Happy Cyber Security Awareness Month 2017!

 

Oct. 1 begins National Cybersecurity Awareness Month (CSAM), an initiative co-founded by the National Cyber Security Alliance and the U.S. Department of Homeland Security. Now in its fourteenth year, this month of watchfulness has spread to countries around the world. As we move into the month, I want to remind the Warrior community that we are all responsible for our own cyber security. The core message of CSAM is that the “internet is a shared resource and securing it is our shared global responsibility.”

To encourage everyone to take cyber security into their own hands, the NCSA runs an awareness and education campaign for online safety and protecting your personal information, called STOP. THINK. CONNECT.™ Nobody is being told that the internet is so dangerous that we shouldn’t use it. The campaign simply asks us all to stop and think about the consequences of our actions, and then enjoy all the benefits the internet has to offer.

The National Cyber Security Alliance has some pointers I’d like to pass along so that you can remain #cyberaware:

  1. Lock down your login: A username and password are not enough to protect your important accounts. Use stronger authentication tools (security keys, biometrics, etc.) whenever possible. Two-step authentication can be your best friend when you want to keep your info safe. (Find information about two-step authentication at Wayne State at kb.wayne.edu/160520.)
  2. Keep a clean machine: Make certain that all software and apps on your mobile devices and computers are up to date, so that security updates are working in your favor.
  3. When in doubt, throw it out: If you receive an email, tweet or post containing a link you do not recognize, delete it or mark it as junk. A familiar sender name is not proof of anything; a friend’s account may itself have been taken over.
  4. Back it up: Protect your digital information by keeping copies in a safe place, so that you do not lose valuable data if something happens to one of your devices. Try restoring a file now and then to be sure the copy is good.
  5. Own your online presence: Make certain that you are comfortable with your privacy and security settings on the websites you use. A site’s defaults may tell people more about you than you realize. Check your privacy settings.
  6. Share with care: Think before you post anything about yourself or other people online. What is revealed could affect you, your friends and your family more than you initially think.
  7. Personal information is like money. Value it. Protect it: Your interests, location, purchase history, etc. are valuable to a lot of people. Be mindful of the apps and websites you are using and what they may be collecting about you.

The internet offers a plethora of information and entertainment. While you are online laughing at cat videos, make certain that you are watching out for your privacy and security. Be #cyberaware

The Equifax cyberattack: Be on the lookout for identity theft

On Thursday, Sept. 7, the national media reported that Equifax, one of the three major consumer credit reporting agencies, had been the victim of a cyberattack affecting 143 million consumers. Whether you like it or not, this will likely affect you, your spouse, or any number of your family members. Unfortunately, I know many people who seem to walk blindly into what are now the forests that constitute our modern commerce and economy. Some of them feel they are protected because they don’t shop online, or because they don’t pay their bills online, or because they only use their debit card… or, or, or… That simply is not the case anymore; no one is immune to identity theft.

In the last few years, we have been seeing a rising number of major corporations being hit by this type of attack. We saw the national retailer, Target, experience a security breach in 2013 where the names, credit card numbers, expiration dates, and security codes of approximately 40 million people were stolen by hackers. Yahoo was hit by a couple of these attacks — the information of over one billion account holders was breached.

You may think, “I’m not a customer of Equifax; it doesn’t affect me.” That simply is not the case. Whether we like it or not, we are all customers of Equifax. As one of the three major credit bureaus (the other two are Experian and TransUnion), it receives your information any time you apply for a credit card or a loan, or do business with a bank. The bureaus maintain consumer credit information and sell it to businesses in the form of credit reports. Though they are heavily regulated, they are publicly traded, for-profit companies.[i]

Media sources have reported that the attackers gained access to sensitive information, including Social Security and driver’s license numbers, for 143 million consumers. Given that the adult population of the United States is about 245.3 million, over half the adults in the U.S. have now had their information stolen and are at risk for identity theft.

A security analyst quoted in the New York Times rated the severity of this attack a 10 on a scale of 1 to 10. Unlike the Yahoo or Target attacks, the thieves acquired information of a far more personal nature: names, birth dates and addresses (the kind of data that can be used to get at bank accounts, employee accounts and medical records); the credit card numbers of 209,000 people; and dispute documents containing personal information for 182,000.[ii]

What Do You Do? 

It is important that everyone investigate whether their information has been compromised. Equifax has set up a site to help determine whether your data is at risk: equifaxsecurity2017.com/. You should also obtain a free copy of your credit report from each of the three major agencies at annualcreditreport.com and look for accounts you did not open. If you think your data has been misused, contact your local law enforcement officials. If you find that your information was stolen, place a fraud alert on your credit files; the FTC has a website with a guide for placing one. Equifax is also offering all consumers the ability to freeze their Equifax credit reports and to use its credit protection service (TrustedID Premier) free for one year.

It is worth noting that the Attorney General of the state of New York has pointed out that the terms of service for Equifax’s credit monitoring service, TrustedID Premier, say that users waive the right to join a class-action lawsuit and must instead take any dispute to arbitration. He has also stated that, in the case of this breach, those terms would not hold up in court. (Equifax has since said that the arbitration clause does not apply to claims arising from the breach.)

As one last point, I would suggest that each of you take the time to contact your elected representatives and encourage them to examine the policies we have in place for consumer data protection. This event demonstrates the importance of strictly regulating the industry that trades in your financial data. The information these thieves acquired could affect people for years to come.

Important Websites

 

ADDENDUM

Since my initial writing of this post, I have read a number of articles on how best to handle the Equifax breach. In my opinion, the best way to deal with it is to have a freeze placed on your credit file with Equifax and the other two bureaus. Because a freeze prevents any credit report from being run, it stops a thief from opening credit in your name. If you need to apply for credit, you temporarily thaw the file by providing a PIN (which you will need to keep in a very safe place where you cannot lose it). Of course, the credit bureaus do not freeze a file for free, nor thaw it for free. However, the cost is far less than what you might face as the victim of identity theft. Equifax has bowed to pressure, however, and will offer credit freezes free for the next 30 days.[iii] If you are still a bit confused about exactly what to do, I would suggest these articles: the New York Times, “Equifax’s Instructions Are Confusing. Here’s What to Do Now,” and the Chicago Tribune, “After the Equifax Breach, Here’s How to Freeze Your Credit to Protect Your Identity.”


[i] Irby, LaToya. “What You Should Know About the FCRA.” The Balance, 11 May 2016. https://www.thebalance.com/what-you-should-know-about-the-fcra-960639

[ii] Bernard, Tara Siegel, Tiffany Hsu, Nicole Perlroth and Ron Lieber. “Equifax Says Cyberattack May Have Affected 143 Million Customers.” New York Times, 7 September 2017. https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html?hpw&rref=business&action=click&pgtype=Homepage&module=well-region&region=bottom-well&WT.nav=bottom-well

[iii] Lieber, Ron. “Equifax, Bowing to Public Pressure, Drops Credit-Freeze Fees for 30 Days.” New York Times, 12 September 2017. https://www.nytimes.com/2017/09/12/your-money/equifax-fee-waiver.html?mcubz=3

Do you want to be a privacy officer?

After serving as chief privacy officer for the past year and a half, I will be retiring from Wayne State University at the end of the winter semester. We have been given permission to search for a replacement, so I thought I’d use this platform to say a little about what a Privacy Officer does.

The simplest way to describe it is to link to my Educause blog on “A day in the life of a Chief Privacy Officer.”

However, if you’re interested in the tl;dr[1] version, allow me to give you the “elevator speech.” Universities, like nearly all other organizations, hold information about the people they deal with. For universities this includes data about students, faculty, staff, alumni and visitors. In 2017 these are mostly electronic records, although there are still thousands of pieces of paper with data on them as well.

Some of those records are sensitive. This means that the information could harm the person it refers to if it is released, or that its unauthorized release would subject the university to legal penalties because the data is protected by law. Or both. For example, social security numbers have become toxic (as we say in the privacy world) because those numbers can be used to commit identity theft. Student records such as grades are protected by the federal law known as FERPA and could cost the university embarrassment and money if they are released to unauthorized persons.

The privacy officer’s job is to help the university keep those records safe from inappropriate release by developing policies, by ensuring that employees are trained in how to apply those policies, and by reviewing how new methods of storing data (such as new versions of Banner or Academica) are configured to ensure the data therein is properly locked up.

This means serving on a lot of committees, meeting with administrators and researchers storing sensitive data, and speaking to groups such as the Academic Senate and the Administrative Council. It also means working closely with the Office of General Counsel, Internal Audit, the Associate Provost for Academic Personnel, and serving on the leadership team of C&IT.

If you think you might be interested in learning more about this position, you can find it listed at jobs.wayne.edu under position number 042601.


[1] This popular internet acronym stands for ‘too long; didn’t read’. Usually an expression of disapproval.

How to protect yourself against the CIA (or anybody with their files)

By now most people have heard about the WikiLeaks revelation that the CIA has for years been developing programs to break into iPhones, Android phones and Samsung smart TVs. Assuming you don’t want them to do that, it turns out there are ways to keep them out of your house.

First, the background. WikiLeaks is the infamous publisher of supposedly secret data, run by a consortium led by Julian Assange (who is currently living in Ecuador’s embassy in London to avoid extradition). On Tuesday, WikiLeaks released thousands of pages of documents that it says were lost by the CIA (and hence have been circulating in the less public areas of the internet). They describe tools for compromising Skype, your Wi-Fi router, and Apple and Android smartphones. Note that the documents do not show the encryption in apps such as Signal, WhatsApp and Telegram being broken; rather, once a phone is taken over, messages can be read on the screen or keyboard before the app encrypts them. The documents refer to a large body of attack code, but so far WikiLeaks has redacted or withheld the crucial parts to keep the tools from being used by those who download the files.

But what if you think there’s no reason for the CIA to be snooping on your devices? Unfortunately, WikiLeaks released these files because they were floating around “in the wild” already, which means that not only the CIA but other folks have access to them. And, whatever you think of the CIA, we have no assurance that the outsiders who passed these files around have motives as “pure” as the CIA’s.

There’s been some discussion about whether these files are authentic, but the betting in the security community is that they are. Bruce Schneier, whom I consider a reliable judge of such things, seems to believe they are real and has discussed the topic on his blog twice now.

What you can do

Can you do anything to protect yourself against these tools? Probably, yes. The New York Times had an article on Thursday detailing simple steps you can take to make your devices somewhat more secure. The primary thing is to keep your operating system up to date. This is not news, of course — we in the C&IT Security/Privacy team have been saying this for years.

Make sure your iPhone is running iOS 10 if it can (any iPhone from the iPhone 5 on, and any iPad from late 2012 or later, can run it), and install updates as Apple releases them.

For Android devices (both phones and tablets), Google says most of the vulnerabilities in the leaked files are already patched in current releases of Android, and the exploits described target older versions, so update to the newest version your device offers. Older devices such as the Samsung Galaxy S3 won’t run a current version, which means they can’t be protected.

To protect your Wi-Fi router, upgrade it to the latest firmware. This is trickier unless you are comfortable logging in to your router, but your internet service provider’s help desk can probably talk you through it. While you are logged in, change the administrator password if it is still the factory default and turn off remote (internet-side) administration; both are common ways in that need no exploit at all.

Unfortunately it doesn’t seem so easy to lock your Samsung Smart TV down. Of course, you can always unplug it when you’re not watching it[1], although then you have to wait for it to boot up before you can head over to Amazon to watch Mozart in the Jungle or whatever your favorite streamed program happens to be.


[1] Just turning the TV off with your remote does not turn it off; it is still in listening mode, and an attacker can also turn on the camera (yes, some Smart TVs have cameras). So watch the hanky-panky in front of your TV; someone may be watching.

Privacy in the Twenty-First Century

Privacy policy wordcloud

For the next couple of months we will be focusing on the rapidly growing area of privacy concerns that are raised by the technologies that are ubiquitous in our current age.

In our houses, new devices such as refrigerators and home thermostats are connected to the internet — but who is also looking at our milk or when we have set our thermostats to ‘away’?

Or, in another arena entirely, large organizations like universities collect huge amounts of data on their customers (read: students) and then use that data to mine for information about what is likely to happen to them (for example, which students are likely to not do well in a specific course). In addition to the tricky philosophical issues involved in this kind of big data research, there are also questions of privacy. Who should see these predictive analytics? Should students know what predictions are being made about them? Should their teachers? Their advisors? The legislature? The police? These questions about the right way to use Big Data are being discussed and debated in universities around the world.

Thursday, Jan. 26, is our observance of National Data Privacy Day (officially Jan. 28), and the Privacy Office, C&IT and University Libraries are sponsoring a web-based talk from 1 to 2 p.m. in the Simons Room (on the first floor of Purdy/Kresge Library; refreshments will be provided).

The speaker is Cindy Compert, who is Chief Technology Officer for Data Security and Privacy at IBM. Further details about the talk can be found here:

http://events.educause.edu/educause-live/webinars/2017/big-data-whats-the-big-deal

Later this spring, additional live speakers will be announced. Watch this space and campus announcements elsewhere for details.

The goal of this campaign is to raise awareness of privacy as an important issue and perhaps to gather a group of people on this campus who are interested in ongoing conversation about these issues.


Image source: http://www.top10bestwebsitebuilders.com/how-to-create-a-website/free/free-privacy-policy-generator

Two-factor authentication is coming to your phone (or other device)

As I’m sure you know, the internet is an increasingly dangerous place, and the most frequent source of compromised computers is people responding to phishing emails. The Security office at C&IT is working 24/7 to keep track of phishing and block people’s access to bad sites, but unfortunately it is just not enough, so C&IT is about to introduce two-factor authentication for certain WSU websites.

The danger with phishing is that people log into websites that are not what they seem to be and enter their credentials (AccessID plus password). The bad guys running the phony websites then take those credentials and use them to log into sensitive Wayne State sites, like your direct deposit setup page, where they redirect your paycheck to a bank account of their choosing. And yes, this has indeed happened recently to Wayne State employees. They also use those credentials to install bad stuff on your computer, which they then use to attack other computers within Wayne State.

Since people are easily fooled into clicking on things they shouldn’t, we’re also combating the problem from our end by beefing up security on certain Wayne State websites: pages within Academica such as PayStub, Direct Deposit, etc. We are introducing what is called ‘two-factor’ authentication. (The current system is ‘one-factor’ authentication, where you simply type your password, which is ‘something you know’, into a box.) Two-factor authentication adds an additional layer of security by also requiring ‘something you have’[1], so a stolen password alone no longer gets an attacker in. Wayne State has contracted with Duo, a nationally known, Ann Arbor-based company, to implement this additional layer.

How does it work?

If you have a smartphone (iPhone, Android, Windows Phone) you can download a free app on the device and go through a simple registration process. You get the app in the usual way (from the App Store/Google Play etc., by searching for ‘Duo’). You go through a one-time set-up process, and after that, when you log in to the sites that WSU has protected through Duo, your phone will pop up an ‘Approve’ or ‘Deny’ button:

Duo on iPhone

If you push ‘Approve,’ Timesheet, Pay Stub and a few other websites, such as native Banner[2], will open up. (If a prompt appears that you did not trigger, press ‘Deny’: it means someone else has your password and is trying to use it, and you should change it.) There are additional wrinkles that can simplify your interaction with Duo; you can read about them here.

The process for other flavors of smartphone is the same. See here for Android and scroll down on this page for other devices.

If you would prefer not to use Duo’s app, you have many other choices. You can choose to receive a text message and then type that number into the website, or a phone call (where you can just press # as a response). And there are other ways to do it too. Details can be found here.

If you don’t want to use any device (smart phone, tablet, flip phone, computer) there are other ways to log on (contact the C&IT Help Desk for additional information).

For much more detail on how this works, go to our FAQ.

Many universities and other organizations with sensitive websites that everyone needs to access are moving in this direction. Normally it only adds a second or two to the time it takes to log on to Academica or Banner (C&IT employees have been using Duo for a few months, on the cutely named principle that we should ‘eat our own dog food’).
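To make the ‘something you know / something you have’ distinction concrete, here is an added example (mine, not Duo’s code and not anything C&IT runs) of the server side of a two-factor login. Duo’s push approval is proprietary, so the second factor here is the open standard used by app-generated passcodes (RFC 4226/6238): at enrollment the phone and the server share a secret, and the phone derives a six-digit code from that secret and the clock. The AccessID, password, salt and the demo secret (the RFC 6238 test vector) are constructed for the example.

```python
"""Two-factor login: 'something you know' (a password) plus 'something you
have' (a secret stored in a phone app at enrollment, used to derive one-time
codes per RFC 4226/6238).  Added example for this post; it is not Duo's code.
The USERS record, the salt and the demo TOTP secret are constructed."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1 + dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of 30 s steps since the epoch."""
    return hotp(secret, int(at // step), digits)


class SecondFactor:
    """Server-side verifier for one enrolled phone.

    Accepts the current step and one step either side (clock drift), compares
    in constant time, and never accepts a step at or below the last one used,
    so a code that was phished or shoulder-surfed cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1

    def verify(self, code: str, at: float) -> bool:
        counter = int(at // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Factor 1 is stored as a slow, salted hash, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store: AccessID -> (salt, password hash, enrolled second factor).
_SALT = b"demo-salt-0123456"
_SECRET = b"12345678901234567890"   # RFC 6238 test secret; stands in for one minted at enrollment
USERS = {"ab1234": (_SALT, hash_password("correct horse battery staple", _SALT),
                    SecondFactor(_SECRET))}


def login(accessid: str, password: str, code: str, at: float) -> str:
    """Returns 'ok' or the reason the login was refused."""
    rec = USERS.get(accessid)
    if rec is None:
        # A production service would hash a dummy password here too, so response
        # timing does not reveal which AccessIDs exist.
        return "unknown user"
    salt, pw_hash, factor2 = rec
    if not hmac.compare_digest(hash_password(password, salt), pw_hash):
        return "bad password"           # something you know
    if not factor2.verify(code, at):
        return "bad or reused code"     # something you have
    return "ok"


def enroll_secret() -> str:
    """What the one-time setup hands to the phone app (base32, as in otpauth:// URIs)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


if __name__ == "__main__":
    now = time.time()
    code = totp(_SECRET, now)                      # what the phone app would display
    print(login("ab1234", "correct horse battery staple", code, now))   # ok
    print(login("ab1234", "correct horse battery staple", code, now))   # bad or reused code
```

The verifier tolerates one 30-second step of clock drift, compares codes in constant time and refuses any step it has already accepted, so a code captured by a phishing page is useless a moment later. That last property is what makes a second factor worth more than a second password: the password can be stolen once and reused indefinitely; the code cannot.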

As always, if you have questions you can contact the Help Desk, or you can add a comment below–I always read and respond to comments.

_______________________________________________________________________________________________

[1] You can read about this way of classifying security methods on this website.

[2] Technically you will need Duo whenever you access ‘Self-service Banner’. This includes facilities you reach from Academica such as Pay Stub, Time Sheet, Direct Deposit, tax forms, etc. In short, to get to any page within Academica that looks like this:

Self-service Banner image


What does the Yahoo Breach mean? Fix your password now!

You may have heard that Yahoo suffered a security breach which they revealed last week, although it’s not exactly clear when it happened, or even when they became aware of it. You probably don’t think this matters to you, but you might be surprised. There are some things you should do immediately, and some things you should do in the next few days.

First the facts: According to Reuters, at least 500 million (yes, half a billion) accounts were affected. Names, email addresses, telephone numbers, birth dates, hashed passwords and, in some cases, security questions and answers were stolen. (Hashed, not encrypted: Yahoo stored a one-way hash of each password, mostly bcrypt, which slows down guessing but does not stop it for weak or reused passwords.) Passwords in the clear, payment card data and bank account information were not taken. According to Bruce Schneier this is the largest breach in history.

Yahoo is claiming that the breach happened in 2014, and that they became aware of it recently, although some have questioned that claim.

So what does this have to do with you? First, if you know you have a Yahoo account, change the password now. Although they claim it happened two years ago, unless you’re sure you’ve changed the password since then, change it now.

Second, many other things are linked to Yahoo. For example, if you have an AT&T U-verse account and use the email address associated with it, that’s the same set of credentials. The same goes for Flickr. Also change the security questions (and especially the answers).[1]

Finally, if you used the same password for any other account, particularly your Wayne State email/Academica/AccessID account, CHANGE THE PASSWORD NOW!!! Especially if your Yahoo name is the same as your AccessID (as mine is: geoffnathan@yahoo.com).[2]

This, unfortunately, is one reason for the annoying requirement for frequent password changes: people reuse passwords. Forced rotation is a blunt instrument, though; the real fix is a different password for every site. If you use a password manager (like LastPass, Dashlane or KeePass) you don’t need to worry about it. You can read a discussion of the various password managers here.

Finally, check back here later in the week to hear about a new security measure C&IT will be implementing that will change the way you get to things like your pay stub, your time sheet and your direct-deposit information in Academica.


[1]    This is a good time to reiterate that you should not use true answers to security questions. So if it asks for your mother’s maiden name, LIE. Nobody cares, and a made-up answer can’t be Googled and isn’t on Facebook. Just make sure you record your answer somewhere you can find it (a password manager is the natural place).

[2]    And, before you can get smart with me, as I am writing this I have already changed it.

Another way to make your email more secure

Nowadays it’s easy to lose track of passwords, because we have so many. And if you forget your password, there are various ways that email system owners verify that it’s ‘you’ before allowing you to reset it. For many years Wayne State has provided a series of  ‘challenge questions’, which you set answers to. Unfortunately the built-in questions are sometimes ones that make it very easy for a nefarious hacker to guess (by wandering around your Facebook account, for example). So, like many other institutions (Google, Facebook, perhaps your bank) Wayne State has decided to eliminate the Challenge Question system and replace it with a ‘recovery email’ facility.

Some time soon, when you log in to Wayne Connect you will be asked to supply an alternate email address (i.e. one not ending in ‘wayne.edu’). It can be anything else (Gmail, Hotmail, Apple, AT&T…) but it should be one that you actually read, even if only occasionally.

If you forget your Wayne State password, or if you’re asked to reset it because of a hack, an email will be sent to the alternate address. When you open the email it will contain a link to a password reset page. (You’ll also need to enter the last four digits of your social security number if you are an employee.) An additional security measure is that, if you have access to high-risk systems such as Banner or Cognos, you’ll need to be on a Wayne State network (in your office, essentially).
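As an added illustration of how a recovery-email reset of this shape can be built safely (my example, not C&IT’s implementation): the link carries a random token, only a hash of the token is stored, the token expires and can be used once, employees must supply the last four digits of their SSN, and high-risk accounts are refused unless the request comes from the campus network. The accounts, the 30-minute lifetime, the reset URL and the campus address range (an RFC 5737 documentation block, not Wayne State’s real one) are assumptions.

```python
"""Recovery-email password reset: mint a single-use, time-limited token,
deliver it out of band (here simply returned as the link), and apply the extra
checks the post describes: last four SSN digits for employees, and a campus
source address for people with access to high-risk systems.  Added example
for this post, not Wayne State's implementation.  The user table, the
documentation-range CAMPUS_NETS, the reset URL and the lifetimes are constructed."""
import hashlib
import hmac
import ipaddress
import secrets

TOKEN_LIFETIME = 30 * 60          # seconds; assumed
MAX_FAILURES = 3                  # wrong SSN digits before the link is burned; assumed
CAMPUS_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # RFC 5737 placeholder, not WSU's range

# Constructed accounts: a staff member with Banner access, and a student.
USERS = {
    "ab1234": {"recovery_email": "ab1234@example.com", "employee": True,
               "ssn_last4": "6789", "high_risk": True, "password": None},
    "cd5678": {"recovery_email": "cd5678@example.com", "employee": False,
               "ssn_last4": None, "high_risk": False, "password": None},
}
# Only a hash of each outstanding token is kept, so a copied database does not
# yield usable reset links.
PENDING = {}


def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset(accessid: str, now: float):
    """Returns (recovery address, link) for the mail that would be sent."""
    user = USERS[accessid]
    token = secrets.token_urlsafe(32)          # 256 random bits; unguessable
    PENDING[_key(token)] = {"accessid": accessid, "expires": now + TOKEN_LIFETIME,
                            "used": False, "failures": 0}
    return user["recovery_email"], f"https://example.edu/reset?token={token}"


def _on_campus(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in CAMPUS_NETS)


def redeem(token: str, new_password: str, ssn_last4, client_ip: str, now: float) -> str:
    """Returns 'ok' or the reason the reset was refused."""
    rec = PENDING.get(_key(token))
    if rec is None or rec["used"]:
        return "invalid or already used link"
    if now > rec["expires"]:
        return "link expired"
    user = USERS[rec["accessid"]]
    if user["employee"] and not hmac.compare_digest(ssn_last4 or "", user["ssn_last4"]):
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:    # 10,000 possibilities is too few for unlimited tries
            rec["used"] = True
        return "identity check failed"
    if user["high_risk"] and not _on_campus(client_ip):
        return "must reset from the campus network"
    rec["used"] = True                          # single use, even if the mail was forwarded
    salt = secrets.token_bytes(16)
    user["password"] = salt + hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    return "ok"
```

Two details are worth noticing. The token is looked up by its hash, so someone who reads the pending table cannot turn an entry back into a working link; and a wrong SSN answer is counted, so a thief who got hold of the link cannot simply try all ten thousand four-digit values.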

If you would rather not provide an alternate email address, or if you don’t have one, you will need to call the Help Desk, but only during their business hours (M-F 7:30 AM – 8:00 PM).

If you have any questions about this new policy or you need assistance in implementing your recovery email address, please contact the C&IT Help Desk at 313-577-4357 or at helpdesk@wayne.edu.

Pokémon Go—the best thing since sliced bread (or Tinder)

By now you’ve undoubtedly heard about Pokémon Go, the ridiculously popular new phone app based on the Pokémon franchise. In the relatively new development space of augmented reality it blends fantasy characters with the real world. It uses your phone’s GPS and superimposes Pokémon[1] on a map, like this:

Near CIT

This is a screenshot taken outside my office, standing next to I-94 at Woodward.

It was released last week, is already more popular than Tinder, and is rapidly catching up with Twitter in active users. Since I’ve only just begun playing I can’t report a great deal about what it does: there are various kinds of critters that you can ‘capture’, and there are ‘gyms’ where you can have fights (the platform-like object in the image above is a gym at the church across the street from the main C&IT building at Woodward and 94), and I’m told there’s one near the Science and Engineering Library. In addition there are ‘Pokéstops’ all over campus, including one inside UGL.

Here is an excellent, if a little snarky, introduction to the whole thing.

The social fallout from Pokémon Go has been quite astonishing. There are stories of folks making friends through the app (which is perhaps why it’s surpassed Tinder 🙂), and a few cases of accidents of various types. Apparently, in the space of a week some folks have started playing a NSFW[2] version. There was originally a security issue because the first version of the app, when you signed in with a Google account on an iPhone, requested full access to that Google account rather than just your name and email address; an update has since reduced the permissions it asks for. If you installed that first version, it is worth checking the connected-apps page of your Google account and removing any access you didn’t intend to grant.

There is going to be a Pokémon Go event here in the Cultural Center on Friday.

So it really seems to be ‘a thing’, and probably worth learning more about. I haven’t yet had a chance to wander around looking for Pokéstops, but probably will. Don’t forget to be very careful if you are walking around holding your phone. There are two dangers:

  1.  Apple Picking
  2. Immovable objects

In the end, have fun. And let me know what you think. Is this the greatest thing since Twitter? Or a flash in the pan?
_____________________________________________________________________

[1]  Since I’m a linguist you’re gonna get some linguistic commentary here too. Like several other words borrowed from Japanese (emoji, for example), purists insist that the plural is unmarked (that is, that you don’t add an ‘s’). This is analogous to those who insist that ‘data’ is plural and that the correct plurals are ‘stadia’, ‘podia’ and ‘octopi’. Or perhaps it’s analogous to the animals that have what we call ‘zero plurals’, like ‘sheep’ or ‘deer’.

[2] ‘Not safe for work’. You can probably figure out why, given that the game uses your phone’s camera, which can take selfies.

Creepy new smartphone surveillance tricks

One of my favorite gadget gossip websites, Engadget, had a post last week from Violet Blue, an internet privacy activist, about a cute new piece of snooping software called SilverPush. (Warning: Violet Blue is an internet privacy activist, but she’s also a porn artist and porn philosopher (!), and a somewhat radical feminist. Some parts of her own website are ‘not safe for work’.)

It seems that some phone apps (it’s not clear which ones) activate your smartphone’s microphone and listen for signals being sent from your TV or computer. The signal is reported to be a short tone in the near-ultrasonic range, roughly 18 to 20 kHz, which most adults cannot hear but an ordinary phone microphone picks up without difficulty. When the app hears that signal it sends a bunch of information about you to the advertiser you are listening to on your TV or computer.

What happens next is that your phone, or another computer you are logged into, or a tablet or whatever, will serve you up ads based on the signal that was sent to your phone. As Ms Blue puts it

The service it delivers to advertisers is to create a complete and accurate up-to-the-minute profile of what you do, what you watch, which sites you visit, all the devices you use and more.

The result is that your phone is watching you all the time, and making note of which ads you’ve seen so that it can send you more, including being able to text or phone you (one of the pieces of information that it ‘shares’ is your cellphone number).

Apparently the Federal Trade Commission was a little creeped out by this too, and sent warning letters to developers of apps that included the software, telling them they must disclose what it does. Apps that use SilverPush apparently include some Samsung apps and Candy Crush. SilverPush claims that no US companies are using its service, but some have questioned that, since the list of companies it contracts with is secret.

Here’s another, perhaps a little less panicked, view. Still, I’d recommend that when you install a new app and it asks whether it may use the microphone, you say ‘no’ unless the app obviously needs it (and on recent versions of Android and iOS you can revoke microphone access later in the settings).

Interestingly, the Nielsen company (the one that tracks who’s watching which TV shows) uses a similar technology, but on a much more open and aboveboard basis. It asks its raters to wear a ‘pager’ that also listens for inaudible codes embedded in the TV or radio audio, identifying which program is on. But of course, Nielsen contracts with the people wearing the pager, and pays them to do so.
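For the technically curious, here is an added example (mine, not SilverPush’s or Nielsen’s code) of the listening side: how a program fed microphone samples can tell whether a narrow near-ultrasonic tone is hiding in ordinary room noise. It assumes an 18 kHz carrier (the published descriptions put these beacons roughly between 18 and 20 kHz), a 44.1 kHz sample rate and a list of candidate frequencies I chose; the audio is synthesized, not recorded. The same calculation, run on the phone, is how the advertising SDK finds the beacon in the first place.

```python
"""Spotting an audio beacon of the SilverPush kind: a narrow tone just above
the range most adults hear, hidden in the soundtrack of an ad, that a phone app
listening through the microphone can pick out.  Added example for this post,
not SilverPush's or Nielsen's code.  The candidate carriers, the 44.1 kHz
sample rate and the synthetic audio are assumptions or constructed."""
import math
import random

SAMPLE_RATE = 44_100
CANDIDATES = (18_000, 18_500, 19_000, 19_500, 20_000)   # assumed beacon carriers (near-ultrasonic)
NEIGHBOURS = (-800, -600, -400, -200, 200, 400, 600, 800)  # offsets used to estimate the noise floor


def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Power at a single frequency via the Goertzel algorithm, normalised so a
    tone of amplitude A gives A**2 / 4 regardless of block length."""
    n = len(samples)
    k = round(n * target_hz / sample_rate)       # nearest DFT bin
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2
    return power / (n * n)


def snr_at(samples, target_hz):
    """Carrier power relative to the noise floor measured in nearby bins."""
    carrier = goertzel_power(samples, target_hz)
    floor = sum(goertzel_power(samples, target_hz + d) for d in NEIGHBOURS) / len(NEIGHBOURS)
    return carrier / floor if floor > 0 else float("inf")


def find_beacon(samples, candidates=CANDIDATES, threshold=20.0):
    """Return the candidate frequency whose tone stands at least `threshold`
    times above the local noise floor, or None if no beacon is present."""
    best = max(candidates, key=lambda f: snr_at(samples, f))
    return best if snr_at(samples, best) >= threshold else None


def synth(seconds=0.1, beacon_hz=None, amplitude=0.08, seed=1):
    """Constructed microphone capture: uniform room noise, optionally with a
    beacon mixed in at a level a listener would not notice."""
    rng = random.Random(seed)
    n = int(SAMPLE_RATE * seconds)
    out = []
    for i in range(n):
        x = rng.uniform(-0.3, 0.3)
        if beacon_hz is not None:
            x += amplitude * math.sin(2 * math.pi * beacon_hz * i / SAMPLE_RATE)
        out.append(x)
    return out


if __name__ == "__main__":
    print(find_beacon(synth()))                    # None
    print(find_beacon(synth(beacon_hz=18_000)))    # 18000
```

A tenth of a second of audio is enough: the beacon shows up as a spike hundreds of times stronger than the surrounding noise, which is why the SDK can run cheaply in the background without the phone’s owner noticing anything. The only thing standing between the beacon and your profile is the microphone permission.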

For more general musing on the state of privacy with respect to the data that companies collect about us, you can watch this rather long, but entertaining talk by Bruce Schneier at a recent Cato Institute Conference on Surveillance.

Tomorrow I’ll post a blog on how to check to see if your smartphone is using your camera or microphone for things you might not know about.