Scams and Unsecured malone.edu email accounts

Hello Students, Faculty, Staff, & Alumni:

This week's post is a little more serious because it pertains to several phishing emails that have made it past our filters because of mismanaged and insecure malone.edu email accounts. We are evaluating the best way to move forward so that less accounts are compromised so we can reduce the chance of our user community being scammed. 

The best way for you to prevent your account being hacked is to:

1. make sure you set up good multi-factor authentication methods for your accounts.
2. Be extremely suspicious of offers that are too good to be true or ANYTIME someone asks you to purchase things on their behalf. Scammers often ask you to buy gift cards or order equipment for them.
3. Report when you see suspicious activity. Mark it as SPAM in the web mail interface or - for faculty and staff - report suspicious emails using the orange phishing hook so that IT can review the message. You can also contact the Help Desk if you want assistance to verify a message is legitimate. DO NOT forward the message to HelpDesk. We will review it using administrative interfaces.

In the past week, we received the third instance of this particular attack. Here's the rough outline of how this particular attack works.

1) Compromised account

An account which did not yet have multifactor authentication set up had its password guessed by an attacker. In this case, it was an alumnus' account from ten years ago. The attacker set up the alumnus' MFA and logged into his account using a ToR web browser. ToR is a darkweb tool which obfuscates the user's location. We can see in our logs that the login traffic appeared to come from no less than three different countries.

How does an attacker guess a password? There are many ways, but here are a few:

1. The password is part of security breach from another site.
2. The user uses the same password on all of his or her web sign-ins.
3. The user has a pattern to their passwords. If their original password is 'BobWhite14,' then the next one they use is 'BobWhite15.' If the previous password is subject to a breach, then the attacker can guess what password might come next.
4. The user's computer/device is hacked and they store their passwords on an unsecured file on the hacked device. This would be the equivalent of saving all your passwords in the Notes app on your iPhone instead of using the password storage found in Settings. Some folks store their passwords in a Word document saved on their hard drive; this is also extremely insecure.

2) Phishing emails sent

The attacker sent out something like the following message to 240 email addresses:

The Department of Business and Technologies at Malone University is looking for research assistants who are interested in working remotely and receiving a salary of $450 per week. Students (Previous or Present Students) from any department in the university can  participate in the research. Please contact Professor Shawn Campbell as soon as possible by text (999)999-9999 with your full name, email address, year of study, and department to obtain the position description and further application requirements.

 

Best Regards.  

C/O Professor Dr. Spamislaw McPhishterson

Title: Professor of Underwater Basket Weaving, Malone University

What are the indications that this is a Phish? 

1. First red flag is that they want you to start texting them instead of replying to the email.
2. Second is that if you responded to the email then the reply comes from an entirely different email address (especially not a malone.edu email address). Once the communication leaves our systems, it cannot be easily tracked if we need to investigate it.

3) Hooked!

One or more people text the attacker or reply to the email. The attacker get the victim off of our network and systems as soon as possible to thwart any attempts at figuring out who they are. 

4) Reeling in the victim

The attacker starts to email or text the victim impersonating the professor and telling them about the internship opportunity. They tell them that they sound like a good candidate for the internship and text them the image of a check that has our name and logo on it, but is totally bogus.

Once they 'hire' the victim, they ask he or she to purchase gift cards or items which can easily be returned to a store (office supplies or non-perishable items). They instruct the victim to make the purchases and either dropship them to a location or send pictures of the cards with the pin codes scratched off. 

The victim follows instructions and places the orders. The victim tries to cash the fake check and it bounces.

More red flags:

1. Why would Malone ask an intern to use their personal account to buy stuff? We don't. We wouldn't.
2. Asking to buy or transmit gift cards are a major red flag. They are untraceable and easily sent/received with people snapping pictures.
3. Texting a picture of a check. That is not how checks work. Checks are typically printed with special magnetic ink and on paper that is copy-resistant. The bank is bogus, the signature is bogus, and they simply copied and pasted our logo on the check.

If you've fallen victim to a scheme like this

First you should file a police report immediately. While it is nearly impossible to identify the attacker and recover your funds, sometimes it can be done. Let them know all of the circumstances around the attack. 

These attacks are getting more and more sophisticated which means they are harder to detect both for humans and for computers. The appeal of easy and/or quick money has drawn many a cash-strapped student in. Don't feel ashamed such that you don't let the authorities know about it.

What did we do and what are we doing to prevent this from happening in the future?

One huge thing we are doing to prevent this from happening in the future is our implementing multifactor authentication [MFA]. Once it is set up, then attackers have a harder time taking over a malone.edu account. In this case, the alumnus did not set up his MFA yet, so once they got his password, they set it up for themselves and had full access to his account.

Google detected that it was a phishing attempt and disabled his account. Diligent community members reached out to IT and we further locked out the hacked account and pulled all instances of the email from our servers. We have no way of knowing how many people started to text the attacker, but we are aware of at least one person who did and was bilked out of their money and time.

The future of alumni accounts is in question. We have offered this service to alumni to retain their malone.edu email as long as they are actively checking it. But we are reviewing whether to continue to offer the service in lieu of folks who may not be managing their alumni accounts well. More to come on this front and be sure to send us feedback through helpdesk@malone.edu if you have thoughts.

image credit: https://www.publicdomainpictures.net/en/view-image.php?image=240518&picture=scam 

Google Meet Use - recording and presentation tools

Hello Everyone (especially Teaching Faculty):

We have gotten several calls this past week about recording in Google Meet. This week's post (a little late) shows you

• How to schedule a recurring Google Meet for a class and who can and cannot record a meeting
• Where the recording tools are located in Google Meet 
• How to generate transcripts and information on attendance tracking.
• Other activities like whiteboard, Q&A, and polling features.
• Where recordings are stored (Your google drive "meet recordings" folder) and how long they're retained.

This week's post is about Google Meet use. Google changed the location of the recording mechanism; moving it into the activity menu. I created a brief video on how to schedule a Google Meet and how to navigate to the activity tools and record your presentation.

Who can Record?

Anyone who is listed as an instructor in a current or upcoming course has the ability to record. This is programmatically set. If you are an instructor, but you lack the ability to record your presentation, make sure that the meeting was scheduled by you and not someone else. 

Recording management

All Google Meet recording are stored in a folder on Google Drive called "Meet Recordings". Recording will last ninety (90) days after which they will be automatically discarded. If you want to keep a recording longer than that, you will need to download it from your Google drive to another location. It can then be re-uploaded into another location on Google Drive. You cannot just move the recording to another location in drive. 

Reach out to the IT Help Desk if you are having any trouble recording or have any questions about Google Meet use. We can be reached via email at helpdesk@malone.edu , via the web at https://helpdesk.malone.edu or by phone at 330.471.8428.

Quick Start for Using Google Meet for recording of synchronous meetings

A less than seven minute tutorial on Google meet recording including transcript and attendance files.

More Resources for Google Meet

There is a fairly exhaustive list of resources located in Google's Help documentation for Google Meet. Pay especial attention to the "during the meeting" section to learn how to use the different features.

SSO Transition #5 - Why are we doing this and good news!

Greeting Malone Community!

Today we learn more about the SSO [Single Sign On] and MFA [Multi Factor Authentication] setup we have adopted at Malone:

• Google 2 factor error resolved for faculty and staff
• How often do I need to do the extra MFA step?
• How do I change my MFA and password rescue options?
• Description of password rescue and MFA Options
• Why are we doing this?
• Places to launch your apps!

Google 2 factor error resolved for faculty and staff

Good news! We worked with Google Engineers and Support yesterday and were able to fix the error that many faculty and staff would get when they tried to sign into the malone.edu email. The, "Your sign-in settings don't meet your organization's 2-step Verification policy" should no longer be a problem. Please contact the IT Help Desk if you continue to have this problem.

How often do I need to do the extra MFA step?

Remember that MFA makes it harder for a bad actor to gain access to your account and the sensitive data that your account allows you to access. MFA is something you know (like a password) and something you have (like a cell phone with an authenticator app or that gets sent a text message with a code).

How often you are prompted to perform the second MFA step will depend on a number of factors. We are still formulating the balance between ease of access and security and have already made some changes to reduce the number of times each user must use a second factor to authenticate. 

Here are some broadly applicable guidelines of how often you will need to use a second factor [MFA] when authenticating:

• When it is the first time that you log into Malone services on a new computer or a different web browser on that computer.
• When using a laptop and your physical or logical (Internet) location changes significantly. This could be as drastic as logging on in Canton and then flying to Chicago and reconnecting or as simple as connecting to Malone wifi and then later connecting with a Verizon wireless hotspot.
• Depending on who you are, you might be prompted more often. If you have a job responsibility that gives you extra access to sensitive info, you may be prompted more often. If you are VP or the President, you may get prompted more often than if you are a student.
• Depending on what service you are using, you may get prompted more often. Example: If you are using our VPN to connect to campus to perform remote work (faculty and staff), you will be asked to MFA EVERY TIME you connect.
• As of this writing on Friday, 13 January 2023 and in most cases (except for those mentioned above), your MFA will last seven days. 

How do I change my MFA and password rescue options?

I have had a number of staff and faculty tell me that they set up their office phone to be called as one of their MFA options. This is fine as long as the only place you log into Malone systems is in your office. The next section of this post tells about the different options for MFA and password rescue, but if you want to change your MFA selections, you can do this from any Microsoft screen, say office.com . can also click the Here are the steps to access your security settings click by click:

1. From any Microsoft service, click your avatar/account icon in the top right corner:
   
   
   
   
   
2. Click "View account" from the menu that appears.
3. Find the card for "Security Info" and click it the "Update info" link on that card. You may need to MFA to access and change the settings.
4. Review and update your sign-in methods.

The direct link to manage your Malone MS Azure account's security settings is:

https://mysignins.microsoft.com/security-info

If you have lost access to your MFA methods and are unable to access your account, you can contact the Help Desk and we will reset your MFA options so that you can re-enroll. 

Recommendation

Set up more than one MFA option in case one is unavailable.

Description of Password Rescue and Multifactor Options

We put together this slideshow to help guide folks through the MFA enrollment process. Click on the links to read about the different password rescue and MFA options.

Why are we doing this?

We know that this new process makes it take longer to sign into our systems. We know that it is inconvenient to have to carry or otherwise access that second factor to complete your sign-in. There are a few reasons we are doing this:

1. To protect our data
2. To enhance our online presence
3. For regulatory compliance

To protect our data

Students, faculty, and staff have access to varying degrees of personal identifiable information [PII] and non-public personal information [NPI]. MFA prevents a would-be attacker from accessing your account because they do not have the second factor.

It also encourages good account behavior in that it is harder for people to share an account. Remember that you are responsible for any actions taken while your account is logged in. Never share your username and password credentials with others. 

To enhance our online presence

Adding this additional layer of security allows us to make more systems available securely online. More to come in this area, but we are excited to offer additional tools in the next couple years to students, faculty, and staff!

For regulatory compliance

Malone University is beholden to multiple federal and state regulations. Letter spaghetti includes but is not limited to GLBA, FERPA, HIPAA, HIPAA HITECH, FSA of DOE, Sarbanes-Oxley, etc. Many of these regulatory agencies and legislation require MFA in addition to other compliance regulations.

Places to launch your apps!

If you've read this far down, we hope these links made it worth it all! There are three places from which you can switch between applications. In many cases, you can get back and forth between the three.

• The Launchpad on Malone Xpress: https://jics.malone.edu
• The Microsoft Myapps platform: https://myapps.microsoft.com OR the grid icon while you are in a Microsoft app. It's located in the top left corner and looks like this: 
  
  
  
  
  
• The Google Workspace App chooser located in the top right corner of a Google Workspace app:
  
  
  
  
  

SSO Transition Update #4 Google Workspace and Moodle

Happy New Year Malone Students, Faculty, and Staff!

We are moving both Moodle and Google Workspace (email, docs, etc.) over to the new single sign on [SSO] system this week - 3-6 January 2022. This means that all major systems will be using the new AzureAD SSO system prior to the beginning of the Spring semester.

As a reminder, you will need to set up BOTH your password recovery options as well as one or more multi-factor authentication [MFA] options.

Many of the questions we have been getting revolve around the particular screen shown above. Microsoft is encouraging you to download and install their Authenticator app. Here are the common questions and answers related to this screen:

1. Some folks click through to download the app and choose the first option. This first option is an ad which is NOT from Microsoft. It is a third party authenticator app which, while legitimate, wants you to pay for its use. YOU DO NOT NEED TO PAY FOR AN APP TO USE MFA.
2. If you are already using an MFA app, you do not need to download another one. Ones that we know work are LastPass, Google Authenticator, Salesforce Authenticator; the list is growing. Click the option that "I want to use a different authenticator app" and scan the QR code with your existing authenticator app (top arrow).
3. You can use a different MFA method such as a text message. Use the link indicated by the bottom arrow and follow the prompts.

NEW PHONE WARNING!

If you get a new phone, remember to transfer your MFA settings to the new device BEFORE you reset the old phone. The instructions will vary depending on which app you are using, but typically you will need to select the option to "export accounts" to another device. You will then be shown a QR code (on your old phone) which you can scan with your new phone.

Not correctly transferring your settings to the new phone before you give up the old device makes resetting your MFA more complex. 

Recovery Codes

When you first set up MFA for a service or system, you will also be given a "recovery code." Be sure to write this down or store it somewhere. Print it out and put it in a safe place. We do not recommend that you save it electronically. This recovery code can be used to reset MFA if your phone is lost, damaged, or no longer available. 

When you record that recovery code, make sure you mark it both for what it is and for which system, e.g., "Malone Single Sign On - username: jdoe1@malone.edu recovery code: h@jkd JKHGJ H1234 322." You will end up with a recovery code for each service with which you have set up MFA (banking, github, government id.me, social media accounts, etc.). Remember that you can use the same authenticator app for many, if not all, of your online systems.

This and other Malone IT systems changes

You can view our Maintenance calendar which shows planned changes to Malone IT systems as well as unplanned outages using this calendar. This calendar is also published on Malone Xpress.

Please contact the IT Help Desk if you have any questions or issues. We can be reached via email at helpdesk@malone.edu , via the web at https://helpdesk.malone.edu or by phone at 330.471.8428.

New policies announcement "Required Employee Training Policy" and "Adobe Sign Configuration and Use Policy" effective 1 January 2023

 Dear Faculty and Staff:

Merry Christmas to you all. We are emailing you to announce two new policies which were recently approved by the President's Cabinet. 

• "Required Employee Training Policy" from the Human Resources and Information Technologies offices. https://helpdesk.malone.edu/helpdesk/WebObjects/Helpdesk.woa/wa/FaqActions/view?faqId=415
• "Adobe Sign Configuration and Use Policy" from the Business Office and Information Technologies. https://helpdesk.malone.edu/helpdesk/WebObjects/Helpdesk.woa/wa/FaqActions/view?faqId=416

Both policies will be in effect in the new calendar year 1 January 2023. Brief summaries of both policies are below.

What do I need to do?

1. Catch up on your training and encourage your peers to catch up on their training! To see what has been assigned to you, log into Malone Xpress and click the KnowBe4 training link from the launchpad. The icon looks something like this:
   
   
   
   
   
2. If you are a department chair or manager, you will be able to see a "Team Dashboard" which shows you what your team has due. If you are manager of managers or a dean of chairs, you will see a drop down menu to view the different team dashboards which answer to you. The "second warnings" will start to be sent in mid to late January (see policy section 3.3.2). Let us know if you see employees which need removed or added to your team dashboards.
   
3. If you are interested in using Adobe Sign, please follow the guidelines in the policy and let the Help Desk know who in your department you want to be set up to use it.

Please contact the IT Help Desk if you have any questions or issues. We can be reached via email at helpdesk@malone.edu , via the web at https://helpdesk.malone.edu or by phone at 330.471.8428.

Required Employee Training Policy - full policy found in FAQ415
Approved By: President’s Cabinet
Date Approved: Thursday, 17 November 2022, effective 1 January 2023
Date Last Amended: Tuesday, 13 December 2022
Date of Next Review: 15 May 2025
Team[s] Responsible: Human Resources, Information Technologies

1. Purpose
Employee training is a vital and required part of working at Malone University. This policy defines the process of compliance and enforcement for Malone employee training

2. Overview

• All employees of Malone University must take regularly assigned training related to their working with the students, faculty, staff, and larger University community.
• This policy applies to all Malone University employees whether full or part-time. It will selectively apply to student workers, members of student organizations, volunteers, contractors, and others who might work with our student body or information related to the operation of the University.
• As an employer and institution of higher education in the United States of America, there are a variety of regulations and legislation to which we are beholden. Regular employee training is one way in which the University can remain compliant with those rules.
  
  Engaging and completing regular training demonstrates a care for the students, faculty, staff, and the larger Malone University community and aligns well with the University’s foundational principles in that, “We value and foster intellectual breadth and virtue, believing that individuals who seek Christ's Kingdom First are called to embark on a lifelong process of learning.”

Adobe Sign Configuration and Use Policy - full policy found in FAQ416
Approved By: University Cabinet
Date Approved: 8 December 2022, effective 1 January 2023
Date Last Amended: Tuesday, 6 December 2022
Date of Next Review: 10 May 2024
Team[s] Responsible: Business Office and Information Technologies1. 

1. Purpose
This policy governs the set up, configuration, and management of Adobe Sign on Malone University’s campus. This includes billback for each department’s use of the system.

2. Overview

• Adobe Sign is available for use by all academic and administrative departments on campus.
• We have a contracted per use transaction cost established between Malone and Adobe through the AICUO.
• This policy is built so that all parties understand the abilities and the cost structure.
• The service page is https://na4.documents.adobe.com/

SSO Transition update #3 - MFA methods and Authenticator Apps

Hello Malone University Students, Faculty, and Staff:

Malone Xpress was converted to the new SSO system on Wednesday. This was a day later than expected because of some technical glitches in Malone Xpress. We have fielded several calls about the best way to set up your multi factor authentication so this post is dedicated to the types of questions that we have received from you in the past week or two.

There is no cost for MFA

You DO NOT NEED TO PAY for any services related to MFA at Malone. We have fielded several calls where users are being prompted to sign up for a subscription for their MFA authenticator apps. When I search the IOS App Store for “Microsoft Authenticator,” the first result is an ad for a third party app. The second result is the actual “Microsoft Authenticator App” the link to the correct iOS download is here. The Android app is here.

You can use any compatible authenticator app. I personally use Google’s authenticator app (download for iOS or Android). 

Whichever app you choose, this same app can be used for any service - banking, services, social media, etc. - that supports authenticator MFA.

More than one MFA method

There are four different mechanisms for multi-factor authentication which can be used. We recommend you set up at least two in case one fails or isn't available to you when you need it:

• An authenticator app such as the ones from Microsoft or Google <--most secure and recommended.
• Phone - you can be called or texted a verification code.
• Alternate phone - a backup method in case the phone you set up is not available.
• Office phone - this would call a third number you specify and read a code to you.

Even after you have completed the initial set up of your MFA methods, you can update which methods for MFA you want to use in your Microsoft profile's security section: https://mysignins.microsoft.com/security-info

How do Authenticator apps work?

When setting up a new service in your authenticator app, the most common method is for you to scan a QR code that the service will show to you during the set up. If you choose to use a different authenticator app than Microsoft’s, you will need to select that option during set up.

The process requires you set up a connection between your chosen authenticator app and whatever service(s) requires MFA. This connection is unique and is based on your smartphone’s hardware, a secure key managed by that service, and the current time. Every minute or so, a new valid key is generated by the app using these three pieces of information. That code expires every minute so that even if it was somehow stolen, it would stop working within sixty seconds. 

How the code is calculated is created is based on some very clever math that Kyle Calderhead, David Hahn, or Shawn Campbell could explain to you. If you take the algorithms course, you would be able to explain it like they can!

Things to watch for when using an Authenticator App

• When moving to a new phone, be sure to transition your MFA set up to the new device. This usually  means opening the authenticator app on the old and new phones at the same time and scanning a code shown on the old phone screen with the camera from the new phone. This migration cannot be done just by restoring your device from a backup because it is unique to the hardware of your device. Remember to completely wipe your old device before discarding, reselling, or giving it to someone else.
• Many services will give you backup or rescue codes that can be used instead of the MFA app. Be sure to store these securely someplace. We suggest printing these rescue codes and storing them in your files somewhere. Do not save them to a digital file on your computers or devices. These codes can be used to recover your ability to log in say, if you drop your phone in a lake or it is stolen.

SSO transition update - Malone Xpress scheduled for Tuesday, 6 December

Dear Students, Faculty, and Staff:

We are making steady and positive progress moving all of our services and systems to our new SSO platform (Microsoft Azure AD). 

Malone Xpress is scheduled to be moved over to the new system early Tuesday morning, 6 December 2022. This will be when most students, faculty, and staff will be required to set up their password reset and authentication factors.

At this point, you may want to review our last message. It contains more details about what we are doing. But here is a shorter version that tells you only what you need to know and what to do...

1. Go to https://login.microsoftonline.com/ and sign in with your Malone.edu email address. If you are prompted to log in using your "personal" or "work or school" account, choose "work or school" account.
2. Set up your password self-service reset options and your multi-factor authentication options. 

You can do this now so you won't need to do it later. You can also choose to wait, but later you will be required to set it up. This would not be fantastic if you were forced to do this during a time-crunch, e.g., about to take a test, late for a meeting, assignment deadline.

You can review a complete schedule of services which are completed or scheduled in this Google Sheet (Malone.edu account required to access).

More information

As of writing this message, about a 100 users have completely set up themselves with MFA and password reset. Nearly 300 of you have set up your password reset information.