February 2019 CTS eNews
As usual, it's been longer than I intended between my tech missives. Our team has been busy with the normal churn of Winter term -- software to license and deploy, computer labs to move and upgrade, that odd button in the server room that has to be pressed every 108 minutes (or else) -- all of the normal reactive things that always seem to get in the way of more proactive measures. We've recently revamped our site, tech.coe.drexel.edu, in the hopes that being proactive by making our information and documentation more discoverable, accessible, and instantly searchable will save us (and you!) time. While no tech website can ever be considered "complete", our site is still a work in progress. We're continuing to create pages for more of the major software packages available to our students, as well as detailed support instructions for the various conference rooms and other Engineering spaces. If you find specific information lacking in depth or breadth, please let me know.
Please read on! There are a few important items: how to stop falling for phishing scams, new hosted virtual server options for research and student groups, and multi-factor authentication coming soon to your Office365 accounts.
As malware being delivered to inboxes has trailed off thanks to improvements in attachment scanning and browser protections, crooks are placing more emphasis on targeted phishing campaigns and other social engineering techniques. We've seen a number of unsuccessful (and a few successful) attempts over the past two years based on variations on the same common theme: an urgent request from what appears to be a trusted colleague.
One variant is a late night request supposedly from a manager to print a document urgently needed first thing in the morning (the document in question was an embedded image of what appeared to be a Microsoft Word error with instructions to "click to fix", which linked to a page that requested Drexel credentials).
In other cases, it was a terse demand appearing to be from someone in the same department to know "if you're on campus and can do a quick favor" -- and then asking the target to buy gift cards and send the card numbers back.
The folks behind these attacks aren't particularly creative, so the good news is that all of these attempts are easy to spot once you know what you're looking for. The bad news is, they are consistent, and are constantly evolving new attacks. With a little bit of forward planning, though, departments can come up with a plan to avoid falling prey to these traps.
Check For Fake Email Addresses
The easiest sign that all of these attacks so far have shared is that the emails are not sent from @drexel.edu accounts. The email address usually had some form of the person's name in it (e.g. email@example.com), but was not an address the person had ever used to send email previously. If you receive malicious email from someone's actual @drexel.edu address, please report it immediately to the MailAbuse team.
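The sender check described above can also be run over saved messages. This is an added example, not part of the original newsletter; the colleague directory, names and addresses in it are constructed, and it inspects only the visible From header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "drexel.edu"

# Constructed directory: colleague name -> address they normally send from.
KNOWN_SENDERS = {"jordan rivera": "jr123@drexel.edu"}

def _tokens(text):
    """Lower-case alphabetic words in a display name or local part."""
    return set(re.findall(r"[a-z]+", text.lower()))

def check_sender(raw_message):
    """Return (verdict, reason) based on the From header of one message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    # Exact domain or a true subdomain only; "drexel.edu.example.net" fails.
    if domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN):
        return ("internal", "From address is under drexel.edu")
    # Outside address: does it borrow a colleague's name anywhere?
    claimed = _tokens(display) | _tokens(local)
    for name, usual in KNOWN_SENDERS.items():
        if _tokens(name) <= claimed:
            return ("suspicious", f"uses the name '{name}' but is not {usual}")
    return ("external", "outside sender, no colleague name used")

# Constructed sample messages (headers and bodies are illustrative only).
SAMPLES = [
    "From: Jordan Rivera <jordan.rivera.office@example.com>\n"
    "Subject: quick favor\n\nAre you on campus?",
    "From: Jordan Rivera <jr123@drexel.edu>\nSubject: agenda\n\nSee attached.",
    "From: Jordan Rivera <help@drexel.edu.example.net>\n"
    "Subject: urgent\n\nPlease print this.",
    "From: Weekly News <news@example.org>\nSubject: digest\n\nHello.",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        verdict, reason = check_sender(raw)
        print(f"{verdict:10} {reason}")
```

A "suspicious" verdict is a prompt to confirm with the colleague through another channel, not proof of an attack.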
Make sure you have alternate contact info for your colleagues when possible
Most departments share cell phone lists of staff and faculty internally -- if you receive a request that strikes you as odd, reach out to the person via phone or text to confirm. Microsoft Teams also makes it easy to chat one-on-one or as a group.
Use A Challenge Phrase
Taking a page from a spy novel, it may be helpful for departments to come up with some sort of challenge phrase or word to be provided if questioned (e.g. 'Blue fin tuna's on sale again.' or 'gel electrophoresis').
Use Common Sense: Slow Down and Err On The Side of Caution
Don't let an attacker create a false sense of urgency that makes you lower your guard. As important as the work we do at Drexel is, little to none of it is truly life-or-death priority. If someone sends you something attempting to paint a dire picture if you don't act immediately, take the extra minute to check for other warning signs.
The Costs Of Letting Your Guard Down
Ask any of the folks who have been fooled by a targeted attack and they'll admit that, in hindsight, the warning signs were there -- something looked fishy. Having your accounts compromised disrupts at least the better part of an entire day, and the effects can linger for weeks. Don't let these hooligans wreak chaos on your digital life! (That being said, some of our staff and faculty have come up with creative ways of leading the phishers on -- it can certainly be amusing to watch them attempt to go off-script).
Multi-Factor Authentication Coming Soon to Office365
Speaking of chaos in your digital life, Drexel IT will be turning on multi-factor authentication (MFA) in the coming weeks. As with many other accounts where you may already have this enabled, you will now be required to provide a code when logging on from a new device, and then once every 60 days. This will help mitigate phishing attacks, since attackers will need access to more than just someone's username and password.
This was planned months ago, but the rollout was delayed due to integration issues -- DUIT and Microsoft believe these are resolved. We will update this page with additional instructions as they become available.
While we recognize that MFA will be a disruptive change, it is now fairly common across the educational landscape and once configured, makes Drexel.edu accounts far less attractive targets for attack.
Virtual Research Servers
Over the past few months, we've been offering to provision virtual research servers to research groups in need of new computational workstations. For a relatively low cost, groups can gain access to a dedicated instance of Windows Server or Linux running on powerful server hardware. This allows a group to have a place to run common software from without having to configure it on each student workstation, and allows for long-running simulations without affecting regular computer use. They can be accessed from off-campus, and are backed up nightly. If your group is interested in setting one up, please let us know.
New Tech Site
We've rolled out our new website. Our old site hadn't been updated in some time, and we had been in the process of moving our content to SharePoint. For anyone who has attempted to manage content via SharePoint, we extend our dearest sympathies. While it may be good for lists and forms, it lacks a number of organizational and customization features, which prevents easy management (and drives anyone with an eye for design insane).
So, what did we go with instead? Since the focus of our site is documentation, we looked to see what open-source projects used for their documentation, and settled on the open-source site generator MkDocs. It's a powerful, Python-based framework that generates static HTML files from a hierarchical set of text-based Markdown files. We were able to focus on the documentation first and foremost without worrying about the presentation, and had 90% of the site done in less than 4 days.
While we would not necessarily recommend MkDocs as a framework for entire research group websites, it's certainly an interesting project, and one worth a close look for any research group generating documentation as part of a project.
Other Notes and Errata
We're now providing some basic web hosting for course materials and ancillary downloads. We also recently purchased a Meeting Owl (its roost is in Speitel, but it can swoop to other meeting spaces as well). Faculty refresh computers have been delivered to us by DUIT, and we're about one-third done deploying them. If you are set to receive one, please make sure you schedule a time at your earliest convenience!