The access to your email is NOT suspended

Many people today got an email message warning them that access to their email had been suspended. This is, of course, phishing.

The message looked like this:

Phishing Email

It encourages you to click on a link which will take you to a Google Doc which looks like this:

Google Docs phishing site

Needless to say, don’t fill it in. In fact, don’t even click on the link in the first place. Unfortunately, this particular brand of phishing, which uses Google’s own resources, can’t simply be blocked, because lots of us use Google Docs for perfectly legitimate purposes.

Ultimate lesson: never click on a link in an email and then enter your Wayne State AccessID and password. Wayne State will never send you a log-in link. Instead we will tell you to type in the address or use your bookmarks. That way you always know where in cyberspace you are.

Some musings on email privacy (yours and mine)

In the fallout from the Petraeus incident there has been much discussion about the privacy of email, and for good reason.

I will assume that everyone knows that CIA Director David Petraeus resigned recently because he was found to be having an affair with his biographer Paula Broadwell. This became ‘known’ in a complex way. A second woman (or third, if you count Petraeus’ wife), Jill Kelley, received some rude anonymous email messages and asked an FBI agent friend (we can presume ‘friend’–he had sent her shirtless pictures of himself) to investigate. Despite the fact that sending weird emails is not a federal crime, the FBI obtained subpoenas for IP logs (i.e. logs identifying which computer address(es) had sent the messages). These turned out to be the same computers that Paula Broadwell had used at various times (and they could then subpoena hotel IP records, WiFi network records and so on).

Note that the FBI obtained all these records without a warrant (and therefore without showing ‘probable cause’ that a crime had been committed). Having shown that Broadwell’s email account contents were ‘relevant’ to their investigation they then subpoenaed, and received access to her Gmail accounts. And within those accounts they found tons of correspondence between her and Petraeus. Interestingly, Broadwell and Petraeus used an old spy’s trick to correspond–they shared an account, and stored the messages as ‘drafts’, thus never sending the actual messages from one account to another. Unfortunately for their romance, you don’t need to send an email message to leave a trail–all you have to do is connect to an email system.

As Julian Sanchez has pointed out, ‘the demand for access to Broadwell’s emails was just one of 6,321 requests for user data—covering 16,281 user accounts—fielded by Google alone in the past six months’.

Aside from the titillating details, why should we care about this? It’s very simple–at least potentially, nothing you put in an email is private. The Feds can look at it whenever they want, and they don’t need a search warrant. Of course, there’s no specific reason to be worried that they will look at your email, especially if you have done nothing to attract their attention.

And, of course, attracting the FBI’s (or TSA’s) attention is quite unrelated to whether you have done anything wrong (witness screaming toddlers being groped by TSA agents and the FBI’s legendary attempts to blackmail Martin Luther King Jr.). And, all jokes aside, I myself spent about six months on the TSA’s ‘selectee’ list in 2004-5, which meant that I couldn’t fly without an extensive interview at the gate every time I flew. To the best of my knowledge I have not consorted with bad guys, nor is my name similar to that of someone who is. So I don’t accept ‘if you have nothing to hide, you have nothing to worry about’ as an answer.

Most of us believe our ‘persons, houses, papers and effects’ are protected against ‘unreasonable search and seizure’ (it’s called the 4th Amendment). However, in a bizarre reinterpretation of that statement, the Electronic Communications Privacy Act (passed in 1986, right at the beginning of widespread use of email) states that email messages stored on servers for more than 180 days are considered to be ‘abandoned’, and hence no judicial review is required for law enforcement to request them [1]. This was because in the eighties email was always downloaded to your computer, unlike the current cloud-based email systems (such as Gmail, Wayne Connect and Microsoft’s Live Mail), where many of us keep years of correspondence online. Clearly the ECPA is grossly out of date, and there have been movements in Congress to update it. However, law enforcement, never an interest group to give itself more obstacles, has been lobbying heavily to make retrieval of stored email even easier for an alphabet soup of government agencies. As this is written there are conflicting reports [2] on whether Sen. Patrick Leahy is trying to prevent this or to encourage it in a new bill being discussed in the lame-duck Congress.

Notes:

[1] http://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act

[2] http://news.cnet.com/8301-13578_3-57552687-38/leahy-scuttles-his-warrantless-e-mail-surveillance-bill/ (Declan McCullagh)

Additional references:

http://www.nytimes.com/2012/11/14/us/david-petraeus-case-raises-concerns-about-americans-privacy.html (New York Times coverage)
http://www.sfgate.com/news/article/Privacy-law-can-t-keep-up-with-digital-age-4047236.php
http://www.thenewamerican.com/usnews/politics/item/13710-sen-leahy-drops-controversial-warrantless-e-mail-surveillance-bill

SPAM—More than you ever wanted to know about how we block it

Over the past week or two there’s been a brief bump in the amount of spam you received (if you were one of about 500 lucky individuals). C&IT now seems to have the situation under control, but I thought folks would be interested in how we attempt to control SPAM. It’s a complex process, involving what security folks call defense in depth, and, as with most modern warfare, it’s an arms race.

The Wayne Connect email system uses three different kinds of anti-spam protection, acting in serial (i.e. each one operates on the output of the previous one).

The first layer, Cisco IronPort SenderBase (known sometimes simply as IronPort, which was the name of the company before Cisco acquired it several years ago), filters out mail from any source that has a bad ‘reputation’. This machine relies on a continuously maintained national database of known spammers. That database is assembled from all the other IronPort machines located around the world. Believe it or not, about ninety percent of the email messages that reach Wayne State are blocked at the outermost wall by this ‘appliance’.

Mail that gets through this filter is then submitted to the second layer, the Quarantine filter you probably know about. This has an algorithm to guess whether things might be spam based on various characteristics of the messages. Messages that ‘look’ suspicious to the software are placed in quarantine, and you get a message every morning from the machine telling you what has been quarantined in the past 24 hours. You can then tune the system by telling it which domains (such as ‘wayne.edu’ or ‘freep.com’) you want to permit, and it establishes what is known as a whitelist.

The third layer is Wayne Connect itself, which has another algorithm, and places suspicious mail in your Junk folder. I find there is very rarely anything in there, but if something does show up, I look at it (when I remember) and either delete it or mark it as ‘not junk’, and it moves to my Inbox.

The result is that, although the occasional message slips through, over ninety percent never reaches you. And all of this is totally automatic, incidentally—no human being ever sees any message the system blocks.

In case you are wondering what happened last week, incidentally, the first layer was modified (to make it faster by doubling the number of machines it runs on, simplifying somewhat) and the new machine needed a little tinkering to get the filter to work correctly, so anybody’s mail that went through the new machine was not properly filtered for a few days.

For those of you who were spammed, you now can see what kind of stuff we normally shield you from. I was one of those who got some hair-raising messages during those few days. I imagine you want us to keep the shields up.

Just for fun, here’s a graph produced by the anti-spam system showing what got through, and what was blocked by each layer.

Proportion of mail blocked, by category

Notice, incidentally, the number in the top right-hand column. That represents messages received over a recent twenty-four hour period. Mail comes in to Wayne at a peak rate (at noon) of roughly 140,000 messages per hour!
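To make the serial structure concrete, here is a toy pipeline (an added example, not C&IT’s own filtering code) that runs constructed messages through a reputation block, a quarantine filter with a per-user domain whitelist, and a junk-folder rule, and tallies what each layer stops. The reputation list, the phrase scores, the Reply-To rule and the messages themselves are all assumptions made for illustration.

```python
"""Toy three-layer, serial anti-spam pipeline (added example, not C&IT's code).
Reputation data, heuristics and messages below are all constructed."""
from collections import Counter

BAD_REPUTATION_IPS = {"203.0.113.7", "198.51.100.42"}  # stand-in for SenderBase
SUSPICIOUS_PHRASES = {"account suspended": 2, "verify your password": 2,
                      "click here": 1, "free": 1}       # phrase -> score
QUARANTINE_THRESHOLD = 3


def reputation_layer(msg):
    """Layer 1: drop anything from a sender IP with a bad reputation."""
    return msg["sender_ip"] not in BAD_REPUTATION_IPS


def quarantine_layer(msg, whitelist):
    """Layer 2: score subject+body; whitelisted sender domains skip the check."""
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    if domain in whitelist:
        return True
    text = (msg["subject"] + " " + msg["body"]).lower()
    score = sum(w for phrase, w in SUSPICIOUS_PHRASES.items() if phrase in text)
    return score < QUARANTINE_THRESHOLD


def junk_layer(msg):
    """Layer 3: the mailbox's own rule; here, a Reply-To that differs from From."""
    return msg.get("reply_to", msg["from"]).lower() == msg["from"].lower()


def filter_mail(messages, whitelist):
    """Run each message through the layers in series; the first failing layer wins."""
    layers = [("blocked_by_reputation", reputation_layer),
              ("quarantined", lambda m: quarantine_layer(m, whitelist)),
              ("junk_folder", junk_layer)]
    counts = Counter()
    for msg in messages:
        counts[next((name for name, ok in layers if not ok(msg)), "inbox")] += 1
    return counts


SAMPLE_MESSAGES = [  # constructed; 192.0.2.x and 203.0.113.x are documentation ranges
    {"sender_ip": "203.0.113.7", "from": "promo@example.net",
     "subject": "FREE prizes", "body": "Click here"},
    {"sender_ip": "192.0.2.10", "from": "it-help@example.org",
     "subject": "Account suspended", "body": "Verify your password here"},
    {"sender_ip": "192.0.2.11", "from": "dean@wayne.edu",
     "subject": "Account suspended?", "body": "Please verify your password reset"},
    {"sender_ip": "192.0.2.12", "from": "news@example.com", "subject": "Newsletter",
     "body": "Reply to us", "reply_to": "collect@example.biz"},
    {"sender_ip": "192.0.2.13", "from": "colleague@example.edu",
     "subject": "Lunch?", "body": "Noon at the usual place"},
]
```

Running `filter_mail(SAMPLE_MESSAGES, {"wayne.edu"})` shows one message stopped by each layer and two reaching the inbox; with an empty whitelist the dean’s legitimate-but-suspicious-looking note is quarantined too, which is exactly the false positive the domain whitelist exists to prevent.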

Have You Tried Turning It Off And On Again?

Those of you familiar with British sitcoms might be aware of the show The IT Crowd, about an IT support office for a huge but mysterious company. Their catchphrase is the title of this post. The reason I’m bringing this up is that C&IT is going to do just that this coming Sunday. Everything you know and love will go away from midnight Saturday night till 10 AM Sunday morning, and this post is intended to provide a sense of why this is being done and what effects it will have.

As you might imagine, C&IT has hundreds of servers, running Pipeline, Blackboard, Banner and even each other. The last bit is because much of the C&IT infrastructure runs on virtual machines rather than having one operating system per machine, and there is also complex load balancing going on. When there are thousands of people visiting Blackboard at the same time a ‘traffic cop’ assigns them to different routes to the basic Blackboard files.

Consequently, the electrical power demands of these hundreds of units are very large, and require a very elaborate system to assure continuous power. The system includes an enormous battery back-up system, and beyond that, a natural gas-powered generator to power the entire building independently when power problems occur. All this is necessary to deal with the vagaries of electrical supply in the city of Detroit, especially during the peak-demand summer months.

The electricity comes into the primary room to the uninterruptible power supply (UPS) system and is then routed to power distribution units (PDUs) where the power is transformed from 480 volts to 208 volts before being distributed through panels that are similar to the circuit breaker panels in your basement. Over the years the number of servers has increased, and it’s time to rewire the PDUs in order to make sure that servers are connected redundantly to the PDUs and subsequently the breakers. But, as you know if you’ve ever thought about doing this at home, you need to shut off the entire power supply before you touch anything. So, early on Sunday morning (specifically 12:01 AM) we’ll start shutting down all the computers. Because they are all interconnected, this is a complex and slow process. Then the electrical guys will do the rewiring, and finally we’ll turn it all back on again, which is, again, a very slow and careful process. This is why we’re allocating ten hours for the complete change. It’s possible it will take less time, but just to be sure, we’re being very cautious.

So, everything you normally use (Blackboard, Pipeline, Banner, Wayne Connect email…) will be turned off between midnight and 10 AM Sunday morning. We’re hoping, because the university is closed Monday in observance of Martin Luther King Day, that this will not be too disruptive.

Is your computer hiding toxic substances? What about your iPad? Your Droid? Your email?

In the computer security field, confidential data is informally referred to as ‘toxic’. This is data that, if it falls into the wrong hands, could cause harm. Toxic data includes social security numbers, driver’s license numbers, patient health information, credit card numbers, student records, and other data protected either by state or federal law. Data is toxic because it could be used to steal from people, or to steal their identity. Toxic data must be properly protected.

Beware the toxic data!

Not only is this common sense, it’s also university policy. Policy 07-2 states that confidential information such as this must be stored on password-protected computers and transmitted only in encrypted or password-protected form. What this means is that if you have this kind of data on your electronic device (not just your desktop computer, incidentally, but also your smartphone, your tablet or your laptop) that device should be password-protected (see Proftech on mobile security for suggestions on how to do this for smartphones). And furthermore, you should never send this kind of information by email, because email is not a secure pathway. Email messages are no more secure than postcards.

Two other things you can do:

  • Make sure everything you use has a strong password (see this page for some suggestions)
  • Use WSU-SECURE to connect your laptop when on campus (and even some smartphones). Instructions here

Another reason to be careful with toxic data: State law requires that specific steps be taken to protect access to social security numbers, and that the entity responsible for releasing them must notify everyone whose data was released. This is an extremely expensive process, and the University can ill-afford this kind of unnecessary expenditure in these harrowing budget times.

So, stay away from toxic data. If you must meddle with it, make sure you keep it safe, both at rest and ‘in motion’. Don’t send it by email, and password-protect any file with toxic data if you are transporting it anywhere.

Follow-up on FOIAs

You may recall a blog post from last winter about FOIA requests for email. There’s considerable disagreement about whether faculty email is ‘FOIA-ble’. There’s a nice post on the AAUP website summarizing all the issues and court cases on the topic. It’s long but worth reading. And thinking about. I found it through Inside Higher Ed, a daily university-oriented news site.
http://www.acslaw.org/publications/issue-briefs/academic-freedom-and-the-public%E2%80%99s-right-to-know-how-to-counter-the-chillin