Two-factor authentication is coming to your phone (or other device)

As I’m sure you know, the internet is an increasingly dangerous place, and the most frequent source of compromised computers is people responding to phishing emails. The Security office at C&IT is working 24/7 to keep track of phishing and block people’s access to bad sites, but unfortunately it is just not enough, so C&IT is about to introduce two-factor authentication for certain WSU websites.

The danger with phishing is that people will log into websites that are not what they seem to be, and input their credentials (AccessID plus password). The bad guys running the phony websites then take those credentials and use them to log into sensitive Wayne State sites, like your bank direct deposit setup page, where they redirect your paycheck to a bank of their choosing. And yes, this has indeed happened recently to Wayne State employees. They also use those credentials to install bad stuff on your computer, which they then use to attack other computers within Wayne State.

Since people are easily fooled into clicking on things they shouldn’t, we’re also combating the problem from our end, by beefing up security on certain Wayne State websites—pages within Academica, like PayStub, Direct Deposit etc. We are introducing what is called ‘two-factor’ authentication. (The current system is ‘one-factor’ authentication, where you simply type your password, which is ‘something you know’, into a box.) Two-factor authentication adds an additional layer of security by having you touch ‘something you have’¹. Wayne State has contracted with Duo, a nationally known Ann Arbor-based company, to implement this additional layer.

How does it work?

If you have a smart phone (iPhone, Droid, Windows phone) you can download a free app on the device, and go through a simple registration process. You get the app in the usual way (from the App Store/Google Play etc., by searching for ‘Duo’). You go through a one-time set-up process, and after that, when you log in to the sites that WSU has protected through Duo, your phone will pop up an ‘Approve’ or ‘Deny’ button:

[Image: Duo on iPhone]

If you push ‘Approve,’ Timesheet, Pay Stub, and a few other websites, such as native Banner², will open up. There are additional wrinkles that can simplify your interaction with Duo–you can read about them here.

The process for other flavors of smartphone is the same. See here for Android and scroll down on this page for other devices.

If you would prefer not to use Duo’s app, you have many other choices. You can choose to receive a text message containing a number that you then type into the website, or a phone call (where you can just press # as a response). And there are other ways to do it too. Details can be found here.

If you don’t want to use any device (smart phone, tablet, flip phone, computer) there are other ways to log on (contact the C&IT Help Desk for additional information).

For much more detail on how this works, go to our FAQ.

Many universities and other organizations with sensitive websites that everyone needs to access are moving in this direction. Normally it only adds one or two seconds to the time it takes to log on to Academica or Banner (C&IT employees have been using Duo for a few months, based on the cutely-named notion that we should ‘eat our own dogfood’).

As always, if you have questions you can contact the Help Desk, or you can add a comment below–I always read and respond to comments.

_______________________________________________________________________________________________

¹ You can read about this way of classifying security methods on this website.

² Technically you will need Duo whenever you access ‘Self-service Banner’. This includes facilities you access from Academica such as Pay Stub, Time Sheet, Direct Deposit, tax forms etc. In short, to get to any page within Academica that looks like this:

[Image: Self-service Banner]

The latest on the Apple-FBI Battle

Last week I noted that the FBI claimed that they were only interested in this one iPhone, and that the claim that they had no intention of using this case as a precedent was clearly not true. This was because they were already using the same request to get into a number of other iPhones.

Yesterday a Federal judge in the New York Eastern District ruled against the FBI in a similar case. The judge ruled that the Government’s expansive use of the ‘All Writs’ Act (passed in the eighteenth century) did not include the ability to force Apple to write new software to break the ‘nine strikes and you’re out’ feature of older iPhones — the feature that prevents multiple tries at guessing passwords.

It’s almost certain that this case will eventually end up before the Supreme Court, as it places the reliable security of our mobile devices in conflict with the government’s desire to search them. The FBI claims that they will be really, really careful with these tools, but the mere fact that they exist means that they will leak. Here’s a somewhat radical comment on that likelihood.

Go here for a comprehensive guide to all the issues.

Tim Cook and the FBI will testify before Congress this afternoon.

Blackboard is getting more mobile

Blackboard has released the free version of their mobile app. Previously it came with a small charge, but the latest version is free for all WSU faculty, staff and students. It’s available for both major platforms, iOS and Android, in the usual places (iTunes App Store and Google Play Store). Your students can use it to check their grades and assignments, view documents and web links, and create discussion and blog posts. Instructors can also post announcements (handy if you’re snowed in or forgot to mention something in class), create and edit assignments (although not grade them), email your class or create new discussions.

To get it, just go to the relevant store and search for Blackboard Mobile Learn. Once it’s installed, open it and log in using your normal Wayne State credentials (yes, it’s safe–it goes directly to Blackboard).

Some FAQs about what you can do with it are here.

Celebrate National Cybersecurity Awareness Month by Protecting your Smartphone

OK, so NCSAM isn’t your favorite time of year. But if you were to lose your smartphone, and you hadn’t been careful with it, it would very definitely be your least happy time. And it’s not just the annoyance of having to get a new one, and reinstalling all that stuff…

For many of us, most of our life is accessible from our phones–from dates with our sweeties to bank account access to plane tickets–even blood pressure tracking and lists of meds. How much of that would you like to share with a phone thief? And make no mistake, Wayne State, like everywhere, is a good place for ‘Apple Picking’ (swiping a phone from someone’s hand while they are holding it out and looking at it).

What can you do? There’s a good website that C&IT provides. But the most important thing you can do is to lock your phone. Both iPhones and Android phones can be locked so that you need to type in a PIN before you can do anything other than call 911 (or, in the case of iPhones, take a picture). It’s mildly annoying, but you can set it so that the lock doesn’t take effect for some specified time, say fifteen minutes. That way you can reopen your phone right after you’ve closed it, if you’re like me and forget why you opened it in the first place, and only remember after you’ve closed it again.

In my next post I’ll talk about how you can remotely wipe your phone, so that even if someone breaks into it, they won’t find anything.

Watch a rerun of ‘Are you smarter than your smartphone?’

A couple of weeks ago I mentioned a web broadcast on securing your smartphone that we streamed on campus January 9. The webinar is now available online and you’re welcome to watch it any time. You can find it here:

https://educause.adobeconnect.com/_a729300474/p50gva8h48h/?launcher=false&fcsContent=true&pbMode=normal

If you weren’t able to make the ‘live’ broadcast, take some time to watch it–you’ll make your life a little safer. And while we’re at it, there’s going to be another one, on keeping your online reputation intact. More information will be coming soon, but meanwhile note that it is Wednesday, January 30, at 1 PM in Purdy-Kresge Auditorium.

January is Data Privacy Month, and we’re celebrating with web broadcasts on privacy

The cybercommunity has proclaimed January to be National Data Privacy Month, and, before you sigh and turn away, you might give some thought to how you are using your smartphone, and, more importantly, how others are using your smartphone. And I’m not just talking about your phone getting hacked or stolen, although both of those things are also real risks these days.

C&IT, through the national university computing organization EDUCAUSE, is streaming a national webinar entitled:

Are you smarter than your phone?

Wednesday, January 9, at 1 PM, in the Purdy-Kresge Auditorium.

There is no need to register–just show up. After the webinar, a few of us from IT will hang around to answer questions and get some dialog going on this topic.

Here’s the official blurb on the webinar:

Nearly everyone on a college campus today has a mobile phone, capable of accomplishing amazing tasks while on the go. But, how SHOULD you make use of your smartphone? You are smarter than your phone if you know that you need to make careful choices about using your geo-location feature. You might post a picture to Facebook while on your European trip if there are other people still living at your address back home. But, if your house is empty while you travel, you would be smarter to wait to post until you get home. Do you really want everyone to know you are out alone at midnight by “checking in” at your local donut shop? You are smarter than your phone if you use sound judgment about revealing your location. You’re smarter than your phone if you know you need to think critically about the sensitivity of the data you put on or access through your phone. Do you use your phone for banking, without password protecting the device? Your phone is happy to do it. But you are smarter than your phone if you protect it with a password. If you’re not thinking critically about what you do with your phone, we’ll help you think again!

Hope to see you there!

Now you have to watch out for QR Codes

What are QR codes? They’re those funny little blotchy squares you see all over the place. They are actually web addresses that you can point your smartphone at, and it will take you there. Many ads in magazines and billboards have them. They’re cool, and they’re handy. But now, they’re also risky. Who would have thought? A recent article on Dark Reading (a website for security geeks like myself) has the info:

http://bit.ly/usGhge

The PC is Dead. Zittrain says so.

I’ve been linking to lots of stuff lately, but this one I think should stir some comment here. It’s certainly stirred up a hornet’s nest on the web in general. See what you think:

The PC is Dead

Jonathan L. Zittrain (born 24 December 1969) is a US professor of Internet law at Harvard Law School and the Harvard Kennedy School, a professor of computer science at the Harvard School of Engineering and Applied Sciences, and a faculty co-director of Harvard’s Berkman Center for Internet & Society. He works in several intersections of the Internet with law and policy including intellectual property, censorship and filtering for content control and computer security. He founded a project at the Berkman Center for Internet and Society that develops classroom tools. (Wikipedia entry).