Former Information Privacy Officer Geoff Nathan got firsthand experience with Wayne State’s new eduroam service this summer. Check out what he had to say.
— Michael Barnes
Wayne State University has joined the international consortium known as eduroam. Eduroam allows anyone with login credentials at member universities to log in to the network at any other member institution.
What does this mean?
It means that if you can log in to the Wayne State wireless network (the secure one), then you can log in to the wireless network at any other academic institution that is also an eduroam member. This means you have a secure Wi-Fi option at hundreds of universities, research institutes and more.
How well does it work?
Very well! This past summer I visited the University of Hawaii (Manoa campus)1, Tartu University in Tartu, Estonia and Southern Illinois University Carbondale. While on the campus of each place I simply chose eduroam as the network I chose to connect to, entered my Wayne State credentials and immediately got access to their network.
The only drawback is that you may get a mysterious error about certificates, but this only means that the university has made a small configuration error, not that there is a real problem.
So next time you are visiting another academic institution around the world, you probably can use their secure Wi-Fi with your WSU AccessID and password.
Find a full list of every eduroam institution around the world (sorted by country) at eduroam.org/where/. There are over 500 eduroam institutions in the United States alone and there are additional institutions in nearly 100 other countries.
1 Yeah, I know. But I’m an alum. I lived there in the ’70s.
Those who know me (or those who occasionally look at the blog listings on Today@Wayne) may know that after 15 years at Wayne State University, I announced my retirement this past spring. I was proud to serve as Wayne State’s first Information Privacy Officer and I’m confident that my successor, Michael J Barnes, will be able to do even more with the role. You already met him when he posted over the weekend about the nasty Equifax security breach. Please join me in welcoming him.
Thanks for reading this blog over the years. I may do a guest post from time to time, so this won’t be the last you hear from me. Now for a few words from Michael:
Hi all. I am an Associate Professor in the College of Fine, Performing & Communication Arts in the Maggie Allesee Department of Theatre and Dance, having served as the Artistic Director and on its Executive Committee since 2011. I’ve served on numerous committees at Wayne State and, as a member of the Academic Senate, served on the Facilities, Support Services, and Technology Committee. Before I came to Wayne State, I was faculty at the University of Miami in the Department of Theatre Arts, also teaching in their School of Law, and at Temple University. I’ve been obsessed with technology since I started learning on the original Macintosh computer.
I’ve worked with Geoff on a handful of projects in my time at Wayne State and I’m excited to become a member of the C&IT team and turn my passion for technology into a position where I can effect change. I’m taking over the ProfTech blog, so keep an eye out here for regular updates about university privacy and how faculty can best use technology resources. You can also reach me at email@example.com with questions or comments about university privacy.
In the wake of the cyberattack on Equifax and the loss of the personal data of millions of U.S. citizens, I thought it would be interesting for the Wayne State community to know a bit more about cybersecurity on our campus.
Wayne State takes your privacy and the storage of your information very seriously. C&IT works constantly to make certain that all information is kept safe. It is a top priority to keep our employees’ information safe and to make certain that we uphold standards set by regulations like FERPA and HIPAA.
For a brief overview to understand the university’s methods of securing data, Director of Information Security Kevin Hayes shared the active controls utilized here at WSU:
- Multiple layers of firewalls
- Regular vulnerability scans check for malware and security issues on our central servers
- Automatic blocking of new attackers and threats
- Two-factor authentication for access to sensitive data
- Manual reviews of servers, systems and processes to ensure data integrity
He also shared metrics to understand just how successful the firewall and security systems have been at Wayne State.
On a typical day, university firewalls block:
- 187 million connections at the Internet edge
- 8 million connections for residence halls and housing
- 7 million connections at the data center
- 1 million connections at our Disaster Recovery (DR) site
- 300,000 connections for the President, Provost and Office of General Counsel
- 200,000 connections for the WSU Police Department
In the month of Aug. 2017, the systems:
- Dynamically blocked 2,844 attackers attempting to scan our network
- Blocked 4,373 viruses and malware components
- Prevented 482,316 outbound connections to other malicious destinations
- Thwarted 91,793 hacking attempts
Yes, you read that correctly. There are close to 200 million attempts to hack into WSU systems in one day. When I first heard these figures, I was shocked. In our modern world, it is virtually impossible to keep information about you completely private. Rest assured, WSU does everything possible to make certain that we are never the source that compromises your personal privacy.
On Thursday, Sept. 7, the national media reported that Equifax, which is one of the three major consumer credit reporting agencies, has been the victim of a cyberattack that affected 143 million customers. Whether you like it or not, this will likely affect you, your spouse, or any number of your family members. Unfortunately, I know many people who seem to walk blindly into what are now the forests that constitute our modern commerce and economy. Some of them feel they are protected because they don’t shop online, or because they don’t pay their bills online, or because they only use their debit card…or, or, or… That simply is not the case anymore; no one is immune to identity theft.
In the last few years, we have been seeing a rising number of major corporations being hit by this type of attack. We saw the national retailer, Target, experience a security breach in 2013 where the names, credit card numbers, expiration dates, and security codes of approximately 40 million people were stolen by hackers. Yahoo was hit by a couple of these attacks — the information of over one billion account holders was breached.
You may think “I’m not a customer of Equifax; It doesn’t affect me.” This simply is not the case. Whether we like it or not, we are all customers of Equifax. As one of the three major credit bureaus (the other two are Experian and TransUnion), any time you apply for a credit card, a loan, or utilize your bank, your information is being shared with these agencies. They maintain consumer credit information and sell that information to businesses in the form of credit reports. Though they are heavily regulated, they are publicly traded, for-profit agencies.[i]
Media sources have reported that hackers may have gained access to sensitive information, which includes social security and drivers’ license numbers, for 143 million customers. Given that the current adult population of the United States is 245.3 million people, this means that over half the adult population of the U.S. has now had their information stolen and is at risk for identity theft.
A quote from the New York Times indicated that in severity, on a scale from 1 to 10, this attack is a 10. Unlike the Yahoo or Target attacks, thieves were able to acquire information of a more personal nature. They were able to retrieve names, birth dates and addresses; information that would allow access to bank accounts, employee accounts and medical information; the credit card numbers for 209,000 people; and documents used in personal disputes for 182,000.[ii]
What Do You Do?
It is important that all individuals investigate as to whether their information has been compromised. Equifax has set up a site to help determine whether your data is at risk. That site is: equifaxsecurity2017.com/. You should also acquire a free copy of your credit report from one of the three major agencies. This can be obtained at annualcreditreport.com. If you think your data has been used, be certain to contact your local law enforcement officials. In addition, if you find that your information was stolen, you should place a fraud alert on your credit files; the FTC has a website with a guide for placing a fraud alert. Equifax is also offering all consumers the ability to freeze their Equifax Credit Reports as well as making use of their Credit Protection Service for free for one year.
It is worth noting that the Attorney General of the state of New York has pointed out that the terms of service for Equifax’s credit monitoring service, TrustedID Premier, say that users give up their right to participate in a class-action lawsuit or arbitration. However, he has also stated that, in the case of this breach, those Terms of Service would not be able to be upheld in a court of law.
As one last point, I would suggest that each of you take the time to contact your elected Representatives and encourage them to examine the policies we have in place for consumer data protection. This type of event demonstrates the importance of making certain that the industry of sharing your financial data be strictly regulated. The information that these cyber-thieves acquired could affect people for years to come.
- Equifax Site to Check Data and Utilize Protection Service: equifaxsecurity2017.com/
- Obtain Your Credit Reports: annualcreditreport.com
- FTC Consumer Information on Placing a Fraud Alert: consumer.ftc.gov/articles/0275-place-fraud-alert
- New York Times “How to Protect Your Information Online”: nytimes.com/interactive/2017/technology/how-to-protect-data-online.html
Since my initial writing of this posting, I have read a number of articles on how to best handle the Equifax breach. In my opinion, the best way to deal with it is to have a freeze put on your credit file with Equifax and the other services. Because it makes it so that no credit report can be run, it stops any thief from opening credit in your name. If you need to apply for credit you temporarily thaw the account by providing a PIN number (which will need to be kept in a very safe place where you cannot lose it). Of course, the credit services do not let you freeze an account for free, nor do they thaw it for free. However, the cost is far less than what you might experience if you are the victim of identity theft. Equifax has bowed to pressure, however, and will offer credit freezes free for the next 30 days.[iii] If you are still a bit confused about just exactly what to do, I would suggest these articles: the New York Times, “Equifax’s Instructions Are Confusing, Here’s What to Do Now,” and the Chicago Tribune, “After the Equifax Breach, Here’s How to Freeze your Credit to Protect your Identity.”
[i] Irby, LaToya. “What You Should Know about the FCRA.” The Balance. 11 May 2016. https://www.thebalance.com/what-you-should-know-about-the-fcra-960639
[ii] Bernard, Tara Siegel, Tiffany Hsu, Nicole Perlroth, Ron Lieber. “Equifax Says cyberattack May have Affected 143 Million Customers” New York Times. 7 September 2017. https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html?hpw&rref=business&action=click&pgtype=Homepage&module=well-region&region=bottom-well&WT.nav=bottom-well
[iii] Lieber, Ron. “Equifax, Bowing to Public Pressure, Drops Credit-Freeze Fees for 30 Days.” New York Times. 12 September 2017. https://www.nytimes.com/2017/09/12/your-money/equifax-fee-waiver.html?mcubz=3
My colleague and acquaintance, Bruce Schneier, wrote a good article about what we can learn from the Wannacry attacks of last month. It’s both in the Washington Post and the Metrowest Daily News (the WP article is behind a paywall for me, but you may be able to read it).
P.S. I have recently retired, but will occasionally return to post on important issues related to security and privacy.
Although all Wayne State employees have the ability to download and use the Microsoft Office Suite (including Word, Excel, Powerpoint etc.) it is only available to current employees. When you retire you will probably find that eventually the license will expire. Then what do you do?
One simple possibility is to purchase an individual license for the Suite, which is available from Microsoft for $99/year. If you are not comfortable doing that, there are several options available that I will outline here.
If you really want to stay within the Microsoft environment, all Wayne State employees, students and retirees have access to the online versions of all of these programs. The online versions are not as powerful as the desktop versions (for example the online Word doesn’t have Track Changes, which makes it useless for sharing editing tasks), but they are good enough for most tasks, and are free as long as you have access to Wayne Connect.
Otherwise, if you are comfortable in the Google universe, there is a complete set of tools available for free from Google. These include Google Docs, Sheets, and Slides. They only work online, but all of them allow conversion (and downloading) to the more widely used Microsoft equivalents (and conversion can go both ways). The interface is quite different from the Word (etc.) interface, but does everything that most people need to do (Sheets probably doesn’t do the kind of complex statistical and modeling that Excel can do, nor the complex formatting you can do with Word or similar dedicated word processors). Here’s a screenshot of what a sample CV document looks like in Google Docs:
Second, if you are willing to spend some money there are high-end competitors to Word that do some tasks better than Word. I have for twenty years used Notabene, a powerful academically-oriented word processor written for those in the humanities. It has built-in support for commonly used scholarly languages (anything using the Roman alphabet, Hebrew, Greek, Arabic) including the ability to mix left-to-right and right-to-left orientation in the same line, a powerful, built-in bibliography program that both stores and inserts references following commonly used style sheets, and a textbase app that permits you to index your files and search for anything, then insert the relevant context into a document. But it’s about $400 (although you can try it out for free—it just won’t print). On the other hand, that’s a one-time only expense, since you’re actually buying it, not licensing it. Here’s a screenshot of a multilingual document in Notabene1 :
Finally, there are some decent free alternatives beyond the Google suite. I have been playing with WPS Office for Windows, which is a free download for Windows, iOS, Android and Linux. It has a user-friendly interface that greatly resembles Word (and Excel etc.) and can handle their files with ease. It’s free, although there’s a relatively reasonable subscription version (WPS Office for Windows Premium) that goes for $25/year. You can find it at wps.com/office-free.
Another free competitor comes in at least two flavors: Apache OpenOffice and LibreOffice. They are very powerful office suites, but I find their interfaces somewhat user-unfriendly for those who are used to the Microsoft varieties. These programs are open-source, which means that they are being developed by communities from computer source code that is open to anyone. As with all the other alternatives, these permit conversion to and from the more familiar .docx and .xlsx formats.
Finally, if all you want to do is read Word, Excel and Powerpoint files, you can download viewers that permit you to do just that: Word Viewer.
In short, although it’s a little annoying, you can keep working from home after you retire. As I plan to do…
1 I am not affiliated with Notabene, but I have been using it since 1987. Another multilingual word processor is Nisus.
I have received many questions from my friends about what to do now that Congress voted to repeal the online privacy rules created last October by the Obama administration.
The first thing to do is to avoid panic. Those privacy laws never took effect, so I believe we are now no worse off than we were before last October, although some commenters are disputing this.
What did the proposed regulations do? They would have forbidden your internet service provider (ISP) from collecting and using data about your online activities, and particularly from selling that data to other merchants (such as Amazon or Facebook).
When you browse the web from home (or from your phone) your ISP (Comcast, AT&T, WOW, Verizon etc.) routes your traffic from your device to the website you are visiting. That information is, of course, stored by your provider and can be aggregated and sold to the highest bidder. And, of course, if the information is stored, it can be subpoenaed, seized through a national security letter or stolen and sold online to somewhat less reputable people than Comcast.
And all of these things have happened already (Schneier’s article cites real examples):
- What the repeal of online privacy protections means for you, The New York Times
- Congress removes FCC privacy protections on your internet usage, Schneier on Security
- Five creepy things your ISP could do if Congress repeals FCC’s privacy protections, Electronic Frontier Foundation
What can you do to prevent your ISP from seeing where you browse and what websites you look at?
The best solution is to use a Virtual Private Network (VPN). A VPN is like a tunnel that routes all your internet browsing through a neutral pathway so that nobody outside the tunnel can see it. Your browsing is encrypted from your computer to the entrance to the tunnel and outsiders can only see traffic from the tunnel to your target website. Thus nobody can tell where you are browsing.
VPN’s were developed to permit protected information to be transmitted across the web. If you are a Wayne State employee you can use the Wayne State VPN. If you do so, your computer (or smartphone — the VPN works with those too) talks only to Wayne State, effectively making it part of the Wayne State network. But any browsing traffic (or downloading) is encrypted, so that nobody can snoop on it (with the possible exception of the NSA, although there is some dispute about whether even they can break 64 bit encryption). You can learn about, and use the Wayne State VPN here: computing.wayne.edu/vpn.
Even if you’re not worried about Comcast or AT&T snooping on your web activities, there are good reasons to use the VPN, particularly if you are not at home. Random Wi-Fi connections in public places are notoriously vulnerable to snooping, and the VPN will protect your laptop or smartphone there. And, of course, I have written over the years about international travel and the possibility that other governments might watch over your shoulder to read your email or other activities. A few countries (China in particular) attempt to block the use of VPN’s, although they generally leave universities alone.
When you use a VPN all traffic from your computer to the website you are looking at goes through the Wayne State VPN (or an alternative; more below) first, and is encrypted from your computer to the target website. That means if someone snoops on your computer all they see is encrypted traffic from you to Wayne State. They can’t see where you are browsing.
Here’s a diagram of what happens when you DON’T use a VPN:
And here’s a diagram of what happens when you DO use a VPN:
It should be said that for older machines and slower network connections there might be a slowdown in how fast a page loads, and we don’t recommend using the VPN for streaming movies.
One last thing: be aware that when you visit a website whose URL begins with https: any text you transmit to that site is encrypted, but any site that begins http: is not encrypted. In addition, sites with https: are authentically what they say they are. You can tell this because there is a green padlock in the address bar, and the text sometimes includes the name of the company.
If you don’t have access to Wayne State’s VPN there are alternatives. Kevin Hayes, our Chief Information Security Officer, recommends not using the various free VPN’s on the market, pointing out that ‘if you are not paying, you are not the customer’. However, PC Magazine has a rating of various commercial VPN options here: pcmag.com/article2/0,2817,2403388,00.asp.
After serving as chief privacy officer for the past year and a half, I will be retiring from Wayne State University at the end of the winter semester. We have been given permission to search for a replacement, so I thought I’d use this platform to say a little about what a Privacy Officer does.
The simplest way to describe it is to link to my Educause blog on “A day in the life of a Chief Privacy Officer.”
However, if you’re interested in the tl;dr1 version, allow me to give you the “elevator speech.” Universities, like nearly all other organizations, hold information about any and all people they deal with. For universities this includes data about students, faculty, staff, alumni and visitors. In 2017 it tends to be electronic records, although there are still thousands of pieces of paper with data on them as well.
Some of those records are sensitive. This means that the information could harm the person it refers to if it is released, or that its unauthorized release would subject the university to legal penalties because the data is protected by law. Or both. For example, social security numbers have become toxic (as we say in the privacy world) because those numbers can be used to commit identity theft. Student records such as grades are protected by the federal law known as FERPA and could cost the university embarrassment and money if they are released to unauthorized persons.
The privacy officer’s job is to help the university keep those records safe from inappropriate release by developing policies, by ensuring that employees are trained in how to apply those policies, and by reviewing how new methods of storing data (such as new versions of Banner or Academica) are configured to ensure the data therein is properly locked up.
This means serving on a lot of committees, meeting with administrators and researchers storing sensitive data, and speaking to groups such as the Academic Senate and the Administrative Council. It also means working closely with the Office of General Counsel, Internal Audit, the Associate Provost for Academic Personnel, and serving on the leadership team of C&IT.
If you think you might be interested in learning more about this position, you can find it listed at jobs.wayne.edu under position number 042601.
1 This popular internet acronym stands for ‘too long; didn’t read’. Usually an expression of disapproval.
By now most people have heard about the WikiLeaks revelation that the CIA has for years been developing programs to break into iPhones, Droids and Samsung TV’s. Assuming you don’t want them to do that, it turns out there are ways to keep them out of your house.
First, the background. WikiLeaks is the infamous source of supposedly secret data managed by a consortium and led by Julian Assange (who is currently living in Ecuador’s embassy in London to avoid extradition). On Tuesday, WikiLeaks released thousands of pages of data supposedly lost by the CIA (and hence floating around the less public areas of the internet). These include programs for hacking Skype, your Wi-Fi router, Apple and Android smartphones, the apps Signal, Whatsapp, Telegram and more — several million lines of code (computer programming). So far crucial bits of the code have been redacted by WikiLeaks to prevent it from being used by those who download the files.
But what if you think there’s no reason for the CIA to be snooping on your devices? Unfortunately, WikiLeaks released these files because they were floating around “in the wild” already, which means that not only the CIA but other folks have access to them. And, whatever you think of the CIA, we have no assurance that the outsiders who passed these files around have motives as “pure” as the CIA’s.
There’s been some discussion about whether these files are authentic, but betting in the security community is that they are. Bruce Schneier, who I consider to be a reliable judge of such things, seems to believe they are real and has discussed the topic on his blog twice now:
What you can do
Can you do anything to protect yourself against these tools? Probably, yes. The New York Times had an article on Thursday detailing simple steps you can take to make your devices somewhat more secure. The primary thing is to keep your operating system up to date. This is not news, of course — we in the C&IT Security/Privacy team have been saying this for years.
Make sure your iPhone is using iOS 10 if it can (any iPhone with a model number of 5 or above and any iPad younger than 2013 can run this OS).
For Android devices, (both phones and tablets) any version of the Android OS after version 4.0 should be safe, but older devices such as the Samsung Galaxy S3 won’t run it.
To protect your Wi-Fi router, you are advised to upgrade to the latest firmware. This is rather trickier to do unless you are comfortable logging in to your router, but you can probably get your internet service provider’s help desk to talk you through the task.
Unfortunately it doesn’t seem so easy to lock your Samsung SmartTV down. Of course, you can always unplug it when you’re not watching it1, although then you have to wait for it to boot up before you can head over to Amazon to watch Mozart in the Jungle or whatever your favorite online streamed program happens to be.
1 Just turning the TV off with your remote does not turn it off. It’s still in listening mode and a malicious hacker can also turn on the camera — yes SmartTV’s have cameras. So watch the hanky-panky in front of your TV — someone may be watching.
Much of the campus received a message earlier this week to fill out an IT Services Survey. I have been contacted by many people asking whether the survey was legitimate, or whether it was a phishing attack.
Let me first say that I very much appreciate folks asking me whether this is real. It means our training is having an effect and people are learning to be skeptical of email messages that ask them to click on things. That is exactly the right attitude to have!
That said, let me point out a couple of telltale indicators that this message is real:
If you hover over the link that is provided, a tiny window will pop up (on Firefox it appears in the bottom left corner) showing the actual URL that you will go to if you click the link. Always hover over a link if you are suspicious. If the pop-up address and the one visible in the actual message match, then you are about to go to the website claimed. In this case, the website belongs to techqual, a company many of you already know about — it’s Wayne State’s source for running this survey. Here is a screenshot of what that looks like in my Wayne Connect mailbox — the arrow points to the popup URL.
If you are interested in learning more about how to recognize phishing emails, our Chief Information Security Officer, Kevin Hayes, and I will be conducting anti-phishing training on Thursday, March 23, at 11 a.m. in the Purdy-Kresge Auditorium. Come and learn all the telltale signs of phishing emails and why we keep getting these attacks. And, of course, what you can do to protect yourself. No advance registration and no technological knowledge is required. Learn more at events.wayne.edu.
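The hover check described above can also be run over a message's HTML. The sketch below is an added example, not code from Wayne State or the original post. It compares each link's visible text with the host its href actually points to; the sample message, its example.* addresses and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a web address (optional scheme, dotted host).
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I)

# Constructed sample message body; every address is a placeholder.
SAMPLE_BODY = """
<p>Please complete the survey:
<a href="https://survey.example.org/take?id=1">https://survey.example.org/take</a></p>
<p>Verify your account:
<a href="http://accounts.example.net/login">https://www.example.edu/login</a></p>
<p><a href="https://example.edu.files.example.net/doc">Click here</a> to view it.</p>
<p>Questions? <a href="mailto:helpdesk@example.edu">Email the help desk</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None   # None means "not currently inside an <a>"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(address):
    """Return the lowercase hostname of a URL or bare address, or '' if none."""
    address = address.strip()
    if "://" not in address:
        address = "//" + address  # lets urlsplit read "example.edu/x" as host + path
    try:
        return (urlsplit(address).hostname or "").lower()
    except ValueError:
        return ""


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def check_links(html_body):
    """Return (verdict, visible_text, real_host) for each link in the message."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.links:
        try:
            target = urlsplit(href.strip())
            real_host = (target.hostname or "").lower()
        except ValueError:
            findings.append(("unparseable", text, ""))
            continue
        if target.scheme not in ("http", "https"):
            verdict, real_host = "non-web", ""
        elif not URL_LIKE.match(text):
            # "Click here" style text: only the hover address says where it goes.
            verdict = "text-only"
        elif _strip_www(host_of(text)) == _strip_www(real_host):
            verdict = "match"
        else:
            # Exact host comparison on purpose: "example.edu.files.example.net"
            # must not pass as "example.edu".
            verdict = "MISMATCH"
        findings.append((verdict, text, real_host))
    return findings


if __name__ == "__main__":
    for verdict, text, real_host in check_links(SAMPLE_BODY):
        print(f"{verdict:10} shown={text!r} goes_to={real_host or '-'}")
```

A "text-only" result is not a verdict of safety: it means the visible text gives no address to compare, so the real host has to be judged on its own.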