I’ve been asked how folks will know that they have been transferred to the new Wayne Connect. The answer is that there will be notification emails a week before the transition and one (business) day before. Then, once you have been transferred, the new mail page will look like this:
Because the new Wayne Connect is part of a larger suite of applications (email, Word, Excel etc.) your login page may look like this:
So you’ll have plenty of warning and you’ll be able to tell immediately. Finally, you will receive an informative email message as soon as the transition has taken place.
In late April I blogged about the new email/calendaring/collaboration system that was going to replace our current Wayne Connect email and calendar system based on Zimbra.
As of this week the new software is gradually being implemented across campus, so this is a good time to remind everyone about what to expect. The most important point is that you don’t need to do anything to implement this new email system–it will happen automatically. In fact, if you get a message telling you to ‘click here’ to upgrade your email, delete the message immediately, and, whatever you do, don’t click—it’s a scam (there have been several phishing messages with this theme over the past couple of weeks).
There are a few things you should do, but they are all essentially ‘back-up’ procedures. Although all your email, calendar entries and address book data will be transferred automatically, your signature won’t be, so you’ll need to recreate it. You can either make a copy of the wording (and images, if you use them) or just wait till after the transfer and look for some email you’ve sent (all the ‘Sent’ messages will be in the ‘Sent Items’ folder) and just you can just copy it from an earlier message to the Signature section of the ‘Options’ page. You can find the ‘Options’ button by looking for the little gear symbol in the upper right hand corner.
Although everyone uses Signatures, there are a few other things that won’t transfer but that only affect some people. If you use Filters in Wayne Connect, they will need to be recreated in the new system. They are easy to make–right click on a message you want to be the basis of a Rule (say, anything that comes from that email address) and choose ‘Inbox Rules’, then follow the instructions. If your old filters are complicated, you might want to note them down so that you can implement with the Microsoft system, where they are called ‘Rules’. Also, Tags won’t transfer, so if you tag your mail, that will also need to be rewritten. Tags are called ‘Categories’ and are based on colors.
Remember that, if you have been using the Wayne Connect Notebook, the files in there will be transferred to your OneDrive area.
Starting today you’ll see a new log-in screen when you go to the web-based version of Wayne Connect. This is part of a long-term project to unify the log-in screens of all of Wayne’s major services, Blackboard, Academica, and Wayne Connect. Although there are esthetic (and ‘branding’) advantages, the main reason is to help all WSU users make sure they are on the right page for logging in. This is crucial because of the innumerable phishing attempts we seem to be getting these days, all of which encourage us to log in to fake WSU pages.
You don’t actually need to do anything different. The log in process is identical—put in your AccessID and password as before. But if you’re worried, look to see that the address bar in your browser is green, it says https, and that there’s a padlock symbol visible. These are the signals that you are actually connecting to Wayne State, and not a sketchy phishing site in Lower Slobbovia.
Here’s what to look for:
Another advantage to this system is that our security office will be able to recognize hacking attempts more easily and will be able to recognize when people have forgotten their passwords and therefore help them in a secure fashion.
The new log-in screen now shows up when you go to Academica and Wayne Connect, and will be phased in for Blackboard and other systems shortly.
You have probably noticed Wayne State has been inundated lately with phishing messages. Some of these have been from ‘compromised’ (that is hacked) computers on campus, while others were disguised to elude our spam filters.
In any case, Provost Winters sent out a message explaining how we can all help keep this deluge down to a manageable level. One of her points, however, might seem strange, and I’d like in this post to explain the rationale behind it.
We all know that passwords are a pain in the neck. Remembering a password is not too difficult, but remembering more than one gets to be a strain on our memories. And, since we have passwords for lots of functions it’s very tempting to reuse them. That is, it’s tempting to use the same (memorable, complex) password for a number of different sites.
Unfortunately, that turns out not to be a good idea, because some websites are not very good at properly protecting your password. Normally passwords are stored on the servers that run websites in an encrypted form (that is, they are scrambled by a computer algorithm that is very difficult to unscramble without a key). There are complex technical details in Bruce Schneier’s first book if you are interested in pursuing this.
The important point is that website owners have a choice about how they store the passwords their customers set up, and they don’t always make the most secure choices. This became clear when a very widely used professional social networking site, which many of us use, LinkedIn was hacked and the encrypted password file was stolen, decrypted and posted online on a Russian site.
While we don’t know exactly how many further breaches and identity thefts occurred because of this break-in, it’s clear that many people got access to pairs of email addresses and passwords. If any of those email addresses were also used to log in to credit card sites, or bank sites hackers had access to lots of sources of money.
So, the ideal solution is not to reuse passwords at all. Just use a different password for every site you visit. This, of course, is highly impractical if that’s all you do. But there are two different ways you can manage this task and still keep your passwords safe.
First, use long passwords that include information about which site they are for. One trick I learned from an IT policy buddy of mine is to start with some string of letters and numbers that is very memorable (your nickname, for example, or your first girl/boyfriend’s name or something) and perhaps the current date, but then to append some reference to the website as part of the password. Say, for example, your first girlfriend’s name was Suzy. Then you could have passwords that look like this:
These are very secure passwords because they have at least ten characters, mixed case and numbers and ‘special’ characters.
Of course, it’s still a non-trivial cognitive task to remember all these passwords, which brings us to the second option: a ‘password wallet’. There are a number of these on the market. They require that you set one memorable, but complex password for the manager itself, and then store all your other passwords in the wallet. They all have the same features—a spreadsheet-like interface that includes the name of the website, its URL and your username and password. They always have some button that copies the password to your computer’s memory, so you can just paste it into the relevant box on the website you’re logging in to. The advantage to this system is that you can have very long, totally non-memorable and therefore completely uncrackable passwords. As long as you can open the wallet, you can just copy the password without your even having seen it. This means you can actually have lots of passwords you don’t even know. Talk about a secure password….
Of course, you really need to remember the password to your manager or you are out of luck. Some of them are free, and some have free and relatively low-cost premium editions. Here are several password wallet apps that I and Kevin Hayes, our Chief Security officer, recommend:
Finally, here’s XKCD’s thoughts on the matter:
Recently Wayne State University was attacked, a small skirmish in a diffuse, ongoing cyberwar, albeit without a single, defined enemy. This is an account of what happened, why it happened, and how the university responded. I have tried to make the explanation of each event relatively non-technical, but a certain amount of geekery seems unavoidable.
On May 11, at 9:48 in the morning 182 University computers received an email message from a computer belonging to a local contractor who was doing work on the WSU campus. The message had the subject line ‘invoice’, and the text of the message said merely ‘Check invoice’. There was a zip file attached. A zip file is a data file that has been ‘compressed’ so it can travel more easily over the tight ‘passages’ of the email system. It’s a perfectly respectable way of making large files (such as pictures, pdf files and such) fit within email size limits.
However, when the recipients clicked on the file labeled ‘invoice123.zip’ it extracted into a file named ‘e9058.pdf’, which showed up on the screen as a file with an attached (blurry) image of the Adobe Acrobat logo, making it look like a real pdf. When the respondents with Windows computers (but notably not Macs or Linux machines) then ‘opened’ the pdf file, the following things happened:
- that person’s computer connected to some external websites
- from which it then downloaded additional malware, which proceded to search their computer for personal banking logins
- it then connected to remote ‘command and control’ servers. passing control of the computer overseas.
- finally it looked in the local Outlook address book and used it to send the infecting email message to addresses it found there.
It took about an hour for the first three computers to get infected, but the attack was discovered by the C&IT Security office after the second computer began spreading the virus. Between the time that the second computer was detected and when it was shut off the network, seven minutes elapsed, and during those seven minutes that computer sent out 4462 virus emails.
By the time the third computer was infected, C&IT’s security office was able to take action to stop the further spread of the virus. A set of filters on the WSU email system blocked transmission of the zip file, but by noon 150 computers had been infected, and 111 of them were sending out email with the attached zip file.
You might wonder why our Symantec antivirus software didn’t detect the infection when the attachment was opened. The answer is that Symantec (and all other antivirus systems) rely on known virus ‘signatures’ (identifying features), and this was what is known as a ‘zero-day’ attack—a brand new virus never before seen ‘in the wild’. It takes the antivirus people a day or so to develop the specific tools needed for each new virus and distribute them to their users.
In addition, because the virus relied on Outlook address books, people got email from people they knew, who did occasionally send them invoices.
The spread of the virus was effectively stopped by 11:50. Our security team isolated it and determined that it was connecting our computers to Serbia and Ukraine. The Security team then set the university firewall to block connections there, and identified all of the infected computers.
In order to clean up the infection those machines maintained by C&IT (i.e. managed by the DeskTech unit) were reformatted, and outside of the DeskTech domain local administrators were given guidance on how to clean the machines under their control.
In addition, within the DeskTech domain a program called AppLocker was turned on. This prevents computers from running software that did not have an appropriate signature, or which were installed in nonstandard places in a computer (i.e. not in Program Files). Unfortunately this broke a number of specialized programs that various people around campus relied upon, and special rules had to be written to fix this.
By the evening only a few infected computers were not yet fixed,and the original attacker used that to their advantage. Overnight new instructions were passed down to these few straggling machines, and the next day a new attack was launched, sending attachments with different names, but the same modus operandi. These were blocked within 20 minutes of the first occurrence, but to ensure no further attacks, there was a temporary block placed on all zip files sent through the email system. Since there are many legitimate uses of zip files, this block will be ended shortly.
Meanwhile, everyone who was affected was required to change their WSU passwords. Careful examination of system logs showed that four of those AccessID’s were tried from Russia (while their owners were at work on campus) but none of the logins succeeded, so apparently no passwords were compromised.
What can we learn from this adventure?
The faster the IT security guys can act the less harmful the infection. Forwarding suspicious emails to the Security Office (or dragging them to the Phishing applet in Wayne Connect) is valuable. A delay of even an additional hour could have been catastrophic for the campus.
Smooth coordination between the security office and desktop support enabled the spread of the infection to be halted quickly.
We continually remind folks not to click on attachments they don’t expect from people they don’t know. Now we need to modify this—don’t click on any attachment, regardless of sender, unless you are sure it is safe. The text of the email message should reference the content of the attachment and you should be expecting that content. If it doesn’t either phone the sender or just delete it.
Finally, if you’d like to learn more about how to resist phishing attempts, you can take the anti-phishing training we make available through Accelerate, HR’s online training system. To get there, log in to Academica, then search for ‘Accelerate’ in the search box (unless you’ve already been there, in which case it should show up in your personalized links). Start Accelerate, then Browse the Catalog, C&IT Security Awareness Program, and finally PhishProof (Part 3), Launch.
Most people know that a sophisticated phishing attack has hit the campus over the past few days. It came from within the campus, and consisted of a message saying ‘Check invoice’ and had an attachment that was a .zip file. If you clicked on the link (say because it came from someone you knew, and did occasionally receive invoices) your computer was infected and it immediately began spreading the infection further.
So, for right now C&IT is blocking all .zip file attachments. And it just reinforces the message that we have been sending: ‘Don’t click on attachments you aren’t expecting’.
But there’s another lesson also. If you do need to send an attachment (and it’s not inherently a bad thing to do) say something in the email message itself about what the attachment is and why you are sending it. So instead of ‘Check invoice’ say something like ‘Here’s the invoice from the Blixeldorf Corporation that we were waiting for’. That kind of text in an email message is impossible to fake (and, of course, if the recipient wasn’t waiting for that invoice they’ll know it’s fake).
So don’t open mystery attachments, and make sure any that you send aren’t mysteries to the people you send them to.
If you do need to send a .zip file in the coming days, you can do so via Wayne Connect Briefcase.
Many of us received a message from C&IT today announcing the new Wayne State email system, which will be called Wayne Connect – Powered by Microsoft. There are a number of new features that everyone will be happy about, and this blog is intended to highlight several of them.
First, everyone will have a personal storage, collaboration and sharing tool called OneDrive. Some of you may use this already, and it’s very similar to competitors such as Dropbox and Box. It has the advantage of being much more secure, but has all the features that have made these tools so popular—you can share specific files with specific people (ending the need to share large files by emailing them), or with groups (making collaborative writing tasks much easier). OneDrive comes with 50GB of storage for all users—way more than the 12 GB we have now.
Skype for Business
The new system also comes with Skype for Business, which is an IM client, but also allows for audio and even video conferencing (if you have a microphone and camera on your computer).
Email, calendars and address books
But, of course, Wayne Connect is also an email and calendaring system. You will have the choice of using the web-based client, which will be very similar to the current Wayne Connect Zimbra-based system (or Outlook 365, if you use that). Alternatively, you can use (or continue to use) the desktop Outlook program instead, or in addition. In fact you can use any email client, including the ones on your phone or tablet, or Mac Mail, or… Each one has advantages and disadvantages. The desktop version allows you to import .ics calendar files, so you can import appointments from, say, Tripit or OpenTable. The web-based version is of course available wherever you can get access to a browser.
What you don’t need to do.
All your current Wayne Connect files will be moved into the new system over the next few months, so all your back email and old appointments will be there, as will your address book, so you don’t need to do anything to keep all that stuff.
What you do need to do
There are a few small wrinkles in some corners of the system. If you use filters they won’t transfer, so you’ll have to rewrite them, and you’ll need to recreate your signature file(s) and any file permissions you might have set up.
If you use Briefcase you’ll need to move all your files into the main folder—any additional folders you might have created won’t transfer.
These details can be found here
I have written in the past about how Youtube’s copyright robots take Youtube videos down if their digital brains sense a copyright violation. They know nothing of ‘fair use’, ‘parody’ or any reasonable ‘exception’. Today Rand Paul announced he is running for President, and the video announcing it has been taken down:
The strangeness of copyright culture in our country continues. I should add that I am posting this late on Tuesday afternoon, when what shows up when you click on the link is this:
For the gory details on why this link is video non grata, incidentally, you can go here.
The phishers have a new trick–they send you an email purporting to be from iTunes or Amazon that tells you someone hacked your account and bought something. ‘Just click here and reset your password’. I got one the other day–it looked like this:
Hovering over the iTunes link reveals eurekaequestrian.com, not ‘apple.com’. Apparently Amazon has been having the same problem. Here’s a page from Amazon explaining that they don’t send that kind of email:
So, in short, it’s really important to read url’s, both the obvious ones (many of us got one today that was ‘wayneedu.zyro.com’) and the ones that only appear when you hover over them. When in doubt, hover. And when in doubt, don’t click.
Many WSU faculty (50% of them, to be precise) have been receiving requests to take part in a national survey of faculty attitudes towards technology at the university. The survey is being run by Educause, the national educational IT organization. This is the second year this survey has been run, and last year’s survey produced some interesting results about faculty interests and desires around everything computing-related.
Last year’s results, which are available in ‘infographic’ format here:
Some relevant findings from last year:
- Nationally, fewer than fifty percent of faculty are satisfied with IT support for research.
- Opinions on the use of smartphones in class are mixed, with about half of faculty banning or discouraging them and only a third encouraging or requiring laptops (I myself don’t see how I could ban smartphones, and I’ve taught classes where laptops were required because we were all learning how to use some online tool).
- Many faculty feel they could be better at using web-based content and online collaboration tools in their courses, but there was less enthusiasm about social media as a teaching tool.
There are two versions of the survey, one that takes about twenty minutes to half an hour, and another that takes only ten minutes. Whichever one you choose, your participation will be greatly appreciated, and will help C&IT plan our investments for the next couple of years.
Look for a reminder and your personalized invitation to join in the survey tomorrow. If you don’t get one, you’ll be asked to participate in a more general survey of IT satisfaction that all other faculty, staff and students will take part in later this semester.