Two-factor authentication is coming to your phone (or other device)

As I’m sure you know, the internet is an increasingly dangerous place, and the most frequent source of compromised computers is people responding to phishing emails. The Security office at C&IT is working 24/7 to keep track of phishing and block people’s access to bad sites, but unfortunately it is just not enough, so C&IT is about to introduce two-factor authentication for certain WSU websites.

The danger with phishing is that people will log into websites that are not what they seem to be, and input their credentials (AccessID plus password). The bad guys running the phony websites then take those credentials and use them to log into sensitive Wayne State sites, like your bank direct deposit setup page, where they redirect your paycheck to a bank of their choosing. And yes, this has indeed happened recently to Wayne State employees. They also use those credentials to install bad stuff on your computer, which they then use to attack other computers within Wayne State.

Since people are easily fooled into clicking on things they shouldn’t, we’re also combating the problem from our end, by beefing up security on certain Wayne State websites—pages within Academica, like PayStub, Direct Deposit etc. We are introducing what is called ‘two-factor’ authentication. (The current system is ‘one-factor’ authentication, where you simply type your password, which is ‘something you know’, into a box.) Two-factor authentication adds an additional layer of security by having you touch ‘something you have’1. Wayne State has contracted with Duo, a nationally-known Ann Arbor-based company, to implement this additional layer.

How does it work?

If you have a smart phone (iPhone, Droid, Windows phone) you can download a free app on the device, and go through a simple registration process. You get the app in the usual way (from the App Store/Google Play etc., by searching for ‘Duo’). You go through a one-time set-up process, and after that, when you log in to the sites that WSU has protected through Duo, your phone will pop up an ‘Approve’ or ‘Deny’ button:

Duo on iPhone

If you push ‘Approve,’ Timesheet, Pay Stub, and a few other websites, such as native Banner2, will open up. There are additional wrinkles that can simplify your interaction with Duo–you can read about them here.

The process for other flavors of smartphone is the same. See here for Android and scroll down on this page for other devices.

If you would prefer not to use Duo’s app, you have many other choices. You can choose to receive a text message and then type that number into the website, or a phone call (where you can just press # as a response). And there are other ways to do it too. Details can be found here.

If you don’t want to use any device (smart phone, tablet, flip phone, computer) there are other ways to log on (contact the C&IT Help Desk for additional information).

For much more detail on how this works, go to our FAQ.

Many universities and other organizations with sensitive websites that everyone needs to access are moving in this direction. Normally it only adds one or two seconds to the time it takes to log on to Academica or Banner (C&IT employees have been using Duo for a few months, based on the cutely-named notion that we should ‘eat our own dogfood’).

As always, if you have questions you can contact the Help Desk, or you can add a comment below–I always read and respond to comments.

_______________________________________________________________________________________________

1 You can read about this way of classifying security methods on this website.

2 Technically you will need Duo whenever you access ‘Self-service Banner’. This includes facilities you access from Academica such as Pay Stub, Time Sheet, Direct Deposit, tax forms etc. In short, to get to any page within Academica that looks like this:

Self-service Banner image

 

Pokémon Go—the best thing since sliced bread (or Tinder)

By now you’ve undoubtedly heard about Pokémon Go, the ridiculously popular new phone app based on the Pokémon franchise. In the relatively new development space of augmented reality it blends fantasy characters with the real world. It uses your phone’s GPS and superimposes Pokémon[1] on a map, like this:

Near CIT

This is a screenshot taken outside my office, standing next to I-94 at Woodward.

It was released last week and is now more popular than Tinder, and is rapidly catching up with active users of Twitter. Since I’ve only just begun playing I can’t report a great deal about what it does. There are various kinds of critters that you can ‘capture’, and there are ‘gyms’ where you can have fights (the platform-like object in the image above is a gym at the church across the street from the main C&IT building at Woodward and 94), and I’m told there’s one near the Science and Engineering Library. In addition there are ‘Pokespots’ all over campus, including one inside UGL.

Here is an excellent, if a little snarky, introduction to the whole thing.

The social fall-out from Pokémon Go has been quite astonishing. There are stories of folks making friends through the app (which is perhaps why it’s surpassed Tinder 🙂 ), and a few cases of accidents of various types. Apparently, in the space of a week some folks have started playing a NSFW[2] version. There was originally a security issue because the first version of the app was able to access all your Gmail contacts if you had an iPhone, but an update has assigned appropriate security levels.

There is going to be a Pokémon Go event here in the Cultural Center on Friday.

So it really seems to be ‘a thing’, and probably worth learning more about. I haven’t had a chance to wander around looking for Pokespots yet, but probably will. Don’t forget to be very careful if you are walking around holding your phone. There are two dangers:

  1. Apple Picking
  2. Immovable objects

In the end, have fun. And let me know what you think. Is this the greatest thing since Twitter? Or a flash in the pan?
_____________________________________________________________________

[1]  Since I’m a linguist you’re gonna get some linguistic commentary here too. Like several other words borrowed from Japanese (emoji, for example), purists insist that the plural is unmarked (that is, that you don’t add an ‘s’). This is analogous to those who insist that ‘data’ is plural and that the correct plurals are ‘stadia’, ‘podia’ and ‘octopi’. Or perhaps it’s analogous to the animals that have what we call ‘zero plurals’, like ‘sheep’ or ‘deer’.

[2] ‘Not safe for work’. You can probably figure out why, given that the game uses your phone’s camera, which can take selfies.

The terrorist’s iPhone is probably just a ruse.

Now that it’s getting national play, people have noticed that this isn’t the first time the Government has attempted to get Apple to break their own iPhone security. Months before the San Bernardino attacks they tried a couple of times to get Apple to do the same thing. A judge for the US District Court refused the same order in a case unrelated to national security in October of last year.

So one could conclude that the government’s purpose here is to wrap itself in the flag because it really doesn’t like the idea of security without back doors. If they win this case, of course, the world will continue to write secure software. Since the number of iPhones in the world is nearly 50 million, that’s an enormous market for truly secure smartphones, and if the US government breaks them I’m sure there will be Chinese, Indian or Finnish companies eager to supply truly secure phones we can use for online banking, shopping at Amazon, remote desktop connections and other totally legitimate reasons to have security without back doors floating around waiting to be exploited.

Amazon and Bestbuy are following me, and it’s creeping me out

Yesterday I needed to find a price for a box of inkjet printer cartridges I have but no longer need (the printer broke and I bought a new one that uses different cartridges). I was trying to sell them.
This morning I visited my favorite political blog site, Reason Magazine’s Hit and Run, and guess what showed up on the right hand side of the page–ads for Canon printers and HP inkjet cartridges. How did Hit and Run know?

Of course, they didn’t. But Amazon and Best Buy purchase ad space on lots of web pages, and my IP address is stored in various cookies, so totally unrelated sites know who I am and their ads target me. And what’s worse, one of those searches was on my iPhone, but the ad showed up on my office desktop.

So remember–if you’re searching for something sensitive, use an anonymized browser page (on Firefox select ‘New Private Window’, ‘New incognito window’ in Chrome, or in Safari a ‘Private Window’–these choices are usually available under the File menu, or at the three horizontal lines icon at the top left). Otherwise you may find ads for pregnancy tests or online tests for symptoms of schizophrenia showing up in your USA Today.

Bruce Schneier, my favorite IT security and privacy guru, has a great column about how our mobile devices are now talking to our laptops and desktops and vice versa–long but worth a read:

Bruce Schneier on the Internet of Things

If this bothers you, or you are just interested in learning more about the relationship between privacy and Big Data, come hear Sol Bermann on January 26.

 

A New Wayne Connect is Coming

Many of us received a message from C&IT today announcing the new Wayne State email system, which will be called Wayne Connect – Powered by Microsoft. There are a number of new features that everyone will be happy about, and this blog is intended to highlight several of them.

OneDrive

First, everyone will have a personal storage, collaboration and sharing tool called OneDrive. Some of you may use this already, and it’s very similar to competitors such as Dropbox and Box. It has the advantage of being much more secure, but has all the features that have made these tools so popular—you can share specific files with specific people (ending the need to share large files by emailing them), or with groups (making collaborative writing tasks much easier). OneDrive comes with 50 GB of storage for all users—way more than the 12 GB we have now.

Skype for Business

The new system also comes with Skype for Business, which is an IM client, but also allows for audio and even video conferencing (if you have a microphone and camera on your computer).

Email, calendars and address books

But, of course, Wayne Connect is also an email and calendaring system. You will have the choice of using the web-based client, which will be very similar to the current Wayne Connect Zimbra-based system (or Outlook 365, if you use that). Alternatively, you can use (or continue to use) the desktop Outlook program instead, or in addition. In fact you can use any email client, including the ones on your phone or tablet, or Mac Mail, or… Each one has advantages and disadvantages. The desktop version allows you to import .ics calendar files, so you can import appointments from, say, Tripit or OpenTable. The web-based version is of course available wherever you can get access to a browser.

What you don’t need to do

All your current Wayne Connect files will be moved into the new system over the next few months, so all your back email and old appointments will be there, as will your address book, so you don’t need to do anything to keep all that stuff.

What you do need to do

There are a few small wrinkles in some corners of the system. If you use filters they won’t transfer, so you’ll have to rewrite them, and you’ll need to recreate your signature file(s) and any file permissions you might have set up.

If you use Briefcase you’ll need to move all your files into the main folder—any additional folders you might have created won’t transfer.

These details can be found here.

Help us help you–participate in the ECAR survey

Many WSU faculty (50% of them, to be precise) have been receiving requests to take part in a national survey of faculty attitudes towards technology at the university. The survey is being run by Educause, the national educational IT organization. This is the second year this survey has been run, and last year’s survey produced some interesting results about faculty interests and desires around everything computing-related.

Last year’s results are available in ‘infographic’ format here:

http://net.educause.edu/ir/library/pdf/ers1407/eig1407.pdf

Some relevant findings from last year:

  • Nationally, fewer than fifty percent of faculty are satisfied with IT support for research.
  • Opinions on the use of smartphones in class are mixed, with about half of faculty banning or discouraging them and only a third encouraging or requiring laptops (I myself don’t see how I could ban smartphones, and I’ve taught classes where laptops were required because we were all learning how to use some online tool).
  • Many faculty feel they could be better at using web-based content and online collaboration tools in their courses, but there was less enthusiasm about social media as a teaching tool.

There are two versions of the survey, one that takes about twenty minutes to half an hour, and another that takes only ten minutes. Whichever one you choose, your participation will be greatly appreciated, and will help C&IT plan our investments for the next couple of years.

Look for a reminder and your personalized invitation to join in the survey tomorrow. If you don’t get one, you’ll be asked to participate in a more general survey of IT satisfaction that all other faculty, staff and students will take part in later this semester.

Blackboard is getting more mobile

Blackboard has released the free version of their mobile app. Previously it came with a small charge, but the latest version is free for all WSU faculty, staff and students. It’s available for both major platforms, iOS and Android, in the usual places (iTunes App Store and Google Play Store). Your students can use it to check their grades and assignments, view documents and web links, and create discussion and blog posts. Instructors can also post announcements (handy if you’re snowed in or forgot to mention something in class), create and edit assignments (although not grade them), email your class or create new discussions.

To get it, just go to the relevant store and search for Blackboard Mobile Learn. Once it’s installed, open it and log in using your normal Wayne State credentials (yes, it’s safe–it goes directly to Blackboard).

Some FAQs about what you can do with it are here.

More on leaking selfies

I just read a particularly good discussion of the (now dying down) controversy over the leaking of celebrities’ sexted photos. It makes a number of points that haven’t been raised elsewhere:

  1. Saying ‘don’t take revealing pictures of yourself’ because they might leak is like saying ‘don’t use a credit card because your identity might get stolen’.
  2. Phones are a new kind of sex toy, and they and their use are not going away.
  3. People don’t know where their photos go when they use their phones. Almost all phones (iPhones, Androids, at least) automatically, and without our noticing, back photos up to the cloud.
  4. Cloud providers need to get their security act together, but probably won’t, because there isn’t enough shrieking going on.

Just FWIW….

http://www.forbes.com/sites/kashmirhill/2014/09/01/sext-abstinence-education-doesnt-work/

Replace Pipeline with Academica in your Bookmarks, soon

Pipeline is about to be replaced with a totally new, social-media-oriented website/portal called Academica. It is device-agnostic, which means it works with all computers, all tablets and most smartphones (something people have been requesting for almost as long as there have been smartphones).

It’s also smart itself. It remembers the tasks within the system that you use most, and bubbles them up to the front page so that most common tasks are always one click away. For example, if you’re a faculty member it will put Download Classlists and TravelWayne up front and center, but if you have to approve timesheets that link will be right there as well. In general most tasks should be no more than one, or at most two clicks away.

It also comes with a built-in messaging system that is similar in features to Twitter. It allows you to use hashtags (#hashtag) and mentions (@GeoffNathan). There will be streams associated with a number of common topics of discussion, as well as streams for departments and one for each class being taught.

Academica is still being developed (technically it’s in beta), but you’re welcome to try it right now. Just go to academica.wayne.edu and log in as usual. You will have the option to switch to exclusive use of Academica (instead of Pipeline), but there is always a button available to switch back to the old Pipeline interface if you need to.
Since it’s still under development, C&IT is looking for feedback, which you can send by writing to academica@wayne.edu, or by going to http://computing.wayne.edu/academicafeedback.

The official roll-out will be some time in the fall, but feel free to play with it now. Who knows, you may never want to switch back to Pipeline. Academica and Pipeline will both be available at first, but Pipeline will be shut down in the 2014-2015 academic year when we are confident that Academica can support all of our campus needs.

Here’s a preview of what the interface looks like, showing only the links part:

Academica Links Section