April 15 is coming, and so are the IRS scams

Most Wayne State folks have now received their W2 forms and are probably putting off thinking about submitting their income tax returns, so now is the time to start worrying about all the things that could go wrong.

As most readers will remember, Wayne State was one of a number of universities whose employees were hit with fraudulent returns last year. This happens when someone illegally files in your place, fiddling with the numbers so that they will get a refund. Generally speaking, when this happens you are not on the hook, but it can be a pain in the neck to get it sorted out and it will probably interfere with your filing for several years afterwards, so it’s a good idea to take actions that will reduce the likelihood of being a victim.

There is a limit to what you can do, but I’ve collected all the key safety steps here — the major step you can take is to increase your vigilance online. Do not share your Social Security number (which means it should never appear in an email or anywhere else other than where it is legally required [such as on your tax return]). And although your bank needs to know it, there is no reason it should appear on any bank website or on any paperwork you receive through the mail from your bank. Of course, it will appear in correspondence with the government (such as a dreaded letter from the IRS or correspondence with the state or city about taxes owed or a happy letter about refunds due).

The most effective positive action you can take is to file as early as possible (although a friend of mine posted on their Facebook page a couple of days ago that someone had already filed in their place). I realize it’s as American as apple pie to put it off till the evening of April 14, but it is a good defensive strategy to file really early.

Additionally, it is extremely important you do not let yourself get phished. Phishing (luring victims in with realistic-looking emails) is the most widely used weapon in identity theft. In fact, we will be doing one (or perhaps more) anti-phishing training sessions over the next couple of weeks. Our Chief Security Officer, Kevin Hayes, and I, your Chief Privacy Officer, have a roadshow we’ll be starting shortly. The first presentation will be on Feb. 10 at 1 p.m. in Bernath Auditorium. We’ll explain how phishing works and what you can do to fight back.

Two-factor authentication is coming to your phone (or other device)

As I’m sure you know, the internet is an increasingly dangerous place, and the most frequent source of compromised computers is people responding to phishing emails. The Security office at C&IT is working 24/7 to keep track of phishing and block people’s access to bad sites, but unfortunately it is just not enough, so C&IT is about to introduce two-factor authentication for certain WSU websites.

The danger with phishing is that people will log into websites that are not what they seem to be, and input their credentials (AccessID plus password). The bad guys running the phony websites then take those credentials and use them to log into sensitive Wayne State sites, like your bank direct deposit setup page, where they redirect your paycheck to a bank of their choosing. And yes, this has indeed happened recently to Wayne State employees. They also use those credentials to install bad stuff on your computer, which they then use to attack other computers within Wayne State.

Since people are easily fooled into clicking on things they shouldn’t, we’re also combating the problem from our end, by beefing up security on certain Wayne State websites—pages within Academica, like PayStub, Direct Deposit etc. We are introducing what is called ‘two-factor’ authentication. (The current system is ‘one-factor’ authentication, where you simply type your password, which is ‘something you know’ into a box). Two-factor authentication adds an additional layer of security by having you touch ‘something you have’1. Wayne State has contracted with Duo, a nationally-known Ann Arbor-based company to implement this additional layer.

How does it work?

If you have a smartphone (iPhone, Android, Windows Phone) you can download a free app on the device, and go through a simple registration process. You get the app in the usual way (from the App Store/Google Play etc., by searching for ‘Duo’). You go through a one-time set-up process, and after that, when you log in to the sites that WSU has protected through Duo, your phone will pop up an ‘Approve’ or ‘Deny’ button:

Duo on iPhone

If you push ‘Approve,’ Timesheet, Pay Stub, and a few other websites, such as native Banner2, will open up. There are additional wrinkles that can simplify your interaction with Duo–you can read about them here.

The process for other flavors of smartphone is the same. See here for Android and scroll down on this page for other devices.

If you would prefer not to use Duo’s app, you have many other choices. You can choose to receive a text message and then type that number into the website, or a phone call (where you can just press # as a response). And there are other ways to do it too. Details can be found here.

If you don’t want to use any device (smart phone, tablet, flip phone, computer) there are other ways to log on (contact the C&IT Help Desk for additional information).

For much more detail on how this works, go to our FAQ.

Many universities and other organizations with sensitive websites that everyone needs to access are moving in this direction. Normally it only adds one or two seconds to the time it takes to log on to Academica or Banner (C&IT employees have been using Duo for a few months, based on the cutely-named notion that we should ‘eat our own dogfood’).

As always, if you have questions you can contact the Help Desk, or you can add a comment below–I always read and respond to comments.

_______________________________________________________________________________________________

1 You can read about this way of classifying security methods on this website.

2 Technically you will need Duo whenever you access ‘Self-service Banner’. This includes facilities you access from Academica such as Pay Stub, Time Sheet, Direct Deposit, tax forms etc. In short, to get to any page within Academica that looks like this:

Self-service Banner image


What does the Yahoo Breach mean? Fix your password now!

You may have heard that Yahoo suffered a security breach which they revealed last week, although it’s not exactly clear when it happened, or even when they became aware of it. You probably don’t think this matters to you, but you might be surprised. There are some things you should do immediately, and some things you should do in the next few days.

First the facts: According to Reuters, at least 500 million (yes, half a billion) accounts were hacked. That means that user names, email addresses, telephone numbers, birth dates, and hashed passwords were all stolen (Yahoo said the vast majority were hashed with bcrypt, which slows down guessing but does not make a weak or reused password safe). Plaintext passwords, payment card data and bank account information were not taken. According to Bruce Schneier this is the largest breach in history.

Yahoo is claiming that the breach happened in 2014, and that they became aware of it recently, although some have questioned that claim.

So what does this have to do with you? First, if you know you have a Yahoo account, change the password now. Although they claim it happened two years ago, unless you’re sure you’ve changed the password since then, change it now.

Second, many other things are linked to Yahoo. For example, if you have a U-verse account, and use the email address associated with it, that’s the same set of credentials. The same for Flickr. Also, change the security questions (and especially the answers).[1]

Finally, if you used the same password for any other account, particularly your Wayne State email/Academica/AccessID account, CHANGE THE PASSWORD NOW!!! Especially if you have the same access ID (i.e. as I do, geoffnathan@yahoo.com)[2]

This is a good reason, unfortunately, for the annoying requirement for frequent password changes—people reuse passwords. On the other hand, if you use a password manager (like LastPass or Dashlane or KeePass) and let it generate a different password for every site, you don’t need to worry about it: a breach at Yahoo then exposes only your Yahoo password. You can read a discussion of the various password managers here.

Finally, check back here later in the week to hear about a new security measure C&IT will be implementing that will change the way you get to things like your pay stub, your time sheet and your direct-deposit information in Academica.


[1] This is a good time to reiterate that you should not use truthful answers to security questions. So if it asks you your mother’s maiden name, LIE. Nobody cares, and a made-up answer can’t be Googled, and isn’t on Facebook. Just make sure you record your answer somewhere where you can find it (a password manager’s notes field is a good place).

[2] And, before you can get smart with me, as I am writing this I have already changed it.

Anatomy of a Phishing Onslaught

Recently Wayne State University was attacked, a small skirmish in a diffuse, ongoing cyberwar, albeit without a single, defined enemy. This is an account of what happened, why it happened, and how the university responded. I have tried to make the explanation of each event relatively non-technical, but a certain amount of geekery seems unavoidable.

On May 11, at 9:48 in the morning 182 University computers received an email message from a computer belonging to a local contractor who was doing work on the WSU campus. The message had the subject line ‘invoice’, and the text of the message said merely ‘Check invoice’. There was a zip file attached. A zip file is a data file that has been ‘compressed’ so it can travel more easily over the tight ‘passages’ of the email system. It’s a perfectly respectable way of making large files (such as pictures, pdf files and such) fit within email size limits.

However, when the recipients opened the file labeled ‘invoice123.zip’ it extracted into a file named ‘e9058.pdf’, which showed up on the screen with a (blurry) copy of the Adobe Acrobat logo as its icon, making it look like a real pdf. The icon travels with the file, so it proves nothing about what the file actually is. When the recipients with Windows computers (but notably not Macs or Linux machines) then ‘opened’ the pdf file, the following things happened:

  1. that person’s computer connected to some external websites,
  2. from which it then downloaded additional malware, which proceeded to search their computer for personal banking logins;
  3. it then connected to remote ‘command and control’ servers, passing control of the computer overseas;
  4. finally it looked in the local Outlook address book and used it to send the infecting email message to addresses it found there.
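The lesson of the disguised ‘pdf’ is that a file’s name and icon tell you nothing; only its contents do. The following added example (not C&IT’s tooling, and the sample zip is constructed here, not the real attachment; only the member name ‘e9058.pdf’ is taken from the account above) shows the kind of content check a mail gateway or a cautious user can apply: open the zip, read the first bytes of each member, and compare what the bytes say the file is with what the name claims. An executable carrying a .pdf name is blocked whatever it is called, and an encrypted member, which cannot be inspected at all, is treated as hostile.

```python
"""Attachment triage: judge zip members by their contents, not their names.
Added example with constructed data; not the file from the incident."""
import io
import zipfile

# Leading bytes that identify the real content type
MAGIC = [
    (b"MZ", "windows-executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf-executable"),
]
# Extensions Windows will run on double-click, even when hidden behind 'invoice.pdf.exe'
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta", "lnk"}
# What the contents of a document with this extension should sniff as
EXPECTED = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "pptx": "zip", "zip": "zip"}


def sniff(head: bytes) -> str:
    """Classify a file by its first bytes; 'unknown' for plain text and anything else."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_zip(data: bytes) -> list:
    """Return one (member, extension, actual_type, verdict) tuple per zip member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower().rsplit("/", 1)[-1]
            ext = name.rsplit(".", 1)[-1] if "." in name else ""
            if info.flag_bits & 0x1:  # encrypted member: cannot be scanned, so block it
                findings.append((info.filename, ext, "encrypted", "block"))
                continue
            with zf.open(info) as fh:
                actual = sniff(fh.read(8))
            if ext in EXEC_EXTS or actual.endswith("executable"):
                verdict = "block"  # runnable content or a runnable extension
            elif ext in EXPECTED and actual != "unknown" and actual != EXPECTED[ext]:
                verdict = "block"  # contents do not match the claimed document type
            else:
                verdict = "allow"
            findings.append((info.filename, ext, actual, verdict))
    return findings


def build_sample() -> bytes:
    """Constructed lookalike of the attachment described above (not the real file)."""
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n"
    real_pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("e9058.pdf", fake_exe)      # executable wearing a .pdf name and icon
        zf.writestr("statement.pdf", real_pdf)  # genuine PDF for comparison
        zf.writestr("notes.txt", b"hello")      # harmless text
    return buf.getvalue()


if __name__ == "__main__":
    for member, ext, actual, verdict in inspect_zip(build_sample()):
        print(f"{member:15} claims={ext:5} actual={actual:18} -> {verdict}")
```

Renaming the payload (the second-day attack used different attachment names) does not get past this check, because the ‘MZ’ header is what is being looked at; that is also why the temporary block on all zip files was a blunter but faster instrument.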

It took about an hour for the first three computers to get infected, but the attack was discovered by the C&IT Security office after the second computer began spreading the virus. Between the time that the second computer was detected and when it was shut off the network, seven minutes elapsed, and during those seven minutes that computer sent out 4462 virus emails.

By the time the third computer was infected, C&IT’s security office was able to take action to stop the further spread of the virus. A set of filters on the WSU email system blocked transmission of the zip file, but by noon 150 computers had been infected, and 111 of them were sending out email with the attached zip file.
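The seven minutes and 4462 messages above are what an outbreak looks like in a mail gateway log, and they suggest two simple detections: a sender that suddenly sends far more than usual in a short window, and a single attachment name that fans out from several internal senders at once (the worm-like second hop). The following is an added example run over constructed log lines; it is not C&IT’s tooling, and the one-line-per-message log format is an assumption made for the illustration.

```python
"""Outbreak detection over mail-gateway logs: per-sender bursts and attachment fan-out.
Added example with constructed log lines; the log format is an assumption."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) sender=(?P<sender>\S+) rcpts=(?P<rcpts>\d+) attach=(?P<attach>\S*)$"
)


def parse(line: str):
    """One log line -> (timestamp, sender, recipient count, attachment name) or None."""
    m = LINE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["sender"], int(m["rcpts"]), m["attach"]


def find_bursts(lines, window_s: int = 600, max_msgs: int = 20) -> dict:
    """Sliding window per sender: record the moment a sender exceeds max_msgs within window_s."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, sender, _, _ = rec
        q = recent[sender]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_msgs and sender not in alerts:
            alerts[sender] = ts
    return alerts


def find_fanout(lines, domain: str = "wayne.edu", min_senders: int = 3) -> dict:
    """Same attachment name sent by >= min_senders distinct internal senders: worm-like spread."""
    senders = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or not rec[3] or not rec[1].endswith("@" + domain):
            continue
        senders[rec[3]].add(rec[1])
    return {attach: sorted(s) for attach, s in senders.items() if len(s) >= min_senders}


def sample_log() -> list:
    """Constructed: the inbound seed, a normal user, one infected host blasting
    invoice123.zip every ten seconds, then two more hosts picking it up."""
    lines = ["2015-05-11 09:48:00 sender=office@contractor.example rcpts=182 attach=invoice123.zip"]
    for i in range(5):
        lines.append(f"2015-05-11 10:{i * 7:02d}:00 sender=jdoe@wayne.edu rcpts=1 attach=")
    for i in range(40):
        m, s = divmod(52 * 60 + i * 10, 60)
        lines.append(f"2015-05-11 10:{m:02d}:{s:02d} sender=infected1@wayne.edu rcpts=25 attach=invoice123.zip")
    lines.append("2015-05-11 11:02:00 sender=infected2@wayne.edu rcpts=30 attach=invoice123.zip")
    lines.append("2015-05-11 11:05:00 sender=infected3@wayne.edu rcpts=30 attach=invoice123.zip")
    return lines


if __name__ == "__main__":
    log = sample_log()
    for sender, when in find_bursts(log).items():
        print(f"BURST  {sender} at {when:%H:%M:%S}")
    for attach, who in find_fanout(log).items():
        print(f"FANOUT {attach} from {', '.join(who)}")
```

The burst rule fires on the 21st message in under four minutes, long before a host could send thousands; the fan-out rule is what distinguishes a worm from one person with a large mailing list, and it is the signal that justifies a gateway filter on the attachment name.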

You might wonder why our Symantec antivirus software didn’t detect the infection when the attachment was opened. The answer is that Symantec (like most antivirus products) relies mainly on known virus ‘signatures’ (identifying features), and this was a brand new sample never before seen ‘in the wild’ (often loosely called a ‘zero-day’, although strictly that term refers to an unpatched vulnerability rather than a new piece of malware). It takes the antivirus people a day or so to develop the specific signature for each new sample and distribute it to their users, and a sample that has not been seen yet has no signature to match.

In addition, because the virus relied on Outlook address books, people got email from people they knew, who did occasionally send them invoices.

The spread of the virus was effectively stopped by 11:50. Our security team isolated it and determined that it was connecting our computers to Serbia and Ukraine. The Security team then set the university firewall to block connections there, and identified all of the infected computers.

In order to clean up the infection those machines maintained by C&IT (i.e. managed by the DeskTech unit) were reformatted, and outside of the DeskTech domain local administrators were given guidance on how to clean the machines under their control.

In addition, within the DeskTech domain a program called AppLocker was turned on. This prevents computers from running software that does not have an appropriate publisher signature, or that is installed in nonstandard places on a computer (i.e. not in Program Files or Windows). Malware dropped into a user’s profile folder fails both tests, which is why it blocks this kind of attack. Unfortunately it also broke a number of specialized programs that various people around campus relied upon, and special rules had to be written to fix this.

By the evening only a few infected computers were not yet fixed, and the original attacker used that to their advantage. Overnight new instructions were passed down to these few straggling machines, and the next day a new attack was launched, sending attachments with different names, but the same modus operandi. These were blocked within 20 minutes of the first occurrence, but to ensure no further attacks, there was a temporary block placed on all zip files sent through the email system. Since there are many legitimate uses of zip files, this block will be ended shortly.

Meanwhile, everyone who was affected was required to change their WSU passwords. Careful examination of system logs showed that four of those AccessID’s were tried from Russia (while their owners were at work on campus) but none of the logins succeeded, so apparently no passwords were compromised.

What can we learn from this adventure?

The faster the IT security guys can act the less harmful the infection. Forwarding suspicious emails to the Security Office (or dragging them to the Phishing applet in Wayne Connect) is valuable. A delay of even an additional hour could have been catastrophic for the campus.

Smooth coordination between the security office and desktop support enabled the spread of the infection to be halted quickly.

We continually remind folks not to click on attachments they don’t expect from people they don’t know. Now we need to modify this—don’t click on any attachment, regardless of sender, unless you are sure it is safe. The text of the email message should reference the content of the attachment and you should be expecting that content. If it doesn’t either phone the sender or just delete it.

Finally, if you’d like to learn more about how to resist phishing attempts, you can take the anti-phishing training we make available through Accelerate, HR’s online training system. To get there, log in to Academica, then search for ‘Accelerate’ in the search box (unless you’ve already been there, in which case it should show up in your personalized links). Start Accelerate, then Browse the Catalog, C&IT Security Awareness Program, and finally PhishProof (Part 3), Launch.

This month, learn not to get phished!

As you’ve heard, this month is National Cyber Security Awareness Month. Wayne State has decided to celebrate by helping folks develop awareness of phishing techniques. By now everyone should be familiar with phishing (note I don’t even use ‘scare quotes’ to mark the word). But even though we read about it in the papers, and online, a scary number of our colleagues got phished in the past twelve months. Some of them were tricked into getting their direct deposit checks rerouted to a pop-up bank in Nigeria (really!) while others got their computers infected and had to have them reformatted, occasionally losing the data stored on them. And yes, I’m talking about our Wayne State colleagues, not people somewhere else.

C&IT has developed a quiz designed specifically for the Wayne State community. It is intended to help you recognize the warning signs in a phishing message. We’re hoping that heightened awareness and some training (hidden in the quiz) will help protect not only you, but the entire WSU community.

We will be sending out an invitation by email to participate in the ‘survey’. Every completed quiz will be automatically entered in a drawing to win one of two prizes. Students are eligible for a $100 gift card to Barnes & Noble. Employees are eligible for a Wayne State prize pack. Winners will be notified in early November.

My next blog will include specific tips on how to recognize phishing email messages, such as hovering over any links to see whether what pops up matches the text you can see (and also whether, if it’s claiming to come from Wayne State it has a .wayne.edu address).

So watch your mailboxes for more on this topic.

More goofy password and security stories

We’ve all heard the terrible story about Target’s sloppiness with our credit card data. And one writer for the New York Times says:

Stop asking me for my email address

On the other hand, we now know that the password for the nuclear launch codes was never reset from ‘00000000’. Anything else was hard to remember.

I’m not making this up

Finally, a competitor to TheOnion1 suggests that the NSA has other fish to fry now that they have access to all Americans’ emails:

The NSA combats insensitive emails

Happy New Year from Proftech.

———————————————————————–

1For those who are unfamiliar with TheOnion, it is a satirical news website. Lightly Braised Turnip is similar.


Oxford University Blocks Google Docs

There was an uproar among the university IT security professionals around the world yesterday. Oxford University (yes, that Oxford) blocked access to Google Docs from its campus on Monday.

In case you haven’t heard of it, Google Docs is a very powerful online collaboration tool. You can treat it like an online word processor or spreadsheet, which you can then access from anywhere you can log in to Google (i.e. from any computer anywhere in the world, or from a tablet or smartphone).

But you can also use it to collect data from the web. You can set up a Google Docs form, which you can then publish, and people can visit it and fill out the form, and you’ll get a spreadsheet with all their data. So, for example, you could do an online course evaluation–set up some questions, give your students the URL (web address) and they can fill it out. It does not record who fills it out (assuming you’ve set it up that way), so responses are anonymous. Last semester I set up an informal mid-semester course evaluation because I was teaching a new course in a subject that was new to me (Computers and Linguistics), and the feedback was very valuable. Many faculty around the world are using it for that, and for many other purposes.

However, phishers around the world are using it for something else–they make a form look like a log-in screen from the university’s Help Desk, and ask people to enter their AccessID and password. This gives them a nice database of university credentials, which can then be used to take over (in webspeak, pwn) many university-based machines. Those can then be used to run spam campaigns.

Wayne State received such an attack a couple of weeks ago, and we advised anyone who asked us to tell Google about it. They will respond by taking the form down (there is a ‘report abuse’ button on every form).

So what happened at Oxford? The IT security folks there thought it was taking Google too long to react to complaints (a day is way too long–you could collect hundreds of sets of credentials by then), so they thought they’d teach the Oxford community a lesson by temporarily blocking all access to Google Docs. You can read their (very long, but entertaining) message here. As you might expect, this caused considerable consternation on the Oxford campus, and around the world. I subscribe to a security listserv and there was a flurry of posts either approving or not of Oxford IT’s decision. It later got picked up in other university news sources, such as Inside Higher Ed and the Chronicle of Higher Education.

Take-away: phishing is getting more sophisticated. NEVER put your credentials into a link provided in an email, not even ‘from’ C&IT.

The access to your email is NOT suspended

Many people today got an email message warning them that access to their email had been suspended. This is, of course, phishing.

The message looked like this:

Phishing Email

It encourages you to click on a link which will take you to a Google Doc which looks like this:

Google Docs phishing site

Needless to say, don’t fill it in. In fact, don’t even click on the link in the first place. Unfortunately, this particular brand of phishing, which uses Google’s resources, can’t be blocked at the network level, because the form lives on the same Google servers that lots of us use for perfectly legitimate purposes; it has to be reported to Google and taken down instead.

Ultimate lesson: never click on a link in an email and then enter your Wayne State AccessID and password. Wayne State will never send you a log-in link. Instead we will tell you to type in the address or use your bookmarks. That way you always know where in cyberspace you are.

October is National Work and Family Month and…

Filipino American History Month  (not to mention LGBT History month )
and several other months too. And October 27 is National Pit Bull Awareness Day

But, seriously, folks,  it’s also National Cyber Security Awareness Month, and C&IT is taking the occasion to ‘raise awareness’ of phishing as an internet danger.

Most people now know what phishing is: an attempt by crooks to get you to visit a website or download a file to your computer that will infect your computer (or your smartphone, or tablet) and either steal data from it or use it to send additional spam, or even help launch Denial of Service attacks.

In 2012 most users have no idea what their computer (tablet, smartphone) is doing ‘behind their backs’. For example, tiny files are deposited on your computer all the time when you visit websites (these files are called ‘cookies’, and they make it easier for you to log in to Wayne Connect, or order stuff from Amazon, or buy airline tickets). Unless you’re geeky, like some of my colleagues, you have no idea what cookies your computer might be harboring, and that’s generally not a danger.

But some websites put much more malicious items on your computer. For example, programs that snatch control of your computer and use it to send out spam. Even porn-based spam. Or the program might send out tens of thousands of messages to a particular, targeted website (say Walmart, or the White House). If enough infected computers do this, the net effect is to break the targeted website so it can’t function. These attacks are called Distributed Denial of Service (DDoS) attacks, and programs downloaded without your knowledge are used to do this.

Another way that your computer can be seized (metaphorically) is through opening attachments that are designed to do the same thing–surreptitiously put programs on your computer. And we all get messages saying things like ‘please see the attachment for important information’ or something like that.

Now, you may think you’d never fall for these tricks, but in early September several of your Wayne State colleagues did, and their computers were ‘pwned’ (cute internet slang for ‘taken over by cybercrooks’) and sent out tons of spam. As a result all of Wayne State email was marked as spam by Microsoft (who run Hotmail and its successors), and nobody at Wayne could contact anyone with a Hotmail or .msn address. Many of us were handicapped by this until we could persuade Microsoft that we were good guys after all.

So, C&IT is going to be running a campaign to teach folks how to recognize phishing messages and what to do when you receive one. And this blog entry is one of the opening salvos in that campaign. Anticipate hearing lots more about this, including an exciting contest with clever prizes.
And happy National Bullying Prevention Month.

There is no ‘WSU news forum’–don’t click!

You probably got an email from ‘Technical Support’ or ‘Helpdesk’ telling you to log in to the WSU news forum. And there was a link. And, if you weren’t reading really closely, you didn’t notice that it didn’t have a .wayne.edu address, so you clicked on it.
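The check described here, and in the earlier promise to show how hovering over a link reveals where it really goes, can be written down. The following added example (not C&IT’s code; the sample message is constructed, and the example.net and 198.51.100.7 addresses are documentation placeholders) pulls every link out of an HTML message and applies the two rules from the post: does the real destination sit under wayne.edu, and does the address the link shows match the address it goes to. It also catches the two tricks that fool a quick glance: a host that merely begins with ‘wayne.edu’ (wayne.edu.example.net is not Wayne State) and a user-name prefix such as ‘wayne.edu@’ in front of the real host, which urlparse strips off.

```python
"""Check links in an HTML email the way the post says to do by hand.
Added example; the sample message is constructed."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "wayne.edu"


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", "") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str):
    """Real host of a URL; urlparse drops user-info such as 'wayne.edu@' and lowercases."""
    return urlparse(url.strip()).hostname


def is_ours(host) -> bool:
    """True only for wayne.edu itself or a real subdomain of it."""
    return host == OUR_DOMAIN or (host or "").endswith("." + OUR_DOMAIN)


def shown_host(text: str):
    """If the visible link text looks like an address, return the host it claims."""
    t = text.strip().lower()
    if "://" in t:
        return host_of(t)
    if "." in t and " " not in t and "@" not in t:
        return t.split("/")[0]
    return None


def check_links(html: str) -> list:
    """Return (href, text, reasons) for every link; an empty reasons list means it passed."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        host, reasons = host_of(href), []
        if host is None:
            reasons.append("no host (javascript:, mailto: or relative link)")
        else:
            try:
                ipaddress.ip_address(host)
                reasons.append("raw IP address")
            except ValueError:
                pass
            if not is_ours(host):
                reasons.append(f"not under {OUR_DOMAIN}")
            shown = shown_host(text)
            if shown and shown != host:
                reasons.append(f"text says {shown} but link goes to {host}")
        findings.append((href, text, reasons))
    return findings


# Constructed sample message: three phishing links and one genuine one.
SAMPLE = """<p>Your mailbox is almost full. Please
<a href="http://wsu-helpdesk.example.net/login">login.wayne.edu</a> to keep access.</p>
<p>Or use <a href="https://wayne.edu.example.net/">the WSU news forum</a>.</p>
<p><a href="http://198.51.100.7/verify">Verify account</a></p>
<p>Real link: <a href="https://academica.wayne.edu/">Academica</a></p>"""

if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE):
        print(("FLAG " if reasons else "ok   ") + href, "|", text, "|", "; ".join(reasons))
```

Even a link that passes these checks deserves the advice in the post: type the address or use a bookmark rather than clicking, since a genuine wayne.edu page that has itself been compromised would pass every test here.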

If you’re lucky, as I was, nothing happened. This particular piece of phishing doesn’t seem to come with anything REALLY bad, but still, it’s a scam, so don’t get taken in.

DON’T CLICK ON IT!!!!!