As you’ve heard, this month is National Cyber Security Awareness Month. Wayne State has decided to celebrate by helping folks develop awareness of phishing techniques. By now everyone should be familiar with phishing (note I don’t even use ‘scare quotes’ to mark the word). But even though we read about it in the papers, and online, a scary number of our colleagues got phished in the past twelve months. Some of them were tricked into getting their direct deposit checks rerouted to a pop-up bank in Nigeria (really!) while others got their computers infected and had to have them reformatted, occasionally losing the data stored on them. And yes, I’m talking about our Wayne State colleagues, not people somewhere else.
C&IT has developed a quiz designed specifically for the Wayne State community. It is intended to help you recognize the warning signs in a phishing message. We’re hoping that heightened awareness and some training (hidden in the quiz) will help protect not only you, but the entire WSU community.
We will be sending out an invitation by email to participate in the ‘survey’. Every completed quiz will be automatically entered in a drawing to win one of two prizes. Students are eligible for a $100 gift card to Barnes & Noble. Employees are eligible for a Wayne State prize pack. Winners will be notified in early November.
My next blog will include specific tips on how to recognize phishing email messages, such as hovering over any links to see whether what pops up matches the text you can see (and also whether, if it’s claiming to come from Wayne State it has a .wayne.edu address).
Several folks asked me how to go about making sure you are you, and not your license plate. I’m going to give some detailed instructions here to help. This assumes you are using the Web-based version of Wayne Connect, through Firefox, Internet Explorer, Chrome or Safari. If you use Outlook, Mac Mail or Thunderbird you’ll need to use a slightly different procedure.
First, make sure that your normal return address is your real name. You do this by going to ‘Preferences’ on the top menu and selecting ‘Accounts’.
On the right you will see Primary Account Settings.
Put your preference for how your name will be displayed in the two left-hand boxes and click Save (at the top of the screen). Now what you have chosen as your name will always show up as the sender, whether you use your license plate or not.
If you need to keep a license plate return address (say because you are subscribed to a listserv with that address) you need to establish a Persona. This is essentially an alias that you can choose before you send a message.
To do this, click the ‘Add Persona’ button, and you will see this:
Choose the address you need to establish (normally your license place) from the drop-down menu on the right. Click the appropriate boxes (When replying to…), give it a name, and click Save.
Then, whenever you send a message (and particularly when you are writing to a listserv which uses your license plate ID) you will see a little drop-down box in the ‘From’ area.
Now, every time you send an email you have the choice of which return address to use.
One more thing. Just today I got a message with lots of unidentified license plates. In fact, there were probably fifty out of maybe a hundred addresses in all. Mine was one of them–I have no idea why (this was neither a ‘reply’ nor any other automatic isertion of addresses). That’s what I’m talking about….
Most people now know what phishing is: an attempt by crooks to get you to visit a website or download a file to your computer that will infect your computer (or your smartphone, or tablet) and either steal data from it or use it to send additional spam, or even help launch Denial of Service attacks.
In 2012 most users have no idea what their computer (tablet, smartphone) is doing ‘behind their backs’. For example, tiny files are deposited on your computer all the time when you visit websites (these files are called ‘cookies’, and they make it easier for you to log in to Wayne Connect, or order stuff from Amazon, or buy airline tickets). Unless you’re geeky, like some of my colleagues, you have no idea what cookies your computer might be harboring, and that’s generally not a danger.
But some websites put much more malicious items on your computer. For example, programs that snatch control of your computer and use it to send out spam. Even porn-based spam. Or the program might send out tens of thousands of messages to a particular, targeted website (say Walmart, or the White House). If enough infected computers do this, the net effect is to break the targeted website so it can’t function. These attacks are called Distributed Denial of Service (DDOS) attacks, and programs downloaded without your knowledge are used to do this.
Another way that your computer can be seized (metaphorically) is through opening attachments that are designed to do the same thing–surreptitiously put programs on your computer. And we all get messages saying things like ‘please see the attachment for important information’ or something like that.
Now, you may think you’d never fall for these tricks, but in early September several of your Wayne State colleagues did, and their computers were ‘pwned’ (cute internet slang for ‘taken over by cybercrooks’) and sent out tons of spam. As a result all of Wayne State email was marked as spam by Microsoft (who run Hotmail and its successors), and nobody at Wayne could contact anyone with a Hotmail or .msn address. Many of us were handicapped by this until we could persuade Microsoft that we were good guys after all.
So, C&IT is going to be running a campaign to teach folks how to recognize phishing messages and what to do when you receive one. And this blog entry is one of the opening salvos in that campaign. Anticipate hearing lots more about this, including an exciting contest with clever prizes.
And happy National Bullying Prevention Month.
Those of you familiar with British sitcoms might be aware of the show The IT Crowd, about an IT support office for a huge but mysterious company. Their catchphrase is the title of this blog. The reason I’m bringing this up is that C&IT is going to do just that this coming Sunday. Everything you know and love will go away from midnight Saturday night till 10 AM Sunday morning, and this blog is intended to provide a sense of why this is being done and what effects it will have.
As you might imagine, C&IT has hundreds of servers, running Pipeline, Blackboard, Banner and even each other. The last bit is because much of the C&IT infrastructure runs on virtual machines rather than having one operating system per machine, and there is also complex load balancing going on. When there are thousands of people visiting Blackboard at the same time a ‘traffic cop’ assigns them to different routes to the basic Blackboard files.
Consequently, the electrical power demands of these hundreds of units are very large, and require a very elaborate system to assure continuous power. The system includes an enormous battery back-up system, and beyond that, a natural gas-powered generator to power the entire building independently when power problems occur. All this is necessary to deal with the vagaries of electrical supply in the city of Detroit, especially during the peak-demand summer months.
The electricity comes into the primary room to the un-interruptable power supply (UPS) system and is then routed to power distribution units (PDU’s) where the power is transformed from 480 volts to 208 volts before being distributed through panels that are similar to the circuit breaker panels in your basement. Over the years the number of servers has increased, and it’s time to rewire the PDU’s in order to make sure that servers are connected redundantly to the PDU’s and subsequently the breakers. But, as you know if you’ve ever thought about doing this at home, you need to shut off the entire power supply before you touch anything. So, early on Sunday morning (specifically 12:01 AM) we’ll start shutting down all the computers. Because they are all interconnected, this is a complex and slow process. Then the electrical guys will do the rewiring, and finally we’ll turn it all back on again, which is again, a very slow and careful process. This is why we’re allocating ten hours for the complete change. It’s possible it will take less time, but just to be sure, we’re being very cautious.
So, everything you normally use (Blackboard, Pipeline, Banner, Wayne Connect email…) will be turned off between midnight and 10 AM Sunday morning. We’re hoping, because the university is closed Monday in observance of Martin Luther King Day, that this will not be too disruptive.
VPN (it stands for virtual private network) is a facility available to all Wayne State faculty and staff. It’s accessed via the website vpn.wayne.edu and it helps keep your computer and your files safe when you’re on the road. It’s a special, secure kind of connection that you set up to Wayne’s networks from wherever you happen to be in the world.
Wayne State’s campus network is protected in various ways—firewalls, intrusion detection software and other technical thingammies. Consequently, it’s a relatively safe place to play. Chances are good that people aren’t rooting around in your computer (presuming you haven’t been visiting websites you shouldn’t, or downloading iffy attachments, but, this being National Cyber Security Awareness Month, I hardly need remind my readers of that), and you don’t have someone electronically looking over your shoulder while you type.
However, when you connect your laptop or similar device to a network outside of Wayne, you can’t be completely sure that your connection is safe. That’s why we have the VPN1. The VPN sets up a virtual tunnel from your computer into the Wayne State network and your computer then behaves as if it were on the Wayne State network. Furthermore, anything that requires that you be on that network will act as if you were. So if you need to connect to Banner, Cognos, or access a Library resource restricted to Wayne faculty and staff, you can do so wherever in the world you are.
What is a virtual tunnel? Every communication (mouse click, typed item, etc.) that leaves your computer when you’re on the VPN is encrypted. That means it’s turned into an unbreakable2 cipher that is unscrambled back at Wayne State.
To get started, go to the VPN website (vpn.wayne.edu) and log in. The screen will then look something like this:
From here you can access websites and file storage sites on the Wayne campus that are restricted to the Wayne network (for example, C&IT has a fileserver that can only be accessed in that way, and your department or college might have one too).
Much more useful, however, is the Network Connect button on the lower left (circled on the above screenshot). If you click the Start button (lower right) a program will begin to run on your computer, setting up a secure tunnel with the Wayne network. A small lock-shaped3 icon will appear on the lower right of your screen (if you’re a PC person)
or, if you use a Mac:
and you can now access Wayne resources wherever you are. That includes being in countries where internet usage is monitored or even restricted by the government. When I was in China in July I used it to access not only my Wayne State email, but also CNN, Facebook, and Google, all of which would otherwise have been blocked.
In general it’s a good idea to use the VPN whenever you are doing anything that might be risky if intercepted—not only reading your mail but logging on to your bank account or credit card site, since it encrypts all traffic, regardless of whether the other end is at Wayne or not.
Running the VPN ‘client’ (program) may cause some programs to behave somewhat oddly. For example, I use AOL’s Instant Messaging program, and it complains that I’m logged on in two places at once, but that doesn’t seem to be a problem–just log off in one of them.
When you are finished, right click on the little bug icon and select End Session and also go back to the web page for the VPN and click Sign Out.
1 For the technically minded among us, this is an SSL VPN. You can read the details on how it works here.
2 Well, actually it’s probably not completely unbreakable. If you have the resources of the National Security Agency or the Chinese or Russian equivalent you could probably break it, given enough time. But for the average citizen there’s probably little need to worry.
3 Until I wrote this blog I thought it was a picture of a bug, but when I inserted the above image, which is larger than it appears on the screen down in the bottom right corner, it turns out it’s a lock with things that look like antennae.
In a very scary story covered in the Chronicle of Higher Education last week a world-renowned cancer researcher was demoted from Full to Associate Professor by UNC Chapel Hill for failing to keep her servers patched.
Yes, you read that right.
I’ll summarize briefly here, but the full story can be found in these links:
Professor Yankaskas was running a large, NIH-funded research project on breast cancer, part of a national consortium. Apparently the server on which her data was stored was not properly patched (meaning the operating system hadn’t been kept up to date) and, as a result, it was hacked (electronically broken into). It’s not clear whether the data (which included names, addresses and social security numbers) was actually taken, but the University notified all the subjects in any case.
The exact details of what happened are a little unclear, but it seems that her techie assistant had not been doing his/her job properly, and the Provost held her responsible and tried to fire her. A faculty committee recommended a lesser punishment, which ended up being this demotion (with accompanying reduction in pay). She is fighting the decision.
Discussion on the web of whether she is being treated fairly is inconclusive, and we don’t know enough of the details to be able to tell exactly what happened when. But this should be a wake-up notice to everyone at Wayne (or anywhere else) who keeps sensitive research data on a computer. Do you know whether the machine is appropriately protected? Is its operating system up to date? Does it have a firewall enabled? Does it have Symantec Endpoint Protection installed (if it’s a Mac or Windows PC–see previous post)?
The take-away here is not that that administrators can be mean-spirited bullies (although some commenters seem to think so), or that faculty are goofy airheads who can’t be trusted to maintain their own machines (although different commenters are saying that). The main point is that we all need to take responsibility for ensuring the data we are collecting is properly secured, especially if it is sensitive data that we have promised HIC we will be careful with it.
How much do you use your office phone? Does anyone ever call you there? Do you call anyone from there? Do you have a cellphone? Do you need a distinctive Wayne State phone number?
These are questions Wayne State and other universities are starting to wrestle with as the landscape of telephone technology changes out from under us.
Like most large organizations, Wayne has a telephone system that operates over copper wire, sending analog signals that are routed via switching stations. Chances are the system in your home no longer works that way. You may have migrated your telephone service to VOIP (‘voice over IP’) where the telephone signal travels over the Internet, just like e-mail and web pages. If you have Comcast or AT&T phone service your home phone probably works this way now, and you probably didn’t notice much difference in voice quality (it probably is a little better with a digital connection).
C&IT, which is responsible for the phone system, has been throwing around the idea of switching to a VOIP system, at least in limited contexts. The advantage to VOIP phones is that they essentially work through a computer, so they can be configured to do much more interesting things than just ring. For example, VOIP systems come with an integrated voicemail facility. But the voicemail doesn’t just sit on a server somewhere. It can be configured to be turned into an e-mail message and sent to you as an attachment (usually a .wav file, for the technically inclined). Then you could check your e-mail, double-click on the attachment, and hear the message.
Another thing you could do would be to tell your phone account to forward any calls to your cellphone, or your home phone, or your Google phone number (if you have one–that’s another subject).
So, suppose we install such a system at Wayne. If you have a computer in your office you could get any messages as fast as e-mail can deliver them. Or you can have your calls routed to your cellphone and be able to pick up anywhere you happen to be. You could even configure the system in more fine-grained ways. You could have your ‘office’ number routed to your cellphone from 9-5, Monday to Friday, and routed to voicemail the rest of the time. Given all of this, do you still need a physical phone in your office? Currently you (or your chair, or your dean) pays a lot per month for a phone in your office, a phone which is silent almost all the time if it’s anything like the phone in my English office. So who needs it? What if you (or whoever’s responsible) were to pay a lot less for a ‘virtual phone’ like the one I described in the previous paragraph?
Geoff Nathan is a Professor of Linguistics in the English Department, and the Faculty Liaison to C&IT, a dual role he has held since 2002. For almost fifteen years he has schooled himself in the technology, politics and sociology of university computing. In addition to serving on the C&IT Leadership Team he is active in the national university computing organization EDUCAUSE.
ProfTech will have several goals. I expect to serve as a conduit to and from C&IT on issues of importance to Wayne, and especially with respect to faculty. I hope to highlight aspects of C&IT’s services that might be of interest to faculty, explore new technologies and also convey your concerns in these areas to C&IT’s management team. In addition I will talk about some of the issues facing IT nation- and world-wide. Many of these issues have larger ramifications in philosophy, politics and lifestyles, and I follow these developments and wory about how they affect academia.
Under most circumstances I will welcome comments on my blog, with the sole restriction being that civility should be maintained.