpo@duke.edu.
IV.    Agenda Items

4:05- 4:45 – Security Awareness, Richard Biever (25 minute presentation, 15 minute discussion)
What it is: October is National Cyber Security Awareness Month (NCSAM), a public awareness campaign to encourage everyone to protect their computers.
Why it’s relevant:  The IT Security Office will present on security awareness, as well as show videos and information on the security services all are encouraged to use. We all lead Internet-connected, digital lives. From our desks and homes to on the go, we work, learn and play online. To help raise awareness here on campus, the IT Security Office has participated or hosted several public events during the month of October, and today we will share some of that information.
Richard showed the group the following video as an introduction to his presentation.  It shows a “medium” named Dave who sits down with passers-by and tells them all about themselves:  http://www.youtube.com/watch?feature=player_embedded&v=F7pYHN9iC9I
Security and Privacy Hazards:
·        Government Sponsored Hacking
·        Cyber-attacks:  South Carolina Department of Revenue last year, Adobe last month
Last year’s stats showed that in Higher Education 98% of the breaches were due to accidental disclosure (e.g. “I lost my laptop”) or hacking.
This past summer there were 3 higher education security breaches within a month’s time at well known and well respected research universities.  Two of the schools were reported breached with the use of phishing attacks[4] which gave the hackers access to accounts which allowed them to access internal systems.  It is believed that eventually the hackers were able to get to password systems.  As a result, both institutions had to reset the passwords of all their users.
What are the risks?
·        Data exposure
·        Unpatched machines/applications
·        Password attacks
·        Phishing Attacks
How do we protect ourselves?
·        Enterprise Level
o   Vulnerability scanning
o   Risk assessments
o   Awareness activities
o   Intrusion protection
o   Log Analysis (Splunk)
o   Data loss prevention
·        User Level
o   Multi-factor authentication[5] (currently in pilot on the university side)
o   Password escrow (LastPass[6])
o   VPN
o   Antivirus (Symantec)
Intrusion protection
From January to August we experienced a tripling of the number of attempted attacks that were blocked per day.  We have a service that watches incoming and outgoing traffic and automatically blocks anything it deems suspicious.  The types of attacks have changed somewhat in the last three years.  Initially, the attacks seemed to be targeted more at servers (OS, Remote Desktop, etc.).  In the past year or so, this trend has shifted, with end user devices being targeted more frequently.  ZeroAccess malware has been seen frequently.  Another piece of software looks for VOIP or teleconferencing devices, either to eavesdrop or to gain access to other areas of the network.
Phishing and Malicious Emails
In August less than 10% of emails that we received were considered legitimate.  Since so much is stopped, why are we still getting bad emails?  Because the schemes that hackers are using are constantly changing.  In July, there were about 7 waves of these phishing emails.  40 people across Duke were fooled by these messages.
How can you identify one of these bad emails that might still make it through to your Inbox?  See the security office’s Phishing page for the signs to look for:  http://security.duke.edu/internet-safety/phishing.  As a side note, the Webs.com domain has been completely blacklisted by Duke because it is frequently used maliciously.
In October so far, 14 accounts have been compromised as a result of users clicking on phishing messages and entering Duke credentials.
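As an added example (not code from the minutes or from Duke's security office), the following script checks an incoming message for three of the tells a reader would look for on the Phishing page: a link into a blocklisted domain (webs.com is the domain the minutes name), a link whose visible text names one domain while its href goes to another, and a Reply-To that points somewhere other than the sender's domain. The sample message is constructed for the demonstration and uses example.edu rather than a real institution.

```python
"""Flag the common phishing tells in an e-mail before it reaches a user.

Added example, not code from the ITAC minutes or Duke's security office.
It checks three things: a link into a blocklisted domain (webs.com is
the domain named in the minutes), a link whose visible text names one
domain while its href goes to another, and a Reply-To that points
somewhere other than the sender's domain. The sample message is
constructed for the demonstration.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKLIST = {"webs.com"}  # from the minutes; a real deployment would load a list

# Constructed sample message (not a real phish).
SAMPLE_EMAIL = """\
From: "IT Help Desk" <helpdesk@example.edu>
Reply-To: account-verify@mailbox-quota.webs.com
Subject: Action required: verify your account
Content-Type: text/html

<html><body>
<p>Your mailbox is over quota. Verify your account at
<a href="http://netid-verify.webs.com/login">https://it.example.edu/netid</a>.</p>
<p>Help desk: <a href="https://it.example.edu/help">https://it.example.edu/help</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname; enough for this demo, not for real TLD rules."""
    return ".".join(host.lower().split(":")[0].split(".")[-2:])


def domain_of(url):
    """Registered domain of a URL, tolerating a missing scheme."""
    return registered_domain(urlparse(url if "://" in url else "http://" + url).netloc)


def is_blocked(domain):
    return any(domain == b or domain.endswith("." + b) for b in BLOCKLIST)


def find_suspicious(raw_message):
    """Return (where, reason) findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []
    sender = registered_domain(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and registered_domain(reply_to.split("@")[-1]) != sender:
        findings.append(("Reply-To", "replies go to %s, not the sender's %s" % (reply_to, sender)))
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        target = domain_of(href)
        if is_blocked(target):
            findings.append((href, "links into blocklisted domain " + target))
        looks_like_url = "." in text and " " not in text
        if looks_like_url and domain_of(text) != target:
            findings.append((href, "shows %s but goes to %s" % (domain_of(text), target)))
    return findings


if __name__ == "__main__":
    for where, reason in find_suspicious(SAMPLE_EMAIL):
        print(where, "->", reason)
```

The mismatch between displayed and actual link targets is the check most users can do by hand (hover before clicking); the blocklist and Reply-To checks are the kind a mail gateway applies before delivery.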
CryptoLocker Malware has recently been part of a phishing campaign aimed at Duke accounts.  It spreads via email using a Zip file attachment.  The malware encrypts all your files and demands payment in order to unlock files.  No current defense against this besides a good backup.
From October 8-11, 8,400 people received the malware, and by October 21st another 800 people had.
Other Key Incidents at Duke:
·        Printer Hack in January:  The cause was default credentials.  Resulted in working with departments on moving them back into the private IP space so they aren’t accessible over the Internet.
·        Compromised Websites:  Could have prevented if content management system (CMS) had been patched.
·        Stolen laptop out of a car with some sensitive data on it.  Working with departments across campus to get laptops encrypted.
Penetration Testing
Discussed the results of the recent broad-based testing for campus.  The test demonstrated some areas in which Duke is successful, including endpoint protection, incident handling, and use of an IPS.  The test also pointed out areas for further analysis, including a review of the ports and protocols available from the Internet.
There has been a shift in the security community from an emphasis on protective strategies to an emphasis on detection, so that attacks that do happen are detected quickly, shortening the time a compromised system can be accessed by outsiders.
Why everyone is a target:
·        Gaming (e.g. World of Warcraft in-game currency)
·        Financial Information
·        Accounts
·        Extortion (e.g. Compromising pictures)
Recommended Services:
·        VPN
o   http://oit.duke.edu/comp-print/software/ (Search for VPN, Install for Windows/Mac, Choose default or Library profile)
·        Passwords/Passcodes
o   http://security.duke.edu/secure-your-devices/mobile-devices (Set up a passcode on your iOS or Android device, Set a password on your computer and/or update your Duke password)
o   The Apple iPhone 5S has a fingerprint reader.  We have been monitoring this, and as of right now the fingerprint data is stored on a chip on the phone and not uploaded to Apple.
·        Password Escrow
o   http://oit.duke.edu/comp-print/software/ (Search for LastPass, Install for Windows or Mac, Save your passwords and secure with a Master password)
o   Duke’s site license makes it available for both business and personal use
·        Multifactor
o   https://oit.duke.edu/net-security/security/multi-factor-authentication.php (Sign up and use your iOS or Android device as a 2nd factor)
·        Encryption
o   http://security.duke.edu/whole-disk-encryption (Windows Laptops:  Talk to your IT department for PGP encryption, Mac Laptops:  Talk to your IT department for FileVault2 encryption)
·        Antivirus
o   For personal use, http://oit.duke.edu/comp-print/software/ (Search for Antivirus, Install for Windows or Mac).  For Duke use, Talk to your IT Admin.
Questions and Comments:
·        Were the universities forthcoming about how they responded to the security breaches they experienced?  To some extent yes, but they have kept many details to themselves.  There are groups where a lot of the universities communicate with one another regarding security issues.
·        How much of the increase in attacks is actually attacks and what is attributed to what we can detect?  A little bit of both.  As more and more devices connect to the network, the number of potential attacks increases as a result.  However, to increase our ability to detect new attacks, the software is updated on a weekly basis.
·        Emphasis needs to be made on adherence to policies.  All it takes is one or two weak links and the whole system can be exploited.
·        With regards to weak passwords, is it more useful to have complex/random passwords or lengthy passwords?  A little of both.  https://www.grc.com/haystack.htm has a write up of how to use words to create passwords.  Unfortunately hacking programs are wising up to this methodology.
·        Can penetration testing be done by individual users? Vulnerability scanning can be done using a tool called Nessus[7].  An open-source piece of software Metasploit[8] is the next step in penetration testing where it tries to exploit the vulnerabilities detected on the machine.
·        Windows Baseline Security Analyzer is an option for checking Windows machines.
·        Is there software that can be installed on a machine that watches for security breaches?  Not really.  If an attacker gets on your machine it’s because they 1) have your account (not really detectable other than using logging), 2) malware was installed (can be detected by Antivirus) and/or 3) misconfiguration (Baseline Analyzer or a vulnerability scanner might find this).  OSSEC is the closest thing because it can alert when changes are made to a system.  Currently this is being tested and deployed on the credit card network.
·        Is it okay to keep a simple password for websites where nothing important will ever be entered?  A lot of sites are now linked together (e.g. Facebook authorizations) and even when they are not, things can be learned about you and your life through these sites.  With this kind of information that can be pieced together they can potentially gain access to other areas that are more sensitive.
·        How do you get a YubiKey?  Contact Richard Biever.
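The answer above says OSSEC is the closest thing to software that watches for breaches because it alerts when a system changes. As an added example (not OSSEC's code or anything from the minutes), this is the baseline-and-compare file integrity check at the heart of that alerting: hash every file under a directory, store the result, and later report what was added, modified or removed. The sample tree and the changes made to it are constructed in a temporary directory so the script runs offline.

```python
"""Baseline-and-compare file integrity check, the kind of alerting OSSEC provides.

Added example, not OSSEC's code or anything from the minutes. It hashes
every file under a directory to build a baseline, then reports files
added, modified or removed since. The sample tree and the changes made
to it are constructed in a temporary directory so the script runs
offline; in practice the baseline is stored off-host and compared on a
schedule.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each relative path (with '/' separators) under root to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Classify differences between an earlier and a later baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def _write(path, text, mode="w"):
    with open(path, mode) as fh:
        fh.write(text)


def demo():
    """Build a constructed tree, change it, and return the integrity report."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    _write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/sh\n")
    _write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")
    _write(os.path.join(etc, "motd"), "Welcome\n")
    baseline = build_baseline(root)
    # Constructed changes: one file edited, one added, one removed.
    _write(os.path.join(etc, "passwd"), "newuser:x:1001:1001::/home/newuser:/bin/sh\n", "a")
    _write(os.path.join(etc, "sshd_config"), "PermitRootLogin no\n")
    os.remove(os.path.join(etc, "motd"))
    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A real agent also records ownership, permissions and timestamps, and keeps the baseline somewhere an attacker on the host cannot rewrite it; the comparison logic is the same.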
4:45- 5:05 – OAuth2, Mark McCahill (10 minute presentation, 10 minute discussion)
What it is: OAuth2 is an Internet standard allowing individuals to have control over the release of their data to applications.  OAuth2 authorization infrastructure is similar to that used by Google, Facebook and Twitter to allow users to approve (and revoke) access to their data within those applications.  OAuth2 will be useful at Duke for controlling access to your non-public data held in the LDAP directory, DukeCard, Student System and others, in order to determine whether specific data elements can be shared with other systems or apps.
Why it’s relevant:  OIT is preparing to pilot an OAuth2 infrastructure providing individualized, application-specific control over access to personal data held in Duke systems.  By devising a standard, opt-in mechanism for individual users to authorize access to specific data elements for discrete applications, a student could (for example) authorize an app that builds course schedules to look at the student's ACES/SISS course enrollment but not the student’s grades, bursar balance or other data that might be in the system.
This technology allows users to consent to specific pieces of data being shared with applications for a defined period of time.
Use Cases
·        Flex Spending balances:  “What If” calculations
·        Course Calendar information:  Forming study groups, K-Ville tenting schedules
·        Directory photos
·        Sakai gradebook:  Finding out when a new grade has been posted
How is this secure?
An app has to have a prior relationship with the “token broker”.  In other words, when a new app is created, whoever created it must register it with someone in OIT (Shilen).  This creates a paper trail and an enforcement point for getting agreement on how the data will be used, how the data will be secured, etc.
How do I revoke access?
There needs to be a place for users to go in order to revoke access from apps.  This is located on the Identity Management Self-Service Portal (bottom right of the screen).
What is the status?
It is running on a test instance and the infrastructure is there for production, but no applications are using it as of yet.  OIT is in conversations with the Duke Card group in order to get the Flex Spending balance.  OIT will be working with the SISS group to get the course information.  In OIT's meeting with the Registrar, it was discussed whether it would be a FERPA violation if the Registrar denied a student’s valid request for their course-related data.
Auditing and Logging
·        When a user consents to release data
·        When an access token is generated
·        When an attempt is made to use the access token
·        When the user requests to revoke a token
·        When a user leaves and their NetID is expired, access through their tokens is also cut off
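The three passages above (the registration requirement, the revocation page, and the audit events) describe one flow. As an added example, not OIT's token broker code, the following model ties them together: an app must be registered before it can request data, a token carries only the scopes the user consented to for a limited lifetime, the user can revoke it, an expired NetID cuts off access, and every step is appended to an audit log. The class and scope names (TokenBroker, 'course_enrollment', 'grades'), the app details and REVOCATION_URL are assumptions; the URL stands in for the Identity Management Self-Service Portal page the minutes mention.

```python
"""Model of the consent, token, revocation and audit flow described above.

Added example, not OIT's token broker. It encodes the rules the minutes
give; the class and scope names are assumptions, and REVOCATION_URL is a
placeholder for the Identity Management Self-Service Portal.
"""
import secrets
from datetime import datetime, timedelta

REVOCATION_URL = "https://SELF-SERVICE-PORTAL.example/revoke"  # placeholder


class TokenBroker:
    def __init__(self, clock=None):
        self.apps = {}              # client_id -> registration record
        self.tokens = {}            # token string -> grant record
        self.active_netids = set()  # NetIDs that have not expired
        self.audit = []             # (event, details), in order
        self.clock = clock or datetime.now  # injectable so expiry can be tested

    def _log(self, event, **details):
        self.audit.append((event, details))

    # Registration is the paper trail and enforcement point for data use.
    def register_app(self, client_id, name, server, owner, description, privacy):
        self.apps[client_id] = dict(name=name, server=server, owner=owner,
                                    description=description, privacy=privacy)
        self._log("app_registered", client_id=client_id, owner=owner)

    def add_user(self, netid):
        self.active_netids.add(netid)

    def consent_screen(self, client_id, scopes):
        """What the user is shown before deciding whether to authorize."""
        return dict(self.apps[client_id], requested=sorted(scopes),
                    revoke_at=REVOCATION_URL)

    def authorize(self, netid, client_id, scopes, lifetime_days):
        """Record consent and issue a token limited to those scopes."""
        if client_id not in self.apps:
            self._log("unregistered_app_rejected", client_id=client_id)
            raise PermissionError("%s is not registered with the broker" % client_id)
        if netid not in self.active_netids:
            raise PermissionError("NetID %s is not active" % netid)
        self._log("consent_granted", netid=netid, client_id=client_id,
                  scopes=sorted(scopes))
        token = secrets.token_urlsafe(32)
        self.tokens[token] = dict(netid=netid, client_id=client_id,
                                  scopes=frozenset(scopes),
                                  expires=self.clock() + timedelta(days=lifetime_days))
        self._log("token_issued", netid=netid, client_id=client_id)
        return token

    def access(self, token, scope):
        """Every use attempt is logged, whether or not it is allowed."""
        rec = self.tokens.get(token)
        allowed = (rec is not None
                   and rec["netid"] in self.active_netids
                   and self.clock() < rec["expires"]
                   and scope in rec["scopes"])
        self._log("token_use", scope=scope, allowed=allowed,
                  client_id=rec["client_id"] if rec else None)
        return allowed

    def revoke(self, netid, client_id):
        """Drop every token the user granted to this app; returns the count."""
        doomed = [t for t, r in self.tokens.items()
                  if r["netid"] == netid and r["client_id"] == client_id]
        for t in doomed:
            del self.tokens[t]
        self._log("token_revoked", netid=netid, client_id=client_id, count=len(doomed))
        return len(doomed)

    def expire_netid(self, netid):
        self.active_netids.discard(netid)
        self._log("netid_expired", netid=netid)

    def grants_for(self, netid):
        """The self-service view: which apps hold which consented scopes."""
        return {r["client_id"]: sorted(r["scopes"])
                for r in self.tokens.values() if r["netid"] == netid}


def demo():
    """Walk students through grant, use, revoke and expiry; return the outcomes."""
    now = [datetime(2013, 10, 24, 16, 0)]
    broker = TokenBroker(clock=lambda: now[0])
    broker.register_app("sched-app", "Schedule Builder", "sched.example", "student",
                        "Builds study-group calendars", "Data kept for one semester")
    broker.add_user("jdoe")
    out = {}
    tok = broker.authorize("jdoe", "sched-app", {"course_enrollment"}, 120)
    out["enrollment_allowed"] = broker.access(tok, "course_enrollment")
    out["grades_allowed"] = broker.access(tok, "grades")       # never consented
    out["grants"] = broker.grants_for("jdoe")
    try:
        broker.authorize("jdoe", "rogue-app", {"grades"}, 1)
        out["unregistered_rejected"] = False
    except PermissionError:
        out["unregistered_rejected"] = True
    out["revoked_count"] = broker.revoke("jdoe", "sched-app")
    out["after_revoke"] = broker.access(tok, "course_enrollment")
    tok = broker.authorize("jdoe", "sched-app", {"course_enrollment"}, 120)
    broker.expire_netid("jdoe")                                # student leaves
    out["after_netid_expired"] = broker.access(tok, "course_enrollment")
    broker.add_user("asmith")
    tok = broker.authorize("asmith", "sched-app", {"course_enrollment"}, 120)
    out["fresh_token"] = broker.access(tok, "course_enrollment")
    now[0] += timedelta(days=121)                              # past the lifetime
    out["after_expiry"] = broker.access(tok, "course_enrollment")
    out["events"] = [e for e, _ in broker.audit]
    return out
```

The point the model makes concrete is that scope, lifetime, revocation and NetID status are all checked at every use, not only at issue time, and that the denied attempts land in the same audit log as the successful ones.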
What will you see?
·        Application Name
·        Server the application is running on
·        Description of what the application does (defined by the creator at the time they registered with the token broker)
·        Who is running the app (e.g. OIT, student, etc.)
·        Privacy statement including how the application uses the data and what the data retention policy is
·        Do you authorize this app to retrieve the following information?
·        Information about and link to revocation page
Questions and Comments:
·        It’s nice to have a central location to find out all the applications that you’ve authorized access to.  OIT is thinking of mandating app creators to include a link to the list of the accesses you’ve granted so that it’s clear (while using the app) where they need to go to revoke access, if wanted.
·        Default temporary authorization (e.g. month, semester, etc)?
·        Should users be educated more about what it means to revoke access?  Is data still available to the app creator from back when authorization was granted?  OIT could request that apps delete all prior data relating to a user when revocation occurs, but unfortunately this isn’t necessarily enforceable.  If it’s found that apps are abusing this, it’s always possible for OIT to shut the app down.
·        Are these apps all created within Duke?  Yes, and they will be driven mostly by the students.
5:05- 5:20 – Virtual Machine (VM) Manager, Mark McCahill (10 minute presentation, 5 minute discussion)
What it is:  VM-Manager is a service that provides students and faculty with semester-long access to Linux Virtual Machines (VMs) for software developer projects.
Why it’s relevant:  VM-Manager VMs allow students and faculty to develop and test servers for Innovation CoLab projects or coursework.  Faculty and students have complete control of the server, giving the flexibility that you need on a daily basis.  VM-Manager VMs are well-suited as backend servers for mobile applications or public-facing web sites because they have public IP addresses and are available 24x7.
The Virtual Computer Lab (VCL) has been running for a long time, but is project/assignment-driven and sessions are usually around 4 hours.  There is a need on campus for longer-standing VMs for semester long projects (e.g. setting up a website progressively over a semester).  For these kinds of needs, we have another tool[9].  The reservations last for a semester and the users are super users with root access.  They are responsible for backups, applying patches and installing any additional software that does not come installed by default.
In testing with CoLab the following needs were discovered:
·        Turn VM On/Off
·        Reload initial image
·        Snapshot of the state of the machine (automatically every 24 hours)
·        Export of image (to put on your local PC, Amazon web services, etc.) which can also serve as a backup strategy
·        Import (this is not currently available, but OIT is working on this feature)
What can you run on these VMs?
There are prebuilt images of the most popular things (e.g. Ruby on Rails, Node.js, LAMP).  OIT is leveraging bitnami.org by modifying the images there for use at Duke.  They have about 60+ open-source app images, each of which takes about 20 minutes for us at Duke to make available to our user base.
VM creation is basically instantaneous because the VM is already created in advance.  When a user requests a VM, it’s really just giving the user access to the environment.  It takes a total of 15-30 minutes to get the full configuration, and the user will receive an email when it has been completed.
There are currently about 50 of these VMs deployed.  The VMs are on their own network, treated like a student dorm, and are isolated so that any problems with these machines cannot inadvertently cause issues with the Duke network at large.  At the end of the semester, users are contacted to determine if VMs are still needed.  If a response is not received after a few weeks, the VMs are destroyed.
The next step of VM automation for OIT production use is a project called Clockworks.  A huge benefit of this is standardizing VMs as much as possible.  The steps involved in automating a production VM are a bit more involved than those for student VMs and include the following additional requirements:
·        Automate configuration of the network
·        Backups
·        Monitoring
·        Storage Options
·        Including in the Configuration Management database
Questions and Comments:
·        Can students open up ports on these machines?  Yes.  They have root access so they can do whatever a server admin could normally control on a server.
·        Are the VMs behind the IPS?  Yes.
·        How big are the machines that are running these VMs?  Can they handle all the requests that might come up through the semester?  Because most users will not all be using the VMs at the same time, some over-subscription is possible.  Current provision for a VM is 2 CPU, 2 GB RAM and 180-200 GB disk space.
·        Is there a way to get things not in Bitnami on a VM?  Yes.  If it’s related to CoLab, contact Michael Faber.  If not related to CoLab, contact Evan Levine.
·        Is there a cap on the number of machines any student can request?  Currently it’s set to one per user, but if there is a need for more, this can be changed.
·        Should faculty plan ahead with the VMs they might need considering the images might change based on the course?  Yes, it is highly recommended that the faculty plan ahead of their courses and determine the requirements of the VM so that adequate testing can be done prior to the students needing to make use of them.
·        Is there any concern about a department’s tech support connecting to these machines prior to the faculty needing them for a course?  No.  This would be helpful for someone to evaluate the needs and usefulness of a particular VM image.  The tech support could also provision the user accounts needed if one machine could be used for all the students in a course.  In some cases not every student will need their own machine.
·        Do you have to give a reason for why you want a VM?  Yes, please.  Students are allowed to and encouraged to use VMs outside of a course (e.g. playing around with Linux).
5:20 - 5:30 – Other Topics
Nothing additional presented.

[1] https://wiki.duke.edu/display/OITSLP/New+Software+Evaluations
[2] http://today.duke.edu/students
[3] http://sites.duke.edu/techexpo/
[4] http://security.duke.edu/internet-safety/phishing
[5] https://oit.duke.edu/net-security/security/multi-factor-authentication.php
[6] https://oit.duke.edu/comp-print/software/license/detail.php?id=211
[7] http://www.tenable.com/products/nessus
[8] http://www.metasploit.com/
[9] https://vm-manage.oit.duke.edu/