Tuesday, December 19, 2023

Christmas and Winter Break (for faculty and staff)

Hello Faculty and Staff:

With only a few days remaining before Christmas and New Year's break, we are providing a checklist of tasks you might do to prepare you, your accounts, and your offices before you leave!

Communication with students and customers

Tips for your away messages. Include when you will be back or whether and how often you are checking your messages. Be careful with the wording of your message since it will be playing before, during, and after Christmas and New Year's.

Power savings for individual offices

  • Unplug or turn off any power strips. 
  • Unplug any AC adapters. AC adapters still draw some energy even if they are not in use. These are sometimes called "electricity vampires."

Power savings for the office suite

 If you are the last one out of the office...
  • Shut down your office copier and printer. Unplug them too!
  • Empty out, clean out, and unplug your office fridge. Depending on your office, this is not for the faint of heart :-). Open a ticket or call Physical Plant if you need assistance with this, especially if you have a fridge that requires defrosting.
  • If you have a thermostat in your office, turn it off or set it to medium. Building HVAC systems will be placed into "unoccupied" mode during the break unless an office has made arrangements with Physical Plant to stay open.

Friday, October 6, 2023

userid.malone.edu shutdown

Hello Students, Faculty, and Staff:

It has been about a year since we started moving our Single Sign On [SSO] system to Microsoft Azure AD (now rebranded/marketed as Microsoft Entra ID). Just a few weeks ago, we successfully transitioned the last service still using the old one. Now it is time to say goodbye to https://userid.malone.edu.

On Tuesday, 10 October 2023 at 10:10am - that's 10/10 at 10:10 - we will turn off the old userid system. 

We took a look at the logs and nearly 300 of you have logged into the old SSO system in the past two weeks. This means that you are logging in only to have to log in a second time to the new SSO system. That is too many logins!!

Update your bookmarks!

Take a look in your web browsers and phones. You will want to remove or update any bookmarks to userid.malone.edu. We recommend that you instead bookmark Malone Xpress at https://jics.malone.edu or https://myapps.microsoft.com, the Microsoft SSO page that is roughly the equivalent of the old userid system.

Questions?

We can help! Reach out to us via the web at https://helpdesk.malone.edu or by phone at 330.471.8428.

Friday, September 29, 2023

Setting Up an Appointment Calendar for Advising or Something Else

Dear Faculty, Staff, and Students (but especially Faculty for today's post):

Are you and your advisees having trouble finding a time to meet? Good news! There is a feature in your Google calendar called "Appointment Schedules" which can be used to schedule meetings. 

Here are the Google Instructions, or you can take a look at Google's marketing propaganda page for appointments, which gives a nice overview.

Once an appointment calendar is set up, you can copy and send the link to your advisees and ask them to sign up for an appointment. Your appointment calendar is tied to your personal calendar, so you will not accidentally double-book a time.

We have recorded a short (no audio) step-by-step video showing how to set up appointment slots for advising.

Please contact the IT Help Desk if you have any questions or issues. We can be reached via the web at https://helpdesk.malone.edu or by phone at 330.471.8428.


Friday, July 14, 2023

Required Security Training for Malone Employees

Dear Faculty and Staff:

You may remember that back in December 2022 we announced a new "Required Training Policy." You can read and review this policy in FAQ415. You may also have seen some different training assigned to you this week, namely AED training. I thought it a good opportunity to talk about what is happening.

While the policy is published where the IT policies are usually placed, required training delivered on the KnowBe4 platform, in person, or otherwise will cover a variety of topics including:

  • Information security
  • Campus safety (workplace assailant, AED locations and use, etc.)
  • Title IX
  • Manager training, e.g., "lead Malone"
  • Other training deemed important and necessary by leadership.

We have committed (read it in the policy section 3.1!) to, "carefully select training which is useful to our employees, which meet the specifications of the regulations the university is beholden to, and also honor the time of our employees."

AED training

The most recent example is the AED training that has been assigned to all users in KnowBe4. If you attended the in-person training that Jack Angelo hosted in the Spring, you are not required to take it again. You will have received the email invitation, but you will notice that it is marked as "complete" when you sign into KnowBe4. You are welcome to review the presentation as well as the YouTube video (linked in KnowBe4) giving instructions on their use again.

Action Items. What do I need to do?

The bottom line is this training is required. Please sign into Malone Xpress and click on the "KnowBe4 Training" button in the Launchpad.

Take any training that is listed for you. 

Overdue training

Any employees with overdue training are subject to section 3.3.2 of the policy, which is progressive: from warnings, to warnings with chair/director cc'd, to account suspension, etc.

We encourage you to please take your training as soon as you see it assigned. If you are nervous or have questions about it, please let us know. Remember that you can sign into Malone Xpress and launch the KnowBe4 training site.

Managers/Chairs/Directors

Please sign into KnowBe4, view your "team dashboard," and review:
  • Anyone on your team who has training due or overdue. Send a note to your team members reminding them that they have training due.
  • Whether the list is inclusive of your entire team and that there are no folks who should not be listed as part of your team (let HR and IT know if you have any of these).






Friday, February 3, 2023

Scams and Unsecured malone.edu email accounts


Hello Students, Faculty, Staff, & Alumni:

This week's post is a little more serious because it pertains to several phishing emails that have made it past our filters because of mismanaged and insecure malone.edu email accounts. We are evaluating the best way to move forward so that fewer accounts are compromised and we can reduce the chance of our user community being scammed.

The best way for you to prevent your account being hacked is to:

  1. Make sure you set up good multi-factor authentication methods for your accounts.
  2. Be extremely suspicious of offers that are too good to be true or ANYTIME someone asks you to purchase things on their behalf. Scammers often ask you to buy gift cards or order equipment for them.
  3. Report when you see suspicious activity. Mark it as SPAM in the web mail interface or - for faculty and staff - report suspicious emails using the orange phishing hook so that IT can review the message. You can also contact the Help Desk if you want assistance to verify a message is legitimate. DO NOT forward the message to HelpDesk. We will review it using administrative interfaces.

In the past week, we received the third instance of this particular attack. Here's the rough outline of how this particular attack works.

1) Compromised account

An account which did not yet have multifactor authentication set up had its password guessed by an attacker. In this case, it was an alumnus' account from ten years ago. The attacker set up the alumnus' MFA and logged into his account using a Tor web browser. Tor is a dark web tool which obfuscates the user's location. We can see in our logs that the login traffic appeared to come from no fewer than three different countries.

How does an attacker guess a password? There are many ways, but here are a few:
  1. The password is part of a security breach from another site.
  2. The user uses the same password on all of his or her web sign-ins.
  3. The user has a pattern to their passwords. If their original password is 'BobWhite14,' then the next one they use is 'BobWhite15.' If the previous password is subject to a breach, then the attacker can guess what password might come next.
  4. The user's computer/device is hacked and they store their passwords in an unsecured file on the hacked device. This would be the equivalent of saving all your passwords in the Notes app on your iPhone instead of using the password storage found in Settings. Some folks store their passwords in a Word document saved on their hard drive; this is also extremely insecure.
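
The sign-in pattern from step 1 (logins to one account from three or more countries in a short span, with an MFA method enrolled during that span) can be checked for in exported sign-in logs. The sketch below is an added example, not code from this post or from Malone IT; the event field names, the example.edu accounts, the 24-hour window and the three-country threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Field names are assumptions;
# map them from whatever your identity provider's sign-in export uses.
SAMPLE = [
    # Dormant account: logins hop between countries, MFA enrolled in between.
    {"time": "2023-01-30T02:11:00", "user": "alum@example.edu", "action": "login", "country": "DE"},
    {"time": "2023-01-30T02:40:00", "user": "alum@example.edu", "action": "login", "country": "NL"},
    {"time": "2023-01-30T02:45:00", "user": "alum@example.edu", "action": "mfa_enroll", "country": "NL"},
    {"time": "2023-01-30T05:03:00", "user": "alum@example.edu", "action": "login", "country": "RO"},
    # Ordinary first-time enrollment from a single country.
    {"time": "2023-01-30T09:00:00", "user": "staff@example.edu", "action": "login", "country": "US"},
    {"time": "2023-01-30T09:05:00", "user": "staff@example.edu", "action": "mfa_enroll", "country": "US"},
    # Traveller: two countries, more than a day apart.
    {"time": "2023-01-28T08:00:00", "user": "trip@example.edu", "action": "login", "country": "US"},
    {"time": "2023-01-29T19:00:00", "user": "trip@example.edu", "action": "login", "country": "CA"},
]


def flag_accounts(events, window=timedelta(hours=24), min_countries=3):
    """Return {user: finding} for accounts whose logins span at least
    `min_countries` countries inside one `window`. Each finding records
    whether an MFA method was enrolled inside that same window, which is
    the account-takeover pattern described in the post."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(dict(e, time=datetime.fromisoformat(e["time"])))

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        logins = [e for e in evs if e["action"] == "login"]
        enrolls = [e for e in evs if e["action"] == "mfa_enroll"]
        # Slide a window that starts at each login in turn.
        for start in logins:
            begin, end = start["time"], start["time"] + window
            seen = {l["country"] for l in logins if begin <= l["time"] <= end}
            if len(seen) < min_countries:
                continue
            findings[user] = {
                "countries": sorted(seen),
                "mfa_enrolled_in_window": any(
                    begin <= m["time"] <= end for m in enrolls
                ),
            }
            break  # one finding per account is enough to open a review
    return findings


if __name__ == "__main__":
    for user, finding in flag_accounts(SAMPLE).items():
        print(user, finding)
```

A hit with `mfa_enrolled_in_window` set is the higher-priority case, since resetting the password alone leaves the attacker's enrolled method in place.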

2) Phishing emails sent

The attacker sent out something like the following message to 240 email addresses:
The Department of Business and Technologies at Malone University is looking for research assistants who are interested in working remotely and receiving a salary of $450 per week. Students (Previous or Present Students) from any department in the university can  participate in the research. Please contact Professor Shawn Campbell as soon as possible by text (999)999-9999 with your full name, email address, year of study, and department to obtain the position description and further application requirements.
 
Best Regards.  
C/O Professor Dr. Spamislaw McPhishterson
Title: Professor of Underwater Basket Weaving, Malone University

What are the indications that this is a Phish? 

  1. First red flag is that they want you to start texting them instead of replying to the email.
  2. Second is that if you responded to the email then the reply comes from an entirely different email address (especially not a malone.edu email address). Once the communication leaves our systems, it cannot be easily tracked if we need to investigate it.

3) Hooked!

One or more people text the attacker or reply to the email. The attacker gets the victim off of our network and systems as soon as possible to thwart any attempts at figuring out who they are.

4) Reeling in the victim

The attacker starts to email or text the victim impersonating the professor and telling them about the internship opportunity. They tell them that they sound like a good candidate for the internship and text them the image of a check that has our name and logo on it, but is totally bogus.

Once they 'hire' the victim, they ask him or her to purchase gift cards or items which can easily be returned to a store (office supplies or non-perishable items). They instruct the victim to make the purchases and either dropship them to a location or send pictures of the cards with the PIN codes scratched off.

The victim follows instructions and places the orders. The victim tries to cash the fake check and it bounces.

More red flags:
  1. Why would Malone ask an intern to use their personal account to buy stuff? We don't. We wouldn't.
  2. Asking to buy or transmit gift cards is a major red flag. They are untraceable and easily sent/received with people snapping pictures.
  3. Texting a picture of a check. That is not how checks work. Checks are typically printed with special magnetic ink and on paper that is copy-resistant. The bank is bogus, the signature is bogus, and they simply copied and pasted our logo on the check.

If you've fallen victim to a scheme like this

First, you should file a police report immediately. While it is nearly impossible to identify the attacker and recover your funds, sometimes it can be done. Let them know all of the circumstances around the attack.

These attacks are getting more and more sophisticated which means they are harder to detect both for humans and for computers. The appeal of easy and/or quick money has drawn many a cash-strapped student in. Don't feel ashamed such that you don't let the authorities know about it.

What did we do and what are we doing to prevent this from happening in the future?

One huge thing we are doing to prevent this from happening in the future is implementing multifactor authentication [MFA]. Once it is set up, attackers have a harder time taking over a malone.edu account. In this case, the alumnus had not set up his MFA yet, so once they got his password, they set it up for themselves and had full access to his account.

Google detected that it was a phishing attempt and disabled his account. Diligent community members reached out to IT and we further locked out the hacked account and pulled all instances of the email from our servers. We have no way of knowing how many people started to text the attacker, but we are aware of at least one person who did and was bilked out of their money and time.

The future of alumni accounts is in question. We have offered this service to alumni to retain their malone.edu email as long as they are actively checking it. But we are reviewing whether to continue to offer the service in light of folks who may not be managing their alumni accounts well. More to come on this front and be sure to send us feedback through helpdesk@malone.edu if you have thoughts.

Monday, January 23, 2023

Google Meet Use - recording and presentation tools

Hello Everyone (especially Teaching Faculty):

We have gotten several calls this past week about recording in Google Meet. This week's post (a little late) shows you

  • How to schedule a recurring Google Meet for a class and who can and cannot record a meeting
  • Where the recording tools are located in Google Meet 
  • How to generate transcripts and information on attendance tracking.
  • Other activities like whiteboard, Q&A, and polling features.
  • Where recordings are stored (your Google Drive "Meet Recordings" folder) and how long they're retained.

This week's post is about Google Meet use. Google changed the location of the recording mechanism, moving it into the activity menu. I created a brief video on how to schedule a Google Meet and how to navigate to the activity tools and record your presentation.



Who can Record?

Anyone who is listed as an instructor in a current or upcoming course has the ability to record. This is programmatically set. If you are an instructor, but you lack the ability to record your presentation, make sure that the meeting was scheduled by you and not someone else. 

Recording management

All Google Meet recordings are stored in a folder on Google Drive called "Meet Recordings". Recordings will last ninety (90) days, after which they will be automatically discarded. If you want to keep a recording longer than that, you will need to download it from your Google Drive to another location. It can then be re-uploaded into another location on Google Drive. You cannot just move the recording to another location in Drive.

Reach out to the IT Help Desk if you are having any trouble recording or have any questions about Google Meet use. We can be reached via email at helpdesk@malone.edu, via the web at https://helpdesk.malone.edu or by phone at 330.471.8428.

Quick Start for Using Google Meet for recording of synchronous meetings

A less-than-seven-minute tutorial on Google Meet recording, including transcript and attendance files.

More Resources for Google Meet

There is a fairly exhaustive list of resources located in Google's Help documentation for Google Meet. Pay especial attention to the "during the meeting" section to learn how to use the different features.





Friday, January 13, 2023

SSO Transition #5 - Why are we doing this and good news!

Greetings Malone Community!

Today we learn more about the SSO [Single Sign On] and MFA [Multi Factor Authentication] setup we have adopted at Malone:
  • Google 2 factor error resolved for faculty and staff
  • How often do I need to do the extra MFA step?
  • How do I change my MFA and password rescue options?
  • Description of password rescue and MFA Options
  • Why are we doing this?
  • Places to launch your apps!

Google 2 factor error resolved for faculty and staff

Good news! We worked with Google Engineers and Support yesterday and were able to fix the error that many faculty and staff would get when they tried to sign into the malone.edu email. The "Your sign-in settings don't meet your organization's 2-step Verification policy" error should no longer be a problem. Please contact the IT Help Desk if you continue to have this problem.

How often do I need to do the extra MFA step?

Remember that MFA makes it harder for a bad actor to gain access to your account and the sensitive data that your account allows you to access. MFA is something you know (like a password) and something you have (like a cell phone with an authenticator app or that gets sent a text message with a code).

How often you are prompted to perform the second MFA step will depend on a number of factors. We are still formulating the balance between ease of access and security and have already made some changes to reduce the number of times each user must use a second factor to authenticate. 

Here are some broadly applicable guidelines of how often you will need to use a second factor [MFA] when authenticating:
  • When it is the first time that you log into Malone services on a new computer or a different web browser on that computer.
  • When using a laptop and your physical or logical (Internet) location changes significantly. This could be as drastic as logging on in Canton and then flying to Chicago and reconnecting or as simple as connecting to Malone wifi and then later connecting with a Verizon wireless hotspot.
  • Depending on who you are, you might be prompted more often. If you have a job responsibility that gives you extra access to sensitive info, you may be prompted more often. If you are a VP or the President, you may get prompted more often than if you are a student.
  • Depending on what service you are using, you may get prompted more often. Example: If you are using our VPN to connect to campus to perform remote work (faculty and staff), you will be asked to MFA EVERY TIME you connect.
  • As of this writing on Friday, 13 January 2023 and in most cases (except for those mentioned above), your MFA will last seven days. 

How do I change my MFA and password rescue options?

I have had a number of staff and faculty tell me that they set up their office phone to be called as one of their MFA options. This is fine as long as the only place you log into Malone systems is in your office. The next section of this post tells about the different options for MFA and password rescue, but if you want to change your MFA selections, you can do this from any Microsoft screen, say office.com. Here are the steps to access your security settings, click by click:
  1. From any Microsoft service, click your avatar/account icon in the top right corner:


  2. Click "View account" from the menu that appears.
  3. Find the card for "Security Info" and click the "Update info" link on that card. You may need to MFA to access and change the settings.
  4. Review and update your sign-in methods.

The direct link to manage your Malone MS Azure account's security settings is:

If you have lost access to your MFA methods and are unable to access your account, you can contact the Help Desk and we will reset your MFA options so that you can re-enroll. 

Recommendation

Set up more than one MFA option in case one is unavailable.

Description of Password Rescue and Multifactor Options

We put together this slideshow to help guide folks through the MFA enrollment process. Click on the links to read about the different password rescue and MFA options.


Why are we doing this?

We know that this new process makes it take longer to sign into our systems. We know that it is inconvenient to have to carry or otherwise access that second factor to complete your sign-in. There are a few reasons we are doing this:
  1. To protect our data
  2. To enhance our online presence
  3. For regulatory compliance

To protect our data

Students, faculty, and staff have access to varying degrees of personally identifiable information [PII] and non-public personal information [NPI]. MFA prevents a would-be attacker from accessing your account because they do not have the second factor.

It also encourages good account behavior in that it is harder for people to share an account. Remember that you are responsible for any actions taken while your account is logged in. Never share your username and password credentials with others. 

To enhance our online presence

Adding this additional layer of security allows us to make more systems available securely online. More to come in this area, but we are excited to offer additional tools in the next couple years to students, faculty, and staff!

For regulatory compliance

Malone University is beholden to multiple federal and state regulations. Letter spaghetti includes but is not limited to GLBA, FERPA, HIPAA, HIPAA HITECH, FSA of DOE, Sarbanes-Oxley, etc. Many of these regulatory agencies and legislation require MFA in addition to other compliance regulations.

Places to launch your apps!

If you've read this far down, we hope these links made it worth it all! There are three places from which you can switch between applications. In many cases, you can get back and forth between the three.
  • The Launchpad on Malone Xpress: https://jics.malone.edu
  • The Microsoft Myapps platform: https://myapps.microsoft.com OR the grid icon while you are in a Microsoft app. It's located in the top left corner and looks like this: 


  • The Google Workspace App chooser located in the top right corner of a Google Workspace app: