Critical Zoom Updates

Dear SJSU campus community,

As we move into summer and as we’ve mentioned in previous communications, SJSU IT is implementing improvements to Zoom. As usual, we hold off on any changes through finals to minimize any possible disruption for our faculty and students. Both of the items in this email will greatly enhance the security of Zoom for our university and both will impact how you use Zoom.

Authentication with SJSU

Your Zoom meetings have passwords by default, but anyone with the meeting link can still join your Zoom. That’s fine until your link gets shared with a malicious person outside your class or meeting. This is where authentication comes in, providing an additional layer of security on top of using meeting passwords.

Zoom meetings hosted by SJSU users can now require that all attendees be authenticated through SJSU’s single sign-on. Authenticated attendees are individuals who have signed in to Zoom and been verified as valid Zoom users. For SJSU authentication, this means they’ve logged in to Zoom using the SJSU single sign-on portal. SJSU authentication is a great security precaution when everyone in the meeting or class is an SJSU. We’re implementing this setting to enhance security at SJSU. Remember to double-check this setting whenever you schedule a meeting, as different Zoom clients have different default settings.

LEARN MORE

There are a number of cases where you may not need or want to use authentication and may consider changing this setting: classes with a visiting lecturer, meetings with off-campus vendors, or collaborative research discussions with other institutions, to name a few. To read about how to change this setting, please visit our Zoom Authentication website.

This change will go live Thursday, 5/28/2020. Take a moment before then to review our Zoom Authentication website so you’ll know the extra steps you may need to take before joining a class or meeting. It’s also a good idea to give yourself an extra couple minutes before meetings and classes once this change goes live, just in case.

Zoom 5.04

Beginning May 30, Zoom will require everyone to upgrade to the newer version of their client, Zoom 5.04. This new version has a handful of new features, but most importantly it uses a more secure encryption standard.

If you’re using a university machine, then the update will be automatically installed for you. If you’re currently working remotely on a home device, Zoom will notify you of the new version and help you download and install. You can update early by visiting Zoom’s Download Center and downloading and installing the latest Zoom Client for Meetings.

You’ll still be able to use Zoom without updating, but it will launch in the web interface. Zoom on the web is much less secure and has a very restricted feature set. That’s why SJSU IT is recommending that everyone update Zoom to this new version.
Student Conduct & Ethical Development
Lastly, I want to let you all know that we will be sending an email to students shortly informing them of our university processes around disciplinary action for Zoom Bombing. SJSU IT and the Office of Student Conduct and Ethical Development have been working closely on the issue of Zoom Bombing. Our university has only had a handful of cases, a testament to the integrity of our student population.
If you have any questions about the updating process or need help, please contact the SJSU IT Service Desk online or at 408-924-1530.
Thank you,
Bob Lim
VP of Information Technology and CIO

End of Spring 2020 Update

Dear colleagues,

As we close this historic semester at San José State University, I want to thank each and every one of you for coming together to support each other and our community. I know that for many of you, the online resources you’ve been relying on to work, teach, and research for the past two months were entirely new. We all face uncertainty as we look not just into summer, but into fall as well. That’s why I want to take a moment to share and provide clarity on the technology initiatives we have implemented and will be implementing in the next couple of months to support you as we prepare for the “New Normal,” whatever it may bring.

Accelerating & Extending Strategy

For the last three years, SJSU IT’s strategy has been to enhance the mobility and agility of our university, including enabling remote learning and remote working. To continue our strategy, we’re looking to accelerate many of the programs that were in the pipeline, providing even more support for the New Normal and, more importantly, creating a realized modern digital campus.

We’re moving projects up the priority list that will help maintain safe practices once a gradual return to campus is possible. We are working on developing a queue management system that will let people get in line virtually, ping them when it’s their turn at the window, and let them step back in line. We’re also looking into virtual event platforms for all the things Zoom and Hangouts Meet just can’t do — things like job fairs, onboarding, and commencement.

Another example of acceleration is how we’re ramping up our collaboration with other departments across campus. SJSU IT recently completed Phase I with University Personnel to digitize the process for managing and storing PAF. UP can now consolidate many existing documents into a single PAF document and enable review by chairs, admins, and individual faculty online. This will eliminate rows of documents in filing cabinets that would need to be hand-carried to reviewers across campus. Most importantly, the entire process can now be done anywhere, on or off campus.

In the past few years, SJSU IT has digitized over 65% of the university’s business processes online. Our goal is to be close to 100% within the next three years. If you have more ideas for digitization, please reach out to SJSU IT at it-solution-development-group@sjsu.edu.

Enhancing Security and Privacy

Security and privacy have always been a top priority. Maintaining our security and privacy standards while faculty, staff, and students are operating from locations across the country (and internationally), on home devices and home networks, presents new challenges.

We’ve opened up the option for SJSU students to opt into Multi-Factor Authentication (MFA) through Duo. Making Duo required for all SJSU faculty and staff immediately raised the security profile of our university and added convenience by extending password renewals from six months to two years. In January 2020, SJSU was the target of a concentrated phishing attack, with over 1,600 phishing emails detected. Because of Duo, there were no incidents on our campus. Our data also shows that 630 logins from this attack were denied access through Duo. We know that turning on Duo for students will have just as profound of an impact. We’re encouraging students to sign up by going to this page.

For the 600-plus folks using the VPN to connect to campus, we will be sending out another email soon detailing new measures to enhance VPN security even more.

Customer Service

The shelter-in-place order is changing so much about where, when, and how we work, learn, and research. Just because you aren’t on campus doesn’t mean we can’t be there to help. We’re building customer service models that will enable us to support your home devices and home networks. We also want to be available when you need us, so we’re exploring options beyond our normal support hours to provide 24/7 desktop and virtual classroom support.

Zoom Security

If you have any questions about Zoom security settings, you can always call the support desk for real-time help with Zoom. If you’re looking for some extra peace of mind, sign up for our new Personalized Zoom Security Check-up. Our SJSU IT service staff will work with you one-on-one remotely to ensure all your Zoom security settings are correctly set. Once you sign up, we’ll reach out to you to set up a specific time.

We’ve updated our SJSU Zoom Security Checklist website so you can quickly check your security settings. Here are just some of the key tips:

Scheduling Hosting
The Do’s

  • DO keep meeting passwords on.
  • DO use automatically-generated meeting IDs.
  • DO keep meeting links private if your meeting is private.
  • DO control who you distribute classroom meeting join links to.
  • DO verify your Google Calendar sharing settings.
  • DO set your meeting to mute new people on entry if you’re running a large class or meeting.
  • DO enable registration if you’re running a public meeting or event.
  • DO enable the waiting room if you’re running a public event or a large class.
The Do’s

  • DO use your waiting room to welcome attendees if you have enabled it.
  • DO disable annotation in your meeting.
  • DO consider locking your meeting or class after everyone has joined.
  • DO become familiar with the security options on the toolbar.
  • DO use the “On hold” and “Remove” features when necessary

The Don’ts

  • DON’T use your Zoom Personal Meeting ID (PMI)
  • DON’T host alone if you’re running a large meeting or class.
  • DON’T enable Screen Sharing unless necessary

I’m sure you’ve all seen some of the SJSU IT communications about Zoom from the past two months. Enabling remote modalities means making sure the tools and online resources you’re using are secure as well. You may have seen that Zoom has upgraded to 5.02 and included a slew of additional security features. SJSU IT will be requiring this latest version for all SJSU-connected devices to take advantage of Zoom’s newer security encryption. SJSU IT will also be expanding Zoom’s security even further. We’re going to be turning on the option for Zoom meetings to require SJSU authentication through single sign-on. This feature will be implemented after finals have been completed.

Thank You

Thank you all for your patience as the entire university tries to move forward in a way that provides some stability. We’ll be sure to keep you up to date on what’s happening over the summer. Lastly, I want to take a moment to thank all of my colleagues in SJSU IT, all the IT staff across campus, and the multiple SJSU IT consultation boards who have helped shepherd the transition to remote modalities.

I hope you all stay safe and stay healthy.

Best regards,

Bob Lim

Vice President of Information Technology and CIO

Alert: COVID-19 Phishing Scams on the Rise

Dear SJSU faculty and staff,

The COVID-19 pandemic has impacted almost everything about our lives, changing how we work and interact every day. It’s also created a rapidly-changing environment where hackers and scammers are trying to capitalize on our fears and anxieties. Attacks related to COVID-19 started circling as early as January and have only proliferated since.

COVID-19 Phishing
The most recent trend has been focused on the upcoming stimulus package, with emails featuring subject lines like “URGENT: COVID-19 stimulus check delivery blocked. Please accept delivery here to continue with shipment.” Other recent email attempts include:
  • Posing as the government and asking you for banking information before sending your stimulus money
  • Posing as aid organizations and accepting donations, but taking your money instead
  • Sending links to “information” about COVID-19 cures/vaccines that install malware when you open them

This type of attack, called “phishing,” is an attempt by criminals to gain access to your SJSU and personal accounts. As many of you are currently working and lecturing from home, it’s especially important to be vigilant. Home computing devices and home networks do not have the security defenses of our campus network and systems. Duo Two-Factor Authentication can effectively help protect your account from these kinds of attacks. Students, faculty, and staff can also download Sophos Anti-Virus for free on home computers.

Reputable Resources
  • The Federal Trade Commission is a reputable source of information on this topic and has multiple posts about how to identify and avoid COVID-19 scams.
  • Additionally, the US Department of Homeland Security Cybersecurity and Infrastructure Security Agency and United Kingdom’s National Cyber Security Centre issued a joint activity alert titled, “COVID-19 Exploited by Malicious Cyber Actors.” The alert discusses the exploitation of virtual private networks, phishing emails and text messages about COVID-19, and websites deceptively advertised as COVID-19 sites.
  • For more approachable security awareness content, NINJIO is offering a series of 10 free videos about being data secure while working from home.

Phishing Awareness Program
You can also visit SJSU IT’s  How to Spot a Phishing Attempt page to read about our ongoing Phishing Awareness Program. As part of this program, you will periodically receive simulated phishing emails that imitate real attacks. These emails are designed to give you a realistic experience without putting you or the university at risk for a security breach. If you fall for our fake messages, there’s no judgment. We’ll just send you tips and tricks to improve your phishing recognition skills. We have run this program many times over the last few years and the response has been great.

If you ever receive a request for your login information, you can always contact the SJSU IT Service Desk at (408) 924-1530. Visit our blog or website for more information on How to Spot a Phishing Attempt or sign up for our ongoing phishing education program. You can also visit Google’s site to see how reporting phishing emails in Gmail helps prevent future attempts. For tips on how to use Zoom securely, download our Zoom FAQ PDF.

Best regards,

Hien Huynh
Information Security Officer
Division of Information Technology

Proactive Zoom Security Measures

Dear Colleagues: 

You may have read recent articles and news stories regarding security and privacy concerns with Zoom. As much of what we previously did face-to-face is now happening over Zoom, it’s important we understand what potential security issues exist within this platform, how some of these concerns may be addressed by enabling existing Zoom security features, and the new measures Zoom is taking to protect its users. SJSU IT and eCampus is committed to working with faculty, students, and staff to ensure appropriate security precautions are in place and to relaying our community’s concerns to Zoom.     

SJSU IT is actively monitoring news coverage of Zoom. Our Information Security Officer and Zoom account administrator are reviewing reports from information security researchers who have uncovered and documented vulnerabilities as they are published. We are in daily contact with other CSU Zoom administrators, Information Security Officers, and security industry leaders to ensure we understand the ramifications of any issues.  

eCampus and SJSU IT Resources
SJSU IT and eCampus have created an extensive Zoom FAQ, available here, answering questions found on various websites and forums. Ongoing training for Zoom is available from eCampus and within the next few days. eCampus will also be rolling out new training for faculty on Zoom security, privacy, and the Do’s & Don’ts of working with Zoom. We’re also sharing a quick-reference Do’s and Don’ts sheet.

SJSU IT Proactive Changes to Zoom Defaults
To improve overall Zoom meeting security and control who joins a Zoom meeting, we will be changing the default setting to only allow authenticated users to join meetings. This will require all participants to authenticate to SJSU Single Sign On before entering a meeting. Hosts will be able to change this default setting to not requiring authentication when scheduling a meeting with external participants. Please look for a message in the next few days with additional details and the specific date this change will be made. 

Zoom’s New Security Toolbar Icon for Hosts
Meeting hosts will now see an option in the Zoom meeting controls called Security. Visible only to hosts and co-hosts of Zoom Meetings, the new Security icon provides easy access to several existing Zoom security features. The Security icon replaces the Invite button in the meeting controls. The Invite button has been moved to the Manage Participants panel, and hosts can add additional guests there. This new icon will help hosts quickly find and enable many of Zoom’s in-meeting security features.

Zoom toolbar with new security button

By clicking the Security icon, hosts and co-hosts have an all-in-one place to quickly:

  • Lock the meeting
  • Enable the Waiting Room (even if it’s not already enabled)
  • Remove participants
  • Restrict participants’ ability to:
    • Share their screens
    • Chat in a meeting
    • Rename themselves
    • Annotate on the host’s shared content

Google Hangouts Meet Added to Canvas
In order to provide our faculty with additional options who are hosting small-session discussions, eCampus and SJSU IT have enabled Hangouts Meet as an option in Canvas.

It is also important to note that the Chancellor’s Office carefully assessed Zoom’s security provisions during the procurement process and ensured that the systemwide contract prohibits the company from selling personal data from any member of our CSU community. Based on what is known today, the Chancellor’s Office does not perceive that Zoom puts students’ staff or faculty members’  privacy at risk when used with good practices.   

While we use Zoom as part of our CSU-provided and vetted set of online tools, we are not advocating for Zoom. It is up to individual community members to decide if Zoom is the appropriate tool for their needs. To assist you in making this important decision, SJSU IT has developed and shared a frequently asked questions and answers document relating to Zoom use, privacy, and security and will keep you up-to-date on any Zoom issues that may impact our SJSU community. If you have any questions, please do not hesitate to reach out to us.  

 

Best regards, 

Hien Huynh
Information Security Officer

Simon Rodan
Professor, College of Business, Statewide Senator and liaison to the statewide Information Technology Advisory Committee  

Bob Lim
VP Information Technology and Chief Information Officer 

Ahmed Banafa
Cybersecurity Expert and Faculty member at the College of Engineering

Leslie Albert
Associate Professor, College of Business, Director of the Center for Organizational Resilience

SJSUOne Password Extension with Duo – It’s Free

We’ve heard the feedback from faculty and staff about password security and have made changes to how often password renewals will be required. Starting with our initial pilot rollout, if faculty or staff have Duo Two-Factor Authentication (2FA) active on their SJSUOne account, their password won’t expire for two years. That means no more email reminders every 180 days and no more locking yourself out when you inevitably forget it the next morning. Our goal is to always find technology solutions that add more value — that’s the competitive advantage that SJSU IT offers.

Two-Factor Authentication adds a second layer of security to your SJSUOne account. By verifying your identity using a second factor (such as a key fob or your mobile device), 2FA makes it much more difficult for anyone else to log into your account, even if they know your password.

Signing up for Duo is easy and free. Learn more about Duo 2FA and fill out the registration form on our Duo@SJSU webpage. We’ve already made enrollment mandatory for university staff, and we’re aiming to have all faculty enrolled in Duo by December 1, 2019.

We greatly appreciate everyone’s diligence and support in protecting our students’ data and enhancing the security of our campus. Thank you for your continued help and support.

Thank you,
Bob-