Feed on
Posts
Comments

[lock]

What is Heartbleed?

Many Wesleyan alumni have probably heard about the Heartbleed vulnerability which was announced on April 7. “Heartbleed” is a nickname that refers to a serious flaw in a popular open source security component known as OpenSSL. NPR’s story from April 8 provides an overview of the problem. For a more technical angle see the blog post on Heartbleed by security expert Bruce Schneier. (A popular web comic called xkcd explains the bug visually.)

Wesleyan systems

On April 9 Wesleyan ITS sent an update to the campus community with information on how Heartbleed relates to Wesleyan:

ITS reacted swiftly to the announcement of this threat. We swept all servers and, within 24 hours of this coming to light, completed patching systems by noon on April 8. Our concern for Wesleyan usernames and passwords is very low.

You can read the full text of the message on the ITS System Announcements blog. This response prevents the possibility of information leaks due to Heartbleed in future.

Wesconnect is unaffected by this vulnerability because iModules does not use OpenSSL in its product.

Recommendations for alumni

1. Change your Wesleyan email password

We recommend that alumni change their Wesleyan email passwords as a precaution. Changing your password ensures that you’re no longer vulnerable to any information leaks that may have occurred due to Heartbleed prior to April 8. It is not necessary to change your Wesconnect password, though it never hurts to do so!

2. Change other important passwords

As well as updating your Wesleyan email passwords, everyone should consider updating other important passwords such as other email accounts, online banking accounts, social media accounts, etc.

Update (April 18): software company AgileBits released a handy tool called 1Password Watchtower that helps you check how vulnerable any website is to Heartbleed.

3. Consider using a password manager

We know that choosing and remembering passwords is universally unpleasant to humans! So consider using software that will suggest and remember your passwords for you. This will increase your security and make it easier to use services on a daily basis.

Modern versions of web browsers such as Firefox (how to), Chrome (how to), Internet Explorer (how to) and Safari (how to) have password management features that you can turn on in Options/Preferences.

You might also like to check out dedicated password management tools like LastPassPassword Safe and 1Password.

Get in touch

Let us know if you have any questions and we’ll point you in the right direction.

[lightbulb]The CAPTCHA widget that appears if you mistype your login credentials has been updated and moved closer to the top of the page. The new version asks for two numbers instead of two words. We think these changes will make it easier to notice the CAPTCHA if it pops up, and to provide the correct answer. Here’s what it looks like:

[Wesconnect login page]

New CAPTCHA widget (click for a larger version)

[wrench]

Wesleyan Webmail (also known as Squirrelmail) will be undergoing scheduled server maintenance on Tuesday, February 25. The maintenance window is 5:30–6:30 a.m. Users should not notice any major disruption to their email service, however it is possible that the system will be unavailable at some points during the maintenance window. Alumni from the classes of 2009 and later will not be affected. As always, if you have any questions please let us know by submitting a ticket or writing to alumnihelp@wesleyan.edu.

RESOLVED — February 21, 2014

[gear]

This issue is resolved. Wesconnect is working normally. We experienced typical traffic volumes this week and the site has performed as expected, with no further outages. For more information on the recent outages please see Moving Forward by iModules President Fred Weiss (Feb. 18), and A View From the Trenches by Director of Product Development Steve Williams (Feb. 21).

February 17–20, 2014

Wesconnect is working normally. We will keep a close eye on site performance and mark this issue as resolved once we are confident that the website is functioning normally under typical weekly traffic volumes. Please send any questions via the Alumni Helpdesk Support form, by email to alumnihelp@wesleyan.edu or ask us on Twitter or Facebook. We apologize for the inconvenience to our alumni, students, faculty and staff caused by these connection issues.

February 16, 2014

10:01 a.m.: We pointed DNS for wesconnect.wesleyan.edu back to iModules’ servers yesterday afternoon and Wesconnect appears to be operating consistently since that time. We will keep a close eye on availability and performance and mark this issue as resolved once we are confident that all Wesconnect traffic is successfully reaching iModules’ servers, and that the website is functioning under typical weekly traffic volumes.

February 15, 2014

5:21 p.m.: iModules has identified the root cause of the outages that have affected Wesconnect availability since the DDoS attack on their servers on February 3. We will soon switch DNS for wesconnect.wesleyan.edu back to iModules’ servers. Here’s part of the resolution announcement:

We have successfully identified and corrected the issue causing the outage during the last few days. While a more in-depth report on the issue will follow, to summarize, we had networking environment configurations that were sensitive to traffic volumes coming from individual source IP addresses. When we made the emergency switch to our DDoS filtering service, we essentially consolidated source IP addresses, and there were downstream configuration issues that blocked most traffic and caused the outage. We have been able to recreate the issue and confirm that our change resolves it.

iModules plans to monitor their new networking configurations closely but they are confident that this issue is now resolved. We will also monitor closely and will mark this issue as resolved once we are confident that all Wesconnect traffic is successfully reaching iModules’ servers and the website is functioning normally, under typical weekly traffic volumes.

8:45 a.m.: While Wesconnect availability has improved since Friday morning the root cause of the outages has not yet been identified. iModules continues to investigate. We are passing traffic through to the iModules webserver, but if their host does not respond after 30 seconds we are rerouting traffic to the Wesconnect Outage page. iModules will send an update on progress later today.

February 14, 2014

Please send any questions via the Alumni Helpdesk Support form, by email to alumnihelp@wesleyan.edu or ask us on Twitter or Facebook. We apologize for the ongoing inconvenience to our alumni, students, faculty and staff.

1:11 p.m.: After a period of consistent uptime this morning, yesterday’s intermittent Wesconnect access problems have returned. iModules continues to investigate. We are currently trying to pass traffic through to the iModules host, but if the host does not respond after 30 seconds we are rerouting traffic to the Wesconnect Outage page.

Here is some additional detail from the most recent iModules status communication:

We are proceeding down parallel paths to resolve the situation. The first path is that we have engaged additional resources and expertise to evaluate the situation and ultimately, resolve the outage in our current environment. The second path is looking at creating an additional environment for our U.S. client sites to transition to in the situation that the current issues are not solved in the near term.

We appreciate how frustrating this is for our users and apologize for the ongoing inconvenience.

10:04 a.m.: The Wesconnect outage continues. From the latest iModules status message:

After temporary site availability this morning, the outage affecting U.S.-Hosted Encompass sites continues as of 8:05 a.m. Central. We are actively investigating the cause and will provide updates as they become available.

7:33 a.m.: iModules technical staff believe they have resolved the problems leading to the outage and maintained consistent uptime on their hosts for several hours, so we are now routing traffic back to the main website. Here’s part of a recent email from iModules describing their work overnight:

Yesterday’s outage appears to be due to a particular mix of the load put onto the system between our firewalls, the public internet, and the devices that sit between them. We worked closely throughout the day yesterday and into the evening with multiple partners – our co-location facility, attack mitigation vendor, fire-wall provider, and load-balancer vendor, to review traffic and configurations among and between the systems. We ran sustained tests overnight that exceeded our typical traffic and are no longer able to recreate the circumstances that caused the outage. We are bringing in additional expertise to assess and evaluate the outage.

We will continue to monitor throughout the day and will provide any further updates here, as needed.

February 13, 2014

10:36 p.m.: iModules continues to work on the problem. No resolution as yet.

4:14 p.m.: We are now redirecting all Wesconnect traffic to an information page explaining the outage. When we are confident that service has been restored at iModules end we will re-route traffic to the usual website.

2:30 p.m.: We don’t have any additional information to report except that iModules continues to investigate. Here’s part of a recent email from iModules on the outage:

There are many potential scenarios that might be causing the current outage and we are actively working with our DDoS mitigation provider, firewall provider, and hosting facility to narrow down the problem and a resolution.

Please send any questions via the Alumni Helpdesk Support form, by email to alumnihelp@wesleyan.edu or ask us on Twitter or Facebook. We apologize for the ongoing inconvenience to our alumni, students, faculty and staff.

11:30 a.m.: Wesconnect, the alumni website, is responding sporadically. On campus we are seeing persistent “connection dropped by server” messages. Our platform vendor iModules is aware of the problem and is working to resolve it. We’ll post an update here when we know more. In the meantime, more information may be available at status.imodules.com.

howto_alert_7511:52 p.m.: Wesconnect is currently timing out. Our platform vendor iModules is aware of the problem and is working to resolve it. We’ll post an update here when we know more. In the meantime, more information may be available at status.imodules.com.

1:12 p.m.: iModules has confirmed that another attack on their servers is underway. We’ll post more when we have it. Meanwhile, should you need assistance please contact us using the Support Form on this site.

2/10/14 11:28 AM (Central Time) – We are experiencing another cyber attack that is affecting U.S.-hosted Encompass sites. We will provide updates and any needed client action as soon as we know more. Thank you for your patience.

3:47 p.m.: Access from campus appears to have been restored. Monitoring for now…

5:45 p.m. RESOLVED: Wesconnect is now operating normally. iModules discovered that what initially looked like another DoS attack was the result of a misconfiguration between their servers and those of their DDoS mitigation provider. The misconfiguration only manifested under high traffic conditions.

Things should now be back to normal. Please let us know of any issues or questions.

#mondays

howto_alert_752:12 p.m.: Wesconnect is currently timing out. Our hosting provider’s servers are affected (i.e. multiple websites), apparently due to a high volume of unknown traffic. The technical team is investigating. We’ll provide updates here. In the meantime, Alumni Support Requests can made via the Alumni Helpdesk, on Facebook or on Twitter.

5:02 p.m.: Wesconnect is working normally again. Our platform vendor iModules is researching the cause of this outage. Any further information will be posted here.

5:15 p.m.: The site is unresponsive again. Server status is available at http://status.imodules.com. More as we know it…

7:37 p.m.: iModules has confirmed that their servers are experiencing a Denial of Service (DoS) attack. This is a method of compromising a website by overwhelming the server with inbound traffic. iModules is working with security experts on mitigation. We’ll post further updates when they are available.

2/3/2014 6:12 PM (CST) – iModules is experiencing a Denial of Service (DOS) attack. This is a distributed DOS attack utilizing a network of computers to overwhelm the iModules network with page requests.

The attack is specifically focused on rendering iModules web sites unavailable to the outside. There has been no penetration, breach or corruption of the iModules platform or its databases. At this point, we do not yet know whether iModules was specifically targeted, or whether a specific client was targeted.

The iModules IT team is working on the coordinated response to this attack. We are working with a 3rd party with specialization in DDOS attacks. Some sites are already up-and-running again, and we shortly will be in direct contact with any clients who may need to make changes on their end.

Feb. 4, 7:56 a.m.: We are re-routing DNS and hope to be back online shortly.

Feb. 4, 8:47 a.m.: DNS has been updated and Wesconnect availability is being restored. Those visiting the site from a campus Internet connection should now see it. However, because of how DNS changes work (propagating from server to server across the Internet) it could be up to 24 hours before the site is responding from an off-campus location. In the meantime, please contact us using the Alumni Helpdesk form, Facebook or Twitter. If you need to access the Alumni Directory and Wesconnect is still not working for you, try our mobile app.

Feb. 4, 12:15 p.m. RESOLVED: Service is being restored beyond campus. DNS was changed around 8:30 a.m. EST. The window for most ISPs to update their DNS records for Wesconnect is 6-12 hours depending on their last refresh, so Wesconnect should be accessible from most locations within the next 2-8 hours. The actual window will probably towards the lower end in most cases.

We apologize for any inconvenience caused by this outage. DNS routing changes made by iModules overnight should allow for faster response times if this kind of incident reoccurs. As always, let us know if you have any further problems or questions.

VPN Services

[lock]While Wesleyan provides full-service email accounts for alumni we cannot offer VPN services after graduation because alumni are not licensed to use any of the University’s database or journal subscriptions.

To get you started we’ve compiled a list of pages that contain answers to common questions about VPN. Alumni interested in acquiring a VPN provider might find a search for “vpn” or “vpn services” on one of the following websites useful.

Topic Comments Website to search
What is VPN actually used for? The problem that VPN was originally created to solve Super User
Why you should start using a VPN and how to choose one Identifying a good VPN and five reader-recommended services Lifehacker
How to surf safely with a VPN-for-hire Three VPN service providers and how to use them on Mac OS Macworld
VPN for someone with minimal IT skills? Recommendations from Metafilter users Ask Metafilter
Which VPN service do you use and why? Recommendations from Reddit users Reddit
What are the pros and cons of a VPN for privacy? Privacy considerations and VPN limitations Information Security Stack Exchange

If any alumni have information to share about your experience with VPN services, we’d love to hear from you.

[lightbulb]Alumni sometimes contact Wesleyan seeking access to online databases. Currently, access to Wesleyan Library’s online databases ends upon graduation. However, JSTOR—a digital library of academic journals—has launched a new program called Register & Read.

Register & Read

  • Offers free, read-online access to individual scholars and researchers who register for a MyJSTOR account.
  • Provides access to recent articles from around 1,200 journals.

More information is available at the Register & Read FAQ page.

Directory of Open Access Journals

Alumni may also find the not-for-profit Directory of Open Access Journals to be useful in some cases.

[lightbulb]If you see “The code you entered is not valid” when trying to log in to Wesconnect, even when using the correct username and password, check for a red CAPTCHA box at the bottom of the screen. You will also need to enter the words displayed in the CAPTCHA where it says “Type the two words”, in addition to your username and password, to get in.

[location of CAPTCHA box]

CAPTCHA box screenshot (click for larger version)

Why does this happen?

When Wesconnect sees multiple failed login attempts it adds a CAPTCHA box to the login screen. This is designed to foil programs written by spammers but allow actual people to log in.

[lightbulb]Missing any messages? If you use Gmail you might have noticed the new tabs in the Gmail Inbox. The way Gmail now sorts mail, some messages are routed into one of the tabs (Social, Promotions, Updates, etc.) and won’t appear in your unread message count. If you are missing out on messages and want to make sure they arrive in your Primary Inbox, then you can drag the messages to Primary and confirm that you’d like this change to apply to similar messages. Here are some screenshots to illustrate:

[Promotions tab]

1. New tabs in the Gmail Inbox

[Drag to Primary]

2. Click and drag the message to the Primary tab.

[confirm changes]

3. Click Yes to save this preference.

If you are missing messages from Wesleyan, they could be hidden in one of your new Inbox tabs :)

Google’s Gmail site has more information about the changes.

Older Posts »

Log in