As we gear up for a new semester (some of us can’t believe we’re well on the way to 2017), I thought I’d remind folks of a few things that happened over the summer that will affect you (or, in some cases, have already done so).
As you may recall, President Wilson issued a new policy dealing with procedures for traveling internationally on university business (such as attending conferences, giving talks, consulting on aid projects and so on). From now on, you will have to answer a short questionnaire before you can get to TravelWayne, in order to ensure you do not put yourself and the university at risk of violating assorted State Department and Federal Trade Commission travel restrictions. You can read the details here.
Secondly, it is well-known that using security questions to make sure it is you (and not some hacker) resetting your password is not the most secure process. So C&IT replaced the system of security questions with a requirement that everyone provide an alternate email address to which the reset password link may be sent. Most people should already have done this, but here’s some additional information on how it works.
Finally, there are a few things coming up that you will need to be aware of. We will be rolling out a two-factor identification system later in the semester that will make access to critical data sources (your direct deposit bank details, your W2’s and access to Banner for those who have it) more secure. Details on that system will follow in late September. In addition, there will be changes in Banner and a little tighter control on access to sensitive student data.
Hope the beginning of the semester is smooth. And, if you’re new to Wayne State, welcome!
Nowadays it’s easy to lose track of passwords, because we have so many. And if you forget your password, there are various ways that email system owners verify that it’s ‘you’ before allowing you to reset it. For many years Wayne State has provided a series of ‘challenge questions’, which you set answers to. Unfortunately the built-in questions are sometimes ones that make it very easy for a nefarious hacker to guess (by wandering around your Facebook account, for example). So, like many other institutions (Google, Facebook, perhaps your bank) Wayne State has decided to eliminate the Challenge Question system and replace it with a ‘recovery email’ facility.
Some time soon, when you log in to Wayne Connect you will be asked to supply an alternate email address (i.e. one not ending in ‘wayne.edu’). It can be anything else (Gmail, Hotmail, Apple, AT&T…) but it should be one that you actually read, even if only occasionally.
If you forget your Wayne State password, or if you’re asked to reset it because of a hack, an email will be sent to the alternate address. When you open the email it will contain a link to a password reset page. (You’ll also need to enter the last four digits of your social security number if you are an employee.) An additional security measure is that, if you have access to high-risk systems such as Banner or Cognos, you’ll need to be on a Wayne State network (in your office, essentially).
If you would rather not provide an alternate email address, or if you don’t have one, you will need to call the Help Desk, but only during their business hours (M-F 7:30 AM – 8:00 PM).
If you have any questions about this new policy or you need assistance in implementing your recovery email address, please contact the C&IT Help Desk at 313-577-4357 or at firstname.lastname@example.org.
Getting to TravelWayne is going to get a little more complicated if you are planning international travel. Here’s why.
For a number of years the US Department of State, the Department of Commerce and the U.S. Treasury Department have had restrictions on what things can be exported to other countries. These restrictions come from the International Traffic in Arms (ITAR) regulations, the Export Administration Regulations (EAR) and the Office of Foreign Assets Controls (OFAC). However, ‘export’ doesn’t mean what you think it means. The US government defines ‘export’ as moving objects or data out of the country. That includes objects such as laptops that contain data. There are certain kinds of data that cannot be taken to certain countries. Probably most data you would put on a laptop (or tablet, or thumb drive, etc.) would not be restricted. But there is a large list of kinds of data that could get you, and Wayne State into big trouble if the Feds find out you have taken them to China, or Iran, or even France, in some cases.
Just as an example of how faculty members can get into trouble, you can read the University of Hawai`i’s website on the topic
Further complicating things is the fact that some countries forbid encrypted data from being imported into those countries. Here is a map showing which countries restrict the import of encrypted data.
So, to protect everyone involved (travelers and their ‘supervisors’–chairs and such, as well as the Office of Research), there is a new university policy on international travel that is going into effect in a couple of weeks, once the mechanisms are in place.
How will the policy affect the average traveler? If you are traveling within the US, it will have no effect. But if you are travelling internationally, you will see a new button in Academica saying ‘International Travel’. When you click that, you will be taken to a questionnaire that asks what you will be bringing with you. If one of your answers triggers a potential international travel issue, the system will generate an email to the Export Control office at Wayne. You will be urged to contact them so that they can make sure you are not violating laws against Export Control. After you do so, they will send you an email giving you clearance to travel.
For a preview of the questions, just go to ft.wayne.edu. At the moment it’s set up as a test version, so no emails are generated, and it doesn’t record who has visited.
The way the system will work is that when you begin the process of making travel plans (within TravelWayne) for each trip, you will have to go through the questionnaire. Thereafter, for each trip you can go directly to TravelWayne (say, to tweak you hotel reservation or whatever).
The kicker, once the policy goes into effect, is that you will not be reimbursed for your trip if you haven’t received clearance from the Export Control office, so it is definitely in your interest to get that clearance.
Associated with this policy are two helpful FAQ’s that make suggestions about safe ways to travel internationally, one on legal questions, the other on technical issues. These include always using the VPN when connecting to Wayne State resources (such as your email, or files stored on Wayne State sites). Note that you cannot even reach Facebook or Google from certain countries (including China) unless you use the VPN, by decision of the host country. Wayne State has nothing to do with these restrictions, of course.
As I mentioned in an earlier post and also here, a number of Wayne State employees were hit by an IRS hack that stole their identities and attempted to claim refunds. Wayne State C&IT and Internal Audit have investigated these hacks and have found no evidence that the source of the leaks was located at Wayne State, but nonetheless the IRS has volunteered to send an agent to campus to talk about how to avoid this kind of attack in the future.
We have contacted all the victims that we know of, but have also decided to open the IRS agent’s talk to the campus at large. Here are the details:
Tuesday, July 12, 10:00 AM
Partrich Auditorium (located in the Law School).
No need to RSVP—just come.
If you have any questions, you can contact the Office of Internal Audit at (313) 577-2128 or Carolyn Hafner at email@example.com.
A couple of weeks ago I wrote about the income tax fraud cases the security and financial folks at Wayne State University have been hearing about. I want to reiterate several points I made and let you know how the investigation stands at this moment.
From the moment we (the Controller, Payroll, the Provost, the Information Privacy Officer — that would be me, our Information Security Officer, Internal Audit, Senate leadership, etc.) started hearing reports of Wayne State employees finding false reports filed in their name, we began investigating how this might have happened — and whether something or someone at Wayne State might have been responsible.
Let me begin by saying: we DO NOT believe this was caused by any person within WSU or because of a security lapse at WSU itself. To the best of our knowledge, all universities in Michigan have employees who have experienced these hacks, and it has certainly become a nationally-covered news item.
Be that as it may, our security team has been combing logs and looking at our database of phishing attempts to make sure nothing has slipped through the cracks.
Last week, I attended a conference in DC of other university privacy officers and opinion was unanimous — phishing is the source of virtually all security breaches at universities these days. Consequently, our Security Officer and I are offering training on how to recognize and resist phishing attempts. The next two are scheduled for this Friday at 11 a.m. and Tuesday, June 7, at 3 p.m. in Bernath auditorium. Both are free, do not require registration, and are aimed at you, the average computer user.
Finally, let me repeat something I said in my last blog post:
If you were a victim of this scam and would like to help further, you can request a copy of the fraudulent return from the IRS (unfortunately with the name of the bad guy redacted). This is how you do that. Then you can compare the adjusted annual income amount with your W2. If they match, that means somebody got your annual income, so let me know. Note: DO NOT TELL ME THE AMOUNT – JUST WHETHER IT MATCHES! I am the Chief Privacy Officer, after all 🙂
On Friday you received a message from C&IT and the VP for Administration talking about the epidemic of income tax fraud that has hit the country. This morning it made the front page of the Free Press:
A large number of Wayne State folks were hit (since my name was listed as contact person I was contacted by a number of people, most of whom I know from other directions).
Unfortunately there’s little you can do, other than following the directions on the IRS website. This is apparently now a feature of our modern, ‘connected’ world.
If you were a victim of this scam and would like to help further, you can request a copy of the fraudulent return from the IRS (unfortunately with the name of the bad guy ‘redacted’). Then you can compare the adjusted annual income amount with your W2. If they match, that means somebody got your annual income, so let me know (DO NOT TELL ME THE AMOUNT–JUST WHETHER IT MATCHES–I am the Chief Privacy Officer, after all 🙂 ). This is how you do that.
Meanwhile, welcome to the club (I was hit too, last year).
Last week I wrote about how some (perhaps) rogue apps use your microphone to listen for subsonic signals coming from your TV or laptop to tell advertisers what you are watching or viewing.
You can stop this from happening by denying those apps permission to use your microphone. Here’s what you do.
On iOS (iPhone or iPad)1 open the Settings app and scroll down to Privacy. Touch that, then you’ll see this:
Select Microphone and you’ll see a list of apps that use the Microphone. Here’s mine (somewhat edited):
Slide the on-off switch to the right to deny the app access to the microphone. And the next time you install a new app and it asks you whether to allow it access to your mike, think before you click.™
1 This process is generally similar on a Droid, but may vary depending on version of the operating system.
One of my favorite gadget gossip websites, Engadget, had a post last week from Violet Blue, an internet privacy activist, about a cute new piece of snooping software called SilverPush. (Warning: Violet Blue is an internet privacy activist. But she’s also a porn artist and porn philosopher (!). Also a somewhat radical feminist. Visiting some parts of her own website can be ‘not safe for work’.)
It seems that some phone apps (but it’s not clear which ones) activate your smartphone’s microphone, and listen for signals being sent from your TV or computer. When it hears that signal (it’s not clear whether the signal is inaudible or masked in other noise) it sends a bunch of information about you to the advertiser you are listening to on your TV or computer.
What happens next is that your phone, or another computer you are logged into, or a tablet or whatever, will serve you up ads based on the signal that was sent to your phone. As Ms Blue puts it
The service it delivers to advertisers is to create a complete and accurate up-to-the-minute profile of what you do, what you watch, which sites you visit, all the devices you use and more.
The result is that your phone is watching you all the time, and making note of which ads you’ve seen so that it can send you more, including being able to text or phone you (one of the pieces of information that it ‘shares’ is your cellphone number).
Apparently the Federal Trade Commission was a little creeped out by this too, and told them to start warning people they were doing this. Apps that use SilverPush apparently include some Samsung apps and Candy Crush. They claim that no US companies are using their service, but some have questioned that, since the list of companies they contract with is a secret.
Here’s another, perhaps a little less panicked view. Still, I’d recommend that when you install a new app, and it asks whether you want it to use the microphone, you might want to say ‘no’.
Interestingly, the Neilsen company (the ones who track who’s watching which TV shows) uses a similar technology, but on a much more open and aboveboard basis. They ask their raters to wear a ‘pager’ that also listens to the TV or radio for subsonic tones identifying which program is on. But of course, Neilsen contracts with the people wearing the pager, and pays them to do so.
For more general musing on the state of privacy with respect to the data that companies collect about us, you can watch this rather long, but entertaining talk by Bruce Schneier at a recent Cato Institute Conference on Surveillance.
Tomorrow I’ll post a blog on how to check to see if your smartphone is using your camera or microphone for things you might not know about.
Declan McCullagh (well-known IT commentator and software developer) has a take on why software companies are up in arms about the FBI’s request for assistance with breaking into a terrorist’s iPhone.
And, in case you want some sense of how many important contemporary software and hardware companies are frightened by this development, here’s a list of those who have filed Amicus briefs in the case.
A careful reading of the list shows there aren’t many major players who aren’t taking Apple’s side, including many of their rivals. And here’s the inside story on how Apple marshalled their colleagues to join the fray.