National Cyber Security Awareness Month: Get to know two-factor authentication

In honor of National Cyber Security Awareness Month (NCSAM), I thought it would be helpful to explain three key Wayne State University technology systems that help protect the network and the privacy of employees and students. You may have seen my earlier post on the Virtual Private Network (VPN) — keep an eye out later this month for the final post on secure Wi-Fi!

The second technology I’d like to discuss is two-factor authentication (2FA).

If you have used any WSU self-service portals in the past year, you’ve probably encountered 2FA. So what exactly is it?

Two-factor authentication adds a second level of verification to an account login by requiring additional proof of identity. When you are entering only a username and password, you are using single factor authentication.

The second factor can be…

  • Something you know: An extra password, PIN or pattern.
  • Something you have: An ATM card, fob or your phone.
  • Something you are: Biometrics like a fingerprint, voice print, iris or facial detection.

Wayne State’s 2FA system uses your phone.

How to use 2FA at WSU

When you log in to a WSU system secured with 2FA, you will be presented with a page that looks like this:

You will be given three options for a second factor of authentication.

  1. Call Me: This option will initiate an automated call to your phone. Upon answering, you will be prompted to push any button on your phone to authenticate.
  2. Enter a Passcode: If you choose this method, you will be sent a text message with a numerical code that you then enter in the blank field on your screen to authenticate.
  3. Send Me a Push: To go this route, you need to download the Duo Mobile app on your iOS or Android smartphone. This choice will send you a push notification that you may quickly authenticate with.

If you choose to authenticate with a call or text, you will be encouraged to download the app.

Once you’ve installed the app, click the “I have Duo Mobile installed” button to proceed to this screen:

Open the app on your phone, aim the camera at the QR code on your screen, and you’ll be connected to WSU. Click the Continue button once you have finished. You’ll then be asked to sign in to the account and a push notification will be sent to your phone; approve it and you will be connected to the WSU system you are trying to access.

After this first set up, you will be able to use the push notification method whenever you want.

2FA beyond WSU

Privacy is an ever-growing concern and Wayne State is not the only place using two-factor authentication to protect information. More and more sites are using 2FA. Google has an authenticator that can be set up for a number of services, Facebook has several 2FA options, as has Twitter. Check your personal email and social media accounts to activate two-factor authentication and stay in charge of your own data.

National Cyber Security Awareness Month: Get to know WSU’s VPN

In honor of National Cyber Security Awareness Month (NCSAM), I thought it would be helpful to explain three key Wayne State University technology systems that help protect the network and the privacy of employees and students. Keep an eye out all month for this series!

The first technology that I want to discuss is the WSU Virtual Private Network or VPN.

In a recent discussion with a colleague in my home academic department, I was asked: “What is this VPN thing that I’m being asked to use to access STARS?”

Simply put, I explained, once you sign in to the VPN it is the equivalent to being on campus and working on WSU’s network. A VPN provides a secure, encrypted tunnel in which data is transmitted between the remote user and a company’s network. It allows our Wayne State employees to access systems remotely and maintain a secure link to those important systems.

VPNs have become better known since the federal government recently overturned regulations that would have required internet service providers to get your explicit consent before they share or sell your web browsing history and other sensitive information [i]. For this reason, many tech-savvy consumers are choosing to use a private VPN service to protect their identity and online activity. In the same way as described above, this means that no one can eavesdrop or track a user’s online activities.

A VPN is especially useful when accessing public Wi-Fi hotspots that may not be secure or when accessing the internet from another country. They provide you, the consumer, with unfettered internet access, and help to prevent data theft and unblock websites.

As privacy matters are becoming more and more important, secure technologies make certain that the data that we use in our work here at Wayne State is secure. I would also suggest, if you are concerned about your own privacy on the internet, that you consider using these technologies in your everyday usage of the internet. There are many VPN services available to the public and they can do a great deal to protect your information.

The Wayne State VPN has an additional layer of security with two-factor authentication. I’ll share more about how this works next week.

More information

Learn more about the WSU VPN on the Computing & Information Technology knowledge base:


[i] http://www.businessinsider.com/trump-fcc-privacy-rules-repeal-explained-2017-4/#is-there-anything-i-can-do-now-to-keep-my-data-private-35

Happy Cyber Security Awareness Month 2017!


Oct. 1 begins National Cybersecurity Awareness Month (CSAM). This is an initiative that was co-founded by the National Cyber Security Alliance and the U.S. Department of Homeland Security. Now in its fourteenth year, this month of watchfulness stretches to countries around the world under the auspices of CSAM. As we move into the month, I want to remind the Warrior community that we are all responsible for our own cyber security. The core message of CSAM is that the “internet is a shared resource and securing it is our shared global responsibility.”

In order to encourage everyone to take Cyber Security into their own hands, the NCSA has initiated an awareness and education campaign for online safety and protecting your personal information. It is called: STOP. THINK. CONNECT.™ The great thing is that people are in no way being told that the internet is so dangerous that we shouldn’t use it. The campaign is just stating that we all need to stop to think about the consequences of our actions and then enjoy all the benefits the internet has to offer.

The National Cybersecurity Alliance has some pointers I’d like to offer you so that you can remain #cyberaware:

  1. Lock down your login: A password and a username are not really enough to protect your important accounts. Use stronger authentication tools (security keys, biometrics, etc.) whenever possible. Two-step authentication can be your best friend when you want to keep your info safe. (Find info about two-step authentication at Wayne State at kb.wayne.edu/160520.)
  2. Keep a clean machine: Make certain that all software and apps on your mobile devices and computers are up to date. This makes certain that security updates are working in your favor.
  3. When in doubt, throw it out: If you receive an email, tweet or posting that has a link and you do not recognize it, just delete it or mark it as junk.
  4. Back it up: Protect all your digital information by keeping copies in a safe place. You do not want to lose your valuable data if something should happen to one of your devices.
  5. Own your online presence: Make certain that you are comfortable with your privacy and security settings for websites. The site’s default may tell people more about you than you realize. Check your privacy settings.
  6. Share with care: Think before you post anything about yourself or other people online. What is revealed could affect you or your friends and family more than you initially think.
  7. Personal information is like money. Value it. Protect it: Your interests, location, purchase history, etc. are valuable to a lot of people. Be mindful of the apps and websites you are using and what they may be collecting about you.

The internet offers a plethora of information and entertainment. While you are online laughing at cat videos, make certain that you are watching out for your privacy and security. Be #cyberaware

Quick info about Wayne State’s cybersecurity

In the wake of the cyberattack on Equifax and the loss of the personal data of millions of U.S. citizens, I thought it would be interesting for the Wayne State community to know a bit more about cybersecurity on our campus.

Wayne State takes your privacy and the storage of your information very seriously. C&IT works constantly to make certain that all information is kept safe. It is a top priority to keep our employees’ information safe and to make certain that we uphold standards set by regulations like FERPA and HIPAA.

For a brief overview to understand the university’s methods of securing data, Director of Information Security Kevin Hayes shared the active controls utilized here at WSU:

  • Multiple layers of firewalls
  • Regular vulnerability scans check for malware and security issues on our central servers
  • Automatic blocking of new attackers and threats
  • Two-factor authentication for access to sensitive data
  • Manual reviews of servers, systems and processes to ensure data integrity

He also shared metrics to understand just how successful the firewall and security systems have been at Wayne State.

On a typical day, university firewalls block:

  • 187 million connections at the Internet edge
  • 8 million connections for residence halls and housing
  • 7 million connections at the data center
  • 1 million connections at our Disaster Recovery (DR) site
  • 300,000 connections for the President, Provost and Office of General Counsel
  • 200,000 connections for the WSU Police Department

In the month of Aug. 2017, the systems:

  • Dynamically blocked 2,844 attackers attempting to scan our network
  • Blocked 4,373 viruses and malware components
  • Prevented 482,316 outbound connections to other malicious destinations
  • Thwarted 91,793 hacking attempts

Yes, you read that correctly. There are close to 200 million attempts to hack into WSU systems in one day. When I first heard these figures, I was shocked. In our modern world, it is virtually impossible to keep information about you completely private. Rest assured, WSU does everything possible to make certain that we are never the source that compromises your personal privacy.

How to protect yourself against the CIA (or anybody with their files)

By now most people have heard about the WikiLeaks revelation that the CIA has for years been developing programs to break into iPhones, Droids and Samsung TV’s. Assuming you don’t want them to do that, it turns out there are ways to keep them out of your house.

First, the background. WikiLeaks is the infamous source of supposedly secret data managed by a consortium and led by Julian Assange (who is currently living in Ecuador’s embassy in London to avoid extradition). On Tuesday, WikiLeaks released thousands of pages of data supposedly lost by the CIA (and hence floating around the less public areas of the internet). These include programs for hacking Skype, your Wi-Fi router, Apple and Android smartphones, the apps Signal, Whatsapp, Telegram and more — several million lines of code (computer programming). So far crucial bits of the code have been redacted by WikiLeaks to prevent it from being used by those who download the files.

But what if you think there’s no reason for the CIA to be snooping on your devices? Unfortunately, WikiLeaks released these files because they were floating around “in the wild” already, which means that not only the CIA but other folks have access to them. And, whatever you think of the CIA, we have no assurance that the outsiders who passed these files around have motives as “pure” as the CIA’s.

There’s been some discussion about whether these files are authentic, but the betting in the security community is that they are. Bruce Schneier, who I consider to be a reliable judge of such things, seems to believe they are real and has discussed the topic on his blog twice now:

What you can do

Can you do anything to protect yourself against these tools? Probably, yes. The New York Times had an article on Thursday detailing simple steps you can take to make your devices somewhat more secure. The primary thing is to keep your operating system up to date. This is not news, of course — we in the C&IT Security/Privacy team have been saying this for years.

Make sure your iPhone is using iOS 10 if it can (any iPhone with a model number of 5 or above and any iPad younger than 2013 can run this OS).

For Android devices, (both phones and tablets) any version of the Android OS after version 4.0 should be safe, but older devices such as the Samsung Galaxy S3 won’t run it.

To protect your Wi-Fi router, you are advised to upgrade to the latest firmware. This is trickier unless you are comfortable logging in to your router, but you can probably get your internet service provider’s help desk to talk you through the task.

Unfortunately it doesn’t seem so easy to lock your Samsung SmartTV down. Of course, you can always unplug it when you’re not watching it[1], although then you have to wait for it to boot up before you can head over to Amazon to watch Mozart in the Jungle or whatever your favorite online streamed program happens to be.


[1] Just turning the TV off with your remote does not turn it off. It’s still in listening mode and a malicious hacker can also turn on the camera — yes, SmartTVs have cameras. So watch the hanky-panky in front of your TV — someone may be watching.

April 15 is coming, and so are the IRS scams

Most Wayne State folks have now received their W2 forms and are probably putting off thinking about submitting their income tax returns, so now is the time to start worrying about all the things that could go wrong.

As most readers will remember, Wayne State was one of a number of universities whose employees were hit with fraudulent returns last year. This happens when someone illegally files in your place, fiddling with the numbers so that they will get a refund. Generally speaking, when this happens you are not on the hook, but it can be a pain in the neck to get it sorted out and it will probably interfere with your filing for several years afterwards, so it’s a good idea to take actions that will reduce the likelihood of being a victim.

There is a limit to what you can do, but I’ve collected all the key safety steps here — the major step you can take is to increase your vigilance online. Do not share your social security number (which means it should never appear in an email or anywhere else other than where it is legally required [such as on your tax return]). And although your bank needs to know it, there is no reason it should appear on any bank website or on any paperwork you receive through the mail from your bank. Of course, it will appear in correspondence with the government (such as a dreaded letter from the IRS or correspondence with the state or city about taxes owed or a happy letter about refunds due).

The most effective positive action you can take is to file as early as possible (although a friend of mine posted on their Facebook page a couple of days ago that someone had already filed in their place). I realize it’s as American as apple pie to put it off till the evening of April 14, but it is a good defensive strategy to file really early.

Additionally, it is extremely important you do not let yourself get phished. Phishing (luring victims in with realistic-looking emails) is the most widely used weapon in identity theft. In fact, we will be doing one (or perhaps more) anti-phishing training sessions over the next couple of weeks. Our Chief Security Officer, Kevin Hayes, and I, your Chief Privacy Officer, have a roadshow we’ll be starting shortly. The first presentation will be on Feb. 10 at 1 p.m. in Bernath Auditorium. We’ll explain how phishing works and what you can do to fight back.

What does the Yahoo Breach mean? Fix your password now!

You may have heard that Yahoo suffered a security breach which they revealed last week, although it’s not exactly clear when it happened, or even when they became aware of it. You probably don’t think this matters to you, but you might be surprised. There are some things you should do immediately, and some things you should do in the next few days.

First the facts: According to Reuters, at least 500 million (yes, half a billion) accounts were hacked. That means that user names, email addresses, telephone numbers, birth dates, and encrypted passwords were all stolen. Unencrypted passwords and payment data (bank account information) were not taken. According to Bruce Schneier this is the largest breach in history.

Yahoo is claiming that the breach happened in 2014, and that they became aware of it recently, although some have questioned that claim.

So what does this have to do with you? First, if you know you have a Yahoo account, change the password now. Although they claim it happened two years ago, unless you’re sure you’ve changed the password since then, change it now.

Second, many other things are linked to Yahoo. For example, if you have a Uverse account, and use the email address associated with it, that’s the same set of credentials. The same for Flickr. Also, change the security questions (and especially the answers).[1]

Finally, if you used the same password for any other account, particularly your Wayne State email/Academica/AccessID account, CHANGE THE PASSWORD NOW!!! Especially if you have the same access ID (i.e. as I do, geoffnathan@yahoo.com)[2]

This is a good reason, unfortunately, for the annoying requirement for frequent password changes—people reuse passwords. On the other hand, if you use a password manager (like LastPass or Dashlane or Keepass) you don’t need to worry about it. You can read a discussion of the various password managers here

Finally, check back here later in the week to hear about a new security measure C&IT will be implementing that will change the way you get to things like your pay stub, your time sheet and your direct-deposit information in Academica.


[1]    This is a good time to reiterate that you should not use standard answers to security questions. So if it asks you your mother’s maiden name, LIE. Nobody cares, and that answer can’t be Googled, and isn’t on Facebook. Just make sure you record your answer somewhere where you can find it.

[2]    And, before you can get smart with me, as I am writing this I have already changed it.

Another way to make your email more secure

Nowadays it’s easy to lose track of passwords, because we have so many. And if you forget your password, there are various ways that email system owners verify that it’s ‘you’ before allowing you to reset it. For many years Wayne State has provided a series of ‘challenge questions’, which you set answers to. Unfortunately the built-in questions are sometimes ones that make it very easy for a nefarious hacker to guess (by wandering around your Facebook account, for example). So, like many other institutions (Google, Facebook, perhaps your bank) Wayne State has decided to eliminate the Challenge Question system and replace it with a ‘recovery email’ facility.

Some time soon, when you log in to Wayne Connect you will be asked to supply an alternate email address (i.e. one not ending in ‘wayne.edu’). It can be anything else (Gmail, Hotmail, Apple, AT&T…) but it should be one that you actually read, even if only occasionally.

If you forget your Wayne State password, or if you’re asked to reset it because of a hack, an email will be sent to the alternate address. When you open the email it will contain a link to a password reset page. (You’ll also need to enter the last four digits of your social security number if you are an employee.) An additional security measure is that, if you have access to high-risk systems such as Banner or Cognos, you’ll need to be on a Wayne State network (in your office, essentially).
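The reset flow just described has three properties that make it safer than challenge questions: the link is unguessable, it works once and only for a short time, and a high-risk account additionally requires the request to come from the campus network. Here is an added example (not Wayne State’s code) that models those rules. The 15-minute lifetime, the user names and the `on_campus` flag are assumptions; the last-four-digits-of-SSN check for employees is treated as a separate step and is not modeled.

```python
"""Recovery-email password reset flow, added example code.

Not Wayne State's code. Models the mechanism described above: a random,
single-use, time-limited token is mailed to the alternate address; only a
hash of the token is stored, so a copy of the database does not yield live
reset links; and a reset for a high-risk account (Banner/Cognos users) is
refused unless the request comes from the campus network. The employee
SSN-digit check is assumed to be a separate step and is not modeled.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Set

TOKEN_TTL_SECONDS = 15 * 60     # assumed lifetime of a reset link


def _digest(token: str) -> str:
    """Hash the token for storage; the plain token only ever exists in the email."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class ResetRecord:
    user: str
    expires_at: float
    used: bool = False


@dataclass
class ResetService:
    high_risk_users: Set[str] = field(default_factory=set)      # e.g. Banner/Cognos access
    records: Dict[str, ResetRecord] = field(default_factory=dict)  # token hash -> record

    def issue(self, user: str, now: float) -> str:
        """Create a reset token and return the value to embed in the emailed link."""
        token = secrets.token_urlsafe(32)          # 256 bits of randomness, unguessable
        self.records[_digest(token)] = ResetRecord(user, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: float, on_campus: bool) -> str:
        """Check a token presented to the reset page; returns 'ok' or the refusal reason."""
        rec = self.records.get(_digest(token))
        if rec is None:
            return "invalid"
        if rec.used:
            return "already used"
        if now > rec.expires_at:
            return "expired"
        if rec.user in self.high_risk_users and not on_campus:
            return "campus network required"
        rec.used = True                            # single use: burn it before the reset
        return "ok"


if __name__ == "__main__":
    svc = ResetService(high_risk_users={"banner_user"})
    link_token = svc.issue("banner_user", time.time())
    print(svc.redeem(link_token, time.time(), on_campus=False))   # campus network required
    print(svc.redeem(link_token, time.time(), on_campus=True))    # ok
    print(svc.redeem(link_token, time.time(), on_campus=True))    # already used
```

Note that the checks are ordered so the token is burned only once every condition is satisfied; a user who clicks the link off campus can still use the same link from the office, but nobody can use it twice.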

If you would rather not provide an alternate email address, or if you don’t have one, you will need to call the Help Desk, but only during their business hours (M-F 7:30 AM – 8:00 PM).

If you have any questions about this new policy or you need assistance in implementing your recovery email address, please contact the C&IT Help Desk at 313-577-4357 or at helpdesk@wayne.edu.

Pokémon Go—the best thing since sliced bread (or Tinder)

By now you’ve undoubtedly heard about Pokémon Go, the ridiculously popular new phone app based on the Pokémon franchise. In the relatively new development space of augmented reality it blends fantasy characters with the real world. It uses your phone’s GPS and superimposes Pokémon[1] on a map, like this:

Near CIT

This is a screenshot taken outside my office, standing next to I-94 at Woodward.

It was released last week and is now more popular than Tinder, and is rapidly catching up with active users of Twitter. Since I’ve only just begun playing I can’t report a great deal about what it does: there are various kinds of critters that you can ‘capture’, and there are ‘gyms’ where you can have fights (the platform-like object in the image above is a gym at the church across the street from the main C&IT building at Woodward and 94), and I’m told there’s one near the Science and Engineering Library. In addition there are ‘Pokespots’ all over campus, including one inside UGL.

Here is an excellent, if a little snarky, introduction to the whole thing.

The social fall-out from Pokémon Go has been quite astonishing. There are stories of folks making friends through the app (which is perhaps why it’s surpassed Tinder 🙂 ), and a few cases of accidents of various types. Apparently, in the space of a week some folks have started playing a NSFW[2] version. There was originally a security issue because the first version of the app was able to access all your Gmail contacts if you had an iPhone, but an update has assigned appropriate security levels.

There is going to be a Pokémon Go event here in the Cultural Center on Friday.

So it really seems to be ‘a thing’, and probably worth learning more about. I haven’t yet had a chance to wander around looking for Pokespots yet, but probably will. Don’t forget to be very careful if you are walking around holding your phone. There are two dangers:

  1. Apple Picking
  2. Immovable objects

In the end, have fun. And let me know what you think. Is this the greatest thing since Twitter? Or a flash in the pan?
_____________________________________________________________________

[1]  Since I’m a linguist you’re gonna get some linguistic commentary here too. Like several other words borrowed from Japanese (emoji, for example), purists insist that the plural is unmarked (that is, that you don’t add an ‘s’). This is analogous to those who insist that ‘data’ is plural and that the correct plurals are ‘stadia’, ‘podia’ and ‘octopi’. Or perhaps it’s analogous to the animals that have what we call ‘zero plurals’, like ‘sheep’ or ‘deer’.

[2] ‘Not safe for work’. You can probably figure out why, given that the game uses your phone’s camera, which can take selfies.

The IRS is coming and they want to help–really!

As I mentioned in an earlier post and also here, a number of Wayne State employees were hit by an IRS hack that stole their identities and attempted to claim refunds. Wayne State C&IT and Internal Audit have investigated these hacks and have found no evidence that the source of the leaks was located at Wayne State, but nonetheless the IRS has volunteered to send an agent to campus to talk about how to avoid this kind of attack in the future.

We have contacted all the victims that we know of, but have also decided to open the IRS agent’s talk to the campus at large. Here are the details:

Tuesday, July 12, 10:00 AM

Partrich Auditorium (located in the Law School).

No need to RSVP—just come.

If you have any questions, you can contact the Office of Internal Audit at (313) 577-2128 or Carolyn Hafner at ab0414@wayne.edu.