• This is UBC requirement since Workday is requiring it starting May 1^st 2020
• UBC is adopting this method of authentication that most other large institutions already use in order to better protect UBC against phishing, data breaches, and various security issues. 

• Anyone with an employee ID
• Undergraduate student DOES NOT require MFA.  However, summer students working within the labs as an employee with an employee ID will have to use MFA
• Visitors – not required

• Not required for MFA
• There are multiple ways to do MFA without a hardware token:
  • UBC Office phone (phone call)
  • Lab Phone (phone call)
  • Personal phones (push, phone call, software OPT, or SMS depending on age/type of phone)
  • Personal tablet (push or software OPT)

• Yes, but only for faculty and staff
• We will maintain half a dozen spares for faculty and staff in the event they lose one or it becomes defective
• Compstaff IT will hold onto the spares and take care of the distribution to faculty and staff
• ~80 faculty & 16 department staff with 6 spares
• Hardware tokens will be treated like digital keys.  Faculty and staff will get sponsored tokens, but all research / lab members will have to go to the Bookstore if they want a hardware token.  

• Departmental Staff & Faculty (Sponsored): $8 One-Time Passcode (OTP) Type or $20 USB Type for faculty and staff (only offering OTP style)
• Lab Staff (Non-Sponsored): $10 OTP Type, $25 USB Type, or $25 OTP Type for Bookstore deposit (similar to a key)
• Note on purchasing hardware tokens for the department or as individual:
  • Departmental requests are also done through the Bookstore. If managers are purchasing on behalf of their staff they can do so directly using their speedchart code.
  • Units can place a departmental order with bookstore for 5+ via phone, or email order and Pay via JV, CC or P Card. (dept.sales@ubc.ca or 604-822-8547) and deliver via campus mail.
  • Individuals will also be able to purchase online via the bookstore website with CC or P Card (No JV option online) but this is not setup yet.

• Department Staff and Faculty – Get them from Compstaff IT
• Compstaff IT will purchase the tokens from the Bookstore
• All lab personnel – Get them directly from the UBC Bookstore 

• Department Staff and Faculty – Contact Compstaff IT for replacement (use spares)
• Lab Staff – purchase another one from the UBC Bookstore Key Desk

• Department staff and faculty – Contact Compstaff IT for replacement
• Lab Staff - Visit the UBC Bookstore Key Desk for a replacement. Replacements for the tokens will be the responsibility of the user (including battery dying) unless the token is deemed defective for some reason. The OTP-type have a known battery life of 3-5 years but if a token stops working after a much shorter period of time we would be able to track that and get a new one to the user

• Cost of maintaining that many hardware tokens for 400+ people is best managed by the UBC Bookstore
• Most people will use their personal phone due to convenience
• People can decide for themselves whether they want the hardware token or not and simply use their office/lab phone or personal phone
• The department avoids paying for tokens that are never used given that the majority of users will use their phone or other method of MFA

• Contact Compstaff IT or UBC IT for assistance
• We can issue a one-time passcode or time limited passcode for the duration they are away from Vancouver and/or their device/token

• No they work offline and simply generate a 6-digit number for you to enter at time of login

• Webmail Access
• FMIS Access
• HRMS Access
• Student System Access
• Web portals that use the Campus Wide Login (CWL) login screen

• No - only web portals asking for your Campus Wide Login (CWL) will prompt you

• No

• UBC VPN – maybe, if you are signing into a specific VPN pool but depends on the department
• EOS VPN – no

• Not at this time

1. Register your personal mobile phone using Push / OTP / SMS in that order (depends on age and type of phone)
2. Register you office phone or shared lab phone (not ideal but as a backup)
3. Personal wifi-only tablets  (you can opt to setup the Duo App on their personal tablet device – Android/iOS)
4. OTP Token
5. USB Token 

• Everyone: Information sessions conducted by Compstaff IT at next Department meeting
• Lab Staff: 1-on-1 or by helpdesk FAQ, drop in training at Compstaff offices
• Department Staff: 1-on-1 training 
• Faculty: 1-on-1 training 
• Email education campaign for department similar to encryption 
• EOAS Helpdesk website listing the various recommendations and resources for UBC MFA
• Info cards come with the token at point of purchase direct the user to contact UBC IT. There is not a kiosk. There will be targeted pop-up desks throughout the months of April and May however and users will be contacted directly by their admins about the times and locations of these booths that they can walk up to and receive assistance for anything eCWL related.

• Now – May 31 - We want all of the department staff and faculty on-boarded before they leave for summer
• Summer 2019 – we will continue to nag everyone in the department for those not on-boarded this Spring
• November 2019 – The deadline whenever everyone not MFA’ing is locked out

Faculty and staff should be aware of these changes:

New Update https://it.ubc.ca/news/don%E2%80%99t-lose-your-access-adobe-software 

https://ubc.service-now.com/kb_view_customer.do?sysparm_article=KB0016127

please register your CWL with:

site-license@it.ubc.ca

They require

Name, position, cwl name and software required

The new Exchange server includes a feature that you can use to change your password. You can access that feature by first going to your Exchange account using a web browser and visiting https://exchange.eoas.ubc.ca. 

For instructions please follow the steps in this short YouTube video:

https://www.youtube.com/watch?v=79S3rEEmYhw

Useful guidelines for identifying Phishing => https://bit.ly/2NcPKSF

On Wednesday, May 30^th at 9:00 am (PST), we will be updating our links so that course material is no longer served from arda.eos.ubc.ca.

If you have been accessing and posting course data on arda.eos.ubc.ca, please update your settings to use the new server koseu.eoas.ubc.ca. The location of your course files and the directory structure will remain the same. Your user name and password will be the same that you use when accessing your EOAS email account, i.e., to access course material on koseu.eoas.ubc.ca you will use the same user name and password as https://exchange.eoas.ubc.ca.

Why is this change occurring?

The operating system and applications on arda.eos.ubc.ca have been serving the department for many years. Over the last 18 months we have been working to identify replacement applications or move existing services to new homes so we can decommission arda.eos.ubc.ca. Moving course material from arda.eos.ubc.ca brings us one step closer to that goal.

Does this have anything to do with Canvas?

This change does not impact or have any relation to Canvas (http://lthub.ubc.ca/guides/canvas/).

Will I need to update my web pages?

If your web pages refer to “arda.eos.ubc.ca”, there is a possibility they will need to be updated. Prior to the move and after the move occurs, we will scan the existing pages for outdated links and update pages as we discover them. However, automated tools are not perfect and some links may go undetected, if you discover a broken link please email helpdesk@eoas.ubc.ca and we will prioritize those fixes in the queue.

What if I need more help or have questions?

We will be monitoring the help desk closely for the week and prioritizing any requests that come in requesting help as it relates to this change – if you have a question or identify a problem, email helpdesk@eoas.ubc.ca and we will prioritize your request.

What will happen to the files from the old server?

The files on arda.eos.ubc.ca will remain where they are for at least 30 days, however to avoid anyone accidently updating the old location after May 29^th, we will block access to those files. In other words, if you try to access your files at the old location, access will be denied.

If you have any questions or concerns, please contact the help desk via the from at https://helpdesk.eoas.ubc.ca, or by email at helpdesk@eoas.ubc.ca.

Sincerely,

Tom Yerex

“Well, we’ll not risk another frontal assault. That rabbit’s dynamite” ~ Monty Python and the Holy Grail

A friendly reminder that the UBC’s campus license for Oracle MySQL Enterprise is expiring on April 30, 2018.

Please switch to another database product If you are still using Oracle MySQL Enterprise and don’t have any other license arrangement with Oracle.  An option is MySQL Community Edition.

If you require further information, please visit the IT Service Catalogue (https://it.ubc.ca/services/web-servers-storage/database-administration-services/oracle-mysql  *).

If you have any questions or concerns, please contact us on our webform (http://web.it.ubc.ca/forms/dba  *)

http://remote.eoas.ubc.ca

Dear Colleagues,

Yesterday, a faculty member at UBC received a phone call at home from someone pretending to be a staff member from UBC IT offering to help check and update their computer.  This is an example of a “Windows Tech Support” scam, where the cybercriminal is hoping to install malware onto your computer.

Please be vigilant when you receive unexpected phone calls from a number you do not recognize. EOAS IT and UBC IT will never phone you at home to provide check-ups and upgrades on your computer without reason. 

If you receive a phone call from either UBC IT or EOAS IT that you did not expect, please refer that caller to your EOAS IT (Compstaff).

An update has been made to the mailing list application in the my.eos.ubc.ca portal:

• Distribution and mailing list members can be viewed.
• Updates can be made directly to the mailing lists and submitted to the help desk.
• Comment support has been (re)added.

There are still some outstanding features to be added:

• Automated distribution lists should not be editable.
• Updates to the lists should go directly to the mailing list system.

The department's mail server has gone offline. The problem is being investigated.

Kanboard (track.eoas.ubc.ca), has been upgraded to the latest stable release, version 1.0.43). A list of the new features and fixes can be found at https://kanboard.net/news/version-1.0.43.

The helpdesk.eoas.ubc.ca web site was down due to problems with a battery in a UPS unit. The site's certificate has been renewed and several updates applied to the server.

A new development web site has been set up at dev.eoas.ubc.ca. This site is intended to support ongoing development in a safe area that will not conflict with our production web sites. This site is not world-accessible, interested parties from off-campus must first use the University's myvpn.ubc.ca service (and eos context), to connect to the internal University network.

On-campus locations in the Department of Earth, Ocean and Atmospheric sciences should already have access.

Dear Colleagues,

The migration is complete and we are running on one mail system again, the webmail interface at (webmail.eos.ubc.ca aka. “SquirrelMail”), is no longer capable of sending new email messages.

You can still log into the old interface, but if you attempt to send an email from there it will go undelivered. The old webmail interface has been kept active in order to provide a comparison point for anyone concerned about whether or not the migration process was successful -- in other words, if you completed the migration and thought something was missing, you could go back to the webmail.eos.ubc.ca interface and check.

Eventually, we will take down the old interface and retire that system, for now the system is still working, but it will not send any email messages. If you need a web-based interface to send email, please use the new system at https://exchange.eoas.ubc.ca.

 If you have any questions or concerns, please contact us through the EOAS Help Desk by email at helpdesk@eoas.ubc.ca or by visiting https://helpdesk.eoas.ubc.ca, click the New Ticket > Create A Ticket link.

The UBC mail relay service was directing some mail traffic to two unused mail servers that have been retired (earth.eos.ubc.ca and pika.eos.ubc.ca). The problem was fixed by UBC IT and the fix took hold at roughly 3:30 pm today. Some mailing list traffic and individual messages failed to deliver as a result of the problem.

The log file for www.eoas.ubc.ca was registering a number of autodiscover.xml missing entries:

The problem was traced to hub.eoas.ubc.ca, the autodiscover entries were entered with an upper-case "A", i.e., Autodiscover/Autodiscover.xml. The file has been updated and changes checked into git.

The help desk now contains a Recent changes section where up-to-date information on changes to the my.eos.ubc.ca web site will be published.

PDF 2.0 is an emerging standard created by Adobe Systems. The prior format, version 1.7, has been in place since 2008 so the new standard will bring sweeping changes. The new standard should be finalized in the first half of 2016.

The new standard will not directly impact anyone until Adobe and other vendors began to update and release new versions of their products, it is impossible to predict how and when compatibility challenges will emerge. When compatiblity becomes an issue, the EOAS IT approach is to address the immediate need, then begin a process and plan how to avoid compatbility being an issue in the futre.

The immediate need is usually as simple as "I need to read this document", and in a case like this we will usually opt to convert the document to a format that can be accessed so you can get on with your work quickly. The person helping you may opt to immediately upgrade or change your computer, perhaps you are dealing with a project where there will be a lot of documents and the problem might occur again and again very soon.

The long-term solution is to provide you with the application or tools necessary to avoid the same problem happening again. It starts with a request to the help desk, after the initial problem is reported and addressed, the EOAS IT team can evaluate our options, balance our priorities, and try to assess the potential impact to come up with a plan. The challenge is for us to balance priorities and manage the expectations of our user community so everyone is satisfied.

You can learn more about PDF 2.0 from the PDF Association's web site at https://www.pdfa.org/what-will-pdf-2-0-bring/

Dear Colleagues,

Please note that ArsTechnica, The Guardian, and several other news sites are hightlighting a new security threat that leverages a trick of character encoding to fool people into thinking they are clicking on a link to Apple's web site when the link is potentially another (malicious), web site. You can read the articles at:

https://arstechnica.com/security/2017/04/chrome-firefox-and-opera-users-beware-this-isnt-the-apple-com-you-want/

https://www.theguardian.com/technology/2017/apr/19/phishing-url-trick-hackers

If you own an Apple computer, you wil llikely receive periodic email from Apple.com. Please exercise caution when visiting any link that appears to be Apple.com and avoid downloading files or documents from Apple unless you are certain of the source.

Major browser vendors are working on a fix that will mitigate this particular attack vector.

If you believe you have been the victim of a phishing attack, please contact EOAS IT via email at helpdesk@eoas.ubc.ca or by visiting our web site at https://helpdesk.eoas.ubc.ca.

If you are using a standalone version of Matlab and you need to renew your license:

• Open MATLAB 
• Click on Resources 
• Click on Help 
• Hover over Licensing and then click on Update Current Licensing
• Select license 924490
• Update
• Restart Matlab

If you experience any problems , please contact the help desk at helpdesk@eoas.ubc.ca or through the help desk web site at helpdesk.eoas.ubc.ca.

Ransomware can be localized to target individual users or systems, or expanded to larger groups and even organizationally focused with the intent of paralyzing an organization.  Recently, there have been a number of ransomware attacks that exploit unpatched vulnerabilities on servers connected to the internet, resulting in an attack against the entire organization,impacting all operations; in higher education this affected the ability to teach and do research. Some examples include the University of Calgary, San Francisco Municipal Transportation Agency, Hollywood Presbyterian Medical Centre, and Carleton University.  

Below are some similarities and recommended solutions we have been able to draw between these recent organizational attacks:

1.     Vulnerabilities are exploited to gain an initial foothold

Solution:

We strongly encourage everyone to patch all networked systems; focus first on all internet facing servers, paying special attention to java-based servers as they are frequently targeted. If you require assistance in patching your servers, please contact your department’s IT Administrator.  If you are unable to patch your server or get help from your department, please contact security@ubc.ca.

2.     Keyloggers are installed to steal administrative credentials, which are used to map network shares and deploy ransomware

Solution:

For critical accounts that have control over multiple servers/systems (e.g. root, Administrator, etc.), use a privileged account manager that checks in and out the account, changing passwords for each usage.  Privileged accounts should have limited access to only those who need it and used only when necessary.  These accounts must not be used for checking email or web browsing or any other user related activity.

Anti-malware software must also be installed and kept up-to-date on all operating systems, such as Windows, Mac, and Linux.

3.     Ransomware encrypts critical files needed for research, teaching or administrative activities.

Solution:

Use network file shares that are backed up regularly (e.g Home Drive, Teamshare, or Workspace) for the storage of critical files.  Keep backups off-line and accessible only via specific privileged accounts that have restricted usage.

In addition to the above recommendations, we strongly encourage everyone to review and ensure they have the latest patches for their servers.

November 23^rd, UBC will begin blocking incoming network traffic from off campus for a range of network services.

This change will not impact email, web, SFTP, or the Department’s ownCloud service.

The majority of the services that will be blocked are no longer in use or were considered insecure for some time. One example of a service that will be blocked from off campus is print.

In this example, if you were printing from home to a printer here on campus in your office, after tomorrow’s change you will no longer be able to print directly to your office printer from home unless you establish a secure connection using UBC’s myDNS service and your account is configured for access.

A detailed article has been posted at the EOAS Help Desk knowledge base, this article is available to anyone who has already migrated, you can find this article by searching for "ports blocked at the UBC border"

If you require an exemption, for example if you are working with an external government institution that requires access to on campus resources using a service such as Remote Desktop Protocol (RDP), and you have not already contacted EOAS IT or UBC IT – contact us NOW, otherwise your connection may be interrupted.

If you have any questions or concerns, please submit a request through the my.eos.ubc.ca portal, or if you have migrated, you can email the EOAS IT Help Desk at helpdesk@eoas.ubc.ca.

A number of people are reporting receiving emails from American Express with the Subject line: Please activate your Personal Security Key

These emails look legitimate but should be ignored.  If you are an American Express card holder and have doubts about a communication coming from what looks like American Express, or believe you may have responded to one of these emails with your information, your best course of action is to contact American Express using the phone number on the back of the Credit Card.

A screen shot is included below.

As you may be aware, there was a recent denial of service (DDoS) attack that targeted DNS services offered by DynDNS (dyn.com), which resulted in sites and services interrupted for large companies including Paypal, Netflix, and Airbnb. According to press information, the botnet behind the attack leveraged flaws in a brand of smart cameras and DVRs (arstechnica.com/information-technology/2016/10/inside-the-machine-uprising-how-cameras-dvrs-took-down-parts-of-the-internet/).

The code used to exploit the flaw is now in the public domain. UBC and other institutions and companies are experiencing an increase of malicious traffic. The malicious traffic is targeting the University’s DNS servers and our networks are being scanned for insecure devices on port 23/TCP and 2323/TCP. In response, on November 2, 2016, the University will be blocking inbound traffic specific to ports 23 and 2323 for all UBC networks. Port 23/TCP is used by the application telnet (www.packetu.com/2012/04/17/whats-wrong-with-telnet/), and port 2323/TCP is designated as part of the 3d-nfsd protocol, however many vendors use that port as an alternative to port 23/TCP.  I don’t expect this change will impact anyone in our department. If you use telnet or port 2323/TCP to access services on campus from an off campus location, you will need to start using UBC’s myVPN service.

If you are not sure how to use UBC’s myVPN service, please contact helpdesk@eoas.ubc.ca or come drop-in to EOAS Main 113 and we can talk about what needs to be done.

A vulnerability called the DirtyCOW has been disclosed for all Linux systems. The vulnerability is especially problematic for multi-user systems, which allows local-user accounts to gain escalated privileges for the affected system.  

This vulnerability has been assigned CVE-2016-5195.  We recommend applying the latest patches to your Linux machine.  A bulletin has also been created for this: http://bulletins.it.ubc.ca/archives/28072

For more information on this vulnerability, please review the following links:

https://access.redhat.com/security/vulnerabilities/2706661

https://security-tracker.debian.org/tracker/CVE-2016-5195

https://nakedsecurity.sophos.com/2016/10/21/linux-kernel-bug-dirtycow-easyroot-hole-and-what-you-need-to-know/

Dropbox® recently confirmed that 68 million email addresses and password information were stolen from their database.  UBC IT has received the list of credentials that were identified as associated with this breach.  The IT Service Centre has sent out the notification below to these users yesterday.

From: UBC IT ITSC - Do Not Reply

Subject: 2012 Dropbox® Data Breach

This email was sent from an unmonitored mailbox. Please do not reply to it

Dear <email address>,

As you might have heard, Dropbox® recently confirmed that 68 million email addresses and password information were stolen from their database.

UBC IT has been notified that your UBC email address was identified as part of the list of credentials associated with this breach. 

If you use the same password for “Dropbox” as you do for your CWL account or other UBC accounts, please reset your password(s) immediately and use a different password going forward to ensure the safety of your data and any UBC electronic information.

You can change your CWL password at myaccount . ubc . ca (this is a non-clickable link, please type this in your address bar without the spaces)

If you have any questions, please contact the UBC IT Service Centre at it . ubc . ca/helpdesk (this is a non-clickable link, please type this in your address bar without the spaces).

Sincerely,

Rose Chan

Manager, Service Centre

Information Technology | Engage. Envision. Enable.

The University of British Columbia

Tel: 604.822.2008 

A bulletin has also been posted about this notification: hxxp://bulletins.it.ubc.ca/archives/28064.  If you have been impacted by this breach, please update your password immediately.

Regards,

Larry Carson
Associate Director, Information Security Management, UBC

All Services back up and running as of 8:45pm. Happy Mailing!

Charles.

UBC and the Faculty of Science has partnered with OnTheHub.com to offer faculty and staff access to Microsoft produces under an educational license.

You can use your CWL user name and password to access your free Windows 10 Education entitlement (and other products), by going to the Imagine Premium web site. Items such as Windows 10 Education (32/64 bit), are free of charge; you can download a Windows 10 Education DVD to upgrade your Windows 10 Home or earlier Windows operating system.

Faculty and staff are encouraged to take advantage of this offer as part of our ongoing effort to encourage everyone to encrypt their hard drive data. If you require help or have any questions, please email helpdesk@eoas.ubc.ca.

Adobe will be hosting a Digital Campus Workshop for staff and faculty at UBC Point Grey campus on Thursday, October 13, 2016.  The workshop will feature special presentations from Adobe and peer institutions from BC.  Participants will receive tips on how to transform the way they communicate to their audience and will have the opportunity to share ideas and learn from colleagues on how they are using Adobe products. 

Event Details

Date: Thursday, October 13, 2016

Location: Michael Smith Laboratories (2185 East Mall), 101 Multipurpose Room

Time: 1pm to 5pm

Snacks and refreshments will be provided.

To learn more about the event and to RSVP, please click here. Please feel to forward this invitation to other staff and faculty that might be interested in attending this event.

Dear Colleagues,

On Friday, September 9, from 8:00 p.m. until 9:00 p.m. (PST), there will be one or more brief outages of IMAP service and web-based email interface for the new mail environment.

The web-based interface, https://exchange.eoas.ubc.ca, will be restarted to make several adjustments to the settings. It requires anywhere from three to five minutes for the web server to properly close connections and restart, if you attempt to access the web page during the restart you may get a "page not found" message.**

We have been gathering data this week as more and more people migrate to the new environment. The IMAP settings, which the majority of our community use to connect, has received the greatest scrutiny and so we will be making adjustments there for performance and load. During the maintenance window, you may receive an error message when attempting to access a folder. If you see an error I suggest something the kids these days call Netflax, it delivers entertainment content via the FaceGoogle Tubes that cover the entire planet in something called the IntraWeb Highway.

Once the maintenance window is complete and you have finished a marathon session of Stranger Things, if you find either the web-based interface or IMAP are not working, please contact us by emailing helpdesk@eoas.ubc.ca.

Have a very happy Friday!

Tom.

---

** Did you know that Chrome contains a hidden game? The next time you receive the "Unable to connect to the Internet" error in Chrome and see a T-Rex standing there, try clicking the space bar. The T-Rex will bounce and the game will begin.

The outgoing mail server, ssmtp.eos.ubc.ca, went offline earlier this morning and those people who are on the old email server could not send email. As of 9:15 AM this morning, September 8th, the outgoing mail service has been restored for anyone using the old mail server.

The new mail server, exchange.eoas.ubc.ca, was unaffected.

Dear Colleagues,

I am emailing you to announcement that the Department of Earth, Ocean and
Atmospheric Sciences now offers a file synchronization and sharing
platform called ownCloud.

Many of you are familiar with ownCloud and possibly have your own server
or use ownCloud somewhere else. The widespread demand for ownCloud,
coupled with the challenges of using UBC's Workspace solution has prompted
me to offer a service for everyone in the department that is managed by
EOAS IT.

If you have your own server running ownCloud this will not affect your
server, however you may want to discuss a migration to this server.

To access the department's ownCloud server you need to migrate your email
account as per the announcement made earlier this week (referenced at
https://helpdesk.eoas.ubc.ca/news/posts/new-email-system-launch). Once you
have your EOAS user name and password and have completed the migration
process, you can access ownCloud at https://owncloud.eoas.ubc.ca.

This service is a direct response to requests made by you, our user
community. Over the next few days additional information will be posted on
our knowledge base web site with steps to install the ownCloud desktop
client on Windows, Mac, and Linux operating systems. If you have any
questions or concerns about this service, please contact us at
helpdesk@eoas.ubc.ca or email me directly at tyerex@eoas.ubc.ca.

Thank you,

Tom Yerex.

"Wax on, wax off." ~ Pat Morita as Mr. Miyagi in The Karate Kid (1984)