After serving as chief privacy officer for the past year and a half, I will be retiring from Wayne State University at the end of the winter semester. We have been given permission to search for a replacement, so I thought I’d use this platform to say a little about what a Privacy Officer does.
The simplest way to describe it is to link to my Educause blog on “A day in the life of a Chief Privacy Officer.”
However, if you’re interested in the tl;dr1 version, allow me to give you the “elevator speech.” Universities, like nearly all other organizations, hold information about any and all people they deal with. For universities this includes data about students, faculty, staff, alumni and visitors. In 2017 it tends to be electronic records, although there are still thousands of pieces of paper with data on them as well.
Some of those records are sensitive. This means that the information could harm the person it refers to if it is released, or that its unauthorized release would subject the university to legal penalties because the data is protected by law. Or both. For example, social security numbers have become toxic (as we say in the privacy world) because those numbers can be used to commit identity theft. Student records such as grades are protected by the federal law known as FERPA and could cost the university embarrassment and money if they are released to unauthorized persons.
The privacy officer’s job is to help the university keep those records safe from inappropriate release by developing policies, by ensuring that employees are trained in how to apply those policies, and by reviewing how new methods of storing data (such as new versions of Banner or Academica) are configured to ensure the data therein is properly locked up.
This means serving on a lot of committees, meeting with administrators and researchers storing sensitive data, and speaking to groups such as the Academic Senate and the Administrative Council. It also means working closely with the Office of General Counsel, Internal Audit, the Associate Provost for Academic Personnel, and serving on the leadership team of C&IT.
If you think you might be interested in learning more about this position, you can find it listed at jobs.wayne.edu under position number 042601.
1 This popular internet acronym stands for ‘too long; didn’t read’. Usually an expression of disapproval.
By now most people have heard about the WikiLeaks revelation that the CIA has for years been developing programs to break into iPhones, Droids and Samsung TV’s. Assuming you don’t want them to do that, it turns out there are ways to keep them out of your house.
First, the background. WikiLeaks is the infamous source of supposedly secret data managed by a consortium and led by Julian Assange (who is currently living in Ecuador’s embassy in London to avoid extradition). On Tuesday, WikiLeaks released thousands of pages of data supposedly lost by the CIA (and hence floating around the less public areas of the internet). These include programs for hacking Skype, your Wi-Fi router, Apple and Android smartphones, the apps Signal, Whatsapp, Telegram and more — several millions lines of code (computer programming). So far crucial bits of the code have been redacted by WikiLeaks to prevent it from being used by those who download the files.
But what if you think there’s no reason for the CIA to be snooping on your devices? Unfortunately, WikiLeaks released these files because they were floating around “in the wild” already, which means that not only the CIA but other folks have access to them. And, whatever you think of the CIA, we have no assurance that the outsiders who passed these files around have motives as “pure” as the CIA’s.
There’s been some discussion about whether these files are authentic, but betting in the security community is that they are. Bruce Schneier, who I consider to be a reliable judge of such things, seems to believe they are real and has discussed the topic on his blog twice now:
What you can do
Can you do anything to protect yourself against these tools? Probably, yes. The New York Times had an article on Thursday detailing simple steps you can take to make your devices somewhat more secure. The primary thing is to keep your operating system up to date. This is not news, of course — we in the C&IT Security/Privacy team have been saying this for years.
Make sure your iPhone is using iOS 10 if it can (any iPhone with a model number of 5 or above and any iPad younger than 2013 can run this OS).
For Android devices, (both phones and tablets) any version of the Android OS after version 4.0 should be safe, but older devices such as the Samsung Galaxy S3 won’t run it.
To protect your Wi-Fi router, you are advised to upgrade to the latest firmware, but this is rather trickier to do unless you are comfortable logging in to your router, but you can probably get your internet service provider’s help desk to talk you through the task.
Unfortunately it doesn’t seem so easy to lock your Samsung SmartTV down. Of course, you can always unplug it when you’re not watching it1, although then you have to wait for it to boot up before you can head over to Amazon to watch Mozart in the Jungle or whatever your favorite online streamed program happens to be.
1 Just turning the TV off with your remote does not turn it off. It’s still in listening mode and a malicious hacker can also turn on the camera — yes SmartTV’s have cameras. So watch the hanky-panky in front of your TV — someone may be watching.
Much of the campus received a message earlier this week to fill out an IT Services Survey. I have been contacted by many people asking whether the survey was legitimate, or whether it was a phishing attack.
Let me first say that I very much appreciate folks asking me whether this is real. It means our training is having an effect and people are learning to be skeptical of email messages that ask them to click on things. That is exactly the right attitude to have!
That said, let me point out a couple of telltale indicators that this message is real:
If you hover over the link that is provided, a tiny window will pop up (on Firefox it appears in the bottom left corner) showing the actual URL that you will go to if you click the link. Always hover over a link if you are suspicious. If the pop-up address and the one visible in the actual message match, then you are about to go to the website claimed. In this case, the website belongs to techqual, a company many of you already know about — it’s Wayne State’s source for running this survey. Here is a screenshot of what that looks like in my Wayne Connect mailbox — the arrow points to the popup URL.
If you are interested in learning more about how to recognize phishing emails, our Chief Information Security Officer, Kevin Hayes and I will be conducting anti-phishing training on Thursday, March 23, at 11 a.m. in the Purdy-Kresge Auditorium. Come and learn all the telltale signs of phishing emails and why we keep getting these attacks. And, of course, what you can do to protect yourself. No advance registration and no technological knowledge is required. Learn more at events.wayne.edu.
Most Wayne State folks have now received their W2 forms and are probably putting off thinking about submitting their income tax returns, so now is the time to start worrying about all the things that could go wrong.
As most readers will remember, Wayne State was one of a number of universities whose employees were hit with fraudulent returns last year. This happens when someone illegally files in your place, fiddling with the numbers so that they will get a refund. Generally speaking, when this happens you are not on the hook, but it can be a pain in the neck to get it sorted out and it will probably interfere with your filing for several years afterwards, so it’s a good idea to take actions that will reduce the likelihood of being a victim.
There is a limit to what you can do, but I’ve collected all the key safety steps here — the major step you can take is to increase your vigilance online. Do not share your social security number (which means it should never appear in an email or anywhere else other than where it is legally required [such as on your tax return]). And although your bank needs to know it, there is no reason it should appear on any bank website or on any paperwork you receive through the mail from your bank. Of course, it will appear in correspondence with the government (such as a dreaded letter from the IRS or correspondence with the state or city about taxes owed or a happy letter about refunds due).
The most effective positive action you can take is to file as early as possible (although a friend of mine posted on their Facebook page a couple of days ago that someone had already filed in their place). I realize it’s as American as apple pie to put it off till the evening of April 14, but it is a good defensive strategy to file really early.
Additionally, it is extremely important you do not let yourself get phished. Phishing (luring victims in with realistic-looking emails) is the most widely used weapon in identity theft. In fact, we will be doing one (or perhaps more) anti-phishing training sessions over the next couple of weeks. Our Chief Security Officer, Kevin Hayes, and I, your Chief Privacy Officer, have a roadshow we’ll be starting shortly. The first presentation will be on Feb. 10 at 1 p.m. in Bernath Auditorium. We’ll explain how phishing works and what you can do to fight back.
For the next couple of months we will be focusing on the rapidly growing area of privacy concerns that are raised by the technologies that are ubiquitous in our current age.
In our houses, new devices such as refrigerators and home thermostats are connected to the internet — but who is also looking at our milk or when we have set our thermostats to ‘away’?
Or, in another arena entirely, large organizations like universities collect huge amounts of data on their customers (read: students) and then use that data to mine for information about what is likely to happen to them (for example, which students are likely to not do well in a specific course). In addition to the tricky philosophical issues involved in this kind of big data research, there are also questions of privacy. Who should see these predictive analytics? Should students know what predictions are being made about them? Should their teachers? Their advisors? The legislature? The police? These questions about the right way to use Big Data are being discussed and debated in universities around the world.
Thursday, Jan. 26 is National Data Privacy Day and the Privacy Office, C&IT and University Libraries are sponsoring a web-based talk from 1 to 2 p.m. in the Simons Room (on the first floor of Purdy/Kresge Library; refreshments will be provided).
The speaker is Cindy Compert, who is Chief Technology Officer for Data Security and Privacy at IBM. Further details about the talk can be found here:
Later this spring, additional live speakers will be announced. Watch this space and campus announcements elsewhere for details.
The goal of this campaign is to raise awareness of privacy as an important issue and perhaps to gather a group of people on this campus who are interested in ongoing conversation about these issues.
Image source: http://www.top10bestwebsitebuilders.com/how-to-create-a-website/free/free-privacy-policy-generator
Roughly two months ago the university introduced Duo, a two-factor authentication system to protect sensitive data held by the university. It did this in response to innumerable phishing attacks, some of which succeeded well enough that faculty paychecks were stolen and systems shut down because some of us opened sneaky emails and followed the instructions therein.
In order to limit the damage that these phishing attacks cause, we decided to make it harder for scammers to break into our systems. By requiring that everyone confirm that it is indeed them, and not a crook from Antarctica (or perhaps someone from closer in), who is attempting to enter grades or change direct deposit banking details, we hope to save the university a lot of money and our employees a lot of heartbreak.
Duo simply provides a simultaneous parallel avenue of logging in, in addition to the combination of AccessID and password. The parallel avenue can be a smartphone, a simple cellphone, an office telephone or several other routes. Think of it as having both a key to the door and facial recognition software. Or someone waiting to hear you say, “Joe sent me.”
For complete instructions on how to use Duo you can see my previous blog, the notice the university sent out in early November, or the computing.wayne.edu information page. Finally, here are step-by-step instructions.
There are a few minor glitches people have discovered. If you want to put the Duo app on your smartphone and your credit card details with the iPhone App Store or Google Play Store have expired, you’ll have to put in current information. Note that this is Apple and Google’s rule, not Wayne State’s or Duo’s. They don’t want you downloading other apps for free, even though Duo itself is, and always will be, free.
Another minor glitch is that some folks apparently missed the Duo roll-out entirely, which indicates that they never looked at anything in Academica that was connected to Banner (such as their paystub, their benefits or their classlists) before final grade submission began. I would strongly recommend reading messages that C&IT sends out — it really might be important 🙂 And we try hard not to overwhelm the campus with email announcements.
 True story. Many years ago I was a member of a committee of fairly well-established WSU researchers. One of them told the committee that he instructed his junior colleagues to delete any messages that came from the WSU administration without reading them. He said they should stay away from university politics. My first reaction was, “What if the email message from the Chief Holt was warning them about an active shooter in their building?”
As I’m sure you know, the internet is an increasingly dangerous place, and the most frequent source of compromised computers is people responding to phishing emails. The Security office at C&IT is working 24/7 to keep track of phishing and block people’s access to bad sites, but unfortunately it is just not enough, so C&IT is about to introduce two-factor authentication for certain WSU websites.
The danger with phishing is that people will log into websites that are not what they seem to be, and input their credentials (AccessID plus password) . The bad guys running the phony websites then take those credentials and use them to log into sensitive Wayne State sites, like your bank direct deposit setup page, where they redirect your paycheck to a bank of their choosing. And yes, this has indeed happened recently to Wayne State employees. They also use those credentials to install bad stuff on your computer, which they then use to attack other computers within Wayne State.
Since people are easily fooled into clicking on things they shouldn’t, we’re also combating the problem from our end, by beefing up security on certain Wayne State websites—pages within Academica, like PayStub, Direct Deposit etc. We are introducing what is called ‘two-factor’ authentication. (The current system is ‘one-factor’ authentication, where you simply type your password, which is ‘something you know’ into a box). Two-factor authentication adds an additional layer of security by having you touch ‘something you have’1. Wayne State has contracted with Duo, a nationally-known Ann Arbor-based company to implement this additional layer.
How does it work?
If you have a smart phone (iPhone, Droid, Windows phone) you can download a free app on the device, and go through a simple registration process. You get the app in the usual way (from the App Store/Google Play etc., by searching for ‘Duo’). You go through a one-time set-up process, and after that, when you log in to the sites that WSU has protected through Duo, your phone will pop up an ‘Approve’ or ‘Deny’ button:
If you push ‘Approve,’ Timesheet, Pay Stub, and a few other websites, such as native Banner2, will open up. There are additional wrinkles that can simplify your interaction with Duo–you can read about them here.
If you would prefer not to use Duo’s app, you have many other choices. You can choose to receive a text message and then type that number into the website, or a phone call (where you can just press # as a response). And there are other ways to do it too. Details can be found here.
If you don’t want to use any device (smart phone, tablet, flip phone, computer) there are other ways to log on (contact the C&IT Help Desk for additional information).
For much more detail on how this works, go to our FAQ.
Many universities and other organizations with sensitive websites that everyone needs to access are moving in this direction. Normally it only adds one or two seconds to the time it takes to log on to Academica or Banner (C&IT employees have been using Duo for a few months, based on the cutely-named notion that we should ‘eat our own dogfood’).
As always, if you have questions you can contact the Help Desk, or you can add a comment below–I always read and respond to comments.
1 You can read about this way of classifying security methods on this website.
2 Technically you will need Duo whenever you access ‘Self-service Banner’. This includes facilities you access from Academica such as Pay Stub, Time Sheet, Direct Deposit, tax forms etc. In short, to get to any page within Academica that looks like this:
You may have heard that Yahoo suffered a security breach which they revealed last week, although it’s not exactly clear when it happened, or even when they became aware of it. You probably don’t think this matters to you, but you might be surprised. There are some things you should do immediately, and some things you should do in the next few days.
First the facts: According to Reuters, at least 500 million (yes, half a billion) accounts were hacked. That means that user names, email addresses, telephone numbers, birth dates, and encrypted passwords were all stolen. Unencrypted passwords, payment data (bank account information) were not taken. According to Bruce Schneier this is the largest breach in history.
Yahoo is claiming that the breach happened in 2014, and that they became aware of it recently, although some have questioned that claim.
So what does this have to do with you? First, if you know you have a Yahoo account, change the password now. Although they claim it happened two years ago, unless you’re sure you’ve changed the password since then, change it now.
Second, many other things are linked to Yahoo. For example, if you have a Uverse account, and use the email address associated with it, that’s the same set of credentials. The same for Flickr. Also, change the security questions (and especially the answers).
Finally, if you used the same password for any other account, particularly your Wayne State email/Academica/AccessID account, CHANGE THE PASSWORD NOW!!! Especially if you have the same access ID (i.e. as I do, email@example.com)
This is a good reason, unfortunately, for the annoying requirement for frequent password changes—people reuse passwords. On the other hand, if you use a password manager (like LastPass or Dashlane or Keepass) you don’t need to worry about it. You can read a discussion of the various password managers here
Finally, check back here later in the week to hear about a new security measure C&IT will be implementing that will change the way you get to things like your pay stub, your time sheet and your direct-deposit information in Academica.
 This is a good time to reiterate that you should not use standard answers to security questions. So if it asks you your mother’s maiden name, LIE. Nobody cares, and that answer can’t be Googled, and isn’t on Facebook. Just make sure you record you answer somewhere where you can find it.
 And, before you can get smart with me, as I am writing this I have already changed it.
As we gear up for a new semester (some of us can’t believe we’re well on the way to 2017), I thought I’d remind folks of a few things that happened over the summer that will affect you (or, in some cases, have already done so).
As you may recall, President Wilson issued a new policy dealing with procedures for traveling internationally on university business (such as attending conferences, giving talks, consulting on aid projects and so on). From now on, you will have to answer a short questionnaire before you can get to TravelWayne, in order to ensure you do not put yourself and the university at risk of violating assorted State Department and Federal Trade Commission travel restrictions. You can read the details here.
Secondly, it is well-known that using security questions to make sure it is you (and not some hacker) resetting your password is not the most secure process. So C&IT replaced the system of security questions with a requirement that everyone provide an alternate email address to which the reset password link may be sent. Most people should already have done this, but here’s some additional information on how it works.
Finally, there are a few things coming up that you will need to be aware of. We will be rolling out a two-factor identification system later in the semester that will make access to critical data sources (your direct deposit bank details, your W2’s and access to Banner for those who have it) more secure. Details on that system will follow in late September. In addition, there will be changes in Banner and a little tighter control on access to sensitive student data.
Hope the beginning of the semester is smooth. And, if you’re new to Wayne State, welcome!
Nowadays it’s easy to lose track of passwords, because we have so many. And if you forget your password, there are various ways that email system owners verify that it’s ‘you’ before allowing you to reset it. For many years Wayne State has provided a series of ‘challenge questions’, which you set answers to. Unfortunately the built-in questions are sometimes ones that make it very easy for a nefarious hacker to guess (by wandering around your Facebook account, for example). So, like many other institutions (Google, Facebook, perhaps your bank) Wayne State has decided to eliminate the Challenge Question system and replace it with a ‘recovery email’ facility.
Some time soon, when you log in to Wayne Connect you will be asked to supply an alternate email address (i.e. one not ending in ‘wayne.edu’). It can be anything else (Gmail, Hotmail, Apple, AT&T…) but it should be one that you actually read, even if only occasionally.
If you forget your Wayne State password, or if you’re asked to reset it because of a hack, an email will be sent to the alternate address. When you open the email it will contain a link to a password reset page. (You’ll also need to enter the last four digits of your social security number if you are an employee.) An additional security measure is that, if you have access to high-risk systems such as Banner or Cognos, you’ll need to be on a Wayne State network (in your office, essentially).
If you would rather not provide an alternate email address, or if you don’t have one, you will need to call the Help Desk, but only during their business hours (M-F 7:30 AM – 8:00 PM).
If you have any questions about this new policy or you need assistance in implementing your recovery email address, please contact the C&IT Help Desk at 313-577-4357 or at firstname.lastname@example.org.