Happy Data Privacy Day!

Keep your messages safe!

January 28 is Data Privacy Day! To honor the day, I thought I would give a little tip to all of you Warriors.

If you are like me, I’m going to guess that you receive countless emails per day. It is likely the most utilized tool for your daily tasks. Statista reported that 269 billion emails were sent and received each day in 2017 and that 293.6 billion will be sent per day in 2019 (Daily number of e-mails worldwide 2017 | Statistic). Though it is an amazingly helpful tool, it needs to be used in the best way possible. More than once, I have seen personal data sent through the university’s email systems, which sends chills of fear up my spine. Though it may seem like your message goes straight from your computer to whomever will be receiving it, email is far from private.

The best analogy that I can give you to understand the security of email is by posing this question: Would you take your social security number, your date of birth, your contact information, and information for a couple of bank accounts; write it onto a post card; and drop it into a mailbox to be sent to a trusted friend?

I seriously doubt it. Email can easily be intercepted by the least experienced of hackers. Never give any personal, financial, or important information to someone via a regular email message.

You may ask, “So, how can I get this information to someone privately?” Use encrypted messaging!

Our IT Team has set it up so that sending an encrypted message using our Outlook service is absolutely simple. Here’s what you do:

  1. Write your message as you normally would.
  2. In your subject line add this before your message’s subject: #secure
  3. Send it!

That’s it! You are done. The recipient will receive an email that has special instructions as to how they can get to the message. Via their browser, they will be sent to a page in WSU’s Outlook account.

Data Privacy Day Bonus!

This is really a reminder for anyone who missed the message I posted for last year’s Data Privacy Day.
You can now never change your WSU password again.

Currently, every six months, you receive a message that informs you that you must change your password to access all the WSU systems (Academica, Wayne Connect, Canvas, STARS, etc.). Then, you rack your brain to come up with something you know you will remember and haven’t used before—blending that perfect amount of lower and upper case letters, numbers, and special characters.

You can now make a password for yourself and never have to do it again.

How, you ask? Simple. Using the same requirements, make a password that has 15 or more characters in it. If you do that, you’ll never be asked to change your password again.

You ask, “How will I remember a password with 15 characters?”

I suggest choosing random words that are easy for you to remember, then adding a number and a special character. Security experts have learned that using multiple random words (three and up is best) provides a great balance between usability and security. These types of passwords are actually difficult for attackers to guess.

Next time you are asked to make a password, make one with fifteen characters. It will save you time because you will never have to do it again.
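As an added illustration of the advice above (example code, not part of the original post), this script builds a random-word passphrase, checks it against the password rules as the post describes them (lower and upper case, a number, a special character, 15 or more characters), and estimates how much guessing work each style of password represents. The word list and the policy function are assumptions based on the post, not WSU’s actual rules.

```python
import math
import secrets
import string

# Constructed sample word list; a real generator would draw from a list of
# several thousand words, and the list size is what drives the entropy figure.
WORDS = ["harbor", "velvet", "ladder", "comet", "pickle", "anvil", "meadow", "quartz"]
SPECIALS = "!@#$%^&*"


def meets_policy(pw: str) -> bool:
    """Assumed rule set from the post: mixed case, a digit, a special character,
    and at least 15 characters so the password never has to be rotated."""
    return (len(pw) >= 15
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


def make_passphrase(words=WORDS, n_words=3, rng=secrets):
    """Join n random words with hyphens, capitalise the first word, and append
    one digit and one special character. `rng` only needs a .choice() method,
    so secrets (default) or a seeded random.Random() both work."""
    chosen = [rng.choice(words) for _ in range(n_words)]
    chosen[0] = chosen[0].capitalize()
    return "-".join(chosen) + rng.choice(string.digits) + rng.choice(SPECIALS)


def entropy_bits(choices_per_slot: int, slots: int) -> float:
    """Bits of entropy for `slots` independent picks from `choices_per_slot` options."""
    return slots * math.log2(choices_per_slot)


def compare_styles(wordlist_size: int = 7776, n_words: int = 4) -> dict:
    """Random 8-character password over 94 printable ASCII characters versus a
    passphrase of n_words drawn from a wordlist (7776 is the classic diceware size)."""
    return {
        "8 random printable characters": round(entropy_bits(94, 8), 1),
        f"{n_words} random words": round(entropy_bits(wordlist_size, n_words), 1),
    }


if __name__ == "__main__":
    pw = make_passphrase()
    print(pw, "meets policy:", meets_policy(pw))
    for style, bits in compare_styles().items():
        print(f"{style}: ~{bits} bits")
```

The point the numbers make is the one the post makes: a handful of random words reaches the same guessing cost as a random character soup, while still being something you can remember.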

Don’t be a phish, take Google’s security quiz


Today I was sent a link by Geoff Nathan, WSU’s former privacy officer. It was a really nifty tool so I thought I would share it with you — Google just released a phishing quiz to test your knowledge on phishing messages. It takes eight minutes; you can finish it quickly.

WSU’s C&IT security team does an amazing job at keeping the majority of email scams out of your inbox, but in the event that you encounter one before we do, it’s best to be prepared. My apologies to any of you who have dreamed of joining the band Phish.

I am issuing a challenge to all of you: take the test.

Take Google’s Phishing Quiz

Vector Graphics by Vecteezy.com

Naughty or nice: Beware privacy policies when you gift tech

Holiday season is in the air. Some of you may have just celebrated Hanukkah; others will be celebrating Christmas, Kwanzaa, or Winter Solstice. If you are sharing presents as part of those celebrations, you may want to more closely examine the gifts you are giving or receiving.

It is predicted that people in the United States will spend approximately $3.8 billion on smart home devices like Amazon’s Echo or Google’s Home. This does not even include other Internet of Things (IoT) and internet-connected devices. These devices provide almost unimaginable convenience and connectivity. However, cyber-security experts warn that there are risks associated with being plugged in all the time.

Every time you purchase one of these devices, somewhere along the way, you will be presented with a privacy policy issued by the maker of the device. We have all seen these; they are cousins to the end-user license agreements (EULA) that people have waded through with software purchases since sometime in the 1980s. These agreements are basically a use-at-your-own-risk warning that ensures the software maker is not held accountable for anything that goes wrong as you use your computer. A privacy agreement is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client’s data. It fulfills a legal requirement to protect a customer or client’s privacy. If you are like most people, you just want to get to using your new device or app, so you scroll to the end of this lengthy document and click accept.

You may want to take a bit more time to look over those privacy notices, though. Smartphones have really pushed consumers to appreciate convenience and connectivity. With that convenience come some costs. Those costs are tied into privacy policies — if the companies making these devices prioritize privacy at all.

Luckily, the Mozilla Foundation — you likely know them via their subsidiary, which makes the Firefox browser — has a guide to help people as they make gift decisions. As the organization believes “the internet must always remain a global public resource that is open and accessible to all”, it has been highly active in advocating for security and privacy.

Mozilla’s list is known as the “*Privacy Not Included” guide. To prepare the list, Mozilla allows users to rate items on a scale from “Not Creepy” to “Creepy.” It’s an easy-to-navigate website that shows photos of products, lists them in categories and — most importantly — tells consumers whether they feel the gifts maintain a set of minimum security standards for IoT devices. These standards include whether the products use passwords, manage vulnerabilities, update for security frequently, encrypt all network communications, and make their privacy policies easily accessible and understandable.

In this list Mozilla works to answer several questions:

  • Can it spy on me?
  • What does it know about me?
  • Can I control it?
  • Does the company show it cares about consumers?

As a tech junkie, I must admit that I enjoy many of the conveniences offered by some of these devices. I do, however, want to know exactly what information is being used so that I can make a choice as to using the device. An example: Our smartphones use location data; unless you turn the service off, they know every place you have been and can actually make predictions as to what you may do next. I was a bit taken aback the first time my Android phone showed me how long it would take to get someplace before I even asked it. Did I turn location services off? Temporarily. I missed the convenience of being told how long it would take to drive to my next appointment. I have read the privacy agreement provided by Google though and decided that I could accept their having this data. I feel better, though, knowing that they encrypt all the data as it goes to the servers that power this artificial intelligence (AI) technology and that I have to use passwords along with multi-factor authentication to access the information. I am taking that risk. 

You, however, may not want to take that risk. Knowing that an Amazon Echo or Google Home must listen to you all the time in order to answer all your needs may be too much for you. You may not feel comfortable with that Fredi baby monitor, which has been hacked in the past and has a default password of “123”. You may feel absolutely fine with knowing that your Fitbit fitness tracker connects to your smartphone or that the cool Parrot Bebop 2 drone uses an open Wi-Fi network as it follows you around taking photos. All of you likely have varying comfort levels; you deserve to be well informed in order to make your choices. Mozilla helps us along with this.

In the age of Cambridge Analytica, most of you now recognize the importance of your data. Companies and individuals may have both positive and nefarious usages for it. You deserve to know what you may be sharing. 

I highly suggest taking a look at the *Privacy Not Included Guide as you’re making your gift purchases this year.

https://foundation.mozilla.org/en/privacynotincluded/

Eduroam is here (and there, and everywhere)

Former Information Privacy Officer Geoff Nathan got firsthand experience with Wayne State’s new eduroam service this summer. Check out what he had to say.

— Michael Barnes


Wayne State University has joined the international consortium known as eduroam. Eduroam allows anyone with login credentials at member universities to log in to the network at any other member institution.

What does this mean?
It means that if you can log in to the Wayne State wireless network (the secure one), then you can log in to the wireless network at any other academic institution that is also an eduroam member. This means you have a secure Wi-Fi option at hundreds of universities, research institutes and more.

How well does it work?
Very well! This past summer I visited the University of Hawaii (Manoa campus)[1], Tartu University in Tartu, Estonia and Southern Illinois University Carbondale. While on each campus I simply chose eduroam as the network to connect to, entered my Wayne State credentials and immediately got access to their network.

The only drawback is that you may get a mysterious error about certificates, but this only means that the university has made a small configuration error, not that there is a real problem.

So next time you are visiting another academic institution around the world, you probably can use their secure Wi-Fi with your WSU AccessID and password.

Find a full list of every eduroam institution around the world (sorted by country) at eduroam.org/where/. There are over 500 eduroam institutions in the United States alone and there are additional institutions in nearly 100 other countries.


[1] Yeah, I know. But I’m an alum. I lived there in the ’70s.

Welcoming our new Information Privacy Officer

Those who know me (or those who occasionally look at the blog listings on Today@Wayne) may know that after 15 years at Wayne State University, I announced my retirement this past spring. I was proud to serve as Wayne State’s first Information Privacy Officer and I’m confident that my successor, Michael J Barnes, will be able to do even more with the role. You already met him when he posted over the weekend about the nasty Equifax security breach. Please join me in welcoming him.

Thanks for reading this blog over the years. I may do a guest post from time to time, so this won’t be the last you hear from me. Now for a few words from Michael:

Hi all. I am an Associate Professor in the College of Fine, Performing & Communication Arts in the Maggie Allesee Department of Theatre and Dance, having served as the Artistic Director and on its Executive Committee since 2011. I’ve served on numerous committees at Wayne State and, as a member of the Academic Senate, served on the Facilities, Support Services, and Technology Committee. Before I came to Wayne State, I was faculty at the University of Miami in the Department of Theatre Arts, also teaching in their School of Law, and at Temple University. I’ve been obsessed with technology since I started learning on the original Macintosh computer.

I’ve worked with Geoff on a handful of projects in my time at Wayne State and I’m excited to become a member of the C&IT team and turn my passion for technology into a position where I can effect change. I’m taking over the ProfTech blog, so keep an eye out here for regular updates about university privacy and how faculty can best use technology resources. You can also reach me at mjbarnes@wayne.edu with questions or comments about university privacy.

Quick info about Wayne State’s cybersecurity

In the wake of the cyberattack on Equifax and the loss of the personal data of millions of U.S. citizens, I thought it would be interesting for the Wayne State community to know a bit more about cybersecurity on our campus.

Wayne State takes your privacy and the storage of your information very seriously. C&IT works constantly to make certain that all information is kept safe. It is a top priority to keep our employees’ information safe and to make certain that we uphold standards set by regulations like FERPA and HIPAA.

For a brief overview to understand the university’s methods of securing data, Director of Information Security Kevin Hayes shared the active controls utilized here at WSU:

  • Multiple layers of firewalls
  • Regular vulnerability scans check for malware and security issues on our central servers
  • Automatic blocking of new attackers and threats
  • Two-factor authentication for access to sensitive data
  • Manual reviews of servers, systems and processes to ensure data integrity

He also shared metrics to understand just how successful the firewall and security systems have been at Wayne State.

On a typical day, university firewalls block:

  • 187 million connections at the Internet edge
  • 8 million connections for residence halls and housing
  • 7 million connections at the data center
  • 1 million connections at our Disaster Recovery (DR) site
  • 300,000 connections for the President, Provost and Office of General Counsel
  • 200,000 connections for the WSU Police Department

In the month of Aug. 2017, the systems:

  • Dynamically blocked 2,844 attackers attempting to scan our network
  • Blocked 4,373 viruses and malware components
  • Prevented 482,316 outbound connections to other malicious destinations
  • Thwarted 91,793 hacking attempts

Yes, you read that correctly. There are close to 200 million attempts to hack into WSU systems in one day. When I first heard these figures, I was shocked. In our modern world, it is virtually impossible to keep information about you completely private. Rest assured, WSU does everything possible to make certain that we are never the source that compromises your personal privacy.

Lessons from the Wannacry Ransomware Attack

My colleague and acquaintance, Bruce Schneier, wrote a good article about what we can learn from the Wannacry attacks of last month. It’s both in the Washington Post and the Metrowest Daily News (the WP article is behind a paywall for me, but you may be able to read it).

P.S. I have recently retired, but will occasionally return to post on important issues related to security and privacy.

What should we do after Congress repealed the privacy law?

I have received many questions from my friends about what to do now that Congress voted to repeal the online privacy rules created last October by the Obama administration.

The first thing to do is to avoid panic. Those privacy laws never took effect, so I believe we are now no worse off than we were before last October, although some commenters are disputing this.

What did the proposed regulations do? They would have forbidden your internet service provider (ISP) from collecting and using data about your online activities, and in particular from selling that data to other merchants (such as Amazon or Facebook).

When you browse the web from home (or from your phone) your ISP (Comcast, AT&T, WOW, Verizon etc.) routes your traffic from your device to the website you are visiting. That information is, of course, stored by your provider and can be aggregated and sold to the highest bidder. And, of course, if the information is stored, it can be subpoenaed, seized through a national security letter or stolen and sold online to somewhat less reputable people than Comcast.

And all of these things have happened already (Schneier’s article cites real examples):

What can you do to prevent your ISP from seeing where you browse and what websites you look at?

The best solution is to use a Virtual Private Network (VPN). A VPN is like a tunnel that routes all your internet browsing through a neutral pathway so that nobody outside the tunnel can see it. Your browsing is encrypted from your computer to the entrance to the tunnel, and outsiders can only see traffic from the tunnel to your target website. Thus nobody snooping on your connection can tell where you are browsing.

VPNs were developed to allow protected information to be transmitted across the web. If you are a Wayne State employee you can use the Wayne State VPN. If you do so, your computer (or smartphone — the VPN works with those too) talks only to Wayne State, effectively making it part of the Wayne State network. But any browsing traffic (or downloading) is encrypted, so that nobody can snoop on it (with the possible exception of the NSA, although there is some dispute about whether even they can break 64 bit encryption). You can learn about, and use, the Wayne State VPN here: computing.wayne.edu/vpn.

Even if you’re not worried about Comcast or AT&T snooping on your web activities, there are good reasons to use the VPN, particularly if you are not at home. Random Wi-Fi connections in public places are notoriously vulnerable to snooping, and the VPN will protect your laptop or smartphone there. And, of course, I have written over the years about international travel and the possibility that other governments might watch over your shoulder to read your email or other activities. A few countries (China in particular) attempt to block the use of VPNs, although they generally leave universities alone.

When you use a VPN, all traffic from your computer to the website you are looking at goes through Wayne State (or an alternative; more below) first, and is encrypted from your computer to Wayne State. That means if someone snoops on your connection, all they see is encrypted traffic from you to Wayne State. They can’t see where you are browsing.

Here’s a diagram of what happens when you DON’T use a VPN:

[diagram: browsing without a VPN]

And here’s a diagram of what happens when you DO use a VPN:

[diagram: browsing through a VPN]

It should be said that for older machines and slower network connections there might be a slowdown in how fast a page loads, and we don’t recommend using the VPN for streaming movies.

One last thing: be aware that when you visit a website whose URL begins with https: any text you transmit to that site is encrypted, but any site that begins http: is not encrypted. In addition, sites with https: are authentically what they say they are. You can tell this because there is a green padlock in the address bar, and the text sometimes includes the name of the company.

If you don’t have access to Wayne State’s VPN there are alternatives. Kevin Hayes, our Chief Information Security Officer, recommends not using the various free VPNs on the market, pointing out that ‘if you are not paying, you are not the customer’. However, PC Magazine has a rating of various commercial VPN options here: pcmag.com/article2/0,2817,2403388,00.asp.

Yes, the IT Services Survey is real—and I’m glad you asked

Much of the campus received a message earlier this week to fill out an IT Services Survey. I have been contacted by many people asking whether the survey was legitimate, or whether it was a phishing attack.

Let me first say that I very much appreciate folks asking me whether this is real. It means our training is having an effect and people are learning to be skeptical of email messages that ask them to click on things. That is exactly the right attitude to have!

That said, let me point out a couple of telltale indicators that this message is real:

If you hover over the link that is provided, a tiny window will pop up (on Firefox it appears in the bottom left corner) showing the actual URL that you will go to if you click the link. Always hover over a link if you are suspicious. If the pop-up address and the one visible in the actual message match, then you are about to go to the website claimed. In this case, the website belongs to techqual, a company many of you already know about — it’s Wayne State’s source for running this survey. Here is a screenshot of what that looks like in my Wayne Connect mailbox — the arrow points to the popup URL.

If you are interested in learning more about how to recognize phishing emails, our Chief Information Security Officer, Kevin Hayes and I will be conducting anti-phishing training on Thursday, March 23, at 11 a.m. in the Purdy-Kresge Auditorium. Come and learn all the telltale signs of phishing emails and why we keep getting these attacks. And, of course, what you can do to protect yourself. No advance registration and no technological knowledge is required. Learn more at events.wayne.edu.
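The hover check described above can be automated for an HTML email body: extract every link, and where the visible link text looks like a web address, compare its host with the host of the real href. The following is an added example, not code from this blog or from C&IT; the sample email and all hostnames in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Lower-cased hostname of a URL, or of bare text such as 'survey.example.com'."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """Only link text that shows a web address gives the reader something to compare."""
    return "." in text and " " not in text


def suspicious_links(html: str):
    """Return (visible text, real href) pairs whose hosts disagree: what the reader
    sees in the message differs from what the hover pop-up would reveal."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href)
            for href, text in collector.links
            if looks_like_url(text) and host_of(text) != host_of(href)]


# Constructed sample message: one plain-text link, one honest URL link, and one
# link whose displayed address does not match where it really goes.
SAMPLE_EMAIL = """
<p>Please complete the <a href="https://survey.techqual.example/wsu">IT Services Survey</a>.</p>
<p>Or type <a href="https://survey.techqual.example/wsu">survey.techqual.example</a> into your browser.</p>
<p>Verify now: <a href="http://wayne-edu-login.example.net/x">https://wayne.edu/login</a></p>
"""

if __name__ == "__main__":
    for shown, real in suspicious_links(SAMPLE_EMAIL):
        print(f"mismatch: text shows {shown!r} but link goes to {real!r}")
```

Link text that is a phrase rather than an address ("IT Services Survey") cannot be checked this way, which is exactly why hovering to see the real URL still matters.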

Duo Again

Roughly two months ago the university introduced Duo, a two-factor authentication system to protect sensitive data held by the university. It did this in response to innumerable phishing attacks, some of which succeeded well enough that faculty paychecks were stolen and systems shut down because some of us opened sneaky emails and followed the instructions therein.

In order to limit the damage that these phishing attacks cause, we decided to make it harder for scammers to break into our systems. By requiring that everyone confirm that it is indeed them, and not a crook from Antarctica (or perhaps someone from closer in), who is attempting to enter grades or change direct deposit banking details, we hope to save the university a lot of money and our employees a lot of heartbreak.

Duo simply provides a simultaneous parallel avenue of logging in, in addition to the combination of AccessID and password. The parallel avenue can be a smartphone, a simple cellphone, an office telephone or several other routes. Think of it as having both a key to the door and facial recognition software. Or someone waiting to hear you say, “Joe sent me.”

For complete instructions on how to use Duo you can see my previous blog, the notice the university sent out in early November, or the computing.wayne.edu information page. Finally, here are step-by-step instructions.

There are a few minor glitches people have discovered. If you want to put the Duo app on your smartphone and your credit card details with the iPhone App Store or Google Play Store have expired, you’ll have to put in current information. Note that this is Apple and Google’s rule, not Wayne State’s or Duo’s. They don’t want you downloading other apps for free, even though Duo itself is, and always will be, free.

Another minor glitch is that some folks apparently missed the Duo roll-out entirely, which indicates that they never looked at anything in Academica that was connected to Banner (such as their paystub, their benefits or their classlists) before final grade submission began. I would strongly recommend reading messages that C&IT sends out — it really might be important 🙂 And we try hard not to overwhelm the campus with email announcements.[1]


[1] True story. Many years ago I was a member of a committee of fairly well-established WSU researchers. One of them told the committee that he instructed his junior colleagues to delete any messages that came from the WSU administration without reading them. He said they should stay away from university politics. My first reaction was, “What if the email message from Chief Holt was warning them about an active shooter in their building?”