News

S.W.A.N.

As part of the main telecommunications team on campus, Kamil Dharshi is tasked with responding to “a volume of requests from users all over” regarding mobility services. On any given day, the telecommunications analyst could be ordering, troubleshooting or assisting with general mobile phone inquiries. During specific times of the year, he is busy fielding requests on the newest cell phones being released.

Not one to remain in a single specialty, Kamil thrives on embracing new opportunities and assisting fellow team members, “anything I can do … to collaborate, come up with ideas and make everything more efficient for our customer interactions”.

The role provides Kamil, above all, with freedom from the typical IT position to build client relationships through personal interactions, “some people think IT work is behind the scenes, you’re emailing, you’re on the phone, but I’ve tried to branch out from that and I’ve tried to go and meet the client; anything I can do to see the client in person and chat with them.”

Leveraging Success

As Director of IT Service Management in IST, Tunde Obatolu manages a team of 10 which “looks after the aspects of different IT service management processes for IST” and works with IST’s operational teams “to see that as much as possible we leverage the processes in serving the University”. Tunde and his team support the IST teams by “enabling them to leverage the ticket-tracking tool [ServiceNow] and also to leverage the governance forums that we have in place for some of the processes, for example, the Change Advisory Board”. While his team looks after “specific processes” such as incident, change and problem management, Tunde feels that the “most important part of [his] job is mentoring and coaching [his] team members with regards to improving their skill sets and capabilities in order to continually improve”.

Tunde’s career in IT began at the University of Technology, Akure in Nigeria where he completed a Bachelor of Computer Systems. After a few Microsoft and Cisco certifications, on coming to Canada, Tunde completed his MBA at the University of New Brunswick, as well as “getting certified as a management accountant to get further exposure to strategy and the application of strategic approaches in an IT business context”.

After working with a number of multinational companies, including Blackberry where he worked on a 2-year, $30-million service management project, Tunde has been “able to leverage the experience from that and other engagements” in his current role with IST. He has used his “background to better leverage his team” to success with the implementation of ServiceNow, and he is sure that together they will continue to “further enable the actualization of the goals of executive management for the seamless delivery of IT services at the University of Alberta”.

Poodlebleed Vulnerability

What is this vulnerability?

There is a vulnerability in Secure Sockets Layer version 3 (SSLv3), a standard encryption protocol used on many servers and appliances. Current web encryption protocols (called Transport Layer Security, or “TLS”) are backwards compatible with SSLv3 and can be forced into a “downgrade dance” where they eventually revert to using this protocol.

An attacker who exploits this vulnerability can acquire the traffic sent between the browser and the web server. TLS encrypts this traffic securely, so an attacker cannot harvest user information from it. SSLv3, however, uses encryption that can be easily decrypted, so an attacker can capture traffic from an SSLv3 connection and decrypt it, obtaining user information.

Why is this vulnerability called Poodle Bleed?

Poodle is an acronym for Padding Oracle On Downgraded Legacy Encryption. This describes the exploit methodology for the vulnerability. Bleed refers to the partial exposure of data to unauthorized parties.

What is IST doing about it?

IST is taking precautionary actions across all our teams. Deskside Analysts will be addressing the issues in Faculties and Departments, ensuring users are using protocols that are not vulnerable in browsers such as Chrome and Firefox. Server teams will be updating web servers so that they do not allow the use of SSLv3 on HTTPS connections. The Service Desk will be helping any on-campus users configure their browsers to keep their information safe. The Service Desk is located on the 2nd floor of GSB and can be reached at 780-492-9400. More contact information can be found here.

IST strongly encourages our clients to update their web browsers and their browser configuration to prevent this vulnerability from being exploited.

Directions for disabling SSLv3 in browsers can be found here.

What should a normal user do?

This exploit could affect anyone using HTTPS when browsing the web. This attack is only possible when both the browser and web server support the downgrade to SSLv3. Patches for this vulnerability have not yet been released. To make sure you are not vulnerable, disable SSLv3 in your browser. You can test if your browser is vulnerable.

Directions for disabling SSLv3 in browsers can be found here.

For additional assistance, please contact Information Services and Technology at 780-492-9400, or visit us in our new location on the 2nd floor of the General Services Building. Please don’t hesitate to contact the IST or your local IT support for assistance.

What should system administrators be doing?

IT staff who manage servers should proactively disable SSLv3 on their servers. In Apache, this can be done by adding the following line to a config file.

# enable all available TLSv1 flavors, but not SSLv2, SSLv3
SSLProtocol All -SSLv2 -SSLv3

Resources online are available to assist with updating configuration on various other server platforms.
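A way to confirm the Apache setting above has taken effect everywhere it is set, shown as an added example that is not IST's or Apache's own code: the script evaluates every SSLProtocol line in a config and reports the ones that still leave SSLv3 on. It assumes mod_ssl's left-to-right handling of +/- prefixes, that a bare name replaces what came before it, and that "All" includes SSLv3 as on servers of this advisory's era; the sample config is constructed.

```python
import re

# Protocol names mod_ssl accepts. "All" is modelled as including SSLv3
# (assumption: the conservative reading for servers of this advisory's era).
KNOWN = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
# Commented-out directives start with '#', so they never match.
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def effective_protocols(args):
    """Evaluate one SSLProtocol argument string left to right."""
    enabled = set()
    for token in args.split():
        sign, name = "", token
        if token[0] in "+-":
            sign, name = token[0], token[1:]
        name = name.lower()
        if name != "all" and name not in KNOWN:
            raise ValueError(f"unknown protocol {token!r}")
        group = set(ALL) if name == "all" else {name}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = group  # assumption: a bare name replaces earlier tokens
    return enabled

def audit(config_text):
    """Return (line_no, args, sslv3_enabled) for each SSLProtocol line."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            protos = effective_protocols(m.group(1))
            findings.append((no, m.group(1), "sslv3" in protos))
    return findings

# Constructed sample: the global line is hardened as above, but a virtual
# host carries its own directive that leaves SSLv3 enabled.
SAMPLE = """\
SSLProtocol All -SSLv2 -SSLv3
<VirtualHost *:443>
    SSLProtocol All -SSLv2
</VirtualHost>
"""

if __name__ == "__main__":
    for no, args, weak in audit(SAMPLE):
        print(f"line {no}: SSLProtocol {args} -> {'SSLv3 ENABLED' if weak else 'ok'}")
```

A virtual host with its own SSLProtocol line, as in the sample, is the case to look for after adding the global directive.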

How can I get more information?

More details about this vulnerability and its impact can be found under CVE-2014-3566 in the Vulnerability Database maintained by the US National Institute of Standards and Technology at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566.

If you are running Linux, more information on patching can be found here.

The report released by the developers who found the vulnerability can be found here.

Learning Everyday

As an Intermediate Developer at IST, Sepideh Emam feels comfortable collaborating and working alongside fellow team members. “I really like my team,” Sepideh says of the Application Development team, led by Team Lead, John Komick, “they really help me feel like I am a team member”.

Of all the programming projects Sepideh has been involved with, she has found a particular passion for quality assurance and data analysis. She says the goal is to, “produce higher quality applications by assessing risk and providing business intelligence to fix issues, prior to deploying the application”. As her education has tended to concentrate on software verification, the focus is a natural fit and she adds, “I love finding bugs”.

Sepideh finds computer science is a field where, “everyday you can learn something new” and is a concentration that almost necessitates continual learning, “new things always come up and you have to be updated”.

Within IST, Sepideh is content to be in an environment where she can apply her educational knowledge and where she “can grow everyday”.

‘Who you gonna call’

For Ryan Williams, a help desk analyst, “it’s really important to me that I do work I can believe in, and work in a workplace that I can feel proud about—and I found that here” with IST.

Day-to-day, Ryan helps students, staff, faculty, “and lots of alumni and professors emeriti” with password resets, email setups, software and technical issues. He also knows when to pass on requests he cannot resolve to IST’s other teams, such as Apps Supports, Large-Format Printing and ITSM to name a few. The issues Ryan does deal with are often repetitive but that does not mean his work is easy. When the Heartbleed bug led to the University’s password reset initiative, the Help Desk team was extremely busy, fielding over 600 calls on the first day of the initiative. Ryan, who became very quick at resetting passwords, can reset one in less than 2 minutes.

And, sometimes “something more unusual comes up” such as the call from a professor emerita who needed to send email from her computer but only had a cell connection at her cabin in Jasper. Ryan “helped her set up the phone as a wireless hotspot so she could connect to it”. Now, that professor makes a point of asking for Ryan when she calls the Help Desk because he was patient and took the time to help her resolve her long-distance IT issue.

Ryan, who arrived at IST’s Help Desk “from a non-technical background with some interest in IT and some skills”—his degree is in Sociology from Simon Fraser University and he worked at the Apple Store—understands that not everyone is comfortable with or knowledgeable about IT. And, although he “does a lot of technical work, the biggest part of [his] job isn’t technical; it’s the ability to communicate with clients”.