
Wayne State University

Aim Higher

Sep 2 / Geoffrey Nathan

Has Academica left you apoplectic? Does Wayne Connect leave you feeling disconnected?

New systems come with new puzzles, and our two new connection apps certainly have had that effect. C&IT is offering free training/help over the next few days. All sessions will be held in the Purdy/Kresge Auditorium (use the entrance nearest the Student Center).

The sessions will cover topics from setting up your inbox and syncing Wayne Connect to your mobile device to using streams and getting the most out of our new portal.

Here are the available sessions:

  • Wednesday, 9/2: 9:00 a.m. – 10:00 a.m.
  • Wednesday, 9/2: 10:30 a.m. – 11:30 a.m.
  • Thursday, 9/3: 1:30 p.m. – 2:30 p.m.
  • Friday, 9/4: 10:30 a.m. – 11:30 a.m.
  • Thursday, 9/10: 1:30 p.m. – 2:30 p.m.
  • Thursday, 9/10: 3:00 p.m. – 4:00 p.m.
  • Monday, 9/14: 9:30 a.m. – 10:30 a.m.
  • Monday, 9/14: 11:00 a.m. – 12:00 p.m.
  • Friday, 9/18: 9:00 a.m. – 10:00 a.m.
  • Friday, 9/18: 10:30 a.m. – 11:30 a.m.

You can RSVP for these sessions by logging into Academica and clicking on this link:

https://www.eaa.wayne.edu/event_new/session_registration.cfm?eid=1650

Remember, you can always call the Help Desk at (313) 577-HELP or email helpdesk@wayne.edu.

Aug 25 / Geoffrey Nathan

Cool Tools for Blackboard

For faculty who use Blackboard there is a whole set of resources to help you make the most of this powerful teaching tool. The Faculty Resource Tab:

Blackboard Faculty Tab Location

 

 

Check out the Quick Start Guides on that page, which include one-page guides on the crucial stuff:

  • Work with Respondus Test Building software
  • Request a Combined Course
  • How to copy course materials from one course to another
  • Use Blackboard Collaborate
  • Request a Blackboard Organization
  • Request Echo Personal Capture
  • Respondus LockDown Browser and Respondus Monitor
  • Where to go for help (who to contact)

On the Blackboard Videos tab there are tons of videos that will guide you through how to do things like:

  • How to View the Course Roster
  • How to Apply a Course Theme
  • How to Create the Course Tracking Reports
  • Create a Grade Center Column
  • Delete a Grade Center Column
  • Create Grade Center Color Codes
  • Create New Categories

Remember, if you ever need personal assistance, please contact the Blackboard Support team at bbadmin@wayne.edu.

Aug 20 / Geoffrey Nathan

Some additional notes about Outlook 365

By the time you read this, many of us will have been switched over to the new Microsoft-based email system. And, of course, with any new system, there are things to learn, new features that are cool, old features whose absence is annoying, and the occasional bug. Here are a few things to be aware of.

The interface (how the program looks) is somewhat configurable. You can choose to have a reading pane on the right, below your list of messages, or not at all. You control this through the pull-down marked by a little gear symbol on the upper right.

Gear

If you click that you can choose ‘Display Settings’. You get two sets of options—where the reading pane appears, and whether the system opens the next message or the previous one if you delete a message.

You can also control a lot more things by choosing ‘Options’ under the same menu. There you can choose a number of items associated with Mail, including automatic replies, what happens when you mark something as ‘read’, and so on. Ignore the button marked ‘Retention policies’—it doesn’t do anything.

Options

Under ‘Layout’ you can choose whether to see ‘Conversations’ (all messages with a common subject line together) or not (all messages solely in chronological order). You can also set up your email signature. If you don’t remember yours, just open an old ‘Sent’ message and copy it, then paste it into the relevant window in the ‘Layout’ area.

I’ll have a few more items in my next posting.

Aug 10 / Geoffrey Nathan

Thoughts and tips on using Academica

Academica has been the University’s official portal for a few days now, and the Feedback section has been filling up with likes, dislikes and assorted comments. I’ve combed through the comments so far and have a few thoughts I’d like to share.

Appearance

First, there is the notion of a ‘portal’. In contemporary computing terms, a ‘portal’ is a webpage that leads you to facilities that permit you to do stuff. It’s different from an organization’s ‘website’, which is a webpage that allows you to find out stuff. So a portal should be interactive, while a website should be like a reference work (an almanac or a phone book, or even an encyclopedia).

Categorization

So, most of the links that appear in Academica are either interactive (‘see my paystub’, ‘check my grades’, ‘search for a journal article in the Library’) or lead to interactive links (‘Benefits and Deductions’).

Of course, some lead to other portals, such as the link to the IRB in the Office of Research, and a few are there even though they are static, simply because of popular demand (‘Campus Map’, ‘Research Compliance’), but the principal distinction was between ‘doing things’ and ‘finding out stuff’.

Finding stuff

If you want to use Academica as your portal for everything, you can use the search box at the top and select (with the drop-down arrow) to search the WSU Website, where you can find anything that is searchable (parking structure maps, English major requirements, General Counsel’s office) on the wayne.edu domain.

Appearance

A number of folks commented on the visual appearance (some in less than complimentary terms), and seemed to think Pipeline was more visually appealing—an opinion I’d challenge, myself. However, the main reason Academica looks the way it does is that it was designed from the ground up to be easy to use on any device, and particularly to be easy to use with smaller devices, like phones and tablets. It actually detects the size of your display and customizes itself automatically. The reason for this is that increasing numbers of us use mobile devices as our primary means to access the electronic world. A recent study showed that ninety percent of Wayne State students bring smartphones to their classes, and now they can use their phones to check the status of their bursar’s account, or their final grades, and employees can check their paystubs (I just checked mine with my iPhone 5s in three ‘clicks’).

Why did we do this?

Pipeline is at the end of its development cycle–the company that made it is no longer supporting it. That makes it like a car whose spare parts are unavailable. It could keep running, but if it broke suddenly it couldn’t be repaired. C&IT decided it was better to replace it before that happened, and our local app-programming gurus built something for the twenty-first century. In addition to being usable on all devices it is very adaptable. It will not break a sweat if twenty thousand students check their grades all at once. Those who used Pipeline over the years know that it tended to roll over if demand got heavy. Academica is pretty resilient and should not do that.

Jul 8 / Geoffrey Nathan

Academica is here

As of July 31, Pipeline is being switched off, and will be replaced by Academica. Everything you used to use Pipeline for can be done through Academica, but faster (i.e. with fewer clicks). You can get to:

  • time sheets
  • registration
  • TravelWayne
  • pay stubs
  • class schedules
  • reporting
  • SET Scores

Academica learns your preferences. While the initial display is generic, after you have clicked on particular links a couple of times they will always appear on the ‘front page’. But if you don’t see something, you can always use the search box, a very powerful search engine that can find any link you might need (Search box is circled in red):

Academica search box

Academica also permits messaging within the Wayne State community. Like Twitter it permits #hashtags and @ mentions (ask someone younger than you if you don’t know what those are :-) ). Academica is also designed to work perfectly on mobile devices of any size screen.

The ‘stuff on the left’ is a series of threaded conversations, akin to comments on Facebook and similar social networking sites. If that kind of thing doesn’t appeal to you, you can ignore it, but it allows you to ‘converse’ with others in the groups to which you are automatically subscribed (such as one for each class you are registered in, if you are a student) or to create new ones on the fly to hold discussions either in private or publicly.

Finally, as always, ignore any email message that says you have to ‘do something’ to transition to Academica. And especially, don’t click on any links in such messages. When in doubt, type the name into your web browser yourself:  academica.wayne.edu or a.wayne.edu for short. That way, you always know where you are. And where you aren’t.

If you have questions, contact the C&IT Help Desk at (313) 577-HELP or helpdesk@wayne.edu.

Jul 1 / Geoffrey Nathan

More on the New Email System

I’ve been asked how folks will know that they have been transferred to the new Wayne Connect. The answer is that there will be notification emails a week before the transition and one (business) day before. Then, once you have been transferred, the new mail page will look like this:

New Email header

 

 

Because the new Wayne Connect is part of a larger suite of applications (email, Word, Excel etc.) your login page may look like this:

New O365 Portal Page

 

So you’ll have plenty of warning and you’ll be able to tell immediately. Finally, you will receive an informative email message as soon as the transition has taken place.

Jun 29 / Geoffrey Nathan

Wayne Connect Powered by Microsoft is almost here

In late April I blogged about the new email/calendaring/collaboration system that was going to replace our current Wayne Connect email and calendar system based on Zimbra.

As of this week the new software is gradually being implemented across campus, so this is a good time to remind everyone about what to expect. The most important point is that you don’t need to do anything to implement this new email system–it will happen automatically. In fact, if you get a message telling you to ‘click here’ to upgrade your email, delete the message immediately, and, whatever you do, don’t click–it’s a scam (there have been several phishing messages with this theme over the past couple of weeks).

There are a few things you should do, but they are all essentially ‘back-up’ procedures. Although all your email, calendar entries and address book data will be transferred automatically, your signature won’t be, so you’ll need to recreate it. You can either make a copy of the wording (and images, if you use them) or just wait till after the transfer, look for some email you’ve sent (all the ‘Sent’ messages will be in the ‘Sent Items’ folder), and copy the signature from that earlier message to the Signature section of the ‘Options’ page. You can find the ‘Options’ button by looking for the little gear symbol in the upper right hand corner.

Although everyone uses Signatures, there are a few other things that won’t transfer but that only affect some people. If you use Filters in Wayne Connect, they will need to be recreated in the new system. They are easy to make–right click on a message you want to be the basis of a Rule (say, anything that comes from that email address) and choose ‘Inbox Rules’, then follow the instructions. If your old filters are complicated, you might want to note them down so that you can implement them in the Microsoft system, where they are called ‘Rules’. Also, Tags won’t transfer, so if you tag your mail, that will also need to be redone. Tags are called ‘Categories’ and are based on colors.

Remember that, if you have been using the Wayne Connect Notebook, the files in there will be transferred to your OneDrive area.

Jun 24 / Geoffrey Nathan

Log in more safely

Starting today you’ll see a new log-in screen when you go to the web-based version of Wayne Connect. This is part of a long-term project to unify the log-in screens of all of Wayne’s major services, Blackboard, Academica, and Wayne Connect. Although there are esthetic (and ‘branding’) advantages, the main reason is to help all WSU users make sure they are on the right page for logging in. This is crucial because of the innumerable phishing attempts we seem to be getting these days, all of which encourage us to log in to fake WSU pages.

You don’t actually need to do anything different. The log in process is identical—put in your AccessID and password as before. But if you’re worried, look to see that the address bar in your browser is green, it says https, and that there’s a padlock symbol visible. These are the signals that you are actually connecting to Wayne State, and not a sketchy phishing site in Lower Slobbovia.

Here’s what to look for:

Chrome Log-in

 

Another advantage to this system is that our security office will be able to recognize hacking attempts more easily and will be able to recognize when people have forgotten their passwords and therefore help them in a secure fashion.

The new log-in screen now shows up when you go to Academica and Wayne Connect, and will be phased in for Blackboard and other systems shortly.
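The address-bar check described in this post, and the advice elsewhere on this page to type academica.wayne.edu yourself, both come down to the host name: https and the padlock say the connection is encrypted, while the host says who it is encrypted to. The sketch below is an added example, not C&IT code; the function name, the accepted port and the sample links (all on the reserved .example domain) are constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "wayne.edu"  # the domain named on this page


def check_login_url(url: str) -> tuple[bool, str]:
    """Decide whether a link really points at an https page under wayne.edu."""
    # Backslashes, whitespace and non-ASCII look-alike letters are read
    # differently by different URL parsers, so refuse them outright.
    if not url.isascii() or any(ch in url for ch in "\\ \t\r\n"):
        return False, "contains characters that URL parsers disagree on"
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    # "https://academica.wayne.edu@other.example/" sends you to other.example:
    # everything before the @ is user info, not the host.
    if parts.username is not None or parts.password is not None:
        return False, "user info placed before the real host"
    # The trusted name must be the END of the host, on a label boundary.
    # "wayne.edu.other.example" merely starts with it.
    if host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
        return False, f"host {host!r} is not under {TRUSTED_DOMAIN}"
    if port not in (None, 443):
        return False, "unexpected port"
    return True, f"host {host!r} is under {TRUSTED_DOMAIN}"


if __name__ == "__main__":
    # Constructed sample links.
    samples = [
        "https://academica.wayne.edu/",
        "https://a.wayne.edu",
        "http://academica.wayne.edu/",
        "https://academica.wayne.edu.login.example/",
        "https://academica.wayne.edu@login.example/",
        "https://academica.wayne-edu.example/",
    ]
    for link in samples:
        ok, why = check_login_url(link)
        print("OK    " if ok else "REJECT", link, "->", why)
```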

Jun 9 / Geoffrey Nathan

Don’t share passwords, even with yourself…

You have probably noticed Wayne State has been inundated lately with phishing messages. Some of these have been from ‘compromised’ (that is, hacked) computers on campus, while others were disguised to elude our spam filters.

In any case, Provost Winters sent out a message explaining how we can all help keep this deluge down to a manageable level. One of her points, however, might seem strange, and I’d like in this post to explain the rationale behind it.

We all know that passwords are a pain in the neck. Remembering a password is not too difficult, but remembering more than one gets to be a strain on our memories. And, since we have passwords for lots of functions it’s very tempting to reuse them. That is, it’s tempting to use the same (memorable, complex) password for a number of different sites.

Unfortunately, that turns out not to be a good idea, because some websites are not very good at properly protecting your password. Normally passwords are stored on the servers that run websites in an encrypted form (that is, they are scrambled by a computer algorithm that is very difficult to unscramble without a key). There are complex technical details in Bruce Schneier’s first book if you are interested in pursuing this.

The important point is that website owners have a choice about how they store the passwords their customers set up, and they don’t always make the most secure choices. This became clear when a very widely used professional social networking site, which many of us use, LinkedIn, was hacked and the encrypted password file was stolen, decrypted and posted online on a Russian site.

While we don’t know exactly how many further breaches and identity thefts occurred because of this break-in, it’s clear that many people got access to pairs of email addresses and passwords. If any of those email addresses were also used to log in to credit card sites, or bank sites, hackers had access to lots of sources of money.
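What the storage choice looks like from the website owner's side, as an added example that is not from the original post: the same constructed accounts stored once as a fast unsalted digest and once as a salted, deliberately slow one. SHA-1 and scrypt are assumptions chosen for the illustration (the post names no algorithm), and the account names and passwords are made up.

```python
import hashlib
import hmac
import os
from collections import defaultdict

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1  # cost parameters (assumed values)


def store_fast_unsalted(password: str) -> str:
    """Weak choice: one fast digest, identical for identical passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted_slow(password: str) -> str:
    """Stronger choice: per-account random salt plus a slow key-derivation function."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_salted_slow(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, n, r, p, salt_hex, key_hex = record.split("$")
    if scheme != "scrypt":
        return False
    expected = bytes.fromhex(key_hex)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def accounts_sharing_a_record(table: dict[str, str]) -> list[list[str]]:
    """Groups of accounts whose stored value is byte-for-byte the same.

    Anyone holding a copy of the table can compute this without knowing
    a single password.
    """
    groups = defaultdict(list)
    for user, record in table.items():
        groups[record].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed accounts: alice and carol happen to use the same password.
ACCOUNTS = {"alice": "Tr0ub4dor&3", "bob": "correct horse", "carol": "Tr0ub4dor&3"}

if __name__ == "__main__":
    weak = {u: store_fast_unsalted(p) for u, p in ACCOUNTS.items()}
    strong = {u: store_salted_slow(p) for u, p in ACCOUNTS.items()}
    print("unsalted table, accounts with identical records:", accounts_sharing_a_record(weak))
    print("salted table, accounts with identical records:  ", accounts_sharing_a_record(strong))
    print("alice can still log in:", verify_salted_slow("Tr0ub4dor&3", strong["alice"]))
```

With the unsalted table, one recovered password unlocks every account in its group; with the salted table each record has to be worked on separately, and each guess is expensive.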

So, the ideal solution is not to reuse passwords at all. Just use a different password for every site you visit. This, of course, is highly impractical if that’s all you do. But there are two different ways you can manage this task and still keep your passwords safe.

First, use long passwords that include information about which site they are for. One trick I learned from an IT policy buddy of mine is to start with some string of letters and numbers that is very memorable (your nickname, for example, or your first girl/boyfriend’s name or something) and perhaps the current date, but then to append some reference to the website as part of the password. Say, for example, your first girlfriend’s name was Suzy. Then you could have passwords that look like this:

Facebook: $uzyFB2015
Bank: $uzymybankJune15
Amazon: $uzyBooks15

These are very secure passwords because they have at least ten characters, mixed case and numbers and ‘special’ characters.

Of course, it’s still a non-trivial cognitive task to remember all these passwords, which brings us to the second option: a ‘password wallet’. There are a number of these on the market. They require that you set one memorable, but complex password for the manager itself, and then store all your other passwords in the wallet. They all have the same features—a spreadsheet-like interface that includes the name of the website, its URL and your username and password. They always have some button that copies the password to your computer’s memory, so you can just paste it into the relevant box on the website you’re logging in to. The advantage to this system is that you can have very long, totally non-memorable and therefore completely uncrackable passwords. As long as you can open the wallet, you can just copy the password without your even having seen it. This means you can actually have lots of passwords you don’t even know. Talk about a secure password….

Of course, you really need to remember the password to your manager or you are out of luck. Some of them are free, and some have free and relatively low-cost premium editions. Here are several password wallet apps that I and Kevin Hayes, our Chief Security officer, recommend:

LastPass https://lastpass.com/
KeePass http://keepass.info/ (this one is free)
PC Magazine recently rated a number of premium managers.

Finally, here are XKCD’s thoughts on the matter:

https://xkcd.com/792/

May 26 / Geoffrey Nathan

Anatomy of a Phishing Onslaught

Recently Wayne State University was attacked, a small skirmish in a diffuse, ongoing cyberwar, albeit without a single, defined enemy. This is an account of what happened, why it happened, and how the university responded. I have tried to make the explanation of each event relatively non-technical, but a certain amount of geekery seems unavoidable.

On May 11, at 9:48 in the morning 182 University computers received an email message from a computer belonging to a local contractor who was doing work on the WSU campus. The message had the subject line ‘invoice’, and the text of the message said merely ‘Check invoice’. There was a zip file attached. A zip file is a data file that has been ‘compressed’ so it can travel more easily over the tight ‘passages’ of the email system. It’s a perfectly respectable way of making large files (such as pictures, pdf files and such) fit within email size limits.

However, when the recipients clicked on the file labeled ‘invoice123.zip’ it extracted into a file named ‘e9058.pdf’, which showed up on the screen as a file with an attached (blurry) image of the Adobe Acrobat logo, making it look like a real pdf. When the recipients with Windows computers (but notably not Macs or Linux machines) then ‘opened’ the pdf file, the following things happened:

  1. that person’s computer connected to some external websites
  2. from which it then downloaded additional malware, which proceeded to search their computer for personal banking logins
  3. it then connected to remote ‘command and control’ servers, passing control of the computer overseas.
  4. finally it looked in the local Outlook address book and used it to send the infecting email message to addresses it found there.

It took about an hour for the first three computers to get infected, but the attack was discovered by the C&IT Security office after the second computer began spreading the virus. Between the time that the second computer was detected and when it was shut off the network, seven minutes elapsed, and during those seven minutes that computer sent out 4462 virus emails.

By the time the third computer was infected, C&IT’s security office was able to take action to stop the further spread of the virus. A set of filters on the WSU email system blocked transmission of the zip file, but by noon 150 computers had been infected, and 111 of them were sending out email with the attached zip file.

You might wonder why our Symantec antivirus software didn’t detect the infection when the attachment was opened. The answer is that Symantec (and all other antivirus systems) rely on known virus ‘signatures’ (identifying features), and this was what is known as a ‘zero-day’ attack—a brand new virus never before seen ‘in the wild’. It takes the antivirus people a day or so to develop the specific tools needed for each new virus and distribute them to their users.

In addition, because the virus relied on Outlook address books, people got email from people they knew, who did occasionally send them invoices.

The spread of the virus was effectively stopped by 11:50. Our security team isolated it and determined that it was connecting our computers to Serbia and Ukraine. The Security team then set the university firewall to block connections there, and identified all of the infected computers.

In order to clean up the infection those machines maintained by C&IT (i.e. managed by the DeskTech unit) were reformatted, and outside of the DeskTech domain local administrators were given guidance on how to clean the machines under their control.

In addition, within the DeskTech domain a program called AppLocker was turned on. This prevents computers from running software that does not have an appropriate signature, or that is installed in nonstandard places on a computer (i.e. not in Program Files). Unfortunately this broke a number of specialized programs that various people around campus relied upon, and special rules had to be written to fix this.

By the evening only a few infected computers were not yet fixed, and the original attacker used that to their advantage. Overnight new instructions were passed down to these few straggling machines, and the next day a new attack was launched, sending attachments with different names, but the same modus operandi. These were blocked within 20 minutes of the first occurrence, but to ensure no further attacks, there was a temporary block placed on all zip files sent through the email system. Since there are many legitimate uses of zip files, this block will be ended shortly.
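A narrower check than blocking every zip, as an added example that is not the filter C&IT deployed: look inside the archive and flag members whose content does not match the document type their name claims. It does not depend on a virus signature or on the attachment's file name. The post does not say what ‘e9058.pdf’ actually contained; the sketch assumes a Windows executable under a pdf name, and the archive it inspects is built inline from harmless placeholder bytes.

```python
import io
import zipfile

# Leading bytes expected for document types that lures like to imitate.
EXPECTED_MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG", "jpg": b"\xff\xd8\xff",
                  "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04"}
# Leading bytes of native executables.
EXECUTABLE_MAGIC = {b"MZ": "Windows executable", b"\x7fELF": "ELF executable"}
# Extensions that Windows runs rather than displays.
RUNNABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk"}


def inspect_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to the reasons it was flagged."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"<archive>": ["not a readable zip file"]}
    findings: dict[str, list[str]] = {}
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = []
            labels = info.filename.lower().rsplit("/", 1)[-1].split(".")
            ext = labels[-1] if len(labels) > 1 else ""
            if ext in RUNNABLE_EXT:
                reasons.append(f"runnable extension .{ext}")
                if len(labels) > 2 and labels[-2] in EXPECTED_MAGIC:
                    reasons.append(f"double extension .{labels[-2]}.{ext}")
            if info.flag_bits & 0x1:
                # Encrypted members cannot be read without the password.
                reasons.append("encrypted, content cannot be inspected")
            else:
                with archive.open(info) as member:
                    head = member.read(8)  # a few bytes only, never the whole member
                for magic, kind in EXECUTABLE_MAGIC.items():
                    if head.startswith(magic):
                        reasons.append(f"content is a {kind}")
                expected = EXPECTED_MAGIC.get(ext)
                if expected and not head.startswith(expected):
                    reasons.append(f"content does not match .{ext}")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_constructed_sample() -> bytes:
    """Constructed archive: placeholder bytes only, nothing executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("e9058.pdf", b"MZ" + bytes(62))       # pdf name, executable header
        z.writestr("summary.pdf", b"%PDF-1.4\n% constructed placeholder\n")
        z.writestr("scan.pdf.scr", b"MZ" + bytes(62))    # hypothetical second lure
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_constructed_sample()).items():
        print(f"{name}: {'; '.join(reasons)}")
```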

Meanwhile, everyone who was affected was required to change their WSU passwords. Careful examination of system logs showed that four of those AccessIDs were tried from Russia (while their owners were at work on campus) but none of the logins succeeded, so apparently no passwords were compromised.

What can we learn from this adventure?

The faster the IT security guys can act the less harmful the infection. Forwarding suspicious emails to the Security Office (or dragging them to the Phishing applet in Wayne Connect) is valuable. A delay of even an additional hour could have been catastrophic for the campus.

Smooth coordination between the security office and desktop support enabled the spread of the infection to be halted quickly.

We continually remind folks not to click on attachments they don’t expect from people they don’t know. Now we need to modify this—don’t click on any attachment, regardless of sender, unless you are sure it is safe. The text of the email message should reference the content of the attachment and you should be expecting that content. If it doesn’t, either phone the sender or just delete it.

Finally, if you’d like to learn more about how to resist phishing attempts, you can take the anti-phishing training we make available through Accelerate, HR’s online training system. To get there, log in to Academica, then search for ‘Accelerate’ in the search box (unless you’ve already been there, in which case it should show up in your personalized links). Start Accelerate, then Browse the Catalog, C&IT Security Awareness Program, and finally PhishProof (Part 3), Launch.