Skip to content

Wayne State University

Aim Higher

Jul 8 / Geoffrey Nathan

Academica is here

As of July 31, Pipeline is being switched off, and will be replaced by Academica. Everything you used to use Pipeline for can be done through Academica, but faster (i.e. with fewer clicks). You can get to:

  • time sheets
  • registration
  • TravelWayne
  • pay stubs
  • class schedules
  • reporting
  • SET Scores

Academica learns your preferences. While the initial display is generic, after you have clicked on particular links a couple of times they will always appear on the ‘front page’. But if you don’t see something, you can always use the search box, a very powerful search engine that can find any link you might need (Search box is circled in red):

Academica search box

Academica also permits messaging within the Wayne State community. Like Twitter it permits #hashtags and @ mentions (ask someone younger than you if you don’t know what those are :-) ). Academica is also designed to work perfectly on mobile devices of any size screen.

The ‘stuff on the left’ is a series of threaded conversations, akin to comments on Facebook and similar social networking sites. If that kind of thing doesn’t appeal to you, you can ignore it, but it allows you to ‘converse’ with others in the groups to which you are automatically subscribed (such as one for each class you are registered in, if you are a student) or to create new ones on the fly to hold discussions either in private or publicly.

Finally, as always, ignore any email message that says you have to ‘do something’ to transition to Academica. And especially, don’t click on any links in such messages. When in doubt, type the name into your web browser yourself:  academica.wayne.edu or a.wayne.edu for short. That way, you always know where you are. And where you aren’t.

If you have questions, contact the C&IT Help Desk at (313) 577-HELP or helpdesk@wayne.edu.

Jul 1 / Geoffrey Nathan

More on the New Email System

I’ve been asked how folks will know that they have been transferred to the new Wayne Connect. The answer is that there will be notification emails a week before the transition and one (business) day before. Then, once you have been transferred, the new mail page will look like this:

New Email header

 

 

Because the new Wayne Connect is part of a larger suite of applications (email, Word, Excel etc.) your login page may look like this:

New O365 Portal Page

 

So you’ll have plenty of warning and you’ll be able to tell immediately. Finally, you will receive an informative email message as soon as the transition has taken place.

Jun 29 / Geoffrey Nathan

Wayne Connect Powered by Microsoft is almost here

In late April I blogged about the new email/calendaring/collaboration system that was going to replace our current Wayne Connect email and calendar system based on Zimbra.

As of this week the new software is gradually being implemented across campus, so this is a good time to remind everyone about what to expect. The most important point is that you don’t need to do anything to implement this new email system–it will happen automatically. In fact, if you get a message telling you to ‘click here’ to upgrade your email, delete the message immediately, and, whatever you do, don’t clickit’s a scam (there have been several phishing messages with this theme over the past couple of weeks).

There are a few things you should do, but they are all essentially ‘back-up’ procedures. Although all your email, calendar entries and address book data will be transferred automatically, your signature won’t be, so you’ll need to recreate it. You can either make a copy of the wording (and images, if you use them) or just wait till after the transfer and look for some email you’ve sent (all the ‘Sent’ messages will be in the ‘Sent Items’ folder) and just you can just copy it from an earlier message to the Signature section of the ‘Options’ page. You can find the ‘Options’ button by looking for the little gear symbol in the upper right hand corner.

Although everyone uses Signatures, there are a few other things that won’t transfer but that only affect some people. If you use Filters in Wayne Connect, they will need to be recreated in the new system. They are easy to make–right click on a message you want to be the basis of a Rule (say, anything that comes from that email address) and choose ‘Inbox Rules’, then follow the instructions. If your old filters are complicated, you might want to note them down so that you can implement with the Microsoft system, where they are called ‘Rules’.  Also, Tags won’t transfer, so if you tag your mail, that will also need to be rewritten. Tags are called ‘Categories’ and are based on colors.

Remember that, if you have been using the Wayne Connect Notebook, the files in there will be transferred to your OneDrive area.

Jun 24 / Geoffrey Nathan

Log in more safely

Starting today you’ll see a new log-in screen when you go to the web-based version of Wayne Connect. This is part of a long-term project to unify the log-in screens of all of Wayne’s major services, Blackboard, Academica, and Wayne Connect. Although there are esthetic (and ‘branding’) advantages, the main reason is to help all WSU users make sure they are on the right page for logging in. This is crucial because of the innumerable phishing attempts we seem to be getting these days, all of which encourage us to log in to fake WSU pages.
You don’t actually need to do anything different. The log in process is identical—put in your AccessID and password as before. But if you’re worried, look to see that the address bar in your browser is green, it says https, and that there’s a padlock symbol visible. These are the signals that you are actually connecting to Wayne State, and not a sketchy phishing site in Lower Slobbovia.
Here’s what to look for:

Chrome Log-in

 

Another advantage to this system is that our security office will be able to recognize hacking attempts more easily and will be able to recognize when people have forgotten their passwords and therefore help them in a secure fashion.

The new log-in screen now shows up when you go to Academica and Wayne Connect, and will be phased in for Blackboard and other systems shortly.

Jun 9 / Geoffrey Nathan

Don’t share passwords, even with yourself…

You have probably noticed Wayne State has been inundated lately with phishing messages. Some of these have been from ‘compromised’ (that is hacked) computers on campus, while others were disguised to elude our spam filters.

In any case, Provost Winters sent out a message explaining how we can all help keep this deluge down to a manageable level. One of her points, however, might seem strange, and I’d like in this post to explain the rationale behind it.

We all know that passwords are a pain in the neck. Remembering a password is not too difficult, but remembering more than one gets to be a strain on our memories. And, since we have passwords for lots of functions it’s very tempting to reuse them. That is, it’s tempting to use the same (memorable, complex) password for a number of different sites.

Unfortunately, that turns out not to be a good idea, because some websites are not very good at properly protecting your password. Normally passwords are stored on the servers that run websites in an encrypted form (that is, they are scrambled by a computer algorithm that is very difficult to unscramble without a key). There are complex technical details in Bruce Schneier’s first book if you are interested in pursuing this.

The important point is that website owners have a choice about how they store the passwords their customers set up, and they don’t always make the most secure choices. This became clear when a very widely used professional social networking site, which many of us use, LinkedIn was hacked and the encrypted password file was stolen, decrypted and posted online on a Russian site.

While we don’t know exactly how many further breaches and identity thefts occurred because of this break-in, it’s clear that many people got access to pairs of email addresses and passwords. If any of those email addresses were also used to log in to credit card sites, or bank sites hackers had access to lots of sources of money.

So, the ideal solution is not to reuse passwords at all. Just use a different password for every site you visit. This, of course, is highly impractical if that’s all you do. But there are two different ways you can manage this task and still keep your passwords safe.

First, use long passwords that include information about which site they are for. One trick I learned from an IT policy buddy of mine is to start with some string of letters and numbers that is very memorable (your nickname, for example, or your first girl/boyfriend’s name or something) and perhaps the current date, but then to append some reference to the website as part of the password. Say, for example, your first girlfriend’s name was Suzy. Then you could have passwords that look like this:

Facebook: $uzyFB2015
Bank: $uzymybankJune15
Amazon: $uzyBooks15
These are very secure passwords because they have at least ten characters, mixed case and numbers and ‘special’ characters.

Of course, it’s still a non-trivial cognitive task to remember all these passwords, which brings us to the second option: a ‘password wallet’. There are a number of these on the market. They require that you set one memorable, but complex password for the manager itself, and then store all your other passwords in the wallet. They all have the same features—a spreadsheet-like interface that includes the name of the website, its URL and your username and password. They always have some button that copies the password to your computer’s memory, so you can just paste it into the relevant box on the website you’re logging in to. The advantage to this system is that you can have very long, totally non-memorable and therefore completely uncrackable passwords. As long as you can open the wallet, you can just copy the password without your even having seen it. This means you can actually have lots of passwords you don’t even know. Talk about a secure password….

Of course, you really need to remember the password to your manager or you are out of luck. Some of them are free, and some have free and relatively low-cost premium editions. Here are several password wallet apps that I and Kevin Hayes, our Chief Security officer, recommend:

Lastpass https://lastpass.com/
Keepass http://keepass.info/ (this one is free)
PC Magazine recently rated a number of premium managers.

Finally, here’s XKCD’s thoughts on the matter:

https://xkcd.com/792/

May 26 / Geoffrey Nathan

Anatomy of a Phishing Onslaught

Recently Wayne State University was attacked, a small skirmish in a diffuse, ongoing cyberwar, albeit without a single, defined enemy. This is an account of what happened, why it happened, and how the university responded. I have tried to make the explanation of each event relatively non-technical, but a certain amount of geekery seems unavoidable.

On May 11, at 9:48 in the morning 182 University computers received an email message from a computer belonging to a local contractor who was doing work on the WSU campus. The message had the subject line ‘invoice’, and the text of the message said merely ‘Check invoice’. There was a zip file attached. A zip file is a data file that has been ‘compressed’ so it can travel more easily over the tight ‘passages’ of the email system. It’s a perfectly respectable way of making large files (such as pictures, pdf files and such) fit within email size limits.

However, when the recipients clicked on the file labeled ‘invoice123.zip’ it extracted into a file named ‘e9058.pdf’, which showed up on the screen as a file with an attached (blurry) image of the Adobe Acrobat logo, making it look like a real pdf. When the respondents with Windows computers (but notably not Macs or Linux machines) then ‘opened’ the pdf file, the following things happened:

  1. that person’s computer connected to some external websites
  2. from which it then downloaded additional malware, which proceded to search their computer for personal banking logins
  3. it then connected to remote ‘command and control’ servers. passing control of the computer overseas.
  4. finally it looked in the local Outlook address book and used it to send the infecting email message to addresses it found there.

It took about an hour for the first three computers to get infected, but the attack was discovered by the C&IT Security office after the second computer began spreading the virus. Between the time that the second computer was detected and when it was shut off the network, seven minutes elapsed, and during those seven minutes that computer sent out 4462 virus emails.

By the time the third computer was infected, C&IT’s security office was able to take action to stop the further spread of the virus. A set of filters on the WSU email system blocked transmission of the zip file, but by noon 150 computers had been infected, and 111 of them were sending out email with the attached zip file.

You might wonder why our Symantec antivirus software didn’t detect the infection when the attachment was opened. The answer is that Symantec (and all other antivirus systems) rely on known virus ‘signatures’ (identifying features), and this was what is known as a ‘zero-day’ attack—a brand new virus never before seen ‘in the wild’. It takes the antivirus people a day or so to develop the specific tools needed for each new virus and distribute them to their users.

In addition, because the virus relied on Outlook address books, people got email from people they knew, who did occasionally send them invoices.

The spread of the virus was effectively stopped by 11:50. Our security team isolated it and determined that it was connecting our computers to Serbia and Ukraine. The Security team then set the university firewall to block connections there, and identified all of the infected computers.

In order to clean up the infection those machines maintained by C&IT (i.e. managed by the DeskTech unit) were reformatted, and outside of the DeskTech domain local administrators were given guidance on how to clean the machines under their control.

In addition, within the DeskTech domain a program called AppLocker was turned on. This prevents computers from running software that did not have an appropriate signature, or which were installed in nonstandard places in a computer (i.e. not in Program Files). Unfortunately this broke a number of specialized programs that various people around campus relied upon, and special rules had to be written to fix this.

By the evening only a few infected computers were not yet fixed,and the original attacker used that to their advantage. Overnight new instructions were passed down to these few straggling machines, and the next day a new attack was launched, sending attachments with different names, but the same modus operandi. These were blocked within 20 minutes of the first occurrence, but to ensure no further attacks, there was a temporary block placed on all zip files sent through the email system. Since there are many legitimate uses of zip files, this block will be ended shortly.

Meanwhile, everyone who was affected was required to change their WSU passwords. Careful examination of system logs showed that four of those AccessID’s were tried from Russia (while their owners were at work on campus) but none of the logins succeeded, so apparently no passwords were compromised.

What can we learn from this adventure?

The faster the IT security guys can act the less harmful the infection. Forwarding suspicious emails to the Security Office (or dragging them to the Phishing applet in Wayne Connect) is valuable. A delay of even an additional hour could have been catastrophic for the campus.

Smooth coordination between the security office and desktop support enabled the spread of the infection to be halted quickly.

We continually remind folks not to click on attachments they don’t expect from people they don’t know. Now we need to modify this—don’t click on any attachment, regardless of sender, unless you are sure it is safe. The text of the email message should reference the content of the attachment and you should be expecting that content. If it doesn’t either phone the sender or just delete it.

Finally, if you’d like to learn more about how to resist phishing attempts, you can take the anti-phishing training we make available through Accelerate, HR’s online training system. To get there, log in to Academica, then search for ‘Accelerate’ in the search box (unless you’ve already been there, in which case it should show up in your personalized links). Start Accelerate, then Browse the Catalog, C&IT Security Awareness Program, and finally PhishProof (Part 3), Launch.

May 12 / Geoffrey Nathan

Don’t open mystery attachments, and don’t send them either

Most people know that a sophisticated phishing attack has hit the campus over the past few days. It came from within the campus, and consisted of a message saying ‘Check invoice’ and had an attachment that was a .zip file. If you clicked on the link (say because it came from someone you knew, and did occasionally receive invoices) your computer was infected and it immediately began spreading the infection further.

So, for right now C&IT is blocking all .zip file attachments. And it just reinforces the message that we have been sending: ‘Don’t click on attachments you aren’t expecting’.

But there’s another lesson also. If you do need to send an attachment (and it’s not inherently a bad thing to do) say something in the email message itself about what the attachment is and why you are sending it. So instead of ‘Check invoice’ say something like ‘Here’s the invoice from the Blixeldorf Corporation that we were waiting for’. That kind of text in an email message is impossible to fake (and, of course, if the recipient wasn’t waiting for that invoice they’ll know it’s fake).

So don’t open mystery attachments, and make sure any that you send aren’t mysteries to the people you send them to.

If you do need to send a .zip file in the coming days, you can do so via Wayne Connect Briefcase.

Apr 29 / Geoffrey Nathan

A New Wayne Connect is Coming

Many of us received a message from C&IT today announcing the new Wayne State email system, which will be called Wayne Connect – Powered by Microsoft. There are a number of new features that everyone will be happy about, and this blog is intended to highlight several of them.

OneDrive

First, everyone will have a personal storage, collaboration and sharing tool called OneDrive. Some of you may use this already, and it’s very similar to competitors such as Dropbox and Box. It has the advantage of being much more secure, but has all the features that have made these tools so popular—you can share specific files with specific people (ending the need to share large files by emailing them), or with groups (making collaborative writing tasks much easier). OneDrive comes with 50GB of storage for all users—way more than the 12 GB we have now.

Skype for Business

The new system also comes with Skype for Business, which is an IM client, but also allows for audio and even video conferencing (if you have a microphone and camera on your computer).

Email, calendars and address books

But, of course, Wayne Connect is also an email and calendaring system. You will have the choice of using the web-based client, which will be very similar to the current Wayne Connect Zimbra-based system (or Outlook 365, if you use that). Alternatively, you can use (or continue to use) the desktop Outlook program instead, or in addition. In fact you can use any email client, including the ones on your phone or tablet, or Mac Mail, or… Each one has advantages and disadvantages. The desktop version allows you to import .ics calendar files, so you can import appointments from, say, Tripit or OpenTable. The web-based version is of course available wherever you can get access to a browser.

What you don’t need to do.

All your current Wayne Connect files will be moved into the new system over the next few months, so all your back email and old appointments will be there, as will your address book, so you don’t need to do anything to keep all that stuff.

What you do need to do

There are a few small wrinkles in some corners of the system. If you use filters they won’t transfer, so you’ll have to rewrite them, and you’ll need to recreate your signature file(s) and any file permissions you might have set up.

If you use Briefcase you’ll need to move all your files into the main folder—any additional folders you might have created won’t transfer.

These details can be found here

Apr 7 / Geoffrey Nathan

Copyright Robots Strike Again

I have written in the past about how Youtube’s copyright robots take Youtube videos down if their digital brains sense a copyright violation. They know nothing of ‘fair use’, ‘parody’ or any reasonable ‘exception’. Today Rand Paul announced he is running for President, and the video announcing it has been taken down:

The strangeness of copyright culture in our country continues. I should add that I am posting this late on Tuesday afternoon, when what shows up when you click on the link is this:

Rand Paul copyright image

For the gory details on why this link is video non grata, incidentally, you can go here.

Mar 12 / Geoffrey Nathan

Insidious phish preys on your fears of being hacked

The phishers have a new trick–they send you an email purporting to be from iTunes or Amazon that tells you someone hacked your account and bought something. ‘Just click here and reset your password’. I got one the other day–it looked like this:

Screen shot of Apple Phishing message

Hovering over the iTunes link reveals eurekaequestrian.com, not ‘apple.com’. Apparently Amazon has been having the same problem. Here’s a page from Amazon explaining that they don’t send that kind of email:

http://www.amazon.com/gp/help/customer/display.html?nodeId=15835501

So, in short, it’s really important to read url’s, both the obvious ones (many of us got one today that was ‘wayneedu.zyro.com’) and the ones that only appear when you hover over them. When in doubt, hover. And when in doubt, don’t click.