Episode Transcript
Brent Warner 0:00
What happens when there’s a cybersecurity breach in your LMS? Is there anything the average faculty or staff can do when it happens? We’re discussing it all in the wake of cybersecurity breakdowns across academia. This is the HigherEdTech podcast Season 7, Episode 19.
Tim Van Norman 0:28
Welcome to today’s higher ed tech Podcast. I’m Tim Van Norman, the Interim Assistant Director of Technology Services at Irvine Valley College and Adjunct Professor of Business at Cypress College.
Brent Warner 0:39
And I’m Brent Warner, Professor of ESL here at IVC. We both enjoy integrating technology into the classroom, which is what this show is all about.
Tim Van Norman 0:47
Welcome. We’re glad you’re here with us.
Brent Warner 0:50
All right, so Tim, I know you’ve been vibe coding a little bit everything going along with that.
Tim Van Norman 0:56
Oh yeah, I’m having fun. After the last episode, we talked about vibe coding, and went into Google and ai studio.google.com, and just played with that a little bit. Actually created a game for my students to play a simulation. This is build your business simulation. And then also created an accessibility trainer for people. And so, yeah, it was a lot of fun. Other people played it a little bit to try it out, see what people thought. And was I was impressed. For hour, two hours worth of work, I had something that actually I felt good enough to let somebody else look at, yeah, and that’s, that’s impressive.
Brent Warner 1:40
Yeah, that does not happen for me normally after two hours of work. But so last time when we did all that vibe coding, we were talking a little bit about one of the concerns, which is like, hey, you know, there could be ways to sneak into websites or do all these other things. And so this is my very smooth transition into our topic today, which is a bunch of news is coming out right now, especially around canvas. It’s not we can talk about it, but there have been some cyber attacks going on around canvas. There have been some cyber attacks going on in San Diego, a few other things going on in some of the academic settings. And so we are going to be talking just a bit today, some kind of, hopefully maybe put people’s minds at ease a little bit, or maybe maybe more, maybe just help you prepare a little bit as we talk a little bit today about cybersecurity, and a few things that you can do to Deal with it.
Tim Van Norman 2:38
Absolutely so as we look at cyber security, we’re not going to get into the net nitty gritty and the nuts and bolts of how to be safe and all of that stuff. Yeah, we’ll talk about it, but understand that every time we have, oh, this is how you’re can be 100% safe. You’re not so but there’s things that you can do to protect yourself. You don’t have to live in, live in a hole. You can use email. You can get on the internet and still be pretty safe. Just pay attention to what’s going on. Yeah, just like
Brent Warner 3:16
the real world, you know, it’s watch, look around, keep an eye out for things, and you’re good. So all right, so Tim, what happened here? Because I know we I’m getting all these emails on, like the in the California Community Colleges, we have the district distance ads listserv, all sorts of people are sending. They’re like, Hey, we got emails saying we’re breached. Like, we got all the what’s going on and kind of somewhat unclear. I think Canvas is trying to communicate some information around it to be a little bit more clear, but it’s this is like right now happening, right? And so there’s still some, quite a bit of missing information. So we’re kind of talking broad level. But what, what happened, you know, recently?
Tim Van Norman 3:56
So first of all, let’s start with this is what we know as of the fifth of mayo, yes, and the reason I say that is because, literally, over the last five days I have four or five days I have gotten, I don’t know, eight emails, 10 emails About this from from Canvas and from other sources. And so things will change very rapidly. But what we know as of right now, as we know April 25 Instructure experience, the cybersecurity incident, I love how, and by the way, I’m reading out of an email that I got from them, so that I’m not going to misquote something here, okay, perpetuated by a criminal threat actor. They detected the attacker on April 29 immediately revoked the access. On April 30, as the investigation expanded, they revoked additional suspicious access and addressed the underlying vulnerability. They found no indicators of on. Ongoing threat. Okay, so it looks like something happened on the 25th by the 30th, it’s over. This is what based on their statements. I’m not judging right or wrong. I’m saying that’s their statement. Okay, so what did they do? They hired a third party forensic firm to take a look and see what was going on, which is exactly what? If they didn’t do that, everybody would be going, why? Okay, okay, what are they trying to cover up? Okay? So, so that is, if they don’t say something like that, you’re Wait, what’s going on? They notified law enforcement. Well, that’s good, because that’s actually a legal requirement whenever there’s a risk of purpose stuff that it’s got to be noted. A lot of people got to be notified, so including the FBI, US cyber security, CISA, it’s an infrastructure security agency, Ed and wait, lots of different people, law enforcement were notified, right? They disabled some compromised accounts, revoked all associated access token and tokens. Then they fixed what they think is wrong, and then they rotated what’s called internal keys and restricted token creation across the platform. So what does that mean?
Brent Warner 6:13
Yeah, we need the little like the simpletons guide to tokens and keys. What does that mean?
Tim Van Norman 6:18
Yeah. So when, when we install a new LTI. So think a publisher, think turn it in. Think anything that gets added into canvas that’s called an LTI,
Brent Warner 6:33
like your Google assignments, etc.
Tim Van Norman 6:35
Yes, if you’re familiar with API’s, it’s the learning equivalent of that. So it’s, it’s a tool that integrates into Canvas. When you, when we install that, we use what’s called a key, a developer key. To do that, it also creates a token. And basically, tokens allow that you don’t have. Nobody has to every time they’re going to run turn it in. They don’t have to log in to turn it in and then upload a student submission and log in to turn it in and download the the the grade. You don’t have to do that every time it’s through a system called tokens. Okay? And so what they did is they with the keys and tokens, they disabled a bunch of them. And so it meant that, for instance, for me, my class that I teach at Cypress, Cengage, I use Cengage, which we’ve talked about, and so I had to go back in on Saturday morning and reestablish the connection to Cengage. And all the assignments worked. Everything worked. It was not a big deal, okay? So this day I had to log in again.
Brent Warner 7:47
This was you were affected by this same breach, though, and this was a disconnect. So Canvas went in and kind of said, Hey, we’re rotating these tokens. We’re swapping these things. So your only responsibility to fix that was basically to go in and click a reconnect button, right?
Tim Van Norman 8:05
And by the way, that was not for everybody. A lot of people did not have any problems at all. Okay. Some people also had problems with turn it in that we heard about as an ancillary thing. So I looked in my class, turn it in was fine. I looked in other people’s classes, turn it in was fine. So there’s it was kind of like, oh, there was a hiccup in Canvas. Reconnect, okay, it’s working next.
Brent Warner 8:32
So almost to the point where, if you weren’t told it was a cyber security incident, you would just be like, oh, there’s just a glitch at some level.
Tim Van Norman 8:41
And by the way, I wasn’t told. I didn’t know there was a cyber security incident when I heard about it in the first place. Yeah, okay, so, so, yeah, it didn’t. I said, Hey, you know, contact the publisher, and then it went away. So I’m really comfortable that that it didn’t make major disruptions for people. Now, is it possible students weren’t able to submit homework during that time? Well, if something’s disconnected, yeah, that can happen. Yeah. So does it mean that it’s completely innocuous, nothing happened? No. But also it doesn’t mean that the world is falling apart.
Brent Warner 9:19
Yes. Okay, so, so maybe, you know, take a breath when you see these news announcements. Step back a little bit. You know, of course, reach out if you’re not at IVC, if you’re somewhere else, reach, you know, reach out to your it, or look out for, you know, emails or whatever else it is. But if it was super serious, the contact would be quite, very different, quite different, right? And so this is kind of more almost like they’re almost reaching out and kind of like business terminology, language. And so because of the way that it’s positioned as kind of professional and clear, and like all these things, it’s almost like, Okay, this is, I mean. It’s a problem, but it’s not a big deal, I guess, right?
Tim Van Norman 10:04
And understand that like Canvas in their communication, one of the lines that they kept saying is there’s nothing you need to do. Okay? It wasn’t you need to contact your police department. It wasn’t you know, you need to change all your passwords. In fact, it lists the things that were compromised and were not so, for instance, some of the things that were not compromised was passwords. Well, at our institution, we don’t give Canvas passwords anyway, so we have to log in through MFA, single, single sign on SSO, MFA, lots of those terms. Basically it means we keep the password and we just send it a token and say, Oh yes, this this person’s valid. This is Tim Van Norman. This is Brent Warner. That’s all it not knows. Passwords go back and forth.
Brent Warner 10:55
It’s a good reminder, because I think a lot of us, you know, at IVC anyways, it’s like, we feel like we log into Canvas multiple times every day, whatever else it is, but really we’re logging into IVC’s page. And then IVC’s page is the one that says you have the right to access this site, right? And so that is a different thing than logging directly into Canvas.
Tim Van Norman 11:18
Correct, correct. Another thing that it said is no financial information, no social security numbers and stuff like that, were compromised. Well, you wouldn’t know it necessarily, but from our perspective, we don’t give canvas that information, so there’s no way that it could have been even if they had said, Oh, this was compromised. I don’t know how it could have been. It wouldn’t have been from us. Meaning, there is no place in Canvas that I have seen that your social security number, Brent, or my social security number is in Canvas at all.
Brent Warner 11:53
So it’d be like, it’d be like, me, my house gets broken into, and I say, no gold watches were stolen. And I’m like, Yeah, I don’t have any gold watches, but they weren’t stolen, right? So it’s good, you know? It’s like, it’s kind of a, you know, I mean, and that might be different for different people, right? Or different schools, or however they’ve got their information running in through things. So again, you know, your IT team will know. But maybe some of the things that get your, you know, put your hair up on end and make you worried about things are not necessarily applicable to your situation, right?
Tim Van Norman 12:27
They did talk about, and I don’t want to minimize this, because they did say that names, email addresses and student IDs were potentially compromised, and then also that some messages,
Brent Warner 12:45
okay, well, that, I mean, that is plenty of PII.
Tim Van Norman 12:48
That’s not – I’m not like I said. I’m not trying to minimize this, but just when you get these messages read through them and even ask, Do they even have this information? Okay? Because a lot of places will say we, we did not have this, like you use the example of a gold watch. There were no gold watches stolen from my house. Well, that would be really difficult to have a gold watch stolen from my house, because I don’t have any. And so just understand that. And by the way, that’s a lot of times, because we don’t want to give that to them. There is no need for a social security number to be in Canvas. Yeah, for us. So it’s things like that that that just be aware as you’re reading it. Yes. So they have asked institutions to make sure that you have that MFA higher level of security on all privileged accounts, security and privacy and legal teams review the organization’s own notification obligations under FERPA. So hey you you might have to notify people that’s for your legal department to take a look at, and then watch for their follow up organization specific information. So basically, they’ve let the world know that there was a problem, and then they’ve said, hey, if we found a problem with your institution, we will contact you directly and let you know. Okay, so that’s it’s their way of protecting themselves as well as us. So at this point, like I said, as of, you know, Cinco de Mayo, we haven’t gotten notified, notified that our information was in any way, any way affected. So doesn’t mean it wasn’t, I’m just saying that as of right now, there hasn’t been a notification. So to us, yeah, other institutions likely have been notified or will be notified very shortly on that, because they want to protect us as well. Yeah.
Brent Warner 14:52
So, I mean, it’s in their interest to make sure that that you’re okay too. So okay, so there’s a you. Know, I mean, if we’re looking at all of this like it’s really good to know all this information, but this particular case, you know, maybe depending on different groups and things, but it’s not, it’s not the concern that might be showing up, you know, across some of the listservs, or across, you know, maybe social media people are posting about it, or whatever else it is, right? So just, you know, take, take a breather on it. Not good to have the personally identifiable information taken. Of course, as you said, and it might not be the end of the world that you know, for better or worse, that type of information gets breached from many different companies all the time. And so, you know, we see those things with like the target and the blah, blah, blah, you know, like all these different ones. So, okay, so Tim, but what else is going on here? Because it’s not just this, this attack, right? There are other issues going on. So let’s take a little look at San Diego.
Tim Van Norman 16:02
Yes, so San Diego Community College District, as of, I don’t know, a few hours ago, as we’re recording they’re fighting a major cyber attack. It started basically it looks like on on Saturday, and now we’re recording this on Tuesday, and so just to give you some perspective there this particular cyber attack, they haven’t given much information. We have a link to the San Diego Union Tribune. So this, we’re not sharing any information that isn’t available for public knowledge on this or anything like that. But the reality is that there, there’s been a lot of different things going on in different areas. This particular cyber attack, the campus remains open. Nearly all classes are continuing as scheduled, but it is affecting a lot of the digital content, and so they’re trying to figure out what’s going on, how to stop it. There’s not a whole lot of information really known at this point. It looks like it’s really well organized, and unfortunately, you know, it’s things like this that we’re all in technology highly concerned. What does this mean? An attack? I mean, the reality is that we, to a certain extent, get attacked every day. What does that mean? People try to break into different people’s passwords. We block it. People try to send spam messages in we block those. There’s a lot of things like that that happen literally every single day, so that’s one side. But that said that also means that we as consumers, we as employees, we as students, we need to pay attention to what’s going on and what we can do to try to minimize the effects of something like that for ourselves. Yeah, yeah.
Brent Warner 18:10
So and, and those are good, right? Like, you know, that’s what we want to be doing. We want to make sure that we’re, you know, again, same, same type of thing. It’s like, hey, there’s definitely something going on inside of here. This one is a different setup. And so you might see, you know, they’re going to the admin up there. Or, you know, the the district offices are really going to have to deal with that a lot. The average teacher probably not have to worry about it so much.
Tim Van Norman 18:37
Yeah, and they’ve, they may do things like shut down internet access for a little while, or or stuff like that, which, by the way, does provide disruption, whether you’re in person or online. If you’re in person and you’re relying on google, google slides presentation to present and all of a sudden your internet goes down. Yeah, your internet’s down. You don’t have a Google slide presentation, so like,
Brent Warner 19:03
you have old episodes on what to do when the internet goes down. So
Tim Van Norman 19:07
Yes, we do, absolutely – and like I said, we’re not trying to minimize but also be aware that internet can go down for a lot of different reasons, not related to a cyber attack. Yeah, yeah, too. So okay, so just pay attention.
Brent Warner 19:23
Yeah, yeah. So paying attention kind of watching things out. Is there anything that the average teacher, or you know, staff member who’s accessing Canvas for, if we’re talking about Canvas anyways, is there anything that they can or need to do like in terms of just like, Can you be more proactive in terms of protecting your in yourself, or what’s going on in your Canvas course? Or are you just kind of like, hey, if it happens, it happens. There’s not much else we can do.
Tim Van Norman 19:55
So I would say, not just in your Canvas course, but in your life. Pay a 10. Attention to communication that you receive that you did not expect to receive. Mm, okay, well, what do I mean by that? If you get a an offer from a Nigerian Prince of $10 million if you simply send them a link to your your account probably not something you’re expecting, and therefore probably something that is going to harm you. So pay attention to those types of things. If something doesn’t make sense, ask questions. By the way, don’t reply to emails. If the email doesn’t make sense to you, send an email directly to the person, and here’s what I mean. So I actually had this happen to me and that I was a, this is a few years ago. I was a a treasurer for a club. And the, supposedly, the president of the club, sent me an email saying, Hey, we I need to spend 750 bucks on this thing. You know, can you go ahead and wire the money to to this account so that we can spend money on it? And I went, Okay, why? And I replied. And then when I got a reply back, I looked and I realized it was not from that person. And so then I had fun, actually, and and the same thing happened again, a year later, exactly the same, everything. And so then, of course, I really was paying attention. But it can happen to anybody where you look at it and something, something doesn’t look quite right. So ask those questions and see who really replies. Ask them a question that maybe doesn’t make any sense to anybody except that one person
Brent Warner 21:59
or text them separately, if you can
Tim Van Norman 22:01
Text them separately – absolutely anything that will make sure it validates that this is real. And by the way, if that, if you have nothing to do with that. Anyway, I was a treasurer, and so asking me for money was a possibility, but there was a whole procedure to go through, and this person had not gone through that procedure. Yeah. So, you know, kicking stuff back meant that it put enough delay in that I was able to check it out and find out that, no, this was not a real a real incident. So pay attention to that type of thing. If something looks off, it probably is. Another one is, watch what information you give out. Yeah, you it might be, some people are extra cautious about it. I’m not going to give out my email address. Well, okay, that might be something that you do need to give out to things, but you don’t necessarily need to give out every email address. I’ve known people who create a separate email address just for all of the things that they have to sign up for. And you know, you have to have an email address to get into this account. And so they’ll create a completely junk email address that they never check, and that one’s their public email address that everybody gets, and then they have their own private email addresses. That’s a great thing to do. Anything that separates you a little bit from the data and the day to day tools, the day to day things that you don’t need a real email address for. I don’t understand why you have to have a real email address for. I don’t know every website I go to in order to find out information. Like, yeah, it doesn’t matter to me. I don’t need that. I don’t want them contacting me. So do think about how often you’re giving out personally identifiable information, and especially information that really could wind up being useful to somebody if they knew it.
Brent Warner 24:05
Yeah, I like it. So a couple different ways, basically, essentially, you’re saying homemade two factor authentication, right? Like, different ways of contacting people who maybe are reaching out, different ways of blocking access for yourself, right? By the way, some of these, you know, like Apple has options A lot of times to, like, use the hidden Apple email address, right? Like, they have a an option in the iPhone, if you’re you know, when you sign up for things, it’s like, do you want to use your email address, or do you want to use, like, the Apple generated one time email address that still saves unless you get information, they just kind of become a filter through and let you and then you can just choose to block it off or not. So there’s lots of different options for these types of things. But yeah, you know, if it happens at the school level, pay attention to what your team is saying. You know, follow those things this level, maybe not. The worst of all. Possible outcomes in this situation, still not great, but also not as bad as maybe some people are making it out to be. And I think that, you know, just again, we talk about these things occasionally, because it’s just important to be aware and to kind of refresh your knowledge on it, not because it’s necessarily, you know, end of days right here because of this one event, Right exactly?
Tim Van Norman 25:23
Thank you for listening today. For more information about this show, please visit our website, at tTheHigherEdTechPodcast.com
Brent Warner 25:33
as always, we do want your feedback, so please go to TheHigherEdTechPodcast.com and let us know your thoughts
Tim Van Norman 25:39
for everyone at IVC that’s listening. You need help with technology questions. Please contact IVC technical support. If you have questions about technology in your classroom, please contact me. Tim Van Norman AT T van norman@ivc.edu
Brent Warner 25:51
and if you want to reach out to me about the show, you can find me on LinkedIn at @BrentGWarner.
Tim Van Norman 25:57
I’m Tim Van Norman
Brent Warner 25:59
and I’m Brent Warner and we hope this episode has helped you on the road from possibility to actuality. Take care, everybody.
What happens when there’s a cybersecurity breach in your LMS? Is there anything the average faculty or staff can do when it happens? We’re discussing it all in the wake of cybersecurity breakdowns across academia. This is the HigherEdTech podcast Season 7, Episode 19.
Tim Van Norman 0:28
Welcome to today’s higher ed tech Podcast. I’m Tim Van Norman, the Interim Assistant Director of Technology Services at Irvine Valley College and Adjunct Professor of Business at Cypress College.
Brent Warner 0:39
And I’m Brent Warner, Professor of ESL here at IVC. We both enjoy integrating technology into the classroom, which is what this show is all about.
Tim Van Norman 0:47
Welcome. We’re glad you’re here with us.
Brent Warner 0:50
All right, so Tim, I know you’ve been vibe coding a little bit everything going along with that.
Tim Van Norman 0:56
Oh yeah, I’m having fun. After the last episode, we talked about vibe coding, and went into Google and ai studio.google.com, and just played with that a little bit. Actually created a game for my students to play a simulation. This is build your business simulation. And then also created an accessibility trainer for people. And so, yeah, it was a lot of fun. Other people played it a little bit to try it out, see what people thought. And was I was impressed. For hour, two hours worth of work, I had something that actually I felt good enough to let somebody else look at, yeah, and that’s, that’s impressive.
Brent Warner 1:40
Yeah, that does not happen for me normally after two hours of work. But so last time when we did all that vibe coding, we were talking a little bit about one of the concerns, which is like, hey, you know, there could be ways to sneak into websites or do all these other things. And so this is my very smooth transition into our topic today, which is a bunch of news is coming out right now, especially around canvas. It’s not we can talk about it, but there have been some cyber attacks going on around canvas. There have been some cyber attacks going on in San Diego, a few other things going on in some of the academic settings. And so we are going to be talking just a bit today, some kind of, hopefully maybe put people’s minds at ease a little bit, or maybe maybe more, maybe just help you prepare a little bit as we talk a little bit today about cybersecurity, and a few things that you can do to Deal with it.
Tim Van Norman 2:38
Absolutely so as we look at cyber security, we’re not going to get into the net nitty gritty and the nuts and bolts of how to be safe and all of that stuff. Yeah, we’ll talk about it, but understand that every time we have, oh, this is how you’re can be 100% safe. You’re not so but there’s things that you can do to protect yourself. You don’t have to live in, live in a hole. You can use email. You can get on the internet and still be pretty safe. Just pay attention to what’s going on. Yeah, just like
Brent Warner 3:16
the real world, you know, it’s watch, look around, keep an eye out for things, and you’re good. So all right, so Tim, what happened here? Because I know we I’m getting all these emails on, like the in the California Community Colleges, we have the district distance ads listserv, all sorts of people are sending. They’re like, Hey, we got emails saying we’re breached. Like, we got all the what’s going on and kind of somewhat unclear. I think Canvas is trying to communicate some information around it to be a little bit more clear, but it’s this is like right now happening, right? And so there’s still some, quite a bit of missing information. So we’re kind of talking broad level. But what, what happened, you know, recently?
Tim Van Norman 3:56
So first of all, let’s start with this is what we know as of the fifth of mayo, yes, and the reason I say that is because, literally, over the last five days I have four or five days I have gotten, I don’t know, eight emails, 10 emails About this from from Canvas and from other sources. And so things will change very rapidly. But what we know as of right now, as we know April 25 Instructure experience, the cybersecurity incident, I love how, and by the way, I’m reading out of an email that I got from them, so that I’m not going to misquote something here, okay, perpetuated by a criminal threat actor. They detected the attacker on April 29 immediately revoked the access. On April 30, as the investigation expanded, they revoked additional suspicious access and addressed the underlying vulnerability. They found no indicators of on. Ongoing threat. Okay, so it looks like something happened on the 25th by the 30th, it’s over. This is what based on their statements. I’m not judging right or wrong. I’m saying that’s their statement. Okay, so what did they do? They hired a third party forensic firm to take a look and see what was going on, which is exactly what? If they didn’t do that, everybody would be going, why? Okay, okay, what are they trying to cover up? Okay? So, so that is, if they don’t say something like that, you’re Wait, what’s going on? They notified law enforcement. Well, that’s good, because that’s actually a legal requirement whenever there’s a risk of purpose stuff that it’s got to be noted. A lot of people got to be notified, so including the FBI, US cyber security, CISA, it’s an infrastructure security agency, Ed and wait, lots of different people, law enforcement were notified, right? They disabled some compromised accounts, revoked all associated access token and tokens. Then they fixed what they think is wrong, and then they rotated what’s called internal keys and restricted token creation across the platform. So what does that mean?
Brent Warner 6:13
Yeah, we need the little like the simpletons guide to tokens and keys. What does that mean?
Tim Van Norman 6:18
Yeah. So when, when we install a new LTI. So think a publisher, think turn it in. Think anything that gets added into canvas that’s called an LTI,
Brent Warner 6:33
like your Google assignments, etc.
Tim Van Norman 6:35
Yes, if you’re familiar with API’s, it’s the learning equivalent of that. So it’s, it’s a tool that integrates into Canvas. When you, when we install that, we use what’s called a key, a developer key. To do that, it also creates a token. And basically, tokens allow that you don’t have. Nobody has to every time they’re going to run turn it in. They don’t have to log in to turn it in and then upload a student submission and log in to turn it in and download the the the grade. You don’t have to do that every time it’s through a system called tokens. Okay? And so what they did is they with the keys and tokens, they disabled a bunch of them. And so it meant that, for instance, for me, my class that I teach at Cypress, Cengage, I use Cengage, which we’ve talked about, and so I had to go back in on Saturday morning and reestablish the connection to Cengage. And all the assignments worked. Everything worked. It was not a big deal, okay? So this day I had to log in again.
Brent Warner 7:47
This was you were affected by this same breach, though, and this was a disconnect. So Canvas went in and kind of said, Hey, we’re rotating these tokens. We’re swapping these things. So your only responsibility to fix that was basically to go in and click a reconnect button, right?
Tim Van Norman 8:05
And by the way, that was not for everybody. A lot of people did not have any problems at all. Okay. Some people also had problems with turn it in that we heard about as an ancillary thing. So I looked in my class, turn it in was fine. I looked in other people’s classes, turn it in was fine. So there’s it was kind of like, oh, there was a hiccup in Canvas. Reconnect, okay, it’s working next.
Brent Warner 8:32
So almost to the point where, if you weren’t told it was a cyber security incident, you would just be like, oh, there’s just a glitch at some level.
Tim Van Norman 8:41
And by the way, I wasn’t told. I didn’t know there was a cyber security incident when I heard about it in the first place. Yeah, okay, so, so, yeah, it didn’t. I said, Hey, you know, contact the publisher, and then it went away. So I’m really comfortable that that it didn’t make major disruptions for people. Now, is it possible students weren’t able to submit homework during that time? Well, if something’s disconnected, yeah, that can happen. Yeah. So does it mean that it’s completely innocuous, nothing happened? No. But also it doesn’t mean that the world is falling apart.
Brent Warner 9:19
Yes. Okay, so, so maybe, you know, take a breath when you see these news announcements. Step back a little bit. You know, of course, reach out if you’re not at IVC, if you’re somewhere else, reach, you know, reach out to your it, or look out for, you know, emails or whatever else it is. But if it was super serious, the contact would be quite, very different, quite different, right? And so this is kind of more almost like they’re almost reaching out and kind of like business terminology, language. And so because of the way that it’s positioned as kind of professional and clear, and like all these things, it’s almost like, Okay, this is, I mean. It’s a problem, but it’s not a big deal, I guess, right?
Tim Van Norman 10:04
And understand that like Canvas in their communication, one of the lines that they kept saying is there’s nothing you need to do. Okay? It wasn’t you need to contact your police department. It wasn’t you know, you need to change all your passwords. In fact, it lists the things that were compromised and were not so, for instance, some of the things that were not compromised was passwords. Well, at our institution, we don’t give Canvas passwords anyway, so we have to log in through MFA, single, single sign on SSO, MFA, lots of those terms. Basically it means we keep the password and we just send it a token and say, Oh yes, this this person’s valid. This is Tim Van Norman. This is Brent Warner. That’s all it not knows. Passwords go back and forth.
Brent Warner 10:55
It’s a good reminder, because I think a lot of us, you know, at IVC anyways, it’s like, we feel like we log into Canvas multiple times every day, whatever else it is, but really we’re logging into IVC’s page. And then IVC’s page is the one that says you have the right to access this site, right? And so that is a different thing than logging directly into Canvas.
Tim Van Norman 11:18
Correct, correct. Another thing that it said is no financial information, no social security numbers and stuff like that, were compromised. Well, you wouldn’t know it necessarily, but from our perspective, we don’t give canvas that information, so there’s no way that it could have been even if they had said, Oh, this was compromised. I don’t know how it could have been. It wouldn’t have been from us. Meaning, there is no place in Canvas that I have seen that your social security number, Brent, or my social security number is in Canvas at all.
Brent Warner 11:53
So it’d be like, it’d be like, me, my house gets broken into, and I say, no gold watches were stolen. And I’m like, Yeah, I don’t have any gold watches, but they weren’t stolen, right? So it’s good, you know? It’s like, it’s kind of a, you know, I mean, and that might be different for different people, right? Or different schools, or however they’ve got their information running in through things. So again, you know, your IT team will know. But maybe some of the things that get your, you know, put your hair up on end and make you worried about things are not necessarily applicable to your situation, right?
Tim Van Norman 12:27
They did talk about, and I don’t want to minimize this, because they did say that names, email addresses and student IDs were potentially compromised, and then also that some messages,
Brent Warner 12:45
okay, well, that, I mean, that is plenty of PII.
Tim Van Norman 12:48
That’s not – I’m not like I said. I’m not trying to minimize this, but just when you get these messages read through them and even ask, Do they even have this information? Okay? Because a lot of places will say we, we did not have this, like you use the example of a gold watch. There were no gold watches stolen from my house. Well, that would be really difficult to have a gold watch stolen from my house, because I don’t have any. And so just understand that. And by the way, that’s a lot of times, because we don’t want to give that to them. There is no need for a social security number to be in Canvas. Yeah, for us. So it’s things like that that that just be aware as you’re reading it. Yes. So they have asked institutions to make sure that you have that MFA higher level of security on all privileged accounts, security and privacy and legal teams review the organization’s own notification obligations under FERPA. So hey you you might have to notify people that’s for your legal department to take a look at, and then watch for their follow up organization specific information. So basically, they’ve let the world know that there was a problem, and then they’ve said, hey, if we found a problem with your institution, we will contact you directly and let you know. Okay, so that’s it’s their way of protecting themselves as well as us. So at this point, like I said, as of, you know, Cinco de Mayo, we haven’t gotten notified, notified that our information was in any way, any way affected. So doesn’t mean it wasn’t, I’m just saying that as of right now, there hasn’t been a notification. So to us, yeah, other institutions likely have been notified or will be notified very shortly on that, because they want to protect us as well. Yeah.
Brent Warner 14:52
So, I mean, it’s in their interest to make sure that that you’re okay too. So okay, so there’s a you. Know, I mean, if we’re looking at all of this like it’s really good to know all this information, but this particular case, you know, maybe depending on different groups and things, but it’s not, it’s not the concern that might be showing up, you know, across some of the listservs, or across, you know, maybe social media people are posting about it, or whatever else it is, right? So just, you know, take, take a breather on it. Not good to have the personally identifiable information taken. Of course, as you said, and it might not be the end of the world that you know, for better or worse, that type of information gets breached from many different companies all the time. And so, you know, we see those things with like the target and the blah, blah, blah, you know, like all these different ones. So, okay, so Tim, but what else is going on here? Because it’s not just this, this attack, right? There are other issues going on. So let’s take a little look at San Diego.
Tim Van Norman 16:02
Yes, so San Diego Community College District, as of, I don’t know, a few hours ago, as we’re recording they’re fighting a major cyber attack. It started basically it looks like on on Saturday, and now we’re recording this on Tuesday, and so just to give you some perspective there this particular cyber attack, they haven’t given much information. We have a link to the San Diego Union Tribune. So this, we’re not sharing any information that isn’t available for public knowledge on this or anything like that. But the reality is that there, there’s been a lot of different things going on in different areas. This particular cyber attack, the campus remains open. Nearly all classes are continuing as scheduled, but it is affecting a lot of the digital content, and so they’re trying to figure out what’s going on, how to stop it. There’s not a whole lot of information really known at this point. It looks like it’s really well organized, and unfortunately, you know, it’s things like this that we’re all in technology highly concerned. What does this mean? An attack? I mean, the reality is that we, to a certain extent, get attacked every day. What does that mean? People try to break into different people’s passwords. We block it. People try to send spam messages in we block those. There’s a lot of things like that that happen literally every single day, so that’s one side. But that said that also means that we as consumers, we as employees, we as students, we need to pay attention to what’s going on and what we can do to try to minimize the effects of something like that for ourselves. Yeah, yeah.
Brent Warner 18:10
So and, and those are good, right? Like, you know, that’s what we want to be doing. We want to make sure that we’re, you know, again, same, same type of thing. It’s like, hey, there’s definitely something going on inside of here. This one is a different setup. And so you might see, you know, they’re going to the admin up there. Or, you know, the the district offices are really going to have to deal with that a lot. The average teacher probably not have to worry about it so much.
Tim Van Norman 18:37
Yeah, and they’ve, they may do things like shut down internet access for a little while, or or stuff like that, which, by the way, does provide disruption, whether you’re in person or online. If you’re in person and you’re relying on google, google slides presentation to present and all of a sudden your internet goes down. Yeah, your internet’s down. You don’t have a Google slide presentation, so like,
Brent Warner 19:03
you have old episodes on what to do when the internet goes down. So
Tim Van Norman 19:07
Yes, we do, absolutely – and like I said, we’re not trying to minimize but also be aware that internet can go down for a lot of different reasons, not related to a cyber attack. Yeah, yeah, too. So okay, so just pay attention.
Brent Warner 19:23
Yeah, yeah. So paying attention kind of watching things out. Is there anything that the average teacher, or you know, staff member who’s accessing Canvas for, if we’re talking about Canvas anyways, is there anything that they can or need to do like in terms of just like, Can you be more proactive in terms of protecting your in yourself, or what’s going on in your Canvas course? Or are you just kind of like, hey, if it happens, it happens. There’s not much else we can do.
Tim Van Norman 19:55
So I would say, not just in your Canvas course, but in your life. Pay a 10. Attention to communication that you receive that you did not expect to receive. Mm, okay, well, what do I mean by that? If you get a an offer from a Nigerian Prince of $10 million if you simply send them a link to your your account probably not something you’re expecting, and therefore probably something that is going to harm you. So pay attention to those types of things. If something doesn’t make sense, ask questions. By the way, don’t reply to emails. If the email doesn’t make sense to you, send an email directly to the person, and here’s what I mean. So I actually had this happen to me and that I was a, this is a few years ago. I was a a treasurer for a club. And the, supposedly, the president of the club, sent me an email saying, Hey, we I need to spend 750 bucks on this thing. You know, can you go ahead and wire the money to to this account so that we can spend money on it? And I went, Okay, why? And I replied. And then when I got a reply back, I looked and I realized it was not from that person. And so then I had fun, actually, and and the same thing happened again, a year later, exactly the same, everything. And so then, of course, I really was paying attention. But it can happen to anybody where you look at it and something, something doesn’t look quite right. So ask those questions and see who really replies. Ask them a question that maybe doesn’t make any sense to anybody except that one person
Brent Warner 21:59
or text them separately, if you can
Tim Van Norman 22:01
Text them separately – absolutely anything that will make sure it validates that this is real. And by the way, if that, if you have nothing to do with that. Anyway, I was a treasurer, and so asking me for money was a possibility, but there was a whole procedure to go through, and this person had not gone through that procedure. Yeah. So, you know, kicking stuff back meant that it put enough delay in that I was able to check it out and find out that, no, this was not a real a real incident. So pay attention to that type of thing. If something looks off, it probably is. Another one is, watch what information you give out. Yeah, you it might be, some people are extra cautious about it. I’m not going to give out my email address. Well, okay, that might be something that you do need to give out to things, but you don’t necessarily need to give out every email address. I’ve known people who create a separate email address just for all of the things that they have to sign up for. And you know, you have to have an email address to get into this account. And so they’ll create a completely junk email address that they never check, and that one’s their public email address that everybody gets, and then they have their own private email addresses. That’s a great thing to do. Anything that separates you a little bit from the data and the day to day tools, the day to day things that you don’t need a real email address for. I don’t understand why you have to have a real email address for. I don’t know every website I go to in order to find out information. Like, yeah, it doesn’t matter to me. I don’t need that. I don’t want them contacting me. So do think about how often you’re giving out personally identifiable information, and especially information that really could wind up being useful to somebody if they knew it.
Brent Warner 24:05
Yeah, I like it. So a couple different ways, basically, essentially, you’re saying homemade two factor authentication, right? Like, different ways of contacting people who maybe are reaching out, different ways of blocking access for yourself, right? By the way, some of these, you know, like Apple has options A lot of times to, like, use the hidden Apple email address, right? Like, they have a an option in the iPhone, if you’re you know, when you sign up for things, it’s like, do you want to use your email address, or do you want to use, like, the Apple generated one time email address that still saves unless you get information, they just kind of become a filter through and let you and then you can just choose to block it off or not. So there’s lots of different options for these types of things. But yeah, you know, if it happens at the school level, pay attention to what your team is saying. You know, follow those things this level, maybe not. The worst of all. Possible outcomes in this situation, still not great, but also not as bad as maybe some people are making it out to be. And I think that, you know, just again, we talk about these things occasionally, because it’s just important to be aware and to kind of refresh your knowledge on it, not because it’s necessarily, you know, end of days right here because of this one event, Right exactly?
Tim Van Norman 25:23
Thank you for listening today. For more information about this show, please visit our website, at tTheHigherEdTechPodcast.com
Brent Warner 25:33
as always, we do want your feedback, so please go to TheHigherEdTechPodcast.com and let us know your thoughts
Tim Van Norman 25:39
for everyone at IVC that’s listening. You need help with technology questions. Please contact IVC technical support. If you have questions about technology in your classroom, please contact me. Tim Van Norman AT T van norman@ivc.edu
Brent Warner 25:51
and if you want to reach out to me about the show, you can find me on LinkedIn at @BrentGWarner.
Tim Van Norman 25:57
I’m Tim Van Norman
Brent Warner 25:59
and I’m Brent Warner and we hope this episode has helped you on the road from possibility to actuality. Take care, everybody.
What happens when there’s a cybersecurity breach in your LMS? Is there anything the average faculty or staff can do when it happens? Brent & Tim discuss it all in the wake of cybersecurity breakdowns across academia.
Resources
- Tech Radar – Canvas maker Instructure reveals data breach — confirms user personal information leaked
- San Diego Union Tribune – San Diego Community College District fighting major cyberattack