
IT Spotlight


Just a reminder that as of June 1, 2019, Malwarebytes is no longer offered by Berkeley Lab IT. Existing clients will continue to function, but will not receive updates. IT recommends that users uninstall Malwarebytes. This can be done manually, or users can wait until they see a BigFix Offer from IT, which will remove the application automatically. For further information, refer to our Malwarebytes FAQ site.

Berkeley Lab computers are constantly under attack, but what should we, as users, do to protect ourselves and our systems? According to research conducted by Google, users and security experts often have different ideas about which steps are best.

To make it easier, Berkeley Lab IT has developed a series of IT Best Practices that all staff should follow when using Lab computers. These best practices address the most important security recommendations, data protection, and performance optimization.

IT Best Practices include:

  1. Install BigFix on ALL computers. BigFix is used to help keep your operating system and common applications up to date. There is even a Passive mode that you can use if you don’t want any updates done automatically.

  2. To make sure that updates are installed, it is also essential that you REBOOT your computer regularly! BigFix will also tell you when your system needs a reboot.

  3. Use LastPass, a password manager which IT provides for free. LastPass makes it easy to make sure you always use strong, unique passwords.

  4. Enroll in the Lab’s Multi Factor Authentication (MFA) system. With MFA enabled, an attacker who knows your Lab password still won’t be able to log in.

  5. Familiarize yourself with the IT FAQ and Cyber Security websites. These sites are updated regularly with important information for users.

  6. Install Sophos on all workstations. Sophos is provided for free by Berkeley Lab IT.

  7. Use Druva inSync to back up your workstation data ($51/yr for up to 10 computers).

  8. Use VPN when on public networks (including LBL’s Visitor Wireless) or on travel. It is a good idea to use VPN whenever possible while offsite.

  9. Clean up your computer

  10. Use Google Drive / Google Shared Drive / Google File Stream to store important or shared files.

As most people know, keeping your software updated is the number one thing you can do for cyber security.  What is less well known is how important this is on mobile devices, such as iPhones and Android devices. A recent set of vulnerabilities announced in iPhone devices both makes it a priority to update now and serves as a reminder of the importance of updating regularly. 

You can read more about the newly announced vulnerabilities at https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html

There is good news: update and reboot your iOS devices now to ensure they are secure.

REFERENCE ARTICLE

On August 13, 2019 Microsoft released a warning to update and reboot your system due to new Microsoft Remote Desktop Services vulnerabilities:

This affects the following operating systems:

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

  • Microsoft Windows Server 2012

  • Microsoft Windows Server 2008

  • Microsoft Windows 10

  • Microsoft Windows 8

  • Microsoft Windows 7

Berkeley Lab IT suggests all Windows users patch and reboot all systems immediately. Updates will also be released using BigFix for systems that were not patched through normal operations.  

Advice: Always keep your system and all software up to date and REBOOT at least once a month.

RELATED ARTICLES

During the renewal process, Adobe made a provisioning error, which impacted the Lab’s Adobe DC Pro licenses. Adobe has acknowledged that this was their mistake and apologizes for the inconvenience.

To correct this error, and reactivate your Acrobat Pro DC license, follow the instructions below:

 Did you receive a message similar to those below?:

1)  Launch Acrobat Pro DC by clicking the Acrobat icon or selecting it from your product list.

2)  If Acrobat access is successful, Sign Out of Acrobat by clicking the (1) Help menu and (2) “Sign Out” (see image below):

3)   Otherwise, you should see the “Sign In Required” dialog box like the one below.  Click the blue “Sign In Now” button in the lower-right (see image below):


4)    You should see the login dialog box below.  If you know the Adobe ID that is associated with your Acrobat Pro DC license, enter the email address (typically your LBL email address) and your password.  If you don’t know your password, click on the “Forgot password?” link in the lower-right of the dialog box (see image below):

5)    If you clicked on “Forgot password?” you will see the forgot password box below.  Just enter the Adobe ID email address associated with your Acrobat Pro DC license (your LBL email address) and click the blue “Next” button and follow the instructions.

IF FOR SOME REASON THE STEPS ABOVE DON’T WORK OR DO NOT COVER WHAT YOU ARE SEEING, TRY THE WORKAROUND BELOW:

1)    Click on https://www.adobe.com/ or type it into your browser.

2)    Click the (1) Icon in the upper-right corner and then (2) click “Sign Out” (see image below):

3)    Then click “Sign In” and enter the Adobe ID that is associated with your Acrobat Pro DC license (typically your LBL email address) and your password.  If you don’t know your password, click on the “Forgot password?” link (see images below):

If you are still experiencing difficulties after completing these steps, please Request Help.   

Berkeley Lab Cyber Security has discovered bad guys exploiting Apple’s Remote Management service to conduct reflected denial-of-service (DoS) attacks. In response, they have temporarily blocked port 3283 UDP at the network border to prevent further abuse.  This should have no noticeable impact to anyone.  

What to do?

In order to protect Berkeley Lab computers from participating in this hostile activity, we require all users to disable Apple Remote Management Service.  To disable this service:

  1. In Apple Menu, select System Preferences
     
  2. Select Sharing
     
  3. Uncheck Remote Management
     

This change will not have any adverse effects for most users and in fact is the Apple default.  You can still use Apple Remote desktop and VNC to connect if you enable "Screen Sharing". If you believe disabling Remote Management will create an adverse situation for you, please contact security@lbl.gov

IT will use BigFix to prompt users to automatically disable the Apple Remote Management Service on all systems running in Active Management Mode. For systems in Passive Management Mode, a BigFix Offer will be provided for users to disable it manually.

              

BigFix can be downloaded from https://go.lbl.gov/DownloadBigFix. For any further inquiries Request Help.




LabTech Everyday Event Coming To You

You asked, we listened! We’re bringing LabTech to you!


Monday, July 22, 2019 @ 10AM
Outside patio between Bldg. 62 and Bldg. 66


Come see us to learn how IT can help you with all your computing needs. We will be offering no-cost consulting on:

  • Scalable, cost-efficient centralized IT services

  • High Performance Computing

  • Virtualization

  • Storage Solutions

  • Software Training

  • Desktop/Laptop/Mobile support

  • Backup and Multi Factor Authentication guidance

For more information, see scienceit.lbl.gov.


Zoom has identified a zero-day vulnerability in its Zoom Meeting Client for Mac. Zoom released an emergency patch today to address this security issue. IT requests that you upgrade your Mac client to version 4.4.6 as soon as possible. The vulnerability allows any website to open a video-enabled call on a Mac with the Zoom app installed. Information has been posted on several sites:


What you should do:

  • Download the latest version from Zoom download page  OR

  • Launch Zoom and under “zoom.us” menu select Check for Updates and install

Apple recently announced a recall for a small number of MacBook Airs, but unfortunately Apple has not published a website to easily determine if your MacBook Air could be affected. Users can contact Apple directly with their computer serial number to see if they are affected. If you would like support, please feel free to contact the IT Workstation Support Group through a help ticket.

There is no cost for the repair, but standard rates apply for IT labor.


Article ID:SN5274

Last Modified: 28 Jun 2019

Published Date: Fri Jun 28 21:22:16 GMT 2019


Apple has identified an issue with the main logic board in a very small number of MacBook Air (Retina, 13-inch, 2018) systems. Apple will replace the main logic board in affected systems, free of charge. Apple will also send an email to customers, who registered their device with Apple, to let them know that their device is eligible for a main logic board replacement.

To learn more about providing this service, read MacBook Air (Retina, 13-inch, 2018) Main Logic Board Service Policy (see below, OP2173).


Article ID:OP2173

Last Modified: 02 Jul 2019


Apple has identified an issue with the main logic board in a very small number of MacBook Air (Retina, 13-inch, 2018) systems. Apple will replace the main logic board in affected systems, free of charge. 

1. Eligibility

A. Affected Product - MacBook Air (Retina, 13-inch, 2018) with specific serial numbers.

B. System Message - When the serial number of an affected MacBook Air is entered into the repair system a message will direct the Technician to replace the main logic board.

C. Coverage - Apple will authorize coverage within four (4) years from original purchase date.

If the customer’s computer has accidental damage they do not want repaired, proceed with the service at no cost as long as the damage does not prevent a Technician from completing the repair. If the damage prevents the repair, the customer must pay for the accidental damage to be repaired, in order to get the main logic board replaced at no cost.

D. Apple will send an email to customers, who registered their device with Apple, to let them know that their device is eligible for a main logic board replacement.

 

2. Create Carry-In Repair

Encourage all customers to back up their data before any repair. Apple assumes no responsibility for customer data.

A. Carry-In Repair is the service strategy for this program.

B. Classifying the repair - Use the serial number of the MacBook Air (Retina, 13-inch, 2018) to create the repair. For the main logic board to be eligible for replacement at no charge, the repair must be properly classified.

  • Symptom - Power
  • Issue - 2018 MacBook Air MLB REP
  • CompTIA - ZA3 2018 MacBook Air MLB REP

C. Parts - Select the service part for the main logic board.

D. Repair Notes - Describe the work to be performed.

E. Perform the repair - Refer to MacBook Air: Logic Board (RP1458) for details about replacing the main logic board. 

F. Ready for Pick up - Once the repair is complete, contact the customer to pick up their computer.

 

3. Mail-In Repair (Japan and U.S. only)

Carry-In service is the preferred strategy for the MLB service policy.

When the MacBook Air requires additional repair, the customer is responsible for any charges related to that additional service.

A. Classify the repair properly.

1. Main logic board replacement under this program:
  • Symptom - Power
  • Issue - 2018 MacBook Air MLB REP
  • CompTIA - ZA3 2018 MacBook Air MLB REP
  • Part - Flat Rate 2 Repair Charge
2. Main logic board replacement and additional repair service:
  • Symptom - Power
  • Issue - 2018 MacBook Air MLB REP (multi-issue)
  • CompTIA - ZA4 2018 MacBook Air MLB REP (multi-issue)
  • Part - Select the appropriate repair rate for the additional issue, as described in Choosing Flat and Tier Rate for Mail-In Repair (OP18).

B. Follow the standard process to complete the repair. 

Apple recently announced a safety recall for a limited number of older generation 15-inch MacBook Pro units. The battery may overheat and pose a fire safety risk. Affected units were sold primarily between September 2015 and February 2017 and product eligibility is determined by the product serial number.

To confirm your computer qualifies for the recall:

If your MacBook Pro qualifies for the recall, you can contact Apple to initiate the repair. Berkeley Lab IT can also facilitate repair through our Apple repair vendor, and can:

  • Advise and/or perform backup of data prior to repair

  • Detag, hold and re-tag DOE numbers for off-site computer repairs (property management requirement)

  • Coordinate repair with Apple certified repair vendor 

  • Provide a loaner computer while repair is being performed

There is no cost for the repair, but standard rates apply for IT labor.

Lastly, always remember to back up your data prior to any repairs. Berkeley Lab IT offers Druva inSync as a cloud-based subscription service for unlimited cloud-based backups for workstations.

Submit Help Ticket

On January 14, 2020, Microsoft will stop releasing updates and critical security patches for Windows 7, leaving Windows 7 systems unable to be secured and putting your personal data and the Lab at risk. Because of this, Windows 7 computers must be updated to Windows 10.

What should I do?

In most cases, upgrading your system to Windows 10 is straightforward, and may not even require you to buy a new Windows license.  Options and instructions for upgrading your system are available at Windows 7 End of Life.

Can IT help me with my upgrade?

Yes, IT can upgrade your system for you. The cost to perform a Windows 10 upgrade is $250 (additional license costs may apply). To get started, email help@lbl.gov.

What if my system is too old to run Windows 10?

IT can help you get a new or used computer. Visit go.lbl.gov/get-a-computer to browse our standard models, and to submit an order. The cost to deploy a workstation is $250.

What if I need my system to keep running Windows 7?

Many computers run equipment or software that is not compatible with Windows 10, and which cannot be replaced or upgraded. Please report such systems to IT by submitting a Windows 7 Exception Request.

What will happen if I don’t upgrade my system?

If and when a critical vulnerability is exposed in Windows 7, LBL IT will block all Windows 7 systems from the network. The most recent vulnerability of this type was discovered in May 2019; fortunately Microsoft had not yet ended support for Windows 7.

On May 14, 2019, Microsoft released a warning to immediately update and reboot your system due to a Microsoft Remote Desktop Services vulnerability; see Microsoft Remote Desktop Services (CVE-2019-0708). Users are advised that this is an extremely dangerous vulnerability and should be addressed right away.

This affects the following operating systems:

  • Microsoft Windows Server 2008 R2 for x64-based Systems SP1

  • Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1

  • Microsoft Windows Server 2008 for x64-based Systems SP2

  • Microsoft Windows Server 2008 for Itanium-based Systems SP2

  • Microsoft Windows Server 2008 for 32-bit Systems SP2

  • Microsoft Windows 7 for x64-based Systems SP1

  • Microsoft Windows 7 for 32-bit Systems SP1

  • Microsoft Windows Server 2003 SP2 x86

  • Microsoft Windows Server 2003 x64 Edition SP2

  • Microsoft Windows XP SP3 x86

  • Microsoft Windows XP Professional x64 Edition SP2

  • Microsoft Windows XP Embedded SP3 x86

Users should know that if their systems are not patched appropriately and an attack is launched against this vulnerability, LBNL will temporarily block access to RDP (3389/tcp) from outside the Laboratory. If this occurs, users must use VPN to access Remote Desktop Services hosted Lab systems.

Users can refer to Cyber Security’s announcement, Critical Remote Desktop Vulnerability. Any questions or concerns can be directed to security@lbl.gov.
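A local check for the two listeners named on this page, Apple Remote Management on 3283/udp (the Remote Management item above) and Remote Desktop on 3389/tcp. This is an added example, not Berkeley Lab IT code: it parses `netstat -an` output in macOS/Linux and Windows layouts, and the function name, sample text and addresses are constructed for illustration.

```python
import re

# Services named on this page and the ports they listen on.
WATCHED = {
    ("udp", 3283): "Apple Remote Management",
    ("tcp", 3389): "Remote Desktop (RDP)",
}
_PORT = re.compile(r"[.:](\d+)$")  # macOS writes *.3283, Windows/Linux write 0.0.0.0:3389
_WILDCARD_PEERS = {"*.*", "*:*", "0.0.0.0:*", "[::]:*", ":::*"}

def find_exposed(netstat_text):
    """Return sorted (proto, port, service, local_addr) for watched listening sockets."""
    hits = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 3 or not f[0].lower().startswith(("tcp", "udp")):
            continue  # header or unrelated row
        proto = f[0].lower()[:3]
        if f[1].isdigit():
            # macOS/Linux rows: Proto Recv-Q Send-Q Local Foreign [State]
            if len(f) < 5:
                continue
            local, peer, state = f[3], f[4], f[5] if len(f) > 5 else ""
        else:
            # Windows rows: Proto Local Foreign [State]
            local, peer, state = f[1], f[2], f[3] if len(f) > 3 else ""
        m = _PORT.search(local)
        if not m:
            continue
        key = (proto, int(m.group(1)))
        if key not in WATCHED:
            continue
        # TCP has an explicit LISTEN/LISTENING state; UDP has none, so an
        # unconnected socket (wildcard peer) is treated as a listener.
        if proto == "tcp":
            listening = state.upper().startswith("LISTEN")
        else:
            listening = peer in _WILDCARD_PEERS
        if listening:
            hits.add(key + (WATCHED[key], local))
    return sorted(hits)

# Constructed sample: a Mac with Remote Management still enabled.
MAC_SAMPLE = """Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp4       0      0  *.5900             *.*                LISTEN
udp4       0      0  *.3283             *.*
udp4       0      0  *.5353             *.*
"""
# Constructed sample: a Windows host serving RDP and also connected out to an RDP server.
WIN_SAMPLE = """  Proto  Local Address      Foreign Address     State
  TCP    0.0.0.0:3389       0.0.0.0:0           LISTENING
  TCP    192.0.2.20:50122   198.51.100.9:3389   ESTABLISHED
  UDP    0.0.0.0:3389       *:*
"""

if __name__ == "__main__":
    for name, text in (("mac", MAC_SAMPLE), ("windows", WIN_SAMPLE)):
        print(name, find_exposed(text))
```

An empty result for a host means neither service is listening there; the outbound RDP client connection in the Windows sample is not flagged because only the local port is matched.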

Advice: Always keep your system and all software up to date and REBOOT at least once a month.

RELATED ARTICLES

We’ve all heard the stories about major data breaches at some of the largest online businesses.  3 billion Yahoo customers had their usernames and passwords compromised leaving those users vulnerable to hackers. Target was breached in 2013, exposing the information of 41 million customers.

A strong password is no longer enough to protect you and your data. Multi Factor Authentication (MFA) provides a second layer of security beyond your username and password. Think of it this way: your username and password are “something you know.” MFA requires both “something you know” and “something you have.” At Berkeley Lab, the “something you have” is a physical token that will generate a unique one-time password (OTP). Under MFA, a hacker who has your credentials still can’t access your account, because they lack “the something you have.”

Berkeley Lab has implemented MFA protection for your Berkeley Lab Identity. As a computing best practice and to help protect you against credential theft, you can choose to add MFA protection for your Single-Sign-On (SSO) logins, such as Gmail, Google Calendar, Google Team Drive, LETS, HRIS, etc.

To set-up MFA, simply go here.

Detailed instructions are available in the Multi Factor Authentication Instructions page.

For additional help, create a ticket by emailing help@lbl.gov.
