National Cyber Security Awareness Month: Get to know WSU’s VPN

In honor of National Cyber Security Awareness Month (NCSAM), I thought it would be helpful to explain three key Wayne State University technology systems that help protect the network and the privacy of employees and students. Keep an eye out all month for this series!

The first technology that I want to discuss is the WSU Virtual Private Network or VPN.

In a recent discussion with a colleague in my home academic department, I was asked: “What is this VPN thing that I’m being asked to use to access STARS?”

Simply put, I explained, once you sign in to the VPN it is the equivalent to being on campus and working on WSU’s network. A VPN provides a secure, encrypted tunnel in which data is transmitted between the remote user and a company’s network. It allows our Wayne State employees to access systems remotely and maintain a secure link to those important systems.

VPNs are becoming more well known since the federal government recently overturned regulations that would have required internet service providers to get your explicit consent before they share or sell your web browsing history and other sensitive information [i]. For this reason, many tech-savvy consumers are choosing to use a private VPN service to protect their identity and online activity. In the same way as described above, this means that no one can eavesdrop or track a user’s online activities.

A VPN is especially useful when accessing public Wi-Fi hotspots that may not be secure or when accessing the internet from another country. They provide you, the consumer, with unfettered internet access, and help to prevent data theft and unblock websites.

As privacy matters are becoming more and more important, secure technologies make certain that the data that we use in our work here at Wayne State is secure. I would also suggest, if you are concerned about your own privacy on the internet, that you consider using these technologies in your everyday usage of the internet. There are many VPN services available to the public and they can do a great deal to protect your information.

The Wayne State VPN has an additional layer of security with two-factor authentication. I’ll share more about how this works next week.

More information

Learn more about the WSU VPN on the Computing & Information Technology knowledge base:

 

[i] http://www.businessinsider.com/trump-fcc-privacy-rules-repeal-explained-2017-4/#is-there-anything-i-can-do-now-to-keep-my-data-private-35

How to prevent your heart from bleeding

By now probably everyone has heard about the Heartbleed problem, but just in case you haven’t, here’s a quick summary. One of the programs1 that websites use to communicate securely with customers, called OpenSSL, turns out to have a vulnerability that would let bad guys snoop on traffic to and from those websites even though the data exchanged between them is supposed to be encrypted (as indicated by the icon of a closed padlock in the address bar, and https in the address itself).

The accidentally unlocked ‘door’ has been around for a while, and so there is a chance that your communications with Gmail, Facebook, tumblr and others have been snooped on. There is even a chance that your password has been swiped, and, of course, if you use the same password in various sites, any stolen password will work on all those sites.

What can you do? First of all, all your Wayne State data is safe–the WSU systems were not running OpenSSL, so they are all safe. The Wayne VPN is vulnerable, but the VPN itself was protected from external attacks in another way, so there is no risk there. But, of course, you have passwords on many other sites, and for some of those you should probably consider some password ‘maintenance’. Specifically, you should probably change those once a month for a while. I’ve already changed my Gmail and Dropbox passwords, and am working on several others.

The real takeaway from this event is that you should not reuse passwords from site to site. Of course, that’s easier to say than to do–most of us have dozens, if not hundreds of passwords, so some kind of password management device is becoming more and more necessary. I, myself, use Lastpass, which stores my passwords online (of course I use a unique, complex but rememberable password for that). It not only stores all my passwords, it even suggests complex non-memorable passwords. Since it will automatically fill them in for me I don’t need to remember them. If you don’t like having it fill things in automatically you can invoke it (there’s a plug-in for every popular web browser), display the password and copy it into the relevant website as you log in.

Note that I have no connection with Lastpass, and there are other worthy competitors such as Keepass and Roboform. You can read a review of them here

Lastpass has an interactive form you can use to see whether your favorite websites have been protected. You can find that here.

If you are interested in the technical details on how Heartbleed works you can watch this video , which lasts about 8 minutes. It’s not horribly abstruse–if you kinda know how websites communicate with your computer you can follow it.

Mashable  has a good summary of which websites you need to worry about.

One final thought. NEVER send your password to anyone for any reason through email. And, in fact, if an email tells you to change your password, if you think it actually is authentic, don’t follow a link in the email to change it. Instead, use a bookmark, or type in the web address yourself, so that you know you are changing the password in the right place, and not in a rogue server in Tuvalu.

———-

1 I know that calling it a ‘program’ oversimplifies things, but this characterization will suffice for our purposes.

VPN’s–Now on smartphones too!

News flash. In my blog about VPN’s I didn’t mention connecting to the Wayne VPN with a mobile device, such as an iPad or Blackberry. Turns out you can. All you need to do is download a free app (there’s one for each of the major platforms—iOS, Android and Blackberry) called Junos Pulse. Installing it is quite transparent, and it works flawlessly. Instructions for each device can be downloaded from the Juniper/Junos Pulse support website.

VPN—Yet another 3-letter acronym you need to know

VPN (it stands for virtual private network) is a facility available to all Wayne State faculty and staff. It’s accessed via the website vpn.wayne.edu and  it helps keep your computer and your files safe when you’re on the road. It’s a special, secure kind of connection that you set up to Wayne’s networks from wherever you happen to be in the world.
Wayne State’s campus network is protected in various ways—firewalls, intrusion detection software and other technical thingammies. Consequently, it’s a relatively safe place to play. Chances are good that people aren’t rooting around in your computer (presuming you haven’t been visiting websites you shouldn’t, or downloading iffy attachments, but, this being National Cyber Security Awareness Month, I hardly need remind my readers of that), and you don’t have someone electronically looking over your shoulder while you type.

However, when you connect your laptop or similar device to a network outside of Wayne, you can’t be completely sure that your connection is safe. That’s why we have the VPN1. The VPN sets up a virtual tunnel from your computer into the Wayne State network and your computer then behaves as if it were on the Wayne State network. Furthermore, anything that requires that you be on that network will act as if you were. So if you need to connect to Banner, Cognos, or access a Library resource restricted to Wayne faculty and staff, you can do so wherever in the world you are.
What is a virtual tunnel? Every communication (mouse click, typed item, etc.) that leaves your computer when you’re on the VPN is encrypted. That means it’s turned into an unbreakable2 cipher that is unscrambled back at Wayne State.

To get started, go to the VPN website (vpn.wayne.edu) and log in. The screen will then look something like this:

 

VPN Opening Screen



From here you can access websites and file storage sites on the Wayne campus that are restricted to the Wayne network (for example, C&IT has a fileserver that can only be accessed in that way, and your department or college might have one too).
Much more useful, however, is the Network Connect button on the lower left (circled on the above screenshot). If you click the Start button (lower right) a program will begin to run on your computer, setting up a secure tunnel with the Wayne network. A small lock-shaped3 icon will appear on the lower right of your screen (if you’re a PC person)

or, if you use a Mac:

and you can now access Wayne resources wherever you are. That includes being in countries where internet usage is monitored or even restricted by the government. When I was in China in July I used it to access not only my Wayne State email, but also CNN, Facebook, and Google, all of which would otherwise have been blocked.
In general it’s a good idea to use the VPN whenever you are doing anything that might be risky if intercepted—not only reading your mail but logging on to your bank account or credit card site, since it encrypts all traffic, regardless of whether the other end is at Wayne or not.
Running the VPN ‘client’ (program) may cause some programs to behave somewhat oddly. For example, I use AOL’s Instant Messaging program, and it complains that I’m logged on in two places at once, but that doesn’t seem to be a problem–just log off in one of them.
When you are finished, right click on the little bug icon and select End Session and also go back to the web page for the VPN and click Sign Out.

For more instructions, visit http://kb.wayne.edu/index.php?action=article&id=166&relid=26 to see how to use the VPN on a Macintosh and http://kb.wayne.edu/index.php?action=article&id=167&relid=26 for its use on a PC.

 

—————–

1 For the technically minded among us, this is an SSL VPN. You can read the details on how it works here.

2 Well, actually it’s probably not completely unbreakable. If you have the resources of the National Security Agency or the Chinese or Russian equivalent you could probably break it, given enough time. But for the average citizen there’s probably little need to worry.

3 Until I wrote this blog I thought it was a picture of a bug, but when I inserted the above image, which is larger than it appears on the screen down in the bottom right corner, it turns out it’s a lock with things that look like antennae.