Wayne State University

Aim Higher

Oct 11 / Geoffrey Nathan

Two-factor authentication is coming to your phone (or other device)

As I’m sure you know, the internet is an increasingly dangerous place, and the most frequent source of compromised computers is people responding to phishing emails. The Security office at C&IT is working 24/7 to keep track of phishing and block people’s access to bad sites, but unfortunately it is just not enough, so C&IT is about to introduce two-factor authentication for certain WSU websites.

The danger with phishing is that people will log into websites that are not what they seem to be, and input their credentials (AccessID plus password). The bad guys running the phony websites then take those credentials and use them to log into sensitive Wayne State sites, like your bank direct deposit setup page, where they redirect your paycheck to a bank of their choosing. And yes, this has indeed happened recently to Wayne State employees. They also use those credentials to install bad stuff on your computer, which they then use to attack other computers within Wayne State.

Since people are easily fooled into clicking on things they shouldn’t, we’re also combating the problem from our end, by beefing up security on certain Wayne State websites—pages within Academica, like PayStub, Direct Deposit etc. We are introducing what is called ‘two-factor’ authentication. (The current system is ‘one-factor’ authentication, where you simply type your password, which is ‘something you know’ into a box). Two-factor authentication adds an additional layer of security by having you touch ‘something you have’1. Wayne State has contracted with Duo, a nationally-known Ann Arbor-based company to implement this additional layer.

How does it work?

If you have a smart phone (iPhone, Droid, Windows phone) you can download a free app on the device, and go through a simple registration process. You get the app in the usual way (from the App Store/Google Play etc., by searching for ‘Duo’). You go through a one-time set-up process, and after that, when you log in to the sites that WSU has protected through Duo, your phone will pop up an ‘Approve’ or ‘Deny’ button:

Duo on iPhone

If you push ‘Approve,’ Timesheet, Pay Stub, and a few other websites, such as native Banner2, will open up. There are additional wrinkles that can simplify your interaction with Duo–you can read about them here.

The process for other flavors of smartphone is the same. See here for Android and scroll down on this page for other devices.

If you would prefer not to use Duo’s app, you have many other choices. You can choose to receive a text message and then type that number into the website, or a phone call (where you can just press # as a response). And there are other ways to do it too. Details can be found here.

If you don’t want to use any device (smart phone, tablet, flip phone, computer) there are other ways to log on (contact the C&IT Help Desk for additional information).

For much more detail on how this works, go to our FAQ.

Many universities and other organizations with sensitive websites that everyone needs to access are moving in this direction. Normally it only adds one or two seconds to the time it takes to log on to Academica or Banner (C&IT employees have been using Duo for a few months, based on the cutely-named notion that we should ‘eat our own dogfood’).

As always, if you have questions you can contact the Help Desk, or you can add a comment below–I always read and respond to comments.

_______________________________________________________________________________________________

1 You can read about this way of classifying security methods on this website.

2 Technically you will need Duo whenever you access ‘Self-service Banner’. This includes facilities you access from Academica such as Pay Stub, Time Sheet, Direct Deposit, tax forms etc. In short, to get to any page within Academica that looks like this:

Self-service Banner image


Oct 5 / Geoffrey Nathan

What does the Yahoo Breach mean? Fix your password now!

You may have heard that Yahoo suffered a security breach which they revealed last week, although it’s not exactly clear when it happened, or even when they became aware of it. You probably don’t think this matters to you, but you might be surprised. There are some things you should do immediately, and some things you should do in the next few days.

First the facts: According to Reuters, at least 500 million (yes, half a billion) accounts were hacked. That means that user names, email addresses, telephone numbers, birth dates, and encrypted passwords were all stolen. Unencrypted passwords and payment data (bank account information) were not taken. According to Bruce Schneier this is the largest breach in history.

Yahoo is claiming that the breach happened in 2014, and that they became aware of it recently, although some have questioned that claim.

So what does this have to do with you? First, if you know you have a Yahoo account, change the password now. Although they claim it happened two years ago, unless you’re sure you’ve changed the password since then, change it now.

Second, many other things are linked to Yahoo. For example, if you have a Uverse account, and use the email address associated with it, that’s the same set of credentials. The same for Flickr. Also, change the security questions (and especially the answers).[1]

Finally, if you used the same password for any other account, particularly your Wayne State email/Academica/AccessID account, CHANGE THE PASSWORD NOW!!! Especially if you have the same access ID (i.e. as I do, geoffnathan@yahoo.com).[2]

This is a good reason, unfortunately, for the annoying requirement for frequent password changes—people reuse passwords. On the other hand, if you use a password manager (like LastPass or Dashlane or Keepass) you don’t need to worry about it. You can read a discussion of the various password managers here.

Finally, check back here later in the week to hear about a new security measure C&IT will be implementing that will change the way you get to things like your pay stub, your time sheet and your direct-deposit information in Academica.


[1]    This is a good time to reiterate that you should not use standard answers to security questions. So if it asks you your mother’s maiden name, LIE. Nobody cares, and that answer can’t be Googled, and isn’t on Facebook. Just make sure you record your answer somewhere where you can find it.

[2]    And, before you can get smart with me, as I am writing this I have already changed it.

Aug 29 / Geoffrey Nathan

Important IT stuff that you might have missed over the summer

As we gear up for a new semester (some of us can’t believe we’re well on the way to 2017), I thought I’d remind folks of a few things that happened over the summer that will affect you (or, in some cases, have already done so).

As you may recall, President Wilson issued a new policy dealing with procedures for traveling internationally on university business (such as attending conferences, giving talks, consulting on aid projects and so on). From now on, you will have to answer a short questionnaire before you can get to TravelWayne, in order to ensure you do not put yourself and the university at risk of violating assorted State Department and Federal Trade Commission travel restrictions. You can read the details here.

Secondly, it is well-known that using security questions to make sure it is you (and not some hacker) resetting your password is not the most secure process. So C&IT replaced the system of security questions with a requirement that everyone provide an alternate email address to which the reset password link may be sent. Most people should already have done this, but here’s some additional information on how it works.

Finally, there are a few things coming up that you will need to be aware of. We will be rolling out a two-factor authentication system later in the semester that will make access to critical data sources (your direct deposit bank details, your W-2s and access to Banner for those who have it) more secure. Details on that system will follow in late September. In addition, there will be changes in Banner and a little tighter control on access to sensitive student data.

Hope the beginning of the semester is smooth. And, if you’re new to Wayne State, welcome!

Jul 22 / Geoffrey Nathan

Another way to make your email more secure

Nowadays it’s easy to lose track of passwords, because we have so many. And if you forget your password, there are various ways that email system owners verify that it’s ‘you’ before allowing you to reset it. For many years Wayne State has provided a series of  ‘challenge questions’, which you set answers to. Unfortunately the built-in questions are sometimes ones that make it very easy for a nefarious hacker to guess (by wandering around your Facebook account, for example). So, like many other institutions (Google, Facebook, perhaps your bank) Wayne State has decided to eliminate the Challenge Question system and replace it with a ‘recovery email’ facility.

Some time soon, when you log in to Wayne Connect you will be asked to supply an alternate email address (i.e. one not ending in ‘wayne.edu’). It can be anything else (Gmail, Hotmail, Apple, AT&T…) but it should be one that you actually read, even if only occasionally.

If you forget your Wayne State password, or if you’re asked to reset it because of a hack, an email will be sent to the alternate address. When you open the email it will contain a link to a password reset page. (You’ll also need to enter the last four digits of your social security number if you are an employee.) An additional security measure is that, if you have access to high-risk systems such as Banner or Cognos, you’ll need to be on a Wayne State network (in your office, essentially).

If you would rather not provide an alternate email address, or if you don’t have one, you will need to call the Help Desk, but only during their business hours (M-F 7:30 AM – 8:00 PM).

If you have any questions about this new policy or you need assistance in implementing your recovery email address, please contact the C&IT Help Desk at 313-577-4357 or at helpdesk@wayne.edu.

Jul 20 / Geoffrey Nathan

Booking International Travel is About to Change

Getting to TravelWayne is going to get a little more complicated if you are planning international travel. Here’s why.

For a number of years the US Department of State, the Department of Commerce and the U.S. Treasury Department have had restrictions on what things can be exported to other countries. These restrictions come from the International Traffic in Arms Regulations (ITAR), the Export Administration Regulations (EAR) and the Office of Foreign Assets Control (OFAC). However, ‘export’ doesn’t mean what you think it means. The US government defines ‘export’ as moving objects or data out of the country. That includes objects such as laptops that contain data. There are certain kinds of data that cannot be taken to certain countries. Probably most data you would put on a laptop (or tablet, or thumb drive, etc.) would not be restricted. But there is a large list of kinds of data that could get you, and Wayne State, into big trouble if the Feds find out you have taken them to China, or Iran, or even France, in some cases.

Just as an example of how faculty members can get into trouble, you can read the University of Hawaiʻi’s website on the topic.

Further complicating things is the fact that some countries forbid encrypted data from being imported into those countries. Here is a map showing which countries restrict the import of encrypted data.

So, to protect everyone involved (travelers and their ‘supervisors’–chairs and such, as well as the Office of Research), there is a new university policy on international travel that is going into effect in a couple of weeks, once the mechanisms are in place.

How will the policy affect the average traveler? If you are traveling within the US, it will have no effect. But if you are traveling internationally, you will see a new button in Academica saying ‘International Travel’. When you click that, you will be taken to a questionnaire that asks what you will be bringing with you. If one of your answers triggers a potential international travel issue, the system will generate an email to the Export Control office at Wayne. You will be urged to contact them so that they can make sure you are not violating export control laws. After you do so, they will send you an email giving you clearance to travel.

For a preview of the questions, just go to ft.wayne.edu. At the moment it’s set up as a test version, so no emails are generated, and it doesn’t record who has visited.

The way the system will work is that when you begin the process of making travel plans (within TravelWayne) for each trip, you will have to go through the questionnaire. Thereafter, for each trip you can go directly to TravelWayne (say, to tweak your hotel reservation or whatever).

The kicker, once the policy goes into effect, is that you will not be reimbursed for your trip if you haven’t received clearance from the Export Control office, so it is definitely in your interest to get that clearance.

Associated with this policy are two helpful FAQs that make suggestions about safe ways to travel internationally, one on legal questions, the other on technical issues. These include always using the VPN when connecting to Wayne State resources (such as your email, or files stored on Wayne State sites). Note that you cannot even reach Facebook or Google from certain countries (including China) unless you use the VPN, by decision of the host country. Wayne State has nothing to do with these restrictions, of course.


Jul 14 / Geoffrey Nathan

Pokémon Go—the best thing since sliced bread (or Tinder)

By now you’ve undoubtedly heard about Pokémon Go, the ridiculously popular new phone app based on the Pokémon franchise. In the relatively new development space of augmented reality it blends fantasy characters with the real world. It uses your phone’s GPS and superimposes Pokémon[1] on a map, like this:

Near CIT

This is a screenshot taken outside my office, standing next to I-94 at Woodward.

It was released last week and is now more popular than Tinder, and is rapidly catching up with active users of Twitter. Since I’ve only just begun playing I can’t report a great deal about what it does (there are various kinds of critters that you can ‘capture’, and there are ‘gyms’ where you can have fights; the platform-like object in the image above is a gym at the church across the street from the main C&IT building at Woodward and 94, and I’m told there’s one near the Science and Engineering Library). In addition there are ‘Pokespots’ all over campus, including one inside UGL.

Here is an excellent, if a little snarky, introduction to the whole thing.

The social fall-out from Pokémon Go has been quite astonishing. There are stories of folks making friends through the app (which is perhaps why it’s surpassed Tinder 🙂 ), and a few cases of accidents of various types. Apparently, in the space of a week some folks have started playing a NSFW[2] version. There was originally a security issue because the first version of the app was able to access all your Gmail contacts if you had an iPhone, but an update has assigned appropriate security levels.

There is going to be a Pokémon Go event here in the Cultural Center on Friday.

So it really seems to be ‘a thing’, and probably worth learning more about. I haven’t yet had a chance to wander around looking for Pokespots, but probably will. Don’t forget to be very careful if you are walking around holding your phone. There are two dangers:

  1. Apple Picking
  2. Immovable objects

In the end, have fun. And let me know what you think. Is this the greatest thing since Twitter? Or a flash in the pan?
_____________________________________________________________________

[1]  Since I’m a linguist you’re gonna get some linguistic commentary here too. Like several other words borrowed from Japanese (emoji, for example), purists insist that the plural is unmarked (that is, that you don’t add an ‘s’). This is analogous to those who insist that ‘data’ is plural and that the correct plurals are ‘stadia’, ‘podia’ and ‘octopi’. Or perhaps it’s analogous to the animals that have what we call ‘zero plurals’, like ‘sheep’ or ‘deer’.

[2] ‘Not safe for work’. You can probably figure out why, given that the game uses your phone’s camera, which can take selfies.

Jul 6 / Geoffrey Nathan

The IRS is coming and they want to help–really!

As I mentioned in an earlier post and also here, a number of Wayne State employees were hit by an IRS hack that stole their identities and attempted to claim refunds. Wayne State C&IT and Internal Audit have investigated these hacks and have found no evidence that the source of the leaks was located at Wayne State, but nonetheless the IRS has volunteered to send an agent to campus to talk about how to avoid this kind of attack in the future.

We have contacted all the victims that we know of, but have also decided to open the IRS agent’s talk to the campus at large. Here are the details:

Tuesday, July 12, 10:00 AM

Partrich Auditorium (located in the Law School).

No need to RSVP—just come.

If you have any questions, you can contact the Office of Internal Audit at (313) 577-2128 or Carolyn Hafner at ab0414@wayne.edu.

May 13 / Geoffrey Nathan

Additional information on the fraudulent income tax return hacks

A couple of weeks ago I wrote about the income tax fraud cases the security and financial folks at Wayne State University have been hearing about. I want to reiterate several points I made and let you know how the investigation stands at this moment.

From the moment we (the Controller, Payroll, the Provost, the Information Privacy Officer — that would be me, our Information Security Officer, Internal Audit, Senate leadership, etc.) started hearing reports of Wayne State employees finding false reports filed in their name, we began investigating how this might have happened — and whether something or someone at Wayne State might have been responsible.

Let me begin by saying: we DO NOT believe this was caused by any person within WSU or because of a security lapse at WSU itself. To the best of our knowledge, all universities in Michigan have employees who have experienced these hacks, and it has certainly become a nationally-covered news item.

Be that as it may, our security team has been combing logs and looking at our database of phishing attempts to make sure nothing has slipped through the cracks.

Last week, I attended a conference in DC of other university privacy officers and opinion was unanimous — phishing is the source of virtually all security breaches at universities these days. Consequently, our Security Officer and I are offering training on how to recognize and resist phishing attempts. The next two are scheduled for this Friday at 11 a.m. and Tuesday, June 7, at 3 p.m. in Bernath auditorium. Both are free, do not require registration, and are aimed at you, the average computer user.

Finally, let me repeat something I said in my last blog post:

If you were a victim of this scam and would like to help further, you can request a copy of the fraudulent return from the IRS (unfortunately with the name of the bad guy redacted). This is how you do that. Then you can compare the adjusted annual income amount with your W2. If they match, that means somebody got your annual income, so let me know. Note: DO NOT TELL ME THE AMOUNT – JUST WHETHER IT MATCHES! I am the Chief Privacy Officer, after all 🙂

FYI: Here is a reminder of what you need to do to report a fraudulent return to the IRS.


Apr 18 / Geoffrey Nathan

More on the Tax Fraud Epidemic

On Friday you received a message from C&IT and the VP for Administration talking about the epidemic of income tax fraud that has hit the country. This morning it made the front page of the Free Press:

Detroit Free Press article by Susan Tompor on tax fraud

A large number of Wayne State folks were hit (since my name was listed as contact person I was contacted by a number of people, most of whom I know from other directions).

Unfortunately there’s little you can do, other than following the directions on the IRS website. This is apparently now a feature of our modern, ‘connected’ world.

If you were a victim of this scam and would like to help further, you can request a copy of the fraudulent return from the IRS (unfortunately with the name of the bad guy ‘redacted’). Then you can compare the adjusted annual income amount with your W2. If they match, that means somebody got your annual income, so let me know (DO NOT TELL ME THE AMOUNT–JUST WHETHER IT MATCHES–I am the Chief Privacy Officer, after all 🙂 ). This is how you do that.

Meanwhile, welcome to the club (I was hit too, last year).

Apr 1 / Geoffrey Nathan

Taking control of your microphone

Last week I wrote about how some (perhaps) rogue apps use your microphone to listen for subsonic signals coming from your TV or laptop to tell advertisers what you are watching or viewing.

You can stop this from happening by denying those apps permission to use your microphone. Here’s what you do.

On iOS (iPhone or iPad)1 open the Settings app and scroll down to Privacy. Touch that, then you’ll see this:

Microphone Control Panel with marking

Select Microphone and you’ll see a list of apps that use the Microphone. Here’s mine (somewhat edited):

Microphone details

Slide the on-off switch to the right to deny the app access to the microphone. And the next time you install a new app and it asks you whether to allow it access to your mike, think before you click.™

__________________________________________________________________

1 This process is generally similar on a Droid, but may vary depending on version of the operating system.