For the next couple of months we will be focusing on the rapidly growing area of privacy concerns that are raised by the technologies that are ubiquitous in our current age.
In our houses, new devices such as refrigerators and home thermostats are connected to the internet — but who is also looking at our milk or when we have set our thermostats to ‘away’?
Or, in another arena entirely, large organizations like universities collect huge amounts of data on their customers (read: students) and then use that data to mine for information about what is likely to happen to them (for example, which students are likely to not do well in a specific course). In addition to the tricky philosophical issues involved in this kind of big data research, there are also questions of privacy. Who should see these predictive analytics? Should students know what predictions are being made about them? Should their teachers? Their advisors? The legislature? The police? These questions about the right way to use Big Data are being discussed and debated in universities around the world.
Thursday, Jan. 26 is National Data Privacy Day and the Privacy Office, C&IT and University Libraries are sponsoring a web-based talk from 1 to 2 p.m. in the Simons Room (on the first floor of Purdy/Kresge Library; refreshments will be provided).
The speaker is Cindy Compert, who is Chief Technology Officer for Data Security and Privacy at IBM. Further details about the talk can be found here:
Later this spring, additional live speakers will be announced. Watch this space and campus announcements elsewhere for details.
The goal of this campaign is to raise awareness of privacy as an important issue and perhaps to gather a group of people on this campus who are interested in ongoing conversation about these issues.
Image source: http://www.top10bestwebsitebuilders.com/how-to-create-a-website/free/free-privacy-policy-generator
Roughly two months ago the university introduced Duo, a two-factor authentication system to protect sensitive data held by the university. It did this in response to innumerable phishing attacks, some of which succeeded well enough that faculty paychecks were stolen and systems shut down because some of us opened sneaky emails and followed the instructions therein.
In order to limit the damage that these phishing attacks cause, we decided to make it harder for scammers to break into our systems. By requiring that everyone confirm that it is indeed them, and not a crook from Antarctica (or perhaps someone from closer in), who is attempting to enter grades or change direct deposit banking details, we hope to save the university a lot of money and our employees a lot of heartbreak.
Duo simply provides a simultaneous parallel avenue of logging in, in addition to the combination of AccessID and password. The parallel avenue can be a smartphone, a simple cellphone, an office telephone or several other routes. Think of it as having both a key to the door and facial recognition software. Or someone waiting to hear you say, “Joe sent me.”
For complete instructions on how to use Duo you can see my previous blog, the notice the university sent out in early November, or the computing.wayne.edu information page. Finally, here are step-by-step instructions.
There are a few minor glitches people have discovered. If you want to put the Duo app on your smartphone and your credit card details with the iPhone App Store or Google Play Store have expired, you’ll have to put in current information. Note that this is Apple and Google’s rule, not Wayne State’s or Duo’s. They don’t want you downloading other apps for free, even though Duo itself is, and always will be, free.
Another minor glitch is that some folks apparently missed the Duo roll-out entirely, which indicates that they never looked at anything in Academica that was connected to Banner (such as their paystub, their benefits or their classlists) before final grade submission began. I would strongly recommend reading messages that C&IT sends out — it really might be important 🙂 And we try hard not to overwhelm the campus with email announcements.
 True story. Many years ago I was a member of a committee of fairly well-established WSU researchers. One of them told the committee that he instructed his junior colleagues to delete any messages that came from the WSU administration without reading them. He said they should stay away from university politics. My first reaction was, “What if the email message from the Chief Holt was warning them about an active shooter in their building?”
As I’m sure you know, the internet is an increasingly dangerous place, and the most frequent source of compromised computers is people responding to phishing emails. The Security office at C&IT is working 24/7 to keep track of phishing and block people’s access to bad sites, but unfortunately it is just not enough, so C&IT is about to introduce two-factor authentication for certain WSU websites.
The danger with phishing is that people will log into websites that are not what they seem to be, and input their credentials (AccessID plus password) . The bad guys running the phony websites then take those credentials and use them to log into sensitive Wayne State sites, like your bank direct deposit setup page, where they redirect your paycheck to a bank of their choosing. And yes, this has indeed happened recently to Wayne State employees. They also use those credentials to install bad stuff on your computer, which they then use to attack other computers within Wayne State.
Since people are easily fooled into clicking on things they shouldn’t, we’re also combating the problem from our end, by beefing up security on certain Wayne State websites—pages within Academica, like PayStub, Direct Deposit etc. We are introducing what is called ‘two-factor’ authentication. (The current system is ‘one-factor’ authentication, where you simply type your password, which is ‘something you know’ into a box). Two-factor authentication adds an additional layer of security by having you touch ‘something you have’1. Wayne State has contracted with Duo, a nationally-known Ann Arbor-based company to implement this additional layer.
How does it work?
If you have a smart phone (iPhone, Droid, Windows phone) you can download a free app on the device, and go through a simple registration process. You get the app in the usual way (from the App Store/Google Play etc., by searching for ‘Duo’). You go through a one-time set-up process, and after that, when you log in to the sites that WSU has protected through Duo, your phone will pop up an ‘Approve’ or ‘Deny’ button:
If you push ‘Approve,’ Timesheet, Pay Stub, and a few other websites, such as native Banner2, will open up. There are additional wrinkles that can simplify your interaction with Duo–you can read about them here.
If you would prefer not to use Duo’s app, you have many other choices. You can choose to receive a text message and then type that number into the website, or a phone call (where you can just press # as a response). And there are other ways to do it too. Details can be found here.
If you don’t want to use any device (smart phone, tablet, flip phone, computer) there are other ways to log on (contact the C&IT Help Desk for additional information).
For much more detail on how this works, go to our FAQ.
Many universities and other organizations with sensitive websites that everyone needs to access are moving in this direction. Normally it only adds one or two seconds to the time it takes to log on to Academica or Banner (C&IT employees have been using Duo for a few months, based on the cutely-named notion that we should ‘eat our own dogfood’).
As always, if you have questions you can contact the Help Desk, or you can add a comment below–I always read and respond to comments.
1 You can read about this way of classifying security methods on this website.
2 Technically you will need Duo whenever you access ‘Self-service Banner’. This includes facilities you access from Academica such as Pay Stub, Time Sheet, Direct Deposit, tax forms etc. In short, to get to any page within Academica that looks like this:
You may have heard that Yahoo suffered a security breach which they revealed last week, although it’s not exactly clear when it happened, or even when they became aware of it. You probably don’t think this matters to you, but you might be surprised. There are some things you should do immediately, and some things you should do in the next few days.
First the facts: According to Reuters, at least 500 million (yes, half a billion) accounts were hacked. That means that user names, email addresses, telephone numbers, birth dates, and encrypted passwords were all stolen. Unencrypted passwords, payment data (bank account information) were not taken. According to Bruce Schneier this is the largest breach in history.
Yahoo is claiming that the breach happened in 2014, and that they became aware of it recently, although some have questioned that claim.
So what does this have to do with you? First, if you know you have a Yahoo account, change the password now. Although they claim it happened two years ago, unless you’re sure you’ve changed the password since then, change it now.
Second, many other things are linked to Yahoo. For example, if you have a Uverse account, and use the email address associated with it, that’s the same set of credentials. The same for Flickr. Also, change the security questions (and especially the answers).
Finally, if you used the same password for any other account, particularly your Wayne State email/Academica/AccessID account, CHANGE THE PASSWORD NOW!!! Especially if you have the same access ID (i.e. as I do, email@example.com)
This is a good reason, unfortunately, for the annoying requirement for frequent password changes—people reuse passwords. On the other hand, if you use a password manager (like LastPass or Dashlane or Keepass) you don’t need to worry about it. You can read a discussion of the various password managers here
Finally, check back here later in the week to hear about a new security measure C&IT will be implementing that will change the way you get to things like your pay stub, your time sheet and your direct-deposit information in Academica.
 This is a good time to reiterate that you should not use standard answers to security questions. So if it asks you your mother’s maiden name, LIE. Nobody cares, and that answer can’t be Googled, and isn’t on Facebook. Just make sure you record you answer somewhere where you can find it.
 And, before you can get smart with me, as I am writing this I have already changed it.
As we gear up for a new semester (some of us can’t believe we’re well on the way to 2017), I thought I’d remind folks of a few things that happened over the summer that will affect you (or, in some cases, have already done so).
As you may recall, President Wilson issued a new policy dealing with procedures for traveling internationally on university business (such as attending conferences, giving talks, consulting on aid projects and so on). From now on, you will have to answer a short questionnaire before you can get to TravelWayne, in order to ensure you do not put yourself and the university at risk of violating assorted State Department and Federal Trade Commission travel restrictions. You can read the details here.
Secondly, it is well-known that using security questions to make sure it is you (and not some hacker) resetting your password is not the most secure process. So C&IT replaced the system of security questions with a requirement that everyone provide an alternate email address to which the reset password link may be sent. Most people should already have done this, but here’s some additional information on how it works.
Finally, there are a few things coming up that you will need to be aware of. We will be rolling out a two-factor identification system later in the semester that will make access to critical data sources (your direct deposit bank details, your W2’s and access to Banner for those who have it) more secure. Details on that system will follow in late September. In addition, there will be changes in Banner and a little tighter control on access to sensitive student data.
Hope the beginning of the semester is smooth. And, if you’re new to Wayne State, welcome!
Nowadays it’s easy to lose track of passwords, because we have so many. And if you forget your password, there are various ways that email system owners verify that it’s ‘you’ before allowing you to reset it. For many years Wayne State has provided a series of ‘challenge questions’, which you set answers to. Unfortunately the built-in questions are sometimes ones that make it very easy for a nefarious hacker to guess (by wandering around your Facebook account, for example). So, like many other institutions (Google, Facebook, perhaps your bank) Wayne State has decided to eliminate the Challenge Question system and replace it with a ‘recovery email’ facility.
Some time soon, when you log in to Wayne Connect you will be asked to supply an alternate email address (i.e. one not ending in ‘wayne.edu’). It can be anything else (Gmail, Hotmail, Apple, AT&T…) but it should be one that you actually read, even if only occasionally.
If you forget your Wayne State password, or if you’re asked to reset it because of a hack, an email will be sent to the alternate address. When you open the email it will contain a link to a password reset page. (You’ll also need to enter the last four digits of your social security number if you are an employee.) An additional security measure is that, if you have access to high-risk systems such as Banner or Cognos, you’ll need to be on a Wayne State network (in your office, essentially).
If you would rather not provide an alternate email address, or if you don’t have one, you will need to call the Help Desk, but only during their business hours (M-F 7:30 AM – 8:00 PM).
If you have any questions about this new policy or you need assistance in implementing your recovery email address, please contact the C&IT Help Desk at 313-577-4357 or at firstname.lastname@example.org.
Getting to TravelWayne is going to get a little more complicated if you are planning international travel. Here’s why.
For a number of years the US Department of State, the Department of Commerce and the U.S. Treasury Department have had restrictions on what things can be exported to other countries. These restrictions come from the International Traffic in Arms (ITAR) regulations, the Export Administration Regulations (EAR) and the Office of Foreign Assets Controls (OFAC). However, ‘export’ doesn’t mean what you think it means. The US government defines ‘export’ as moving objects or data out of the country. That includes objects such as laptops that contain data. There are certain kinds of data that cannot be taken to certain countries. Probably most data you would put on a laptop (or tablet, or thumb drive, etc.) would not be restricted. But there is a large list of kinds of data that could get you, and Wayne State into big trouble if the Feds find out you have taken them to China, or Iran, or even France, in some cases.
Just as an example of how faculty members can get into trouble, you can read the University of Hawai`i’s website on the topic
Further complicating things is the fact that some countries forbid encrypted data from being imported into those countries. Here is a map showing which countries restrict the import of encrypted data.
So, to protect everyone involved (travelers and their ‘supervisors’–chairs and such, as well as the Office of Research), there is a new university policy on international travel that is going into effect in a couple of weeks, once the mechanisms are in place.
How will the policy affect the average traveler? If you are traveling within the US, it will have no effect. But if you are travelling internationally, you will see a new button in Academica saying ‘International Travel’. When you click that, you will be taken to a questionnaire that asks what you will be bringing with you. If one of your answers triggers a potential international travel issue, the system will generate an email to the Export Control office at Wayne. You will be urged to contact them so that they can make sure you are not violating laws against Export Control. After you do so, they will send you an email giving you clearance to travel.
For a preview of the questions, just go to ft.wayne.edu. At the moment it’s set up as a test version, so no emails are generated, and it doesn’t record who has visited.
The way the system will work is that when you begin the process of making travel plans (within TravelWayne) for each trip, you will have to go through the questionnaire. Thereafter, for each trip you can go directly to TravelWayne (say, to tweak you hotel reservation or whatever).
The kicker, once the policy goes into effect, is that you will not be reimbursed for your trip if you haven’t received clearance from the Export Control office, so it is definitely in your interest to get that clearance.
Associated with this policy are two helpful FAQ’s that make suggestions about safe ways to travel internationally, one on legal questions, the other on technical issues. These include always using the VPN when connecting to Wayne State resources (such as your email, or files stored on Wayne State sites). Note that you cannot even reach Facebook or Google from certain countries (including China) unless you use the VPN, by decision of the host country. Wayne State has nothing to do with these restrictions, of course.
As I mentioned in an earlier post and also here, a number of Wayne State employees were hit by an IRS hack that stole their identities and attempted to claim refunds. Wayne State C&IT and Internal Audit have investigated these hacks and have found no evidence that the source of the leaks was located at Wayne State, but nonetheless the IRS has volunteered to send an agent to campus to talk about how to avoid this kind of attack in the future.
We have contacted all the victims that we know of, but have also decided to open the IRS agent’s talk to the campus at large. Here are the details:
Tuesday, July 12, 10:00 AM
Partrich Auditorium (located in the Law School).
No need to RSVP—just come.
If you have any questions, you can contact the Office of Internal Audit at (313) 577-2128 or Carolyn Hafner at email@example.com.
A couple of weeks ago I wrote about the income tax fraud cases the security and financial folks at Wayne State University have been hearing about. I want to reiterate several points I made and let you know how the investigation stands at this moment.
From the moment we (the Controller, Payroll, the Provost, the Information Privacy Officer — that would be me, our Information Security Officer, Internal Audit, Senate leadership, etc.) started hearing reports of Wayne State employees finding false reports filed in their name, we began investigating how this might have happened — and whether something or someone at Wayne State might have been responsible.
Let me begin by saying: we DO NOT believe this was caused by any person within WSU or because of a security lapse at WSU itself. To the best of our knowledge, all universities in Michigan have employees who have experienced these hacks, and it has certainly become a nationally-covered news item.
Be that as it may, our security team has been combing logs and looking at our database of phishing attempts to make sure nothing has slipped through the cracks.
Last week, I attended a conference in DC of other university privacy officers and opinion was unanimous — phishing is the source of virtually all security breaches at universities these days. Consequently, our Security Officer and I are offering training on how to recognize and resist phishing attempts. The next two are scheduled for this Friday at 11 a.m. and Tuesday, June 7, at 3 p.m. in Bernath auditorium. Both are free, do not require registration, and are aimed at you, the average computer user.
Finally, let me repeat something I said in my last blog post:
If you were a victim of this scam and would like to help further, you can request a copy of the fraudulent return from the IRS (unfortunately with the name of the bad guy redacted). This is how you do that. Then you can compare the adjusted annual income amount with your W2. If they match, that means somebody got your annual income, so let me know. Note: DO NOT TELL ME THE AMOUNT – JUST WHETHER IT MATCHES! I am the Chief Privacy Officer, after all 🙂