

News


2017-05-12 US-CERT: Multiple Ransomware Infections Reported

Original release date: May 12, 2017

US-CERT has received multiple reports of WannaCry ransomware infections in several countries around the world. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee access will be restored.

Ransomware spreads easily when it encounters unpatched or outdated software. The WannaCry ransomware may be exploiting a vulnerability in Server Message Block 1.0 (SMBv1). For information on how to mitigate this vulnerability, review the US-CERT article on Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010. Users and administrators are encouraged to review the US-CERT Alert TA16-091A to learn how to best protect against ransomware. Please report any ransomware incidents to the Internet Crime Complaint Center (IC3).

If you have any questions or concerns on this, please email mlit@ars.usda.gov.



2017-05-03 Google Docs phishing attack: Do not open email inviting you to edit Google Docs

This alert is to notify you of a sophisticated Google Docs phishing attack which is spreading quickly via email. Please be sure to pay extra attention to any shared docs coming your way. If someone invites you to edit a file in Google Docs, don’t open it. If you do open and grant permission, you will be giving access to your email, docs, address book, etc. Google is actively investigating this to disable the app and stop the spread of this malicious email.

This is a good opportunity to remind everyone that as a general rule, never download an attachment or click on a link you are not expecting. Instead, it is best practice to open a web browser and go to the intended site. Phishing attacks like this reappear from many other services as well so it’s good to remember this in the future.

If you have any questions or concerns on this, please email mlit@ars.usda.gov.



2016-10-01 National Cyber Security Awareness Month (NCSAM)

National Cyber Security Awareness Month (NCSAM), observed every October, was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.

Since its inception under leadership from the U.S. Department of Homeland Security and the National Cyber Security Alliance, NCSAM has grown exponentially, reaching consumers, small and medium-sized businesses, corporations, educational institutions and young people across the nation. 2016 marks the 13th year of National Cyber Security Awareness Month.

For more information and training opportunities, click here: https://staysafeonline.org/ncsam/

For information on how to get involved, click here.



2016-08-26 Microsoft Home User Program

As part of the Department's O365 solution, all ARS permanent employees are eligible for Microsoft's Home User Program (HUP). This benefit provides an opportunity to purchase Microsoft Office Suite Professional Plus 2016. For additional information, please see email from Katherine ChuHickman on August 28, 2016 or contact IT support.



2016-05-13 Instructions to resolve Pulse VPN connection issues

To resolve Pulse VPN connection issues on 5/13, do the following:

  1. Open Junos Pulse/Pulse Secure and go to File > Connections > Edit
  2. In the Server URL field, add the number 1 after the word remote. If you don't see the word remote, stop here and contact Josh.
  3. Click Save
  4. Connect to VPN like normal.

Note: I cannot put the entire URL on this site for security purposes. If the instructions above do not make sense, please let me know.



2015-11-13 OPM background records data breach information

We have received a lot of questions regarding mailed letters originating from “OPM Notifications” and whether or not they are legitimate. The Office of Personnel Management (OPM) has begun sending letters to individuals who were impacted by the cyber intrusion involving background investigation records. Notifications are being sent over a period of 12 weeks from start to finish.

Here is what we know and can clarify:

  1. Letters arrive from “OPM Notifications” with perforated edges and look like junk mail.
  2. ID Experts was awarded the monitoring service contract. You must receive a letter with a unique PIN to sign up.
  3. ID Experts coverage is offered for three years.
  4. This is not the same as credit monitoring services offered and provided by CSID.
  5. At this time, OPM is not aware of any misuse of personal information.
  6. 21.5 million individuals were impacted by this.

If the letter you receive looks like one of these two, it’s likely legitimate:

  1. If records indicate your fingerprints were not compromised, your notification letter will look like this: https://www.opm.gov/cybersecurity/sample-letter.pdf
  2. If records indicate your fingerprints were compromised, your notification letter will look like this: https://www.opm.gov/cybersecurity/fingerprint-letter.pdf

Regardless of what the letter looks like, the only place you should go to enroll for coverage or get information is https://www.opm.gov/cybersecurity/. If you receive a letter directing you to a different website, it’s a scam.

I hope this helps clarify but please let us know if you have any additional questions. Information such as monitoring services and coverage limits can be found here: https://www.opm.gov/cybersecurity/



2015-10-28 ALERT: Phishing Attack Awareness

This is an important awareness alert.  Please read.

Those who wish to attack USDA computer systems often employ the strategy known as “Phishing”, where they use official-looking email messages to entice users to click links which can either secretly install malware without the user’s knowledge or prompt them to enter their login credentials that could be captured and used later.  Even a small number of customers falling for these phishing scams can lead to serious security breaches.

Over last night and this morning, we have seen two phishing campaigns targeting USDA customers.  The first was a message regarding an “IT Service: Email Quota Alert”.   Below is an example of the message and it included a link to update information.

The second, and most concerning, is the message sent this morning.  This message was titled “Your Telework Password Has Expired” and contained many hallmarks of an official message.  It also includes a link.

We’d like to take a moment to remind you how to handle messages that you suspect are phishing.

  • Do not click any links in messages which you do not immediately recognize, or which you find suspicious or unusual
  • Please forward any suspicious message to your IT Service Staff as an attachment and ask for guidance
  • Delete the suspicious message from your mailbox

The IT Staff can assist in identifying suspicious messages.  They can then forward those which appear to be phishing to SPAM.ABUSE@USDA.GOV.



2015-09-22 Important changes to USDA email access for university locations

It has been brought to our attention that the Department will be removing remote email access to USDA email accounts from trusted networks outside of USDA (i.e. University locations). Additionally they will be requiring two-factor authentication (2FA) to access email. As a result of this, OCIO will be requiring the use of VPN for University locations when accessing their email beginning on September 30th.

More details here: http://usda.wisc.edu/email/mfa/



2015-09-16 New Apple Operating System for iPads and iPhones

Apple released its latest operating system (iOS 9.0) for Apple mobile devices today. When you are prompted to install iOS 9.0 on your iPhones and iPads, it is OK to proceed with installation. MobileIron has been tested with iOS 9.0 and is working. As always, I would recommend syncing and backing up your device to iTunes prior to doing the upgrade.



2015-06-04 Information about the Recent Cybersecurity Incident

The U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed the personal information of current and former Federal employees.

Beginning June 8 and continuing through June 19, 2015, OPM will be sending email and U.S. mail notifications to current and former Federal employees potentially impacted by the incident.  Email notices will be sent from opmcio@csid.com.  Standard letters will be sent to individuals for whom OPM does not have an email address.

The communication will contain information regarding services being provided at no cost to individuals impacted by the incident, including credit report access, credit monitoring, identity theft insurance, and recovery services. Additional information will be made available beginning at 8 a.m. CST on June 8, 2015 at www.csid.com/opm.

For more information, you can read the release from OPM’s website.



2015-06-01 Migration of ARSnet to USDA Enterprise Active Directory

While USDA is making steady progress in the deployment of the Enterprise Active Directory (EAD) system, ARS has commenced the Active Directory (AD) Migration Project to facilitate our agency’s transition to the EAD. Currently USDA and ARS operate with many disparate Active Directory implementations. This architecture limits use of identity information and inhibits sharing of information across the organization. The Enterprise Active Directory (EAD) provides an infrastructure to standardize, consolidate and integrate disparate groups of users/user accounts into a single, USDA-wide structure. The consolidation efforts mentioned above have an ultimate goal of creating an environment with ubiquitous application access and seamless information exchange for any authorized USDA user.

The project’s scope includes eighty-four (84) different locations, fifty (50) distinct Active Directory environments, and a number of sites without Active Directory. EAD Migration is defined as a process and the tasks necessary to migrate existing local Active Directory or Workgroup resources (e.g. user and computer objects, groups, policies, and servers) onto the EAD. ARS’ EAD Migration project team is actively working with Business Service Center and Location IT Specialists on the details of the individual site migrations. Updates on the progress and additional information will be provided throughout the project; specific guidance will be communicated when the location schedule is finalized.

For regular updates on the status of the project please visit our space on Axon.



2015-01-21 Important Cyber Security Best Practices Reminders

FY2015 Security Awareness Training Reminder

REMINDER:  Security awareness training is due to be completed in AgLearn no later than January 31, 2015.  If you haven’t already done so, now is a great time to take that training and be reminded of important cyber security best practices.

Prevent virus outbreaks and spam


Viruses are often spread through e-mail. You can greatly reduce the spread of e-mail viruses by using antivirus software, opening e-mail only from trusted sources, opening only attachments you're expecting, and scanning attached files with antivirus software before opening them.

Spam is loosely defined as unsolicited bulk e-mail and loosely correlates to the junk mail that turns up in your home mailbox. But spam represents more than unwanted clutter. It clogs e-mail accounts--and networks and servers--while trying to sell products, spread jokes, or propagate Internet hoaxes.

Reduce the amount of spam you receive by being cautious where you post your e-mail address. Avoid publishing your e-mail address on Web sites or submitting it to every site or organization that requests it.

Never forward chain messages, which often reveal coworkers' and colleagues' e-mail addresses to other parties. Use caution when accepting e-mail offers or agreeing to accept mailings from vendors; subscribe only to Web sites and newsletters you really need.

Don't open unsolicited e-mail. If you accidentally open spam, don't click links offering to unsubscribe or remove you from the mailing list unless the sender is a trusted vendor.

Avoid phishing attacks


Phishing scams are designed to steal consumers' personal information. They often use doctored and fraudulent e-mail messages to trick recipients into divulging private information, such as credit card numbers, account usernames, passwords, and even social security numbers.

Online banking and e-commerce are generally safe, but you should always be careful about divulging personal and corporate information over the Internet. Phishing messages often boast real logos and appear to have come from the actual organization, but those messages are frequently nothing more than copyright infringements and faked addresses. If you suspect a message possesses any credibility, you are much safer calling the company directly--preferably at a telephone number printed on a paper statement or invoice--and talking to an authorized representative.

Make regular backups


A more common type of malicious software available nowadays is called ransomware.  Ransomware attacks the data stored on your computer and encrypts it, thus preventing you from accessing it.  The owner of the ransomware will attempt to extort money from you to decrypt those data files.  Sometimes paying the ransom will get your files back, and other times not.

The best defense against malicious software like this is to maintain regular backups of your critical data files.  If you don’t have a local network-based backup capability at your location, backups should be stored on a device that is not permanently attached to your computer.  Ideally, the backup device is only connected to your computer when (a) a backup is running, or (b) you must restore from a backup.  The backup device should be regularly scanned for viruses and malware to minimize its potential to be compromised.  This step is even more critical if a backup device is shared among more than one computer.  Any one of those computers that share a backup device could have a virus which infects the backup device, and then subsequently infects all other computers that use the backup device.

Keep ALL computers up to date with security patches


Many end users have multiple computers nowadays, perhaps a desktop and a laptop, or a science computer and an administrative computer.  It’s important to regularly turn on each of your computers and make sure that they are receiving critical security updates from operating system and application vendors.  ARS uses IBM Endpoint Manager (formerly Tivoli Endpoint Manager) to ensure that end user computers stay up to date.  Please check with your local IT staff to see if IBM Endpoint Manager is installed on your computer(s).  If not, please encourage your local IT staff to contact your Business Service Center IT staff for more details on IBM Endpoint Manager and how to deploy it.



2014-11-06 Upgrade to Apple iOS version 8.1

You may now upgrade your Apple iPhones and iPads to the latest version of iOS, 8.1.  Please note that the upgrade is not required at this time.  If you wish to upgrade, here are the instructions to do so:

  1. Check the App Store for updates to MobileIron (App Store > Updates)
  2. Download and install iOS 8.1 (Settings > Software Update)

If you have trouble synchronizing email, calendar, or contacts after the upgrade, please do this:

  1. Open the MobileIron App
  2. Go to settings
  3. Then select Check for Updates
  4. Then select Re-Enroll Device
  5. Accept the defaults from this point to enroll your device
  6. When prompted for your Exchange password, make sure to enter your email password, not the device passcode.


2014-10-28 Recent Service Issues with MobileIron

FYI for those of you with Apple iOS devices running MobileIron.  If your connection to MobileIron has been interrupted (lost connection to email, contacts, calendar), please do the following to restore the connection:

  1. Open the MobileIron App
  2. Go to settings
  3. Then select Check for Updates
  4. Then select Re-Enroll Device
  5. Accept the defaults from this point to enroll your device
  6. When prompted for your Exchange password, make sure to enter your email password, not the device passcode


2014-10-01 Mac OS X bash vulnerability

As you may have already heard, a critical vulnerability has been reported in the Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X.  The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system.  Systems affected by this vulnerability include Mac OS X, CentOS 5 – 7, Debian, Red Hat 4 – 7, and Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS.

Please ensure your systems are up to date by running Software Update.  Alternatively, these updates can also be installed manually by downloading here:

OS X 10.7 (Lion): http://support.apple.com/kb/DL1767
OS X 10.8 (Mountain Lion): http://support.apple.com/kb/DL1768
OS X 10.9 (Mavericks): http://support.apple.com/kb/DL1769



2014-09-18 Do not upgrade Apple devices to iOS 8 yet

Yesterday Apple released a new Operating System (iOS 8) for iPhone (4S, 5, 5S) and iPad (2, 3, 4, Air, mini, mini 2).  This update will automatically come to your Apple devices.  When prompted, please do not install the upgrade yet.  MobileIron, which is our device manager for encryption, email, and management will not work with iOS 8 until the server is upgraded.  It is anticipated that this will happen on October 13th, but I will let you know when it’s OK to upgrade.

Also remember, whenever you do a major Operating System upgrade like this, please make sure to back up your device (in iTunes) prior to installing.  If you already upgraded to iOS 8, please let me know so we can work on restoring your device (if a backup was done).



2014-06-24 Intermittent loss of email connectivity

We are currently experiencing intermittent loss of connectivity to both USDA email and Office Communicator.  We are also unable to send and receive email to/from outside of USDA.  The Enterprise Operations staff is currently working to resolve the issues.  Once the issues are resolved, all email from outside of USDA will be delivered.

2014-06-24: Update from OCIO

The problem reported earlier today affecting incoming and outgoing Internet e-mail has been successfully resolved.  Within the next 1-2 hours, all delayed Internet e-mail is expected to be processed and delivered.  There is no expectation that any messages have been lost during the service outage.

We appreciate your patience as this problem was addressed.  If you have any questions, please contact the ARS-OCIO Service Desk at HelpDesk@ARS.USDA.GOV.

 



2014-05-02 Security Vulnerability in Internet Explorer web browser

The majority of you have automatic updates enabled and will not need to take any action because the update will download and install automatically.  For those manually updating (or unsure if you are getting automatic updates), I strongly encourage you to apply this update as quickly as possible.  To do this, go to Start > All Programs > Windows Updates > Check for updates > Install updates.

You may have heard in the media that Microsoft Internet Explorer is subject to a critical security vulnerability that is still unpatched.  Furthermore, the United States Computer Emergency Readiness Team (US-CERT) has recommended that users avoid Internet Explorer browsers until this vulnerability is corrected.

ARS OCIO has confirmed that our network security tools are actively protecting the ARS network from this vulnerability.  As a result, while your computers are connected to ARS’ network, you can safely use Internet Explorer even while the vulnerability still exists.

ARS OCIO recommends that employees take the following computer security precautions:
  • When teleworking, please make extra certain that you are connected to the ARS Virtual Private Network whenever you must use Internet Explorer.  This way, ARS’ network security tools can keep your computer protected against this vulnerability.
  • On personally owned computers at home, download and install a different Internet browser, such as Mozilla Firefox or Google Chrome.  Ensure that the new browser is up to date with all of its security patches.  Then begin using that browser to access the Internet, and continue using it until all of the following events occur: (1) Microsoft releases a patch to correct Internet Explorer’s vulnerability, (2) you have successfully installed that patch on your personal computer, and (3) you have validated that your personal computer was not affected by the vulnerability.  No employee should assume that their personal Internet provider can provide the same level of computer protection as is provided by ARS’ network security tools.
  • If you have not yet upgraded your computer from Windows XP to a newer, more modern operating system, we strongly recommend that you do so as soon as possible.  It is unlikely that Microsoft will release a patch to correct this vulnerability for Windows XP computers.  As more security vulnerabilities are identified in Windows XP and its software applications, it will be nearly impossible to keep Windows XP safe from hackers attempting to exploit those vulnerabilities.

If you have any questions or concerns, please contact your local IT support contacts.

Your cooperation and support are greatly appreciated.

Thank you,
ARS/OCIO
Customer & Technical Services Branch



2014-04-10 "Heartbleed" bug - OpenSSL vulnerability

Some of you have asked about the news of the “Heartbleed” bug.  The intention of this email is to make you aware of what it is, how you may be affected, and what you can do about it.

What is it?
Basically, the “Heartbleed” bug is an information leak.  It affects the encryption technology used to protect online accounts for email, social media, banking, etc.  The bug allows outsiders to peek into personal information that was supposed to be protected from snoopers.  It exposes usernames and passwords even on “secure” sites and, unfortunately, has gone undetected for over two years.

What sites have been affected?
The potential number of affected websites is huge since approximately 66% of websites use the type of encryption technology affected by this.  Please use this website to check if your banking, email, social media, and ecommerce sites are vulnerable:  https://lastpass.com/heartbleed/

What can you do?
Eventually, you will need to change your passwords to any affected website.  Due to the nature of this bug, you will need to wait until affected sites update their servers to patch the vulnerability before you change your passwords.  Changing your username and password before a site patches its servers achieves nothing.  I would presume most popular websites will be patched by the end of this week.  The following website lets you know which sites have patched the bug, when, and if you should update your passwords yet:  https://lastpass.com/heartbleed/

What can I do to protect myself going forward?
Vulnerabilities like this highlight the importance of using different passwords for different websites.  Using the same username and password on multiple sites that hold valuable information is a really bad idea.  Consider using password management software to easily manage your growing number of accounts.  Now is a great time to start using a password manager since you will likely be changing a lot of passwords in the next few days.  For more information on this, please visit the intranet page about KeePass:  http://usda.wisc.edu/software/passwords/keepass.html

The bottom line is to change your banking, email, social media, and ecommerce passwords as soon as possible, but wait until you are sure that particular website is no longer vulnerable.  If you have any questions on this, please contact us.



2014-02-25 Apple iOS security update

Apple iPad/iPhone users:

Please take a moment to update your iPads and iPhones as soon as possible.  Apple released an update over the weekend addressing a security vulnerability in iOS.  The vulnerability has to do with the encryption technology within the operating system.  Without the patch your device is susceptible to a “man-in-the-middle” attack which is basically an interception of communications when connected to an insecure network.  Apple released iOS update 7.0.6 to address this problem.  Please install this update as soon as possible by going to:  Settings > General > Software Update.

Mac OS X is also vulnerable to this.  Apple is working on a fix that will be released soon.

For more information, please read the following article:  http://www.networkworld.com/news/2014/022314-major-ssl-flaw-found-in-279004.html



2014-01-24 Windows XP to Windows 7 migration

As many of you already know, Microsoft is ending support for Windows XP on April 8th, 2014.  This termination applies to security updates and support services from Microsoft.  Without security updates, an operating system leaves computers vulnerable to attacks that exploit software vulnerabilities.  Following suit will be the major software vendors (Adobe, Oracle, Symantec, VMware, etc.), ending support for their software running on XP as well.

With the April 8th deadline fast approaching, we have been working on migrating or replacing applicable systems throughout the location to Windows 7.  Many of you have already been upgraded or will be upgraded soon.  The majority of systems left to upgrade are connected to instruments.  This is where we need your help.

For any computer running in your lab that is running Windows XP, please check with your instrument support vendor to see if they have software compatible with Windows 7 to work with your existing equipment.  When contacting them, they will need to know which version of Windows you are running.  In most cases, your answer will be Windows 7, 64-bit (unless we tell you otherwise).  In the past few months we have had some vendors provide free software upgrades and others charging for the upgrade.  We have also had cases where the equipment is no longer supported which means the computer cannot be upgraded until the instrument is.

For computers that require Windows XP (or older) due to software/instrument compatibility and lack of ability to upgrade, we will be creating a waiver for them.  In these instances, a waiver will be submitted to headquarters and network access will be shut off to each of these computers.

Thank you in advance for your patience, help, and cooperation as we complete this migration.  Please let us know if you have questions or concerns on any of this.



2013-12-16 AgLearn services issue

From: TeamAgLearn
Sent: Monday, December 16, 2013 10:54 AM
Subject: AGLEARN SERVICE ISSUES UPDATE
Importance: High

The AgLearn issues that surfaced last week have resumed this week, though not quite as seriously as before. This is caused by an extraordinary and unanticipated number of users who are accessing the system to complete their IDPs. Everything is working properly, but the number of IDPs open at any one time, combined with the high database resource demands of the IDP process, has severely affected system speed and responsiveness.

Team AgLearn is monitoring the situation and will provide updates as they become available. In the interim, it is recommended to save all non-essential AgLearn usage until things calm down. Reports should be scheduled to be run after working hours, if at all possible.

In an effort to anticipate the breadth and duration of the issue, please contact Jerome Davin or John Rehberger if your agency is currently encouraging its users to take immediate action on their evaluations and IDPs. We have identified two agencies for which elevated IDP and related usage are contributing to the issue, and need to find out if there are others in order to plan an appropriate response.

Team AgLearn apologizes for any inconvenience.

 

Team AgLearn

aglearn.usda.gov


2013-11-12 Philippines Typhoon Disaster Email Scams and Phishing Attack Warning

After a natural disaster, phishing emails and websites requesting donations for bogus charitable organizations begin to appear.  Please be aware of potential email scams and phishing attacks regarding the recent Philippines Typhoon disaster.  Email scams may contain links or attachments which direct you to phishing or malware-laden websites.

Please take the following measures to protect yourself as recommended by US-CERT:



2013-06-06 Outlook Proxy Error Message

If you see a message similar to the one below, please click OK and verify you are still connected to email (i.e. Connected to Microsoft Exchange).  You may need to log back into Outlook.  If you are still not connected to Exchange after logging back in, please let Bryan or me know.

Microsoft is working on the problem and it should be resolved soon.



2013-05-21 VPN Connectivity Issues

Last Friday, a number of you received an automatic update for the Cisco AnyConnect client software that is used to connect to the ARS Virtual Private Network (VPN).  That client upgrade was unexpected and unplanned at the time.

As a result, many of you may experience a warning screen like this one when connecting to the default VPN location:

 

If you are seeing this screen for the first time, please click the "Change Setting…" button as highlighted above.  Then on the ensuing window, please click the "Apply Change" button as highlighted below.


If you have already seen the red screen above, and clicked on the "Keep Me Safe" button, please call the ARS Service Desk on 1-866-802-4877 so that a technician can assist you in troubleshooting the issue and re-installing the Cisco AnyConnect client software if necessary.

Please note that even when the red screen above stops appearing, you will still regularly see a screen like the one shown below:

When you see the above screen, please click the "Connect Anyway" button to access the VPN.

ARS OCIO appreciates your patience and understanding as we work with you to correct this issue.



2013-04-17 US-CERT - Scams Exploiting Boston Marathon Explosion

Please be aware that historically, scammers, spammers, and other malicious actors capitalize on major news events by registering domain names (website URLs) and social networking accounts related to the events.  They do this to take advantage of those interested in learning more details about major events, or to target individuals looking to contribute to fundraising efforts.

Pay attention to the information highlighted below and always remember:  do not open unexpected attachments or click on links in suspicious emails.  Be cautious browsing social media websites claiming to represent interests of those involved in any incident.

-----Original Message-----
From: US-CERT
Sent: Wednesday, April 17, 2013 2:51 PM
Subject: US-CERT - Scams Exploiting Boston Marathon Explosion

National Cyber Awareness System
Scams Exploiting Boston Marathon Explosion

Original release date: April 17, 2013

Malicious actors are exploiting the April 15 explosions at the Boston Marathon in attempts to collect money intended for charities and to spread malicious code. Fake websites and social networking accounts have been set up to take advantage of those interested in learning more details about the explosions or looking to contribute to fundraising efforts.

For example, the Twitter account @_BostonMarathon was created shortly after the explosions took place. The account stated it would donate $1 for each retweet and was crafted to closely resemble the legitimate Boston Marathon Twitter account (@BostonMarathon). This account has since been suspended by Twitter; however, the likelihood that similar social media accounts will surface remains high.

Phishing email campaigns are also circulating using subject lines related to the Boston Marathon explosions. Do not open unexpected attachments or click on links in suspicious emails, even if the email appears to be from someone you know.

US-CERT recommends that all persons interested in donating funds should go directly to established charities such as the American Red Cross.
Exercise caution when interacting with social media accounts that claim to represent the best interests of those involved in the incident, and directly visit established news sources rather than conducting general search engine queries, as it can be difficult to tell which search results may lead to scam sites.

2013-03-27 Skype usage

USDA Cybersecurity has granted ARS an exception allowing the use of Skype to conduct official Government business.  If you create an account, please ensure you sign up using your USDA email account.  For security reasons, there are changes that need to be made on each computer that Skype will be used on.  Prior to using Skype on any computer, please see Bryan or Josh.

For acceptable use of Skype, please reference the OCIO policy and procedure titled “Use of Information Technology Resources”: http://www.afm.ars.usda.gov/ppweb/pdf/253-4rev.pdf


2013-03-14 Use of personally-owned equipment for telework

Information is coming about a new bulletin on personally-owned equipment for telework. Stay tuned for detailed information.

Bulletin 13-007 "Telework Security and Non-Government Furnished Equipment"

This bulletin provides the ARS policy and procedures for securing non-government furnished equipment used for ARS telework programs. You can access this bulletin and the REE Administrative Issuance website at the following URL:

http://www.afm.ars.usda.gov/ppweb/Bulletins/2013/13-007.pdf

2013-03-12 Phishing/Spam ALERT: Increased Phishing Activity

**********************************>>>>>>  IMPORTANT ITS SECURITY NOTICE  <<<<<<******************************************

Please Be Advised:

A phishing/spam campaign is underway against USDA email addresses. It began yesterday afternoon, March 11th, at approximately 3:00 CTS. 
This campaign is reaching USDA email addresses in high volumes.  

No malicious payloads have been identified with this spam campaign.  The messages do, however, contain highly suspicious links.  A single click of a link can have severe impacts on our security. Do not click any links or attachments in emails which appear suspicious. 

  • The subject of the email message varies and includes but may not be limited to:  Fasting, Halting, Long, From Friends, Hi Again, New, Your Friends, Your Friend, The Best, Hello Friend, Newest, Hello
  • The email contains a hyperlink. The names of the link vary and include but may not be limited to: click here, check, watch that, this is what you need, see this, try.
  • In many cases the attacker is spoofing USDA email addresses of separated individuals whose accounts are no longer in service. The messages often include the spoofed sender as a recipient of the message.  In addition, the attacker appears to be grouping recipients alphabetically by last name. 
  • If you receive this message, delete it immediately. To permanently delete an email message, highlight the message and press Shift + Delete. No further action is necessary.
  • If you received this message and did click the link, please contact your local IT Help Desk or Business Service Center IT Branch.  Additional advice will be provided once you’ve contacted your local IT Help Desk.
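
The indicators listed in this alert, expressed as a mail-triage check. This is an added example, not part of the original notice; the `agency.example` addresses, the `first.last` address layout, the sample messages and the rule requiring one content indicator plus one header indicator are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from html.parser import HTMLParser

# Subject lines and link texts quoted in the alert (the alert notes the lists may be incomplete).
ALERT_SUBJECTS = {"fasting", "halting", "long", "from friends", "hi again", "new",
                  "your friends", "your friend", "the best", "hello friend", "newest", "hello"}
ALERT_LINK_TEXTS = {"click here", "check", "watch that", "this is what you need",
                    "see this", "try"}


class AnchorText(HTMLParser):
    """Collect the visible text of every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.in_anchor = False
        self.texts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.in_anchor = True
            self.texts.append("")

    def handle_endtag(self, tag):
        if tag == "a":
            self.in_anchor = False

    def handle_data(self, data):
        if self.in_anchor:
            self.texts[-1] += data


def body_html(msg):
    """Return the first text/html part of the message, or an empty string."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def last_name(address):
    """Assumption: mailboxes are laid out as first.last@domain."""
    return address.split("@")[0].rsplit(".", 1)[-1]


def indicators(raw):
    """List which of the alert's four traits a raw RFC 5322 message shows."""
    msg = message_from_string(raw)
    hits = []
    subject = re.sub(r"\s+", " ", msg.get("Subject", "")).strip().lower()
    if subject in ALERT_SUBJECTS:
        hits.append("subject")
    parser = AnchorText()
    parser.feed(body_html(msg))
    if any(t.strip().lower() in ALERT_LINK_TEXTS for t in parser.texts):
        hits.append("link_text")
    senders = [a.lower() for _, a in getaddresses(msg.get_all("From", []))]
    rcpts = [a.lower() for _, a in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    # Spoofed sender also listed as a recipient.
    if any(s in rcpts for s in senders):
        hits.append("sender_is_recipient")
    # Recipients grouped alphabetically: here, three or more sharing one last-name initial.
    initials = {last_name(a)[:1] for a in rcpts}
    if len(rcpts) >= 3 and len(initials) == 1:
        hits.append("alphabetical_recipients")
    return hits


def matches_campaign(raw):
    """Subjects such as "New" are common in normal mail, so require a content
    indicator together with a header indicator before flagging."""
    hits = set(indicators(raw))
    return bool(hits & {"subject", "link_text"}) and \
        bool(hits & {"sender_is_recipient", "alphabetical_recipients"})


# Constructed sample messages (not real traffic).
SAMPLE_CAMPAIGN = """\
From: pat.baker@agency.example
To: pat.baker@agency.example, lee.barnes@agency.example, sam.bell@agency.example
Subject: Hi Again
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://link.invalid/x">watch that</a></body></html>
"""

SAMPLE_ORDINARY = """\
From: kim.olsen@agency.example
To: ana.diaz@agency.example
Subject: New
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>Schedule is on the <a href="http://intranet.invalid/s">intranet page</a>.</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("campaign", SAMPLE_CAMPAIGN), ("ordinary", SAMPLE_ORDINARY)):
        print(name, indicators(raw), matches_campaign(raw))
```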

2013-01-14 Update for Java security vulnerability

** If you are on PatchLink, no action is required since you will receive this update automatically. If you are not on PatchLink or are not sure if you are, please keep reading and follow the instructions. **

Who’s affected:  Computers running Windows or Mac OS X (10.7 and higher)
What’s affected:  Java version 7
When:  Immediately
Why:  Java recently reported a critical security vulnerability affecting Java version 7.  Since then Oracle released a security update to help reduce any potential risk.  If you are running Java 7, please make sure to install Java 7, update 11 as soon as possible.  If you are running Java 6, no action is required.  If you are unsure which version of Java you are running, please go to this website to check:  http://www.java.com/en/download/testjava.jsp

How:  To manually install and update your version of Java, please download the applicable update below.  (Note to Windows 7 users:  If you’re unsure which version to download, you can check by going to Start > right click on Computer > Properties > look at “System type”)

Windows 7, 64-bit:  http://144.92.64.228/sw/win/jre-7u11-windows-x64.exe
Windows XP and Windows 7, 32-bit:  http://144.92.64.228/sw/win/jre-7u11-windows-i586.exe
Mac OS X 10.7.3 and above:  http://144.92.64.228/sw/mac/jre-7u11-macosx-x64.dmg (note: OS X 10.6 and earlier do not need updating as Java 7 does not run on earlier versions).

Once downloaded, run and install accepting all defaults except do not allow or agree to any installations of toolbars, third-party software, web browsers, etc.

There may be more to come on this.

2013-01-04 EMM Certificate Update Affecting iOS Devices

TO:  All Customers With iPhone/iPad Devices Linked to USDA Mailboxes

We’ve received word that at 9pm CT on Friday, Jan 4th, the department will be updating a security certificate on the McAfee Enterprise Mobility Management system.  This system allows your Apple mobile device to synchronize with your mailbox. 

This change will require you to take action on your mobile device in order to maintain service after the update.

Please review the attached document which describes the steps that you must take after the update occurs to allow your device to continue syncing with your mailbox.  If you do not follow the directions attached, you will not be able to send and receive mail from your device until it is re-enrolled in the system.  The steps for re-enrollment are also included in the attached document.

If you have any questions about this upcoming change, please contact your local IT staff or the ARS Help Desk at helpdesk@ars.usda.gov.

2012-10-29 Possible service outages at GWCC

We have been informed that there is a good chance that GWCC at headquarters will experience a power outage due to Hurricane Sandy.  If this occurs, there are several services that may be impacted.

  • If the USDA Washington gateway loses power or the department implements failover to the San Francisco node, our Marshfield and Sturgeon Bay locations may have temporary internet outages and latency.
  • ARSnet VPN will most likely be down at GWCC.  If this occurs and you need VPN access during the outage, please use the backup VPN server using this address:  199.133.255.9  (Open Cisco AnyConnect VPN client and change “connect to” to 199.133.255.9 instead of the current server).
  • Other services such as ARIS applications may also be impacted depending on failover capabilities.

Specific outages and further information will be posted on our intranet site at this link:  http://144.92.64.228/status

2012-05-23 Cisco Virtual Private Network (VPN) changes (ARSnet)

Who:  Anyone currently using ARSnet VPN (travelers, teleworkers, and USDA software users)
What:  Cisco VPN software upgrade
When:  Effective immediately
Why:  ARS has decided to roll out a new version of Cisco VPN software earlier than expected.  In order to login to ARSnet VPN, you will need to do this update.  The update is a new software package called Cisco AnyConnect client.  The login credentials you use will be the same as your USDA email account.
How:  Download and install the software using the links below.

Instructions
Windows:  http://144.92.64.228/software/ciscovpn/index.html
Mac:  http://144.92.64.228/software/ciscovpn/index.html#mac

2012-05-21 DFRC scheduled power outage - May 24th

DFRC has a scheduled power outage on Thursday, May 24th starting at 6:00pm.  The outage could last 2 hours and requires a shutdown of some servers and network equipment in the building.  In preparation for this, we will begin shutting down services starting at 3:00pm Thursday afternoon.

Please make sure you shut down your lab computers, office computers, and equipment before you leave Thursday.  Please do so in this order:

  1. Shut down computers
  2. Turn off other devices such as printers, monitors, external hard drives, lab equipment, etc
  3. Turn off UPS battery backups attached to computers/equipment (if applicable)

The following services may be unavailable starting Thursday around 3:00pm through the duration of the power outage:

File servers (Public drive/Dropbox, lab drives, user drives, scan drives, etc)
Location intranet site
DFRC website/email
Daisy repository
Admin file servers
Admin VPN
FileMaker databases
DairyComp
SysAid
RefMan/Endnote server
Licensing services (ArcGIS, DNAstar Lasergene, Prism, Creo, Aligner)
VMware virtual remote desktops
CLC genomics server and client workstation
Zimbra calendars
All blog websites
Remote FTP server access

Once power has been restored to the building, network access will be restored first followed by servers.  If everything goes well, all services will be restored Thursday night.

2012-05-16 DFRC scheduled power outage - May 19th

DFRC has a scheduled power outage on Saturday, May 19th starting at 8:00am.  The outage could last 3-6 hours and requires a shutdown of some servers and network equipment in the building.  In preparation for this, we will begin shutting down services starting at 5:00pm Friday evening.

Please make sure you shut down your lab computers, office computers, and equipment before you leave Friday.  Please do so in this order:

  1. Shut down computers
  2. Turn off other devices such as printers, monitors, external hard drives, lab equipment, etc
  3. Turn off UPS battery backups attached to computers/equipment (if applicable)

The following services may be unavailable starting Friday night around 5:00pm through the duration of the power outage:

File servers (Public drive/Dropbox, lab drives, user drives, scan drives, etc)
Location intranet site
DFRC website/email
Daisy repository
Admin file servers
Admin VPN
FileMaker databases
DairyComp
SysAid
RefMan/Endnote server
Licensing services (ArcGIS, DNAstar Lasergene, Prism, Creo, Aligner)
VMware virtual remote desktops
CLC genomics server and client workstation
Zimbra calendars
All blog websites
Remote FTP server access

Once power has been restored to the building, network access will be restored first followed by servers.  If everything goes well, all services will be restored Saturday afternoon.

2012-05-15 CCRU Firewall upgrade

DOIT Engineering will be migrating our firewall to a new version on Thursday, May 17th.  The outage should last no more than 1 – 2 minutes during the time window.

The brief outage will result in NO LAN, NO Network Printing, and NO Internet during the small time window.

2012-05-09 DFRC scheduled power outage - May 10th

DFRC has a scheduled power outage on Thursday, May 10th starting at 6:00pm.  This power outage requires a shutdown of some servers and network equipment in the building.  In preparation for this, we will begin shutting down services starting at 2:00pm Thursday afternoon.  Once everything is down, you will not have network access or remote access to the services below for the duration of the outage.

Please make sure you shut down your lab computers, office computers, and equipment before you leave Thursday.  Please do so in this order:

  1. Shut down computers
  2. Turn off other devices such as printers, monitors, external hard drives, lab equipment, etc
  3. Turn off UPS battery backups attached to computers/equipment (if applicable)

The following services will be unavailable starting Friday night around 5:00 pm through the duration of the power outage:

File servers (Public drive/Dropbox, lab drives, user drives, scan drives, etc)
Location intranet site
DFRC website/email
Daisy repository
Admin file servers
Admin VPN
FileMaker databases
DairyComp
SysAid
RefMan/Endnote server
Licensing services (ArcGIS, DNAstar Lasergene, Prism, Creo, Aligner)
VMware virtual remote desktops
CLC genomics server and client workstation
Zimbra calendars
All blog websites
Remote FTP server access

Once power has been restored to the building, network access will be restored first followed by servers.  If everything goes well, all services will be restored Friday morning.

Once you get into the office following the outage, turn on your UPS (if you have one) and wait at least one minute, then turn on computer, monitor and other devices.  If you have any questions, please let me know.

2012-05-08 Marshfield network upgrade - May 14th

The Marshfield network will be cut over to a new router (ARSnet 2.0) on Monday, May 14th, starting at 9:00am.  During this time, network access will be unavailable.  Headquarters has scheduled an hour timeframe for the completion of work. Please plan accordingly and let me know if you have any questions.

2012-05-07 Sturgeon Bay network upgrade - May 7th

The Sturgeon Bay network will be cut over to a new router (ARSnet 2.0) on Monday, May 7th, starting at 8:00am.  During this time, network access will be unavailable.  Headquarters has scheduled an hour timeframe for the completion of work. Please plan accordingly and let me know if you have any questions.

2012-05-04 DFRC scheduled power outage - May 5th

DFRC has a scheduled power outage on Saturday, May 5th.  This power outage requires a shutdown of servers and network equipment in the building.  In preparation for this, we will begin shutting down services starting at 5:00 pm on Friday evening (May 4th).  Once everything is down, you will not have network access or remote access to any of the services below for the duration of the outage.

Please make sure you shut down your lab computers, office computers, and equipment before you leave Friday.  Please do so in this order:

  1. Shut down computers
  2. Turn off other devices such as printers, monitors, external hard drives, lab equipment, etc
  3. Turn off UPS battery backups attached to computers/equipment (if applicable)

The following services will be unavailable starting Friday night around 5:00 pm through the duration of the power outage:

File servers (Public drive/Dropbox, lab drives, user drives, etc)
Location intranet site
DFRC website/email
Daisy repository
Admin file servers
Admin VPN
FileMaker databases
DairyComp
SysAid
RefMan/Endnote server
Licensing services (ArcGIS, DNAstar Lasergene, Prism, Creo, Aligner)
VMware virtual remote desktops
CLC genomics server and client workstation
Zimbra calendars
All blog websites
Remote FTP server access

Once power has been restored to the building on Saturday, network access will be restored first followed by the servers.  If everything goes well, all services will be restored Saturday evening sometime.

Once you get into the office following the outage, turn on your UPS (if you have one) and wait at least one minute, then turn on computer, monitor and other devices.  If you have any questions, please let me know.

2012-04-05 Mac OS X Flashback trojan

As you may have already heard, there is a Mac OS X Trojan circulating called Flashback.  The Trojan infects systems by exploiting a vulnerability in Java and can arrive through many different methods.  Please ensure your Mac systems are up to date by running Software Update.  These updates can also be installed manually by downloading here:

Snow Leopard (10.6): http://support.apple.com/kb/DL1516
Lion (10.7): http://support.apple.com/kb/DL1515

News: http://www.pcmag.com/article2/0,2817,2402685,00.asp

2012-04-03 Firefox blocking Java

** If you are on PatchLink you will receive this update automatically **

Mozilla has blacklisted all unpatched versions of Java in order to protect users from attacks that exploit known vulnerabilities.  Java is the plug-in needed for many web applications including all ARIS applications (CATS, ARMPS, ARIS, etc).  Because of this block, many of you have found out you can’t open CATS or other software that requires Java in Firefox until you upgrade.  Please follow these steps to upgrade Java on your computer:

  1. Go to:  http://java.com/en/download/index.jsp
  2. Click “Free Java Download” and save the file to a temporary place on your computer
  3. Open the downloaded file to begin the install
  4. *Important:* when prompted to install any toolbars, uncheck the option so you don’t receive any toolbars
  5. Finish the install by accepting the defaults

For those of you on PatchLink, this update has been released and will install automatically by tomorrow morning.

2012-03-23 Critical Microsoft patch MS12-020

Microsoft has released a patch to address a critical vulnerability (MS12-020) in Windows’ Remote Desktop Protocol.  This vulnerability applies to all versions of Windows.  Please run Microsoft/Windows updates (http://update.microsoft.com/microsoftupdate/) as soon as possible.  This includes Mac users with Windows running as a virtual machine (VMware View, Fusion, or Parallels).  Again, if you’re on PatchLink, you will receive this update automatically between this afternoon and Monday.

--------------

One of the March Microsoft security bulletins issued last week, MS12-020 is a “Critical” patch to correct a vulnerability in Windows’ Remote Desktop Protocol (RDP).  MS12-020 should be patched immediately, as a proof-of-concept exploit has been discovered online and a known exploit has now been released in the wild to be used against vulnerable systems.
Since Remote Desktop is a significant component of ARS’ current telework environment, it is critical that MS12-020 gets deployed to all devices supporting the patch, both workstation and server alike.  Please include infrequently used computers (laptops, netbooks, Government-furnished telework computers, etc) as well. They should be turned on and updated through your normal enterprise means as soon as possible.

Ideally, personally owned equipment has already received this and all other critical updates through use of the Automatic Updates feature provided by Microsoft.

The following information was provided by SANS:
--Microsoft Patches Critical Remote Desktop Protocol Flaw (March 13 & 14, 2012) Microsoft is urging users to apply a fix released Tuesday, March 13, for a critical vulnerability in the Remote Desktop Protocol (RDP). Microsoft says hackers are likely to release an exploit for the flaw within the next month. In all, Microsoft patched seven vulnerabilities in its monthly security update.
http://www.infoworld.com/t/windows-security/microsoft-urges-firms-focus-severe-rdp-flaw-188693
http://www.computerworld.com/s/article/9225160/Experts_sound_worm_alarm_for_critical_Windows_bug?taxonomyId=85
http://krebsonsecurity.com/2012/03/rdp-flaws-lead-microsofts-march-patch-batch/
http://www.h-online.com/security/news/item/Microsoft-closes-critical-RDP-hole-in-Windows-1471581.html
http://www.darkreading.com/vulnerability-management/167901026/security/application-security/232602627/microsoft-flaw-demonstrates-dangers-of-remote-desktop-access.html
UPDATE: ISC infocon went yellow over the release of exploit code.
https://isc.sans.edu/diary/INFOCON+Yellow+-+Microsoft+RDP+-+MS12-020/12805

2012-03-12 Outlook - Proxy Server Certificate Error

We’re receiving reports that some users are receiving this error when opening Outlook:

[Image: error message]

Outlook is still functional but if you are affected by this issue, please take the following steps:

  1. Reboot workstation and try to log in and see if that addresses the error
  2. Ensure that Windows is updated (Start > Programs > Windows Update).  Once the updates have completed log in to Outlook and see if that addresses the error.

If this does not resolve the problem, please let me know as soon as possible.

2011-10-12 Intermittent Global Blackberry Outage

Please be aware that there is a widespread outage occurring globally related to Blackberry devices so you may not be able to rely on Blackberry communications as you are accustomed to doing.  Personally, my Blackberry service has been intermittent all day today.  This has caused a major battery drain as well as communication disruptions.  More info is below to give you details about the situation:

From CNET:

“BlackBerry subscribers throughout the world continued to experience disruptions in service for a third consecutive day as problems with Research In Motion's equipment in its data centers appears to now be affecting North American subscribers as well. Customers using Research In Motion's BlackBerry smartphones in the U.S. and Canada are now also without access to e-mail and BlackBerry messaging in an outage that has already plagued subscribers in Europe, the Middle East, and Africa since Monday. RIM said it has fixed the problem on Monday. But service disruption continued Tuesday with only spotty access to e-mail, BlackBerry Messenger, and Web. At first the problems only affected subscribers mainly in Europe, the Middle East, India, and Africa. But the issues spread to other parts of the world including parts of South America. And this morning customers in the U.S. and Canada also began complaining of e-mails being delayed and sent in batches. One user in the Boston area said he began seeing e-mail delays early this morning. And when batches of e-mail arrived, they were about three hours old. Earlier RIM blamed the disruption to service that affected Europe, the Mideast, India, Latin America, and Africa on a failed switch and backup. The company said the problem had been fixed. But it also added that it might take some time to work through the backlog of data, which had not yet been sent to subscribers' devices. E-mail started to trickle in for some users late yesterday.
"Although the system is designed to failover to a backup switch, the failover did not function as previously tested," the company explained in a statement on Tuesday. "As a result, a large backlog of data was generated and we are now working to clear that backlog and restore normal service as quickly as possible. We apologize for any inconvenience and we will continue to keep you informed."
It's not yet clear whether the issues plaguing customers overseas are what is also affecting service in North America. RIM has acknowledged that there is a problem with its service in the U.S. and Canada. But it didn't provide specific information. "BlackBerry subscribers in the Americas may be experiencing intermittent service delays this morning," the company said. "We are working to resolve the situation as quickly as possible and we apologize to our customers for any inconvenience. We will provide a further update as soon as more information is available." BlackBerry users in Canada and parts of Central and South America also suffered service disruption last month, when RIM's e-mail and messenger services were down. RIM's BlackBerry network architecture is its strength as well as its biggest weakness. Unlike other smartphone platforms, RIM routes all e-mail and messaging traffic through its BlackBerry servers in network operation centers throughout the world. This centralized architecture for the service means that additional encryption and security can be added to the messages that traverse the network. And for many corporate customers, this added security is the main reason they use the service. But the architecture also means there are single points of failure throughout the network. This means that when there is a major infrastructure disruption, it can affect entire regions of service, potentially knocking out service for tens of millions of customers. By contrast competing smartphones, such as the iPhone and Google Android devices, do not suffer from the same types of outages because there is no single point of failure in the network.”

2011-09-22 eAuthentication outage

FYI…eAuthentication is currently down.  This means you will not be able to login to the following services until eAuthentication has been restored:  Aglearn, eOPF, Employee Personal Page, FMMI, WebTA, GovTrip, CPAIS, TUMS, and any other site that uses eAuthentication.

2011-07-22 LincPass cards

USDA has enabled e-Authentication (e-Auth) with the ability to login to the web portal using your LincPass card.  You may already be familiar with some of the e-Auth applications, such as WebTA, myEPP, e-OPF, AgLearn, FMMI, and GovTrip.  You can now access those applications with your LincPass card, your PIN and a card reader.  If you do not yet have an active LincPass card, you can continue using your regular e-Auth ID and password to access the applications.

Make sure that your LincPass card is activated.  By now, you should have a card, be enrolled and know your secret Personal Identification Number (PIN).  Your LincPass PIN should be protected like your banking ATM PIN.  The LincPass PIN will never expire, so make sure you remember it.  If you have forgotten your PIN or need a LincPass card, contact your Area Location LincPass Sponsor.  Go to www.afm.ars.usda.gov/lincpass/ and open the “Area LincPass Sponsor and Security Officer” document to find your LincPass sponsor.

Visit www.afm.ars.usda.gov/lincpass/ for a quick overview on what you need to start using your LincPass card.  You will find several useful documents there, but start with the “Ready, Set, Go LincPass” document.  A link to USDA’s Frequently Asked Questions (FAQs) is also included. 

Next, ensure that your computer has the ability to read a LincPass card.  Some computers have a card reader built into the keyboard like the one pictured below.  Look for a slot that may accept your LincPass card or ask your local IT specialist for assistance. 

[Image: keyboard card reader]

If your computer does not have a card reader or if you need a portable card reader for your laptop, a USB card reader, like the one pictured below, can be supplied and plugged into your computer’s USB port.  Please contact your local help desk to have one installed. 

[Image: USB card reader]

When you are ready to use an e-Auth application, do the following steps:
1. Insert your LincPass card in your card reader
2. Start up your web browser
3. Click on the e-Auth application you want to use
4. Read the login banner and click on “I Agree”
5. Click on the “Login with my LincPass” button
6. You will be presented with a “Confirm Certificate” box.  Click OK
7. At the next box, enter your secret PIN. Click OK
8. Start using your application

Future Functionality: Access to ARS’s email and IAS
Please note that we are developing a technological solution to enable remote access to ARS’s email with your LincPass card, but it is not yet available for the Beltsville Area Office and those outside of the National Capital Region Area.   Only the employees at the George Washington Carver Center, South Building, Portals, Whitten Building and at the National Agricultural Library can access ARSnet email directly with their LincPass card.  Also, USDA’s Integrated Acquisition System (IAS) will soon be accessible through e-Auth.  Rather than having to remember a complex password, all you would need is your PIN.  As more applications are added to e-Auth, you should start using your LincPass cards to ensure your LincPass card works and to become familiar with the log-in process.

If you have any questions about your LincPass cards, please contact your local LincPass sponsor. 
If you have any questions regarding card readers, please contact your local ARS Help Desk.

2011-07-21 OS X 10.7 (Lion) upgrade

As you probably know, Apple released its next operating system (Mac OS X 10.7 – Lion) to the public on Wednesday.  Lion is available as a download from the Mac App Store, in-store download, or USB flash drive as an upgrade for Snow Leopard (10.6).  For right now, we recommend that you wait to install OS X 10.7.

As with any major software upgrade, there are numerous incompatibilities that will hopefully be resolved in the near future.  Apple removed Rosetta support with the release of 10.7, so legacy apps will no longer work natively on the o/s.  There are numerous applications that are incompatible with 10.7 right now.  To see a searchable database, click here:  http://roaringapps.com/apps:table

Lion is only available as a 64-bit install.  Many applications will not run on 64-bit operating systems yet, including Cisco’s VPN client which is currently required to access ARS email and various web-based applications.  As the email migration moves forward, we’ll know more in the next couple of weeks about what forms of authentication will be required to access email remotely.  We’ll keep you updated as everything unfolds.

2011-04-29 Upcoming Email Spam/Virus Filtering Change

In mid-December, ARS transitioned our incoming message scanning from the previous MessageScreen system to the USDA IronMail service.  This action was taken as a required, preliminary step for the upcoming migration to the new USDA Enterprise Messaging System – Cloud Service (EMS-CS).  Based upon your feedback, we have found that the IronMail system has been unable to meet the business needs of ARS.

Beginning at 8pm ET on Monday, May 2nd, OCIO staff will begin rerouting inbound mail so that it will again be filtered by the MessageScreen gateways.  When completed Monday evening, IronMail will no longer filter incoming email for ARS. 

For customers who still have the MessageScreen plug-in installed in their Outlook client, they will be able to again access their quarantined mail with no changes.  For customers who no longer have the MessageScreen plug-in or are using Entourage, they may access their quarantines by using the URL https://messagescreen1.ars.usda.gov and entering their email address and their ARSnet password.

This change is not expected to result in any email delays for inbound messages and no messages will be lost in the transition.  There are changes which you should be aware of.

  • ZIP and other Compressed Formats – Compressed file formats such as ZIP, ARC, RAR will not be directly delivered to your mailbox.  Instead, the attachment will be quarantined by MessageScreen and may be downloaded by clicking the link added to the message.
  • Higher Incoming Size Limit – The limit for incoming attachments will return to 100MB vice 50MB.  (Attachments larger than 10MB will be parked on the MessageScreen gateway but can be downloaded by clicking the link added to the message.  Incoming attachments exceeding 100MB in size will be returned to the sender as undeliverable.)
  • User Quarantine Access – You will again have access to quarantined mail by either using the MessageScreen plug-in or visiting https://messagescreen1.ars.usda.gov 
  • Personal Trusted/Blocked Senders Lists – The Personal Trusted/Blocked Senders lists which you had in place prior to the switch to IronMail will remain in place and active for your account.

If you have any questions about this change, please contact your location IT Staff, Area IT Staff or helpdesk@ars.usda.gov.

2011-04-27 George Washington Carver Center (GWCC) Power Outage - Saturday, April 30th

The General Services Administration (GSA) has scheduled a power outage and electrical maintenance for the George Washington Carver Center (GWCC) on Saturday, April 30th.  This power outage requires the shutdown of the GWCC computer room.

The maintenance window will begin at 6am ET Saturday, April 30th and services will be restored by 11pm ET, barring any unforeseen circumstances.  During this time Exchange, ARIS, SharePoint, VPN, eVault, eForms, REE Directory, and all ARS websites will be unavailable.  The HQ, BA, NAA, SAA will not have Internet service.

HQ staff will not be permitted access to GWCC during the outage.

If you have questions regarding this schedule, please contact the ARS Service Desk at 1-866-802-4877.

Thank you,
ARS/OCIO
Customer & Technical Services Branch

2011-04-15 Internet Email and NFC access

We are currently experiencing problems receiving mail from sources outside of ARS and accessing NFC systems. Network engineers are investigating the issue. Once the cause has been found, we can estimate when this will be resolved.

We appreciate your patience and understanding while this issue is being resolved.

 

2011-03-30 Scam warning: Adobe Acrobat Reader upgrade

An email containing the subject “Action required : Upgrade New Adobe Acrobat Reader For Your PC” has been getting through filters and arriving in mailboxes this morning (screenshot is below).  This is a phishing attempt soliciting information.  Submitting information to the site may result in identity theft or other fraud.  Please delete the message immediately.  If you entered information into the website, please let me know asap.

2011-02-25 ARIS and other systems

A problem has appeared early this morning which has affected a number of HQ systems such as ARIS, SharePoint, REE Directory, eForms and Web Sites.  Other services, such as Exchange, eVault, AD Manager are working normally.  OCIO staff are working to isolate and resolve the problem and will have service restored as soon as possible.

Thank you,
ARIS Staff

2011-01-21 McAfee Endpoint Encryption software upgrade scheduled for Jan 31st

On January 31, 2011, all encrypted laptops* will automatically be upgraded to MEE version 5.2.5 without additional user intervention.  However, you will need to connect your laptop to the network and leave it running for at least 20 minutes the first time you use your laptop on or after the date the upgrade is scheduled.

The MEE upgrade provides the following:

  1. Improved hibernation and suspend/resume support
  2. Built-in error checking and correction for the local encryption database

* The only laptops that will not be encrypted are Dell E-series laptops.

2011-01-06 ARS network and email is back online

As of 11:46 am (CT), ARS network and email access have been restored. All delayed email is being processed and will be delivered in the next 30-40 minutes.

2011-01-06 ARS network and email outage

ARS network and email are currently down on the Fort Collins, CO node. This is affecting all Madison location ARS email access and internet access in Marshfield and Sturgeon Bay. Please be patient while the problem is being worked on. No ETA has been given at this time.

2010-11-16 eAuth Phishing Scam

ASOC Cyber Security Alert
eAuth Phishing Scam

The Department is aware of an e-mail phishing attack that is targeting potential users of the USDA eAuthentication system. This e-mail scam appears to come from a legitimate eAuth help desk and advises of “several unsuccessful login attempts” for the recipient’s account. The scam is an attempt to collect your personal and account logon information. If you receive these notices, do not click on any links.

What to do if you suspect your information has been exposed:
The eAuth system will send legitimate emails regarding issues with your account; however they will never ask you for your password.
If you suspect you are receiving notices from an illegitimate source or have provided your logon or personal information to an illegitimate site, contact the ITS eAuth helpdesk immediately at 1-800-457-3642 or by e-mail at eauthhelpdesk@ftc.usda.gov.
If you have received this scam email, delete it immediately. If you clicked on any links within the email, contact the eAuth helpdesk immediately. And you may always contact your Agency ISSPM if you suspect your information or system has been involved in an incident.

2010-10-08 FY11 Annual Security Awareness Training - Due January 31, 2011

The Federal Information Security Management Act (FISMA) and the Office of Management and Budget (OMB) Circular A‑130 require Federal agencies to provide annual security awareness and rules of behavior training to all employees, contractors, and students.

This year’s training, “FY2011 USDA Information Security Awareness and Rules of Behavior”, is now available in all employees’ AgLearn learning plans.  The link to access this training is: http://www.aglearn.usda.gov.

All ARS employees, contractors, and students are to complete this training by January 31, 2011.  Failure to comply with this requirement will result in the loss of network access.  It is not necessary to print a certificate because completion is recorded in AgLearn.  If you would like a certificate of completion, you must go to your learning history to print it.  For any technical assistance required, please contact your local IT Helpdesk.

2010-10-04 ARSnet Password Self-Reset

Please don’t forget to sign up for the ARSnet password self-reset option.  You must enroll yourself in order to take advantage of the service.

Website to enroll:  https://reset.ars.usda.gov
Enrollment instructions on intranet:  http://www.mlit.wisc.edu/software/passwords/arsnetreset.html

If you have any questions on this, please let me know.

 

From: ARS-MWA-ALL
Sent: Tuesday, September 07, 2010 8:26 AM
Subject: ARSNet Password Self-Reset

*** The following message is being transmitted to you as a service to all Midwest Area employees. ***
*** Please do not respond to this mailbox.  Thank you.  ***

ARS has implemented a self-service option for changing user passwords.  This will work for ALL users.

It is a two-step process.  First, you can either place a shortcut on your desktop named ARSnet Password Reset.  The “location of the item” is https://reset.ars.usda.gov .  Alternately, you can create a shortcut in Internet Explorer.

Second, you must enroll to use the service.  Instructions for enrollment are attached. 

This is a very straightforward package, but I want to warn you that you must click in either the box for “Forgot Your Password?” or “Is Your Account Locked?” to make appropriate changes.

If you have questions, please contact your local IT contact or the MWAHelpDesk@ars.usda.gov .

2010-10-01 October is National Cyber Security Awareness (NCSAM) month

About NCSAM 2010

Our Shared Responsibility

We lead Web-based, digital lives. 

The Internet has become pervasive; we are online at home, school, work, and play. In addition to the traditional laptop or desktop computer, we now have many more gateways to the Internet. Mobile devices of all shapes and sizes connect us to increasingly complex and useful tools almost everywhere and at any time. Even when we are not directly connected, the Internet supports our everyday lives through our financial transactions, transportation systems, power grids, emergency response systems and a constant flow of communication, to name a few. This reliance will only increase as digital technology becomes further entwined with how we live.

If we are to achieve the potential of a digital society for robust and widely available content, community, communication, commerce, and connectivity we must protect the resource that makes it possible. 

The Internet is a shared resource and securing it is our shared responsibility.

Ultimately, our cyber infrastructure is only as strong as the weakest link. No individual, business, or government entity is solely responsible for securing the Internet.  Everyone has a role to secure their part of cyberspace, including the computers, devices and networks they use. We all need to understand how our individual actions have a collective impact on cybersecurity and protecting the Internet.

Our Shared Responsibility means each of us must do our part. The actions we take may differ based on our personal and professional responsibilities.  However, if each of us does our part—whether it’s implementing stronger security practices in our day-to-day online activities, making sure the right tools are in place, raising awareness in the community, educating young people or training employees—together we will be more resistant and resilient, protecting ourselves, our neighbors and our country.

About National Cyber Security Awareness Month

National Cyber Security Awareness Month (NCSAM), conducted every October since 2004, is a national public awareness campaign to encourage everyone to protect their computers and our nation’s critical cyber infrastructure.

Cyber security requires vigilance 365 days per year. However, the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the primary drivers of NCSAM, coordinate to shed a brighter light in October on what home users, schools, businesses and governments need to do in order to protect their computers, children, and data.

What are you doing for National Cyber Security Awareness Month?

The success of National Cyber Security Awareness Month rests on all of us doing what we can do to engage those around us to be safe and secure online. There are opportunities for everyone, from home users and small businesses to major corporations and government entities, to get involved.

 

2010-09-23 ARS email is down

Due to a power outage in Fort Collins, ARS email is currently down. Please be patient while power is restored.

2010-08-04 Critical Microsoft Update

** If you are on PatchLink you will receive this update automatically **

Microsoft has released an update to address a critical vulnerability in all versions of Windows.  Please run Microsoft/Windows updates (http://update.microsoft.com/microsoftupdate/) asap or at the very least, go to the following site and download the applicable patch:  http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx.  This includes Mac users with Windows running as a virtual machine (Fusion or Parallels).  Again, if you’re on PatchLink, you will receive this update automatically sometime today.

 

Details from Microsoft (http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx):

This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported editions of Microsoft Windows. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by correcting validation of shortcut icon references. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update addresses the vulnerability first described in Microsoft Security Advisory 2286198.

2010-07-26 Power outage at ARS headquarters - all systems restored

From: Nehring, Josh
Sent: Monday, July 26, 2010 10:25 AM
To: ARS-MWA-Madison-All
Subject: RE: Power Outage at ARS headquarters - all systems restored

Power has been restored at HQ.  Services should be fully restored shortly.

2010-07-26 Power outage at ARS headquarters

HQ experienced a major power outage yesterday and has been given no estimate on restoration.  As a result, Email and Internet services are unavailable for HQ, BA, NAA, SAA, SPA, and any VPN users.  This is also affecting our access to ARS systems such as ARIS, SharePoint, VPN, BVAdmin/AD Manager Plus as well as internet access in our Marshfield and Sturgeon Bay locations.  We will keep you posted with any new updates.

2010-07-14 WebTA Status

The USDA webTA will be unavailable on Wednesday, July 14 beginning at 2:00pm CST. Upgrades will be applied at this time.  The estimated down time to complete this task is 2 hours. 

Thank you for your cooperation.

2010-07-12 Scam alert - fraudulent phone calls and emails

From: Nehring, Josh
Sent: Monday, July 12, 2010 4:51 PM
To: ARS-MWA-Madison-All
Subject: Scam alert - fraudulent phone calls and emails
Importance: High

Many people have been receiving automated phone calls and emails asking to reveal sensitive personal and banking information.  You should never give out your SSN, credit card numbers, passwords, usernames, etc.

Always keep in mind, legitimate financial institutions will never ask you to reveal sensitive personal or financial information in an unsolicited call or through email.  Please do not submit or communicate the information requested.

Thank you for your attention to this matter.

2010-07-06 Phishing Alert: USDA Cyber Incident Scam

From: Miller, Andrea
Sent: Tuesday, July 06, 2010 11:28 AM
To: ARS-MWA-3601-ALL
Cc: ARS-MWA-ITCONTACTS-ALL; ARS-MWA-AO-ALL
Subject: FW: Phishing Alert: USDA Cyber Incident Scam
Importance: High

Please take note that a particularly well-crafted email phishing attack has been blocked within ARS.  If you receive an email and have ANY questions regarding its validity, please do not Reply To or click on any of the links in the email.  Rather, forward it to mwahelpdesk@ars.usda.gov and we can verify its validity.

Thank you,

Andrea

 

From: Butler, Rob
Sent: Tuesday, July 06, 2010 11:23 AM
To: ARS-HQ-OCIO-CTSB-All; ARS-IT Specialists-All
Subject: Phishing Alert: USDA Cyber Incident Scam
Importance: High

All,

Please be aware of an unusually well-crafted phishing attack which has been seen today.  Note that the From: address is a Gmail account and the actual URL in the “EAuth” hyperlink directs the user to http://www.eauthgov.com/change.php?id=4IN8W86LBXY8P3YH7B2S.

The ARS MessageScreen filters have been adjusted and further copies of this particular message will now be blocked.

Please let me know if you have any questions.   Any users that may have fallen for this scam should immediately change their eAuth passwords and Cybersecurity should be notified.

Thanks,
Rob

 

From: USDA Security Operations Center [mailto:cyber.incidents@gmail.com]
Sent: Tuesday, July 06, 2010 10:50 AM
To: Popham, Holly
Subject: ASOC00000001372 : USDA-ARS - Improper Usage: eAuthentication

USDA Cyber Incident; ASOC00000001372 has been created for your Agency. Available details and information are listed below.
Incident No.: ASOC00000001372 Incident Date/Time Reported: 7/05/2010 1:59:16 PM
For security reasons your eAuthentication account has been locked due to multiple failed login attempts.
Please visit http://www.eauth.egov.usda.gov/ to reset your password.
NOTES: Required Action: Complete the password reset form at the URL above within 24 hours.
The ASOC Incident Number should be retained for reference purposes and contained in the subject line for all email communications sent to the ASOC. Please send all questions, updates, information or reports about this to Cyber.incidents@ocio.usda.gov
To report an incident or inquire about an incident or event: call 1-866-905-6890 or email Cyber.incidents@ocio.usda.gov 24 hours a day.
Yours sincerely,
ASOC

2010-06-11 GovTrip 2.0 Travel System Application Upgrade June 12, 2010

From: Announcement@newsbox.usda.gov [mailto:Announcement@newsbox.usda.gov] On Behalf Of GOVTRIP
Sent: Thursday, June 10, 2010 8:36 PM
To: ANNOUNCEMENT@newsbox.usda.gov
Subject: GovTrip 2.0 Travel System Application Upgrade June 12, 2010

The GovTrip 2.0 Travel System Application upgrade is scheduled to take place for USDA on June 12, 2010.  The GovTrip Production application will be unavailable from 6:00am EDT to 12:00pm EDT on June 12, 2010 to implement this system upgrade.

The GovTrip Travel System is the Web based system which USDA travelers currently use to Authorize, Book and Voucher for Temporary Duty Travel to conduct official USDA business.   Over the last year, user studies were conducted with federal travelers in the GovTrip community. These travelers and preparers guided the development of the GovTrip 2.0 project, with additional feedback from the government travel administrators.

This GovTrip Upgrade modernizes the Web site’s “look and feel” in line with commercial Web sites making it more intuitive and easier to use.  Streamlines, but makes no significant changes to current processes for:  Planning travel, requesting and approving authorizations and vouchers, and obtaining system reports.  It is designed to reduce/eliminate need for detailed training.

We hope you enjoy your experience with the New and Improved GovTrip Travel System.

2010-06-10 San Francisco Internet Gateway issue - slow network traffic

A San Francisco gateway outage is causing all USDA traffic to be routed through DC.  This is causing all USDA and ARS applications (including CATS) to be very slow.  Please be patient while the issue is being resolved.

2010-05-14 ARIS / Java - Cutover Pushed Back to May 24th

The ARIS (CATS) / Java upgrade has been delayed until May 24th.  Please have Java installed/updated prior to the 24th.

2010-05-14 CATS System Outage

CATS will be down from 11:00am – 11:15am this morning.

2010-05-10 ARIS updates

On May 17th, a change will be made to the way you access your ARIS applications.  You will no longer be using Jinitiator to access ARIS, but will be using Java instead.  Since this is a change at the server level, all ARIS users must make this change. The change is relatively minor, but if you are using Windows 7 you may notice a quicker response from the system after the cutover.  This process will also work for Mac users; however, not all ARIS applications have been tested with the Mac.

What you need to do:

Before May 17th, use the following link to install Java.  Instructions are attached for your convenience.  Please note that you may experience minor differences depending on your PC configuration.   In addition, you will need to close your browser during the install (the attached instructions include this step).

Java install link: https://arisapp.ars.usda.gov/jinit/JRE.exe

After May 16th, you will not be able to access ARIS without doing the install.

If you have problems with the installation contact your local IT Specialist or email us at aris@ars.usda.gov.

2010-04-05 Aglearn System Upgrades

Please be advised that AgLearn will be undergoing system upgrades beginning Wednesday, April 7th  at 8:00PM ET  through Monday, April 12th at 6:00AM ET.

During this time, AgLearn will not be available to all users.  A “Maintenance Outage Alert” will appear on the AgLearn website while AgLearn is down.

2010-03-30 ARS SharePoint is currently down

Due to emergency maintenance needed for the SharePoint servers, our SharePoint site at https://arsnet.usda.gov will be unavailable for some time today. OCIO staff members are working on this high priority issue. You will be informed about the status soon.

2010-03-30 US Bank AxOL maintenance

US Bank Access Online (AxOL) will be unavailable from Saturday, April 10th (8:00am EDT) to Sunday, April 11th (1:00pm EDT) for scheduled maintenance.

2010-02-11 ARSnet password change website is available

Systems affected: https://secure.arsnet.usda.gov/ChangeMyPassword.aspx

The ARSnet password change website is back online.

2010-02-09 ARSnet password change website

Systems affected: https://secure.arsnet.usda.gov/ChangeMyPassword.aspx

The ARSnet password change website is currently down. No ETA is set due to weather conditions in the Beltsville area. If your current password expires during this time, please let me know and I'll reset it for you.

2010-01-21 Internet Explorer update

Microsoft has released an update to address a critical vulnerability in all versions of Internet Explorer.  Please run your Microsoft/Windows updates (http://update.microsoft.com/microsoftupdate/) asap or at the very least, go to the following site and download the applicable patch:  http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx.  This includes Mac users with Windows running in Fusion or Parallels.

 

Details from Microsoft (http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx):

This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8 (except Internet Explorer 6 for supported editions of Windows Server 2003). For Internet Explorer 6 for supported editions of Windows Server 2003 as listed, this update is rated Moderate. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 979352.

2010-01-14 Critical Adobe software updates

Adobe has released software updates to address critical vulnerabilities in Acrobat and Acrobat Reader versions 8 and 9 on Windows, Mac, and Unix computers.  The vulnerability that has been exploited can allow an attacker to take control of a system and was recently used in attacks on more than 30 US organizations.

For those of you on PatchLink, the software updates will be installed on your computer automatically.  For everyone else, please make sure you run Adobe updates or download and install the updates manually using the following links:

Adobe Reader (Windows, Mac, Unix):  http://get.adobe.com/reader
Acrobat Standard and Pro (Windows):  http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Acrobat Pro Extended (Windows):  http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows
Acrobat Pro (Mac):  http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

For detailed information, please visit: http://www.adobe.com/support/security/bulletins/apsb10-02.html

Further prevention measures:

   Disable JavaScript in Adobe Reader and Acrobat
  
   Disabling JavaScript may prevent some exploits. Acrobat JavaScript
   can be disabled using the Preferences menu (Edit -> Preferences ->
   JavaScript; un-check Enable Acrobat JavaScript).
  
   Prevent Internet Explorer from automatically opening PDF documents
   Disable the display of PDF documents in your web browser
  
   Preventing PDF documents from opening inside your web browser will
   partially mitigate this vulnerability. By applying this workaround,
   you may also lessen the possibility of future vulnerabilities.
  
   To prevent PDF documents from automatically being opened in a web
   browser, do the following:
  
   1. Open Adobe Acrobat Reader.
   2. Open the Edit menu.
   3. Choose the preferences option.
   4. Choose the Internet section.
   5. Un-check the "Display PDF in browser" check box.
  
   Do not access PDF documents from untrusted sources
  
   Do not open unfamiliar or unexpected PDF documents, particularly
   those hosted on websites or delivered as email attachments.

2009-12-21 DFRC rescheduled power outage - shutdown and restart of network

Starting at 5:00 pm on Tuesday evening, we will begin shutting down the network and servers in preparation for the power outage on Tuesday night.  Once everything is down, the Dairy Forage building will no longer have network access.

The following servers will be unavailable starting Tuesday night around 5:00 pm through the duration of the power outage: 

ArcGIS
Public drive/Dropbox
Location intranet site
DFRC website (maintenance requests)
DFRC email
DNAStar
Daisy repository
Admin file servers
EZ maintenance
Admin VPN
FileMaker Pro
DairyComp
SysAid

2009-12-17 DFRC rescheduled power outage - shutdown and restart of network

The planned power outage at DFRC has been rescheduled for Tuesday, December 22nd from 7:30pm - 12:00am.

2009-12-16 DFRC power outage - shutdown and restart of network

Even though the planned power outage did not take place this morning, the DFRC network and servers were shut down last night in preparation.  As of 8:00 this morning, servers and network access were restored to the building.

2009-12-14 DFRC power outage - shutdown and restart of network

Starting at 6:00 pm on Tuesday evening, we will begin shutting down the network and servers in preparation for the power outage on Wednesday morning.  Once everything is down, the Dairy Forage building will no longer have network access.

The following servers will be unavailable starting Tuesday night around 6:00 pm through the duration of the power outage: 

ArcGIS
Public drive/Dropbox
Location intranet site
DFRC website (maintenance requests)
DFRC email
DNAStar
Daisy repository
Admin file servers
EZ maintenance
Admin VPN
FileMaker Pro
DairyComp
SysAid

2009-12-01 Update: Blackberry email issue resolved

Normal Blackberry communication has been restored and you should see your device sync with your mailbox within the next hour.  If your Blackberry does not automatically re-sync, a hard reset may be required (remove and replace battery).  If it still does not work, please let me know.

2009-12-01 Email/Internet Problems Resolved

All ARS email problems have been resolved.  Messages you did not receive an undeliverable for are slowly being sent.  Messages you did receive an undeliverable for, you will need to resend.

2009-12-01 ARS email/internet update and undeliverables

There are many problems with ARS email and internet activity.  You are probably receiving undeliverable messages to anyone outside of ARS.  This is due to firewall configuration problems in Fort Collins.  Any messages you sent yesterday to outside of ARS will need to be resent once the problems have been resolved.  Do not resend the messages now, as they will just be returned again.

There is no estimate of when the problems will be resolved.  I will keep you informed as I receive information.

 

***Update***

ARS OCIO staff is troubleshooting a communications issue preventing the Colorado-based Blackberry users from being able to send and receive e-mail.   This issue is ongoing with staff actively working to identify and resolve the problem.  The following Areas are affected: MWA, MSA, NPA, and PWA.

In addition, mail sent from Colorado-based Exchange users to Internet recipients is not currently being delivered.  The messages are being queued and will be delivered once communications have been restored.  There are approximately 7,100 currently in the message queues. 

Staff members are working on this issue as quickly as possible and hope that it will be resolved soon.  Unfortunately, there is no estimate on when full services will be restored.

We apologize for the inconvenience.

Dave Chab, acting Deputy CIO
Office of the Chief Information Officer, ARS
phone: 301-504-1124
fax: 301-504-1139
email: dave.chab@ars.usda.gov

2009-11-30 Blackberry email problems

Please note that we currently cannot receive email through our Blackberrys.  This is being worked on and we’ll let you know when it’s resolved.

2009-11-30 Network down in Marshfield

The Marshfield network is currently down. A network configuration change has caused problems and the building has no email or internet access.

2009-11-25 Ignore Password Expiration Notifications

This morning there were many reports of users receiving an email from noreply@ars.usda.gov with the subject “Password Expiry Notification” indicating their ARSnet password was about to expire.  Even though the information is correct, please ignore this message.  OCIO was testing a new self-service software package for the email expiration alerts and it automatically sent out notifications after a service pack was applied.  It has been disabled so the email message should no longer be generated.

2009-11-25 Spam Email Purporting to come from the SSA

There's a fake email circulating that looks like it's from the Social Security Administration (SSA). If you receive this message, please ignore and delete it. These messages contain a link to a fraudulent SSA website. If you click on this link, you are instructed to enter your social security number and download a social security statement that will infect your computer with the Zeus Trojan.

US-CERT encourages users to take the following measures to protect themselves:

• Do not follow unsolicited web links or attachments in email messages.
• Maintain up-to-date antivirus software.
• If you are unsure of the validity of the request, please contact the SSA.

2009-11-19 WebTA access

Access to WebTA has been restored. However, any data entered on Thursday, November 19th will need to be re-entered.

2009-10-30 Fiscal Year (FY) 2010 Annual Security Awareness Training - Due January 31, 2010

The Federal Information Security Management Act and the Office of Management and Budget Circular A-130 require Federal agencies to provide annual security awareness and privacy basics training to all employees, contractors, and students.

This year’s training, “FY 2010 United States Department of Agriculture Information Security Awareness” and “Rules of Behavior,” was placed in all employees’ AgLearn learning plans on October 1, 2009.  The link to access this training is: http://www.aglearn.usda.gov.

All ARS employees, contractors, and students are to complete this training by January 31, 2010.  Failure to comply with this requirement will result in the loss of network access.  In order to receive credit for this training both modules of the course must be completed.  Though it is not necessary to print a certificate, if you want a certificate of completion, you must go to your learning history in order to print this.  For any technical assistance required, please contact your local Information Technology Helpdesk.

2009-10-13 Alert: Bogus "System Upgrade" Warnings

Some of you have received the “System upgrade” message below.  It is NOT legitimate.  Please do not click on the link in the message.  Delete the message and empty it from your trash.

New messages from this sender have now been blocked.

 

-----Original Message-----
From: System [mailto:System@ars.usda.gov]
Sent: Tuesday, October 13, 2009 6:49 AM
To: *****
Subject: Server upgrade warning

Attention!

  On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
 This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://updates.ars.usda.gov.secure.upd1.net/mail/id=7304410-kevin.temeyer@ars.usda.gov-patch81354.exe

 Thank you in advance for your attention to this matter and sorry for possible inconveniences.

 System Administrator
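
The link in the bogus message above places ars.usda.gov at the front of a hostname that actually ends in upd1.net. The following check is an added example, not part of the original notice: the trusted-domain list, the finding names and the extra userinfo case are assumptions, and the recipient's name in the sample URL has been replaced with the placeholder "user".

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the organisation really owns. usda.gov covers the
# ars.usda.gov and aglearn.usda.gov hosts that appear in these notices.
TRUSTED_DOMAINS = ("usda.gov",)
RISKY_EXTENSIONS = (".exe", ".scr", ".bat", ".msi", ".vbs", ".js")

# Sender and link from the bogus "Server upgrade warning" message
# (recipient local-part replaced with a placeholder).
SAMPLE_SENDER = "System@ars.usda.gov"
SAMPLE_URL = ("http://updates.ars.usda.gov.secure.upd1.net/mail/"
              "id=7304410-user@ars.usda.gov-patch81354.exe")


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only if the host IS a trusted domain or a subdomain of one.

    Ownership is decided by the right-hand end of the name, so the
    comparison must be a suffix match on a label boundary.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def embedded_trusted_domain(host, trusted=TRUSTED_DOMAINS):
    """Return a trusted domain that appears as whole labels somewhere
    in the host other than at its end, or None."""
    labels = host.lower().rstrip(".").split(".")
    for domain in trusted:
        want = domain.split(".")
        # Stop before the final position: a match there is a real suffix.
        for i in range(len(labels) - len(want)):
            if labels[i:i + len(want)] == want:
                return domain
    return None


def analyze_link(url, sender=None, trusted=TRUSTED_DOMAINS):
    """Return a list of finding codes for a link taken from an email."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path.lower()
    findings = []

    # http://trusted.example@other.example/ : text before "@" is userinfo,
    # not the host (generalisation beyond the message on this page).
    if parts.username is not None:
        findings.append("userinfo-before-host")

    if not is_trusted_host(host, trusted):
        findings.append("untrusted-host")
        if embedded_trusted_domain(host, trusted):
            findings.append("trusted-name-embedded-in-host")
        # The From: address is only what the message displays; an internal
        # address combined with an external link is a mismatch worth noting.
        if sender and is_trusted_host(sender.rsplit("@", 1)[-1], trusted):
            findings.append("internal-sender-external-link")

    if path.endswith(RISKY_EXTENSIONS):
        findings.append("executable-download")

    # A recipient address baked into the path marks a personalised lure.
    if any(re.search(r"@[a-z0-9.-]*" + re.escape(d), path) for d in trusted):
        findings.append("recipient-address-in-path")

    return findings


if __name__ == "__main__":
    for code in analyze_link(SAMPLE_URL, sender=SAMPLE_SENDER):
        print(code)
```
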

2009-10-06 ARS internet access is restored

ARS internet access has been restored.

2009-10-06 ARS internet access is down

ARS internet access is currently down. This is affecting internet access in all ARSnet locations, including Marshfield (DFRC) and Sturgeon Bay (VCRU). The outage is also affecting ARS applications including: ARIS applications, email access, SharePoint, etc. If you need access to these services, please connect to your ARSnet VPN first. No ETA is set.

2009-10-01 WebTA down October 5-7

From: Shelton, Carol
Sent: Thursday, October 01, 2009 7:19 AM
To: ARS-ALL
Subject: USDA WebTA

The USDA WebTA Production environment will be taken down on Monday, October 5, 2009, through Wednesday, October 7, 2009, to load the webTA 3.8.10 new release and perform the Fiscal Year 2010 roll/update of accounting codes. Please do not begin validating T&A’s in webTA for PP20 until after the environment is brought back up on October 7/8, 2009.

Thanks for your patience and continued support of webTA.

2009-10-01 October is National Cyber Security Awareness month

NCSA

About National Cyber Security Awareness Month

National Cyber Security Awareness Month (NCSAM), conducted every October since 2001, is a national public awareness campaign to encourage everyone to protect their computers and our nation’s critical cyber infrastructure.

Cyber security requires vigilance 365 days per year. However, the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the primary drivers of NCSAM, coordinate to shed a brighter light in October on what home users, schools, businesses and governments need to do in order to protect their computers, children, and data.

In 2008, National Cyber Security Awareness Month reached more than 29 million Americans through media, middle school and high school lesson plans, and partnerships with dozens of companies and associations. In addition, the President of the United States declared support for National Cyber Security Awareness Month, the U.S. Senate passed a resolution in support of the month, and 41 state governors signed proclamations recognizing the month.

Our Shared Responsibility

Our lives are becoming web-based.

As the Internet becomes pervasive, we are online from home, school, work, and in between on mobile devices. Even when we are not directly connected, our economy and much of the everyday infrastructure we rely on uses the Web.

Ultimately, our cyber infrastructure is only as strong as the weakest link. No individual, business, or government entity is solely responsible for cyber security. Everyone has a role and everyone needs to share the responsibility to secure their part of cyber space and the networks they use. The steps we take may differ based on what we do online and our responsibilities. However, everyone needs to understand how their individual actions have a collective impact on cyber security.

What are you doing for National Cyber Security Awareness Month?

The success of National Cyber Security Awareness Month rests on all of us doing what we can to engage in awareness activities. There are opportunities for everyone from home users to major corporations and government entities to get involved.

2009-09-17 Blackberry Content Protection

Blackberry Content Protection encryption will be installed on all Blackberry devices on Tuesday, September 22nd. We will be using the BES to remotely push this extra level of data encryption called “Content Protection” to your device.  Your device must be powered on and the wireless service enabled for it to accept this modification.  We do not anticipate any interruption in service and no other action is required.  If the power or the wireless service is not enabled, the device will automatically accept the Content Protection when it is next enabled. 

While we were testing Content Protection we noticed some changes that may interest you. 

  1. When the device is locked, a small padlock should appear at the top of the screen.  The appearance of the padlock is important because it indicates that Content Protection is working on your device.  If the padlock does not appear by September 25, please notify the CTSB staff at helpdesk@ars.usda.gov.
  2. There is a slight delay when you lock and unlock your device.
  3. If the device is locked, the default settings will not allow address book information or caller ID to be displayed.
  4. To check or change the default address book setting, go to Options, Security Options, General Settings, scroll until you locate Content Protection, highlight “Include Address Book,” select your Menu button, and change setting to No.  If these options are not available to you, you cannot check or change the default address book setting.
  5. Of the devices tested, the Blackberry Storm was the only device that prompted for a restart.  Your device may or may not prompt for a restart. It is necessary to restart only when prompted.  As discussed in the first item, the eventual appearance of the padlock determines the success of the update.  If the padlock does not appear, please email helpdesk@ars.usda.gov for assistance.

Should you require additional information, please contact the Service Desk at 866.802.4877.

2009-09-09 CCRU Power Restored

Power has been restored to CCRU building.

2009-09-08 CCRU Planned Power Outage

On Wednesday, Sept. 9th, CCRU will be without power starting at 8:30am for a planned power outage. The outage is expected to last 2-3 hours. All server and network access will be unavailable during this time. Please plan accordingly.

2009-08-18 DFRC Public drive is back online

The public drive server is back online.  There have been a couple of changes so if you still cannot access the server, please keep reading:

  1. Depending on your setup, you might need to set up a new connection to the server.  The server address and shared folders are as follows:
    1. Windows:  \\192.168.150.1\Public
    2. Mac:  smb://192.168.150.1/Public
  2. You may be asked to log in to the server to access the files.  Please use the following account to log in to the server:
    1. Username:  dfrc
    2. Username:  usdfrc
    3. For instructions on how to have Windows XP automatically log you into the server, please see attached instructions.  Mac users can have keychain remember the login info.
  3. If you need assistance with any of this or getting access to the dropbox, please let us know.

2009-08-18 DFRC Public drive is down

The DFRC public drive is down again. It is currently being worked on and we'll have it up later this afternoon.

2009-07-21 DFRC Public drive is up

The DFRC public drive is back up.

2009-07-20 DFRC Public drive is down

The DFRC public drive is currently down. Server is rebuilding and should be up either today or tomorrow.

2009-07-07 Windows Laptop Encryption

As required by OMB Memorandum 06-16, USDA has mandated all our department laptops to be encrypted with McAfee Endpoint Encryption (MEE).  MEE provides full-disk encryption that protects data stored on a laptop.  In the event that a laptop is lost or stolen, it is guaranteed to prevent the data from being accessed by an unauthorized person.
Encryption makes information unintelligible.  Full disk encryption (which USDA and, therefore, ARS are implementing) makes it impossible to inadvertently store information in an unencrypted state.  If you have a password on your unencrypted laptop and it is stolen, the most that a thief has to do to compromise your information is remove the hard drive and access it from another computer.  With encryption, information cannot be compromised.

The deadline to deploy MEE is July 31st.  Some of you already have the encryption installed.  For the rest of you, Kevin or I will be contacting you to set up a date for the install.

Non-Windows based laptops will not be required to have encryption by this deadline.  Encrypting Windows laptops is just the first of many phases in an effort to increase federal computer security.  We appreciate your patience during this process.

For more information, please click here:  http://www.mlit.wisc.edu/software/encryption   
FAQ’s:  http://www.mlit.wisc.edu/software/encryption/faq.html

If you have any questions, please let me know.


2009-06-17 ARSnet eVault Planned Outage

Software affected: Outlook, Entourage

eVault will be down for the entire location tomorrow (June 18th) from 1:00pm - 3:00pm for hardware maintenance.  During this time, you will be unable to store in or retrieve items from the vault.  This outage will not impact email services.


2009-06-11 Restoration of remote email connectivity via RPC over HTTPS

Software affected: Outlook, Cisco VPN

Outlook users only: Effective Thursday, June 11th, our remote email connectivity via RPC over HTTPS has been restored. Outlook users can now receive email without connecting to the ARSnet VPN when at our university or non-ARSnet work locations. You will still need to use the VPN at any other location (at home, on travel, etc.). OWA (webmail) and Entourage users still have to use the ARSnet VPN.

To clarify:

  • You will be able to access ARS email using the Outlook client WITHOUT using the VPN while you are at your University or non-ARSnet location.
  • You will NOT be able to use Outlook Web Access or Entourage unless you use the VPN.
  • You will NOT be able to use the Outlook client, Entourage, or Outlook Web Access while on travel (or at home on an ARS-issued laptop) without the use of the VPN.
  • As of right now, E-Vault will not work unless you are connected to the VPN.
  • Milwaukee and Marshfield are not affected by this change.

2009-06-02 McAfee Endpoint Encryption Server Upgrade

Tonight at 6:00 pm (CT) the McAfee Endpoint Encryption Server will be upgraded. Those of you with laptops encrypted with MEE should not have any problems logging in during the outage. However, if a password is changed and the PC is then turned off, the password will not synchronize with the server until the server comes back online.  I strongly encourage MEE users either NOT to change their password tonight or to leave the PC on overnight so that it will synchronize with the server.

2009-05-12 Prohibited Computer Software

Attachments: P2P and IM Guidance.doc

From: McClanahan, Melinda
Sent: Tuesday, May 12, 2009 7:02 AM
To: ARS-ALL
Subject: Prohibited Computer Software

Please see attached memo from Dr. Melinda L. McClanahan, ARS Chief Information Officer, concerning prohibited computer software.  Thank you.

2009-05-04 CATS Unavailable today 12:00-12:30pm

From: Nehring, Josh
Sent: Monday, May 04, 2009 11:24 AM
To: ARS-MWA-Madison-All
Subject: FW: CATS Unavailable today 12:00 - 12:30

FYI…CATS will be down from 12:00 – 12:30pm today.

From: ARIS
Sent: Monday, May 04, 2009 11:00 AM
Subject: CATS Unavailable

We are currently experiencing a problem with the CATS system.

CATS will be unavailable from 1:00pm EST – 1:30pm EST to fix the problem.

Please disseminate to your users.

Thank you for your patience.

ARIS Staff
ARIS@ARS.USDA.GOV

2009-04-29 Do not install Internet Explorer 8

Software affected: Internet Explorer

Microsoft released the latest version of Internet Explorer (version 8) for Windows last month.  They are now pushing the update through their Microsoft Update software as a critical update.  Please do not install IE8 on your computers.  There are many issues with software and websites that are using the browser.  Once the problems are resolved and it’s ok to install version 8, I will let you know.  If you have already installed IE8, please do the following to uninstall:

  1. Go to start > control panel > add/remove programs
  2. Check the box for “Show updates”
  3. Highlight Internet Explorer 8 from the list of installed programs
  4. Click Remove
  5. Choose yes, when asked “are you sure?”
  6. Uninstall any other updates related to IE8 as well, when asked
  7. Restart your computer

Those of you on PatchLink have a tool installed that blocks IE8 from installing.

If you have any questions about this, please let me know.

Thanks,
Josh

2009-04-13 Systems Down

From: Miller, Andrea
Sent: Monday, April 13, 2009 11:14 AM
To: ARS-MWA-3601-ALL; ARS-MWA-ITCONTACTS-ALL; ARS-MWA-AO-ALL
Subject: Systems Down

One of the main links between Ft. Collins and Beltsville is currently down.  This may disrupt email service to some areas.  In addition, ARS web servers are currently unreachable.  I will let you know if I receive further information.

Andrea Miller
IT Specialist - Midwest Area Office
1815 N. University Street
Peoria, IL 61604
309-681-6574
andrea.miller@ars.usda.gov

2009-04-10 ARSnet and Email Connectivity

Software affected: Outlook, Entourage, Cisco VPN

Attachments: ARS-ALL OWA VPN HSPD-12 04-10-09.doc

From: McClanahan, Melinda
Sent: Friday, April 10, 2009 7:26 AM
To: ARS-ALL
Subject: ARSnet and Email Connectivity

Please see the attached letter from Dr. Melinda L. McClanahan, CIO, that discusses ARSnet and email connectivity across ARS.

Click here for information on how to setup Cisco VPN client.

2009-03-27 Conficker/Downadup worm expected to launch April 1, 2009

A new variant of the Conficker (W32.Downadup.C, Conficker.C, B++) worm I warned you about last October is expected to launch attacks on April 1st.  Because of this, you need to ensure your Windows computers and virtual machines have Microsoft patches up-to-date and that your anti-virus programs are updated and running.

If you have any questions on how to perform or check any of this, please let me know.  More information if you want a detailed explanation of the worm:  http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.C

2009-03-22 Do not install Internet Explorer 8

Software affected: Internet Explorer

Microsoft has released the latest version of Internet Explorer (v8) for Windows XP and Vista. Currently IE8 is only available via download. At some point this spring, Microsoft will release the new version through Microsoft updates. It is strongly recommended to wait to install the latest version until testing is completed. To block Microsoft updates from installing Internet Explorer 8 automatically, please download and install this tool.

2009-02-23 GovTrip is available

GovTrip is now available.

2009-02-18 GovTrip is down

GovTrip, which handles travel reservations for ARS and many other U.S. government agencies, has been infected with a virus that tried to install malicious software when users visited the site. This has caused GovTrip to shut down all access to the travel website. No estimated time of availability is given.

2009-02-09

A couple changes are being made to ARS email spam filtering and distribution groups.

Spam filtering:  For those who are forwarding their WiscMail directly into their ARS email accounts, please continue reading.  Headquarters is going to be more aggressive in an attempt to catch a lot of the spam that is going through WiscMail to your ARS account.  This process will be complete tomorrow (Tuesday) afternoon.  The disadvantage to this is that you might get some false-positives stuck in your MessageScreen quarantine.  Please be sure to check your quarantine regularly for messages you may need: http://messagescreen1.ars.usda.gov

Distribution groups:  Some of you are still receiving messages from distribution lists in your alternate email.  This will no longer be the case as of today.  Headquarters is forcing us to remove these rules.  You will get these messages through your ARS email account.

2009-01-23 ARS VPN accounts

Software affected: Cisco VPN

From: Nehring, Josh
Sent: Friday, January 23, 2009 8:49 AM
To: ARS-MWA-Madison-All
Subject: ARS VPN accounts

If anyone is having any issues (too slow, disconnecting, etc) when connected to their VPN account, please let me know via email asap.

2009-01-22 ARS email access through VPN

Software affected: Outlook, Entourage, Cisco VPN

Attachments: ARSnet.pcf | Windows VPN Installation Instructions.pdf | Mac VPN Installation Instructions.pdf

From: Nehring, Josh
Sent: Thursday, January 22, 2009 3:25 PM
To: ARS-MWA-Madison-All
Subject: RE: ARS email access through VPN follow-up

For those connecting through the ARSnet VPN:  You can now use local network drives and printers when connected to the VPN.  Here’s how:

  1. Open Cisco VPN client
  2. highlight ARSnet
  3. click “Modify”
  4. click the “Transport” tab
  5. put a checkmark next to “Allow Local LAN Access” (see attached screenshot)
  6. click Save

Once you do this, you will no longer have to disconnect from ARSnet in order to access network devices.  I have attached a new profile (arsnet.pcf) to automatically make this change for those who have not set up their VPN client yet.


                                                                                                
From: Nehring, Josh
Sent: Wednesday, January 21, 2009 8:13 AM
To: ARS-MWA-Madison-All
Subject: RE: ARS email access through VPN follow-up

Some are having troubles with the ARSnet.pcf file.  To make it easier, I have attached it in this email.

Also, you have another password to keep track of to login to vpn.  These are not the same passwords as your email account.  User ID is your ARS email address but the password I need to give you.  Email me if you need this.

                                             
                                               
From: Nehring, Josh
Sent: Tuesday, January 20, 2009 8:18 PM
To: ARS-MWA-Madison-All
Subject: ARS email access through VPN

** If you currently have access to your ARS email through ARSnet, please ignore this message **

As promised, VPN accounts have finally been set up to allow email access through Outlook, Entourage, and Evolution.  Please reference the links below on how to install and set up Cisco VPN on your computers.  The licenses for the clients are good for home use as well.

Installation Instructions
PC: www.dfrc.ars.usda.gov/admin/software/win-vpninstall.pdf
Mac: www.dfrc.ars.usda.gov/admin/software/mac-vpninstall.pdf

File Downloads
PC: www.dfrc.ars.usda.gov/admin/software/latest-win-vpnclient-win-msi-5.0.04.0300-k9.zip
Mac: www.dfrc.ars.usda.gov/admin/software/latest-mac-vpnclient-darwin-4.9.01.0100-universal-k9.zip

ARSnet profile – www.dfrc.ars.usda.gov/admin/software/ARSnet.pcf - this will open as a bunch of text in your browser.  Simply go to File > “Save As” or “Save page as” to save it as a pcf file.  You will need this file at the end of the installation.

 

Note: When connected to ARSnet via Cisco VPN, you will not have access to local network drives and printers. To restore access to these network devices, please disconnect.  If you have any questions or need any help with this, please let me know.

2009-01-21 Entourage Reconfiguration

Software affected: Entourage

Attachments: Entourage Reconfiguration for ARSnet.pdf

From: Nehring, Josh
Sent: Wednesday, January 21, 2009 8:59 AM
To: ARS-MWA-Madison-All
Subject: Entourage reconfiguration

** If you do not use Entourage for ARS email, please ignore this message **

Mac Entourage users:

If you are having trouble accessing your ARS email after you went through the VPN installation, you will need to reconfigure your Exchange server address to:  CO-Mail-02.arsnet.ars.usda.gov and uncheck “this DAV service requires a secure connection (SSL)”.

Please see attached document for detailed instructions.

Thanks,
Josh

2009-01-18 Alternate email addresses have been added to the Email page

We are currently using our alternate email addresses for communication. To see an updated list of addresses within your unit, please go to the Email page.

2009-01-16 WiscMail is primary email

From: Nehring, Josh
Sent: Friday, January 16, 2009 2:22 PM
Subject: WiscMail is primary email
Importance: High

Until we hear further information, please use your WiscMail as your primary email for communications.  Any relevant information coming from ARS will be forwarded to the location from the Admin Office.  RL’s, Secretaries, and Admin staff will be the only ones able to receive ARS email but you can also send to their WiscMail accounts.

Many people may not receive this message because they are forwarding their email to ARS.  Please spread the word to your co-workers that they need to disable their forwarding and use WiscMail as their primary email.  Give them these instructions to do so:

WiscMail - Removing a Forward:

  1. Log into the NetID Account Modification (https://www.mynetid.wisc.edu/modify) page with your NetID.
  2. Scroll down to the Forward Address field, and clear out your ARS email account. Click “Modify Account” to save your changes.
  3. All messages sent to your @wisc.edu address will now stay in your WiscMail inbox.

If you have any questions, please let Travis or me know.

2009-01-15 Update: Suspension of ARS E-Mail Systems

Software affected: Outlook, Entourage, Cisco VPN

Admin Office and Secretaries:
If the email outage is extended through tomorrow, you will still have access to email once you VPN into ARSnet.  Only the admin office and secretaries will have this option.

2009-01-15 Suspension of ARS E-Mail Systems

Hopefully this will clear up many of the questions I am receiving:

  • If you are not in Marshfield or Sturgeon Bay, your email will be affected by this outage.
  • Your current email profile (inbox/folders/calendars/contacts, etc) will be unaffected by this outage.
  • You will receive email that is sent to you during this outage when access is restored.
  • In other words, you will not lose any email due to this outage.
  • Email you receive in Outlook, Entourage or Evolution prior to the outage will be accessible during the outage if you need to read it.  This is not possible for OWA users.
  • HQ does not know when access to the email system will be restored…all they know is that it will be going down at 10:00 pm (CT)

From: Nehring, Josh
Sent: Thursday, January 15, 2009 3:26 PM
To: ARS-MWA-Madison-All
Subject: FW: URGENT: Suspension of Outlook Web Access and Other Web-based E-Mail Systems
Importance: High

The email outage noted below indicates that only Outlook Web Access (OWA) users will be affected by the outage.  However, this will affect Outlook, Entourage, Evolution and OWA users in the entire Madison location, not just OWA.  Marshfield and Sturgeon Bay will only have an OWA outage.  Everyone else in the Madison location will be out of email through the duration of the outage.

Starting at 10:00 pm tonight, here is what will be down:
Marshfield and Sturgeon Bay - OWA email only
Everyone else - All email

No estimated time of availability has been set.  If you have any questions, please let me know.  I will follow-up regarding the outage when everything is restored.

Thanks,
Josh

                                                 
                                               
From: McClanahan, Melinda
Sent: Thursday, January 15, 2009 2:39 PM
To: ARS-ALL
Subject: URGENT: Suspension of Outlook Web Access and Other Web-based E-Mail Systems
Importance: High

A severe cybersecurity threat has been identified that requires the U.S. Department of Agriculture and all USDA agencies to immediately shut down the Outlook Web Access (OWA) application.  OWA is the  application that ARS uses to access email from off-site locations through personal computers, laptops, Treos, and other PDA devices by using https://mail.ars.usda.gov.   

USDA CIO Charles R. Christopherson, Jr. issued a memorandum on January 14, 2009 entitled “Suspension of Outlook Web Access and Other Web-based E-Mail Systems.”  To comply with this mandate, ARS OCIO will disable the OWA application for all ARS mailboxes at 11:00 pm Eastern Standard Time today, Thursday, January 15, 2009.  Only web-based access to email through https://mail.ars.usda.gov will be disabled.  You will continue to have normal access to your email from your office desktops/laptops and Blackberry devices. 

I regret this significant inconvenience to you and the Agency.  However, this action is of the utmost importance to protect the integrity of USDA computer systems and to allow USDA to continue to conduct business electronically with other federal agencies.  I assure you that my office is looking for alternative ways to access email remotely, and I will keep you informed on progress.

If you have any questions, please contact Douglas Page, Chief Technical Officer at douglas.page@ars.usda.gov (301-504-5662) or Bob Fletcher, Deputy CIO at bob.fletcher@ars.usda.gov (301-504-1132).

2009-01-08 ARS SharePoint server is available

The ARS SharePoint issue has been resolved.  All SharePoint sites are available.

2009-01-08 ARS SharePoint server is down

The ARS SharePoint server is currently down.  Headquarters is actively working on resolving the issue.  All SharePoint sites will be unavailable until further notice.

2009-01-05 FDW problems have been resolved

The FDW/BRIO connectivity issues have been resolved.

2009-01-05 FDW is down

FDW/BRIO is currently down. Users are getting a logon screen to the Department’s server, instead of the logon to the website.  The Department is working to resolve the issues.

2008-12-23 Apple iPhone 3G Approval for USDA

On October 24, 2008, USDA approved use of the G3 model of the Apple iPhone (see .pdf).  The G3 model has corrected security vulnerabilities that existed with previous Apple iPhone models which are still prohibited for purchase or use by USDA.

During the period that Apple iPhones were banned, the phone and iPhone service were removed from GSA schedules.  GSA, Apple, and AT&T are working toward re-establishing them on the necessary schedules. ARS OCIO advises you not to purchase the Apple iPhone or service until GSA schedules are restored, due to the complexities involved with procurement.    

I will notify you by email as soon as the GSA schedules are restored.

Tom Houston
Acting Chief Technical Officer
Communications Services Staff
USDA-ARS-OCIO

Attachment: iPhone 3G Approval.pdf

2008-12-17 Critical Microsoft Patch

** If you are on PatchLink, please ignore this message as you will receive this update automatically **

Microsoft released another critical update today that we need to apply to all Windows computers asap.  For all Windows users (including Mac users with Windows running in Fusion or Parallels), please run your Microsoft/Windows updates (http://update.microsoft.com/microsoftupdate/) asap or at the very least, go to the following site and download the applicable patch:  http://www.microsoft.com/technet/security/bulletin/MS08-078.mspx

If you have any questions, please let me know.

2008-12-15 Resolved: Yahoo Blocking ARS Email

Late Sunday afternoon, Yahoo lifted its block of our mail servers and we are again able to send e-mail to Yahoo customers without delays.

If you continue to experience problems, please let me know.

2008-12-12 Yahoo Blocking ARS Email

Email sent from ARS users to Yahoo accounts is not being delivered.  Yahoo’s servers are permanently deferring our delivery attempts, so no message bounces back to indicate that delivery attempts have failed.  So, if you are emailing anyone with a Yahoo email address and are not getting replies, this is why.

The email administrators in Beltsville are doing all they can to restore delivery service to Yahoo addresses.  So far, Yahoo has been unresponsive to the requests.  Until Yahoo lifts the blocks imposed on our servers, we will not be able to successfully email Yahoo accounts.

The main reason this is happening is because two ARS users responded to the phishing emails last week.  The individuals provided their usernames and passwords to the hackers.  The hackers logged into the compromised email accounts on Saturday and sent almost 550,000 phishing messages to external addresses.  The accounts were detected and terminated on Sunday night and Monday morning.  Because of all this spamming, ARS gateways were blocked by other email systems to counter spam.  By yesterday morning, the gateways had been removed from all known blocks except Yahoo.

The issue continues to be addressed with Yahoo and I’ll let you know when this service has been restored.

2008-12-10 Phishing emails

There have been a number of Phishing emails associated with USBank or Visa Verification for USBank circulating in USDA and within the REE community.  Please be aware of the following:

  • You will NEVER receive an email from USBank requesting verification of an account or for any PII information related to an account. 
  • Do not respond to or forward these emails.
  • Notify your IT office when you receive these email notifications. 

To reiterate, please never respond to these requests and never provide personal or travel card information to any email request.

2008-12-08 Fraudulent Email Messages

A number of ARS customers have received fraudulent email messages warning of account deactivations due to inactivity or large mailbox sizes.  These messages are often very persuasive and warn users that if they do not provide information such as account IDs and passwords, their accounts will be disabled or otherwise adversely affected.    Two examples of such messages are attached.

If you have responded to any of these or similar messages within the last week and provided your ID and password, take these immediate steps:

  1. Change your ARSnet password
  2. Contact the ARS Help Desk at 866-802-4877

If you received a message but did not respond, please delete the fraudulent message.  No further action is required.

While these messages may appear to be legitimate, we assure you that ARS/OCIO does not request such account information from ARSnet users. If you receive such a message, please DO NOT send your account ID, password, or any other information to the requester.  Doing so may result in your email account being compromised.   If you receive a suspicious message and have questions about it, please contact the ARS-OCIO Service Desk at 1-866-802-4877.

Attachment 1: Maintenance Notice
Attachment 2: Webmail Help Desk

2008-10-23 Critical Microsoft Patch

** If you are on PatchLink, please ignore this message as you will receive this update automatically on Friday **

Microsoft released a critical update today that we need to apply to all Windows computers asap.  For all Windows users (including Mac users with Windows running in Fusion or Parallels), please run your Microsoft/Windows updates asap or at the very least, download and install the following patch:

Windows XP: www.dfrc.ars.usda.gov/admin/WindowsXP-KB958644-x86-ENU.exe
Windows 2000: www.dfrc.ars.usda.gov/admin/Windows2000-KB958644-x86-ENU.exe

If you have any questions, please let me know.
