My colleague and acquaintance, Bruce Schneier, wrote a good article about what we can learn from the Wannacry attacks of last month. It’s both in the Washington Post and the Metrowest Daily News (the WP article is behind a paywall for me, but you may be able to read it).
P.S. I have recently retired, but will occasionally return to post on important issues related to security and privacy.
Although all Wayne State employees have the ability to download and use the Microsoft Office Suite (including Word, Excel, Powerpoint etc.) it is only available to current employees. When you retire you will probably find that eventually the license will expire. Then what do you do?
One simple possibility is to purchase an individual license for the Suite, which is available from Microsoft for $99/year. If you are not comfortable doing that, there are several options available that I will outline here.
If you really want to stay within the Microsoft environment, all Wayne State employees, students and retirees have access to the online versions of all of these programs. The online versions are not as powerful as the desktop versions (for example the online Word doesn’t have Track Changes, which makes it useless for sharing editing tasks), but they are good enough for most tasks, and are free as long as you have access to Wayne Connect.
Otherwise, if you are comfortable in the Google universe, there is a complete set of tools available for free from Google. These include Google Docs, Sheets, and Slides. They only work online, but all of them allow conversion (and downloading) to the more widely used Microsoft equivalents (and conversion can go both ways). The interface is quite different from the Word (etc.) interface, but does everything that most people need to do (Sheets probably doesn’t do the kind of complex statistical and modeling that Excel can do, nor the complex formatting you can do with Word or similar dedicated word processors). Here’s a screenshot of what a sample CV document looks like in Google Docs:
Second, if you are willing to spend some money there are high-end competitors to Word that do some tasks better than Word. I have for twenty years used Notabene, a powerful academically-oriented word processor written for those in the humanities. It has built-in support for commonly used scholarly languages (anything using the Roman alphabet, Hebrew, Greek, Arabic) including the ability to mix left-to-right and right-to-left orientation in the same line, a powerful, built-in bibliography program that both stores and inserts references following commonly used style sheets, and a textbase app that permits you to index your files and search for anything, then insert the relevant context into a document. But it’s about $400 (although you can try it out for free—it just won’t print). On the other hand, that’s a one-time only expense, since you’re actually buying it, not licensing it. Here’s a screenshot of a multilingual document in Notabene1 :
Finally, there are some decent free alternatives beyond the Google suite. I have been playing with WPS Office for Windows, which is a free download for Windows, iOS, Android and Linux. It has a user-friendly interface that greatly resembles Word (and Excel etc.) and can handle their files with ease. It’s free, although there’s a relatively reasonable subscription version (WPS Office for Windows Premium) that goes for $25/year. You can find it at wps.com/office-free.
Another free competitor comes in at least two flavors: Apache OpenOffice and LibreOffice. They are very powerful office suites, but I find their interfaces somewhat user-unfriendly for those who are used to the Microsoft varieties. These programs are open-source, which means that they are being developed by communities from computer source code that is open to anyone. As with all the other alternatives, these permit conversion to and from the more familiar .docx and .xlsx formats.
Finally, if all you want to do is read Word, Excel and Powerpoint files, you can download viewers that permit you do just that: Word Viewer.
In short, although it’s a little annoying, you can keep working from home after you retire. As I plan to do…
 I am not affiliated with Notabene, but I have been using it since 1987. Another multilingual word processor is Nisus.
I have received many questions from my friends about what to do now that Congress voted to repeal the online privacy rules created last October by the Obama administration.
The first thing to do is to avoid panic. Those privacy laws never took effect, so I believe we are now no worse off than we were before last October, although some commenters are disputing this.
What did the proposed regulations do? They would have forbidden your internet service provider (ISP) from collecting and using data of your online activities. Particularly from selling that data to other merchants (such as Amazon or Facebook).
When you browse the web from home (or from your phone) your ISP (Comcast, AT&T, WOW, Verizon etc.) routes your traffic from your device to the website you are visiting. That information is, of course, stored by your provider and can be aggregated and sold to the highest bidder. And, of course, if the information is stored, it can be subpoenaed, seized through a national security letter or stolen and sold online to somewhat less reputable people than Comcast.
And all of these things have happened already (Schneier’s article cites real examples):
- What the repeal of online privacy protections means for you, The New York Times
- Congress removes FCC privacy protections on your internet usage, Schneier on Security
- Five creepy things your ISP could do if Congress repeals FCC’s privacy protections, Electronic Frontier Foundation
What can you do to prevent your ISP from seeing where you browse and what websites you look at?
The best solution is to use a Virtual Private Network (VPN). A VPN is like a tunnel that routes all your internet browsing through a neutral pathway so that nobody outside the tunnel can see it. Your browsing is encrypted from your computer to the entrance to the tunnel and outsiders can only see traffic from the tunnel to your target website. Thus nobody can tell where you are browsing.
VPN’s were developed to permit protected information being transmitted across the web. If you are a Wayne State employee you can use the Wayne State VPN. If you do so, your computer (or smartphone — the VPN works with those too) talks only to Wayne State, effectively making it part of the Wayne State network. But any browsing traffic (or downloading) is encrypted, so that nobody can snoop on it (with the possible exception of the NSA, although there is some dispute about whether even they can break 64 bit encryption). You can learn about, and use the Wayne State VPN here: computing.wayne.edu/vpn.
Even if you’re not worried about Comcast or AT&T snooping on your web activities, there are good reasons to use the VPN, particularly if you are not at home. Random Wi-Fi connections in public places are notoriously vulnerable to snooping, and the VPN will protect your laptop or smartphone there. And, of course, I have written over the years about international travel and the possibility that other governments might watch over your shoulder to read your email or other activities. A few countries (China in particular) attempt to block the use of VPN’s, although they generally leave universities alone.
When you use a VPN all traffic from your computer to the website you are looking at goes through the Wayne State (or alternative–more below) first, and is encrypted from your computer to the target website. That means if someone snoops on your computer all they see is encrypted traffic from you to Wayne State. They can’t see where you are browsing.
Here’s a diagram of what happens when you DON’T use a VPN:
And here’s a diagram of what happens when you DO use a VPN:
It should be said that for older machines and slower network connections there might be a slowdown in how fast a page loads, and we don’t recommend using the VPN for streaming movies.
One last thing: be aware that when you visit a website whose URL begins with https: any text you transmit to that site is encrypted, but any site that begins http: is not encrypted. In addition, sites with https: are authentically what they say they are. You can tell this because there is a green padlock in the address bar, and the text sometimes includes the name of the company.
If you don’t have access to Wayne State’s VPN there are .alternatives. Kevin Hayes, our Chief Information Security Officer recommends not using the various free VPN’s on the market, pointing out that ‘if you are not paying, you are not the customer’. However, PC Magazine has a rating of various commercial VPN options here: pcmag.com/article2/0,2817,2403388,00.asp.
After serving as chief privacy officer for the past year and a half, I will be retiring from Wayne State University at the end of the winter semester. We have been given permission to search for a replacement, so I thought I’d use this platform to say a little about what a Privacy Officer does.
The simplest way to describe it is to link to my Educause blog on “A day in the life of a Chief Privacy Officer.”
However, if you’re interested in the tl;dr1 version, allow me to give you the “elevator speech.” Universities, like nearly all other organizations, hold information about any and all people they deal with. For universities this includes data about students, faculty, staff, alumni and visitors. In 2017 it tends to be electronic records, although there are still thousands of pieces of paper with data on them as well.
Some of those records are sensitive. This means that the information could harm the person it refers to if it is released, or that its unauthorized release would subject the university to legal penalties because the data is protected by law. Or both. For example, social security numbers have become toxic (as we say in the privacy world) because those numbers can be used to commit identity theft. Student records such as grades are protected by the federal law known as FERPA and could cost the university embarrassment and money if they are released to unauthorized persons.
The privacy officer’s job is to help the university keep those records safe from inappropriate release by developing policies, by ensuring that employees are trained in how to apply those policies, and by reviewing how new methods of storing data (such as new versions of Banner or Academica) are configured to ensure the data therein is properly locked up.
This means serving on a lot of committees, meeting with administrators and researchers storing sensitive data, and speaking to groups such as the Academic Senate and the Administrative Council. It also means working closely with the Office of General Counsel, Internal Audit, the Associate Provost for Academic Personnel, and serving on the leadership team of C&IT.
If you think you might be interested in learning more about this position, you can find it listed at jobs.wayne.edu under position number 042601.
1 This popular internet acronym stands for ‘too long; didn’t read’. Usually an expression of disapproval.
By now most people have heard about the WikiLeaks revelation that the CIA has for years been developing programs to break into iPhones, Droids and Samsung TV’s. Assuming you don’t want them to do that, it turns out there are ways to keep them out of your house.
First, the background. WikiLeaks is the infamous source of supposedly secret data managed by a consortium and led by Julian Assange (who is currently living in Ecuador’s embassy in London to avoid extradition). On Tuesday, WikiLeaks released thousands of pages of data supposedly lost by the CIA (and hence floating around the less public areas of the internet). These include programs for hacking Skype, your Wi-Fi router, Apple and Android smartphones, the apps Signal, Whatsapp, Telegram and more — several millions lines of code (computer programming). So far crucial bits of the code have been redacted by WikiLeaks to prevent it from being used by those who download the files.
But what if you think there’s no reason for the CIA to be snooping on your devices? Unfortunately, WikiLeaks released these files because they were floating around “in the wild” already, which means that not only the CIA but other folks have access to them. And, whatever you think of the CIA, we have no assurance that the outsiders who passed these files around have motives as “pure” as the CIA’s.
There’s been some discussion about whether these files are authentic, but betting in the security community is that they are. Bruce Schneier, who I consider to be a reliable judge of such things, seems to believe they are real and has discussed the topic on his blog twice now:
What you can do
Can you do anything to protect yourself against these tools? Probably, yes. The New York Times had an article on Thursday detailing simple steps you can take to make your devices somewhat more secure. The primary thing is to keep your operating system up to date. This is not news, of course — we in the C&IT Security/Privacy team have been saying this for years.
Make sure your iPhone is using iOS 10 if it can (any iPhone with a model number of 5 or above and any iPad younger than 2013 can run this OS).
For Android devices, (both phones and tablets) any version of the Android OS after version 4.0 should be safe, but older devices such as the Samsung Galaxy S3 won’t run it.
To protect your Wi-Fi router, you are advised to upgrade to the latest firmware, but this is rather trickier to do unless you are comfortable logging in to your router, but you can probably get your internet service provider’s help desk to talk you through the task.
Unfortunately it doesn’t seem so easy to lock your Samsung SmartTV down. Of course, you can always unplug it when you’re not watching it1, although then you have to wait for it to boot up before you can head over to Amazon to watch Mozart in the Jungle or whatever your favorite online streamed program happens to be.
1 Just turning the TV off with your remote does not turn it off. It’s still in listening mode and a malicious hacker can also turn on the camera — yes SmartTV’s have cameras. So watch the hanky-panky in front of your TV — someone may be watching.
Much of the campus received a message earlier this week to fill out an IT Services Survey. I have been contacted by many people asking whether the survey was legitimate, or whether it was a phishing attack.
Let me first say that I very much appreciate folks asking me whether this is real. It means our training is having an effect and people are learning to be skeptical of email messages that ask them to click on things. That is exactly the right attitude to have!
That said, let me point out a couple of telltale indicators that this message is real:
If you hover over the link that is provided, a tiny window will pop up (on Firefox it appears in the bottom left corner) showing the actual URL that you will go to if you click the link. Always hover over a link if you are suspicious. If the pop-up address and the one visible in the actual message match, then you are about to go to the website claimed. In this case, the website belongs to techqual, a company many of you already know about — it’s Wayne State’s source for running this survey. Here is a screenshot of what that looks like in my Wayne Connect mailbox — the arrow points to the popup URL.
If you are interested in learning more about how to recognize phishing emails, our Chief Information Security Officer, Kevin Hayes and I will be conducting anti-phishing training on Thursday, March 23, at 11 a.m. in the Purdy-Kresge Auditorium. Come and learn all the telltale signs of phishing emails and why we keep getting these attacks. And, of course, what you can do to protect yourself. No advance registration and no technological knowledge is required. Learn more at events.wayne.edu.
Most Wayne State folks have now received their W2 forms and are probably putting off thinking about submitting their income tax returns, so now is the time to start worrying about all the things that could go wrong.
As most readers will remember, Wayne State was one of a number of universities whose employees were hit with fraudulent returns last year. This happens when someone illegally files in your place, fiddling with the numbers so that they will get a refund. Generally speaking, when this happens you are not on the hook, but it can be a pain in the neck to get it sorted out and it will probably interfere with your filing for several years afterwards, so it’s a good idea to take actions that will reduce the likelihood of being a victim.
There is a limit to what you can do, but I’ve collected all the key safety steps here — the major step you can take is to increase your vigilance online. Do not share your social security number (which means it should never appear in an email or anywhere else other than where it is legally required [such as on your tax return]). And although your bank needs to know it, there is no reason it should appear on any bank website or on any paperwork you receive through the mail from your bank. Of course, it will appear in correspondence with the government (such as a dreaded letter from the IRS or correspondence with the state or city about taxes owed or a happy letter about refunds due).
The most effective positive action you can take is to file as early as possible (although a friend of mine posted on their Facebook page a couple of days ago that someone had already filed in their place). I realize it’s as American as apple pie to put it off till the evening of April 14, but it is a good defensive strategy to file really early.
Additionally, it is extremely important you do not let yourself get phished. Phishing (luring victims in with realistic-looking emails) is the most widely used weapon in identity theft. In fact, we will be doing one (or perhaps more) anti-phishing training sessions over the next couple of weeks. Our Chief Security Officer, Kevin Hayes, and I, your Chief Privacy Officer, have a roadshow we’ll be starting shortly. The first presentation will be on Feb. 10 at 1 p.m. in Bernath Auditorium. We’ll explain how phishing works and what you can do to fight back.
For the next couple of months we will be focusing on the rapidly growing area of privacy concerns that are raised by the technologies that are ubiquitous in our current age.
In our houses, new devices such as refrigerators and home thermostats are connected to the internet — but who is also looking at our milk or when we have set our thermostats to ‘away’?
Or, in another arena entirely, large organizations like universities collect huge amounts of data on their customers (read: students) and then use that data to mine for information about what is likely to happen to them (for example, which students are likely to not do well in a specific course). In addition to the tricky philosophical issues involved in this kind of big data research, there are also questions of privacy. Who should see these predictive analytics? Should students know what predictions are being made about them? Should their teachers? Their advisors? The legislature? The police? These questions about the right way to use Big Data are being discussed and debated in universities around the world.
Thursday, Jan. 26 is National Data Privacy Day and the Privacy Office, C&IT and University Libraries are sponsoring a web-based talk from 1 to 2 p.m. in the Simons Room (on the first floor of Purdy/Kresge Library; refreshments will be provided).
The speaker is Cindy Compert, who is Chief Technology Officer for Data Security and Privacy at IBM. Further details about the talk can be found here:
Later this spring, additional live speakers will be announced. Watch this space and campus announcements elsewhere for details.
The goal of this campaign is to raise awareness of privacy as an important issue and perhaps to gather a group of people on this campus who are interested in ongoing conversation about these issues.
Image source: http://www.top10bestwebsitebuilders.com/how-to-create-a-website/free/free-privacy-policy-generator
Roughly two months ago the university introduced Duo, a two-factor authentication system to protect sensitive data held by the university. It did this in response to innumerable phishing attacks, some of which succeeded well enough that faculty paychecks were stolen and systems shut down because some of us opened sneaky emails and followed the instructions therein.
In order to limit the damage that these phishing attacks cause, we decided to make it harder for scammers to break into our systems. By requiring that everyone confirm that it is indeed them, and not a crook from Antarctica (or perhaps someone from closer in), who is attempting to enter grades or change direct deposit banking details, we hope to save the university a lot of money and our employees a lot of heartbreak.
Duo simply provides a simultaneous parallel avenue of logging in, in addition to the combination of AccessID and password. The parallel avenue can be a smartphone, a simple cellphone, an office telephone or several other routes. Think of it as having both a key to the door and facial recognition software. Or someone waiting to hear you say, “Joe sent me.”
For complete instructions on how to use Duo you can see my previous blog, the notice the university sent out in early November, or the computing.wayne.edu information page. Finally, here are step-by-step instructions.
There are a few minor glitches people have discovered. If you want to put the Duo app on your smartphone and your credit card details with the iPhone App Store or Google Play Store have expired, you’ll have to put in current information. Note that this is Apple and Google’s rule, not Wayne State’s or Duo’s. They don’t want you downloading other apps for free, even though Duo itself is, and always will be, free.
Another minor glitch is that some folks apparently missed the Duo roll-out entirely, which indicates that they never looked at anything in Academica that was connected to Banner (such as their paystub, their benefits or their classlists) before final grade submission began. I would strongly recommend reading messages that C&IT sends out — it really might be important 🙂 And we try hard not to overwhelm the campus with email announcements.
 True story. Many years ago I was a member of a committee of fairly well-established WSU researchers. One of them told the committee that he instructed his junior colleagues to delete any messages that came from the WSU administration without reading them. He said they should stay away from university politics. My first reaction was, “What if the email message from the Chief Holt was warning them about an active shooter in their building?”
As I’m sure you know, the internet is an increasingly dangerous place, and the most frequent source of compromised computers is people responding to phishing emails. The Security office at C&IT is working 24/7 to keep track of phishing and block people’s access to bad sites, but unfortunately it is just not enough, so C&IT is about to introduce two-factor authentication for certain WSU websites.
The danger with phishing is that people will log into websites that are not what they seem to be, and input their credentials (AccessID plus password) . The bad guys running the phony websites then take those credentials and use them to log into sensitive Wayne State sites, like your bank direct deposit setup page, where they redirect your paycheck to a bank of their choosing. And yes, this has indeed happened recently to Wayne State employees. They also use those credentials to install bad stuff on your computer, which they then use to attack other computers within Wayne State.
Since people are easily fooled into clicking on things they shouldn’t, we’re also combating the problem from our end, by beefing up security on certain Wayne State websites—pages within Academica, like PayStub, Direct Deposit etc. We are introducing what is called ‘two-factor’ authentication. (The current system is ‘one-factor’ authentication, where you simply type your password, which is ‘something you know’ into a box). Two-factor authentication adds an additional layer of security by having you touch ‘something you have’1. Wayne State has contracted with Duo, a nationally-known Ann Arbor-based company to implement this additional layer.
How does it work?
If you have a smart phone (iPhone, Droid, Windows phone) you can download a free app on the device, and go through a simple registration process. You get the app in the usual way (from the App Store/Google Play etc., by searching for ‘Duo’). You go through a one-time set-up process, and after that, when you log in to the sites that WSU has protected through Duo, your phone will pop up an ‘Approve’ or ‘Deny’ button:
If you push ‘Approve,’ Timesheet, Pay Stub, and a few other websites, such as native Banner2, will open up. There are additional wrinkles that can simplify your interaction with Duo–you can read about them here.
If you would prefer not to use Duo’s app, you have many other choices. You can choose to receive a text message and then type that number into the website, or a phone call (where you can just press # as a response). And there are other ways to do it too. Details can be found here.
If you don’t want to use any device (smart phone, tablet, flip phone, computer) there are other ways to log on (contact the C&IT Help Desk for additional information).
For much more detail on how this works, go to our FAQ.
Many universities and other organizations with sensitive websites that everyone needs to access are moving in this direction. Normally it only adds one or two seconds to the time it takes to log on to Academica or Banner (C&IT employees have been using Duo for a few months, based on the cutely-named notion that we should ‘eat our own dogfood’).
As always, if you have questions you can contact the Help Desk, or you can add a comment below–I always read and respond to comments.
1 You can read about this way of classifying security methods on this website.
2 Technically you will need Duo whenever you access ‘Self-service Banner’. This includes facilities you access from Academica such as Pay Stub, Time Sheet, Direct Deposit, tax forms etc. In short, to get to any page within Academica that looks like this: