Duo Again

Roughly two months ago the university introduced Duo, a two-factor authentication system to protect sensitive data held by the university. It did this in response to innumerable phishing attacks, some of which succeeded well enough that faculty paychecks were stolen and systems shut down because some of us opened sneaky emails and followed the instructions therein.

In order to limit the damage that these phishing attacks cause, we decided to make it harder for scammers to break into our systems. By requiring that everyone confirm that it is indeed them, and not a crook from Antarctica (or perhaps someone from closer in), who is attempting to enter grades or change direct deposit banking details, we hope to save the university a lot of money and our employees a lot of heartbreak.

Duo simply provides a simultaneous parallel avenue of logging in, in addition to the combination of AccessID and password. The parallel avenue can be a smartphone, a simple cellphone, an office telephone or several other routes. Think of it as having both a key to the door and facial recognition software. Or someone waiting to hear you say, “Joe sent me.”

For complete instructions on how to use Duo you can see my previous blog, the notice the university sent out in early November, or the computing.wayne.edu information page. Finally, here are step-by-step instructions.

There are a few minor glitches people have discovered. If you want to put the Duo app on your smartphone and your credit card details with the iPhone App Store or Google Play Store have expired, you’ll have to put in current information. Note that this is Apple and Google’s rule, not Wayne State’s or Duo’s. They don’t want you downloading other apps for free, even though Duo itself is, and always will be, free.

Another minor glitch is that some folks apparently missed the Duo roll-out entirely, which indicates that they never looked at anything in Academica that was connected to Banner (such as their paystub, their benefits or their classlists) before final grade submission began. I would strongly recommend reading messages that C&IT sends out — it really might be important 🙂 And we try hard not to overwhelm the campus with email announcements.[1]

[1] True story. Many years ago I was a member of a committee of fairly well-established WSU researchers. One of them told the committee that he instructed his junior colleagues to delete any messages that came from the WSU administration without reading them. He said they should stay away from university politics. My first reaction was, “What if the email message from the Chief Holt was warning them about an active shooter in their building?”

Important IT stuff that you might have missed over the summer

As we gear up for a new semester (some of us can’t believe we’re well on the way to 2017), I thought I’d remind folks of a few things that happened over the summer that will affect you (or, in some cases, have already done so).

As you may recall, President Wilson issued a new policy dealing with procedures for traveling internationally on university business (such as attending conferences, giving talks, consulting on aid projects and so on). From now on, you will have to answer a short questionnaire before you can get to TravelWayne, in order to ensure you do not put yourself and the university at risk of violating assorted State Department and Federal Trade Commission travel restrictions. You can read the details here.

Secondly, it is well-known that using security questions to make sure it is you (and not some hacker) resetting your password is not the most secure process. So C&IT replaced the system of security questions with a requirement that everyone provide an alternate email address to which the reset password link may be sent. Most people should already have done this, but here’s some additional information on how it works.

Finally, there are a few things coming up that you will need to be aware of. We will be rolling out a two-factor identification system later in the semester that will make access to critical data sources (your direct deposit bank details, your W2’s and access to Banner for those who have it) more secure. Details on that system will follow in late September. In addition, there will be changes in Banner and a little tighter control on access to sensitive student data.

Hope the beginning of the semester is smooth. And, if you’re new to Wayne State, welcome!

Additional information on the fraudulent income tax return hacks

badguyMASKA couple of weeks ago I wrote about the income tax fraud cases the security and financial folks at Wayne State University have been hearing about. I want to reiterate several points I made and let you know how the investigation stands at this moment.

From the moment we (the Controller, Payroll, the Provost, the Information Privacy Officer — that would be me, our Information Security Officer, Internal Audit, Senate leadership, etc.) started hearing reports of Wayne State employees finding false reports filed in their name, we began investigating how this might have happened — and whether something or someone at Wayne State might have been responsible.

Let me begin by saying: we DO NOT believe this was caused by any person within WSU or because of a security lapse at WSU itself. To the best of our knowledge, all universities in Michigan have employees who have experienced these hacks, and it has certainly become a nationally-covered news item.

Be that as it may, our security team has been combing logs and looking at our database of phishing attempts to make sure nothing has slipped through the cracks.

Last week, I attended a conference in DC of other university privacy officers and opinion was unanimous —  phishing is the source of virtually all security breaches at universities these days. Consequently, our Security Officer and I are offering training on how to recognize and resist phishing attempts. The next two are scheduled for this Friday at 11 a.m. and Tuesday, June 7, at 3 p.m. in Bernath auditorium. Both are free, do not require registration, and are aimed at you, the average computer user.

Finally, let me repeat something I said in my last blog post:


If you were a victim of this scam and would like to help further, you can request a copy of the fraudulent return from the IRS (unfortunately with the name of the bad guy redacted). This is how you do that. Then you can compare the adjusted annual income amount with your W2. If they match, that means somebody got your annual income, so let me know.  Note: DO NOT TELL ME THE AMOUNT – JUST WHETHER IT MATCHES! I am the Chief Privacy Officer, after all 🙂

FYI: Here is a reminder of what you need to do to report a fraudulent return to the IRS.


More on the Tax Fraud Epidemic

On Friday you received a message from C&IT and the VP for Administration talking about the epidemic of income tax fraud that has hit the country. This morning it made the front page of the Free Press:

Detroit Free Press article by Susan Tompor on tax fraud

A large number of Wayne State folks were hit (since my name was listed as contact person I was contacted by a number of people, most of whom I know from other directions).

Unfortunately there’s little you can do, other than following the directions on the IRS website. This is apparently now a feature of our modern, ‘connected’ world.

If you were a victim of this scam and would like to help further, you can request a copy of the fraudulent return from the IRS (unfortunately with the name of the bad guy ‘redacted’). Then you can compare the adjusted annual income amount with your W2. If they match, that means somebody got your annual income, so let me know (DO NOT TELL ME THE AMOUNT–JUST WHETHER IT MATCHES–I am the Chief Privacy Officer, after all 🙂 ). This is how you do that.

Meanwhile, welcome to the club (I was hit too, last year).

Taking control of your microphone

Last week I wrote about how some (perhaps) rogue apps use your microphone to listen for subsonic signals coming from your TV or laptop to tell advertisers what you are watching or viewing.

You can stop this from happening by denying those apps permission to use your microphone. Here’s what you do.

On iOS (iPhone or iPad)1 open the Settings app and scroll down to Privacy. Touch that, then you’ll see this:

Microphone Control Panel with marking

Select Microphone and you’ll see a list of apps that use the Microphone. Here’s mine (somewhat edited):

Microphone details

Slide the on-off switch to the right to deny the app access to the microphone. And the next time you install a new app and it asks you whether to allow it access to your mike, think before you click.™


1 This process is generally similar on a Droid, but may vary depending on version of the operating system.

The Debate on Apple Backdoors Continues

Declan McCullagh (well-known IT commentator and software developer) has a take on why software companies are up in arms about the FBI’s request for assistance with breaking into a terrorist’s iPhone.

And, in case you want some sense of how many important contemporary software and hardware companies are frightened by this development, here’s a list of those who have filed Amicus briefs in the case.

A careful reading of the list shows there aren’t many major players who aren’t taking Apple’s side, including many of their rivals. And here’s the inside story on how Apple marshalled their colleagues to join the fray.

The latest on the Apple-FBI Battle

Last week I noted that the FBI claimed that they were only interested in this one iPhone, and the claim that that they had no intention of using this case as a precedent was clearly not true. This was because they were already using the same request to get into a number of other iPhones.

Yesterday a Federal judge in the New York Eastern District ruled against the FBI in a similar case. The judge ruled that the Government’s expansive use of the ‘All Writs’ Act (passed in the eighteenth century) did not include the ability to force Apple to write new software to break the ‘nine strikes and you’re out’ feature of older iPhones — the feature that prevents multiple tries at guessing passwords.

It’s almost certain that this case will eventually end up before the Supreme Court, as it places the reliable security of our mobile devices in conflict with the government’s desire to search them. The FBI claims that they will be really, really careful with these tools, but the mere fact that they exist means that they will leak. Here’s a somewhat radical comment on that likelihood.

Go here for a comprehensive guide to all the issues.

Tim Cook and the FBI will testify before Congress this afternoon.

Apple vs. the FBI

If you’re interested in what this Chief Privacy Officer thinks, my colleague and friend Dan Solove, the John Marshall Harlan Research Professor of Law at the George Washington University Law School has an excellent blog featuring a cartoon he drew that gets at some of the essence of this issue (click that link if the images below aren’t loading for you):





Here’s a nice discussion in Wired of what’s really involved from a technical, but comprehensible point of view.

The Internet of Things will become a Being

In a couple of recent articles Bruce Schneier, the internationally known security and privacy guru has started thinking deeply about what has come to be called The Internet of Things.

The Internet of Things is the label that is being given to the fact that more and more devices are directly talking to the internet. Thermostats, smoke detectors, fitness bands, house door locks, burglar alarms–the list goes on and on. Not to mention cars that can be unlocked, and perhaps even started with our smartphones. And I’m not even bringing up autonomous cars, which, while real, are not yet ready for prime time.

What Schneier is interested in is the fact that these objects could all talk to each other, either about themselves, or about us. Simple things like the fact that many internet-enabled house door locks will unlock when we walk up to the door, if we’re carrying our phones. Already my car allows me to unlock it if my key is in my pocket (and, incidentally, won’t allow me to close the trunk if the key is in the trunk.) At the moment the key doesn’t talk to the web, but I wouldn’t be surprised if some brands already do. And, as Schneier notes, not only do the ‘things’ in the internet sense the world around them, they also act on it, raising the house temperature, shutting off the house fan if the smoke alarm is triggered (the Nest smoke alarm will do this if there’s a Nest thermostat in the loop). So what do you call something that senses the world and then acts on it in a very generalized way? Schneier calls it a ‘robot’. And, he suggests, its properties, and probably its behavior, is no longer predictable. It’s almost autonomous, and, for those who are interested in the behavior of systems, it’s emergent meaning its behavior is no longer totally deterministic.

Here are the articles–food for thought in both of them.

Forbes article (can’t be read if you have an ad-blocker, incidentally)

CNN Article on what this ‘robot’ might be capable of.

Privacy and Big Data–Why everybody should care

As I have mentioned here, I am now the university’s Information Privacy Officer. As part of educating the campus on the increasing importance of privacy, especially as it relates to the electronic data about each of us sprinkled around the world, I’ve invited the University of Michigan’s Chief Privacy Officer, Sol Bermann, to give a talk on why privacy is something we all need to worry about. The talk will be Tuesday January 26 at 2 PM in Bernath Auditorium, UGL.

Here’s a formal notice.

Hope to see you there.