BOB’S BACK!

It is with great joy that we celebrate the return of Bob Harrison to his role as a Tech Coach. Bob brings such great gifts to the teaching and learning process. He has reached so many students through his Tech Coach role. Now, he’s back. One of the tenets of our team is to try things out. If absolutely everything works out easily, we aren’t stretching enough. This is hard for all. I am extremely thrilled that I get the opportunity to work with someone like Bob. He has stretched and found one thing that isn’t for him. (You can head over to his Tech Coach Blog post to read his perspective).

Bob brings his passion, skills, gifts, and drive back to the Tech Coach role. Join us in a happy dance! Join us in our celebration! Join us in our Joy! Most of all, join us in challenging Bob to help students learn.

Phishing Season

Happy ALMOST Back to School.
We (and other school districts) are seeing an increase in phishing activity.
Phishing is the practice of sending out emails that purport to be from a legitimate, reputable company in order to get users to reveal sensitive information (such as passwords and credit card numbers).
We recently deleted a couple of emails received by thousands of Dearborn Public Schools members that were phishing attacks. Unfortunately, a couple of users clicked on the links and entered their information.
Protecting your user name and password is critical to the security and safety of our district. Many users have access to very sensitive data.

Tips for spotting a phishing attack:

  • Do you know the sender? Although it is easy to fake the return email address, you should still check to see if you know the account.
  • Does the language seem appropriate for the person?
  • Does something just seem “funny” about the email?
  • Hover your mouse (if on a computer) over the link without clicking on it. It should reveal the URL of where it is actually going. (So, if it is supposed to be sending you to Apple, but the URL is https://apple.scammer.com, that isn’t right).
  • Be wary of links in emails: Type links into the Location bar in your browser instead of clicking on the link in an email.
  • There is some kind of threat or urgent request in the message.
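
The hover check from the tips above, done in code: an added example (not part of the original post) that pulls every link out of an HTML email and flags the ones whose real destination is not the site they claim. The sample email, the `site` and `check_links` names, and the `evil.example` host are constructed for illustration, and `site` assumes simple two-label domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body (not a real message).
SAMPLE_EMAIL = """
<p>Your Apple ID is locked. <a href="https://apple.scammer.com/verify">Sign in to Apple</a></p>
<p>Or visit <a href="https://evil.example/login">https://www.apple.com/account</a>.</p>
<p>Support: <a href="https://support.apple.com/help">Apple Support</a></p>
"""

def site(host):
    """Last two labels of a hostname. Simplification (assumption): a real
    checker should use the Public Suffix List so example.co.uk also works."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html, expected_site):
    """Return (href, reason) for links that do not really go to expected_site."""
    parser = LinkCollector()
    parser.feed(html)
    findings, brand = [], expected_site.split(".")[0]
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        if site(host) == expected_site:
            continue  # the link really goes where it claims
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and site(shown) != site(host):
            findings.append((href, "visible text shows a different site"))
        elif brand in host.split("."):
            findings.append((href, "brand name used as a subdomain of " + site(host)))
        else:
            findings.append((href, "goes to " + site(host)))
    return findings
```

A hostname is read from right to left: in `apple.scammer.com` the owner is `scammer.com`, and `apple` is only a label that owner chose.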

Here is a Phishing Flyer with tips (reposted from a couple years ago).

Securing your accounts

There are several things that you can do to make your account more secure:

  • Be careful about clicking links in email
  • Use a passphrase manager – (this allows you to have a unique password for every site you visit) (Note that most of these are not free). 
  • Turn on 2 Factor Authentication – this will require you to receive a text message or use a known device as an extra step to log in. This means that if someone does know your passphrase, they still can’t sign into your account without that device. 
  • Be very cautious about where you are entering your user name and passphrase.
*This impacts personal as well as work email.
So, how do PHISHERS get your email? There are a couple of ways:
  • from the address book of someone who has had their account phished
  • from breaches of online services
Please note that there have been many breaches of information. Here are a few:
  • Facebook
  • Equifax – one of the sites that provides credit reports
  • Macy’s
  • Adidas
  • Sears
  • Kmart
  • Delta
  • Best Buy
  • Saks Fifth Avenue
  • Lord & Taylor
  • MyFitnessPal App
  • Panera
  • Forever 21
  • Sonic
  • Whole Foods
  • PumpUp (Fitness App)
  • And more….
Your user name and password to a variety of sites may be available to people with bad intent. The breaches above may have revealed not only your email address (which can be used in future attempts), but also your password to that account. Since many people use the same password over and over, this means that bad guys may have access to other accounts. For example, if someone@somewhere.com uses the password mydogsname for their MyFitnessPal app (which was previously hacked), they may also use that same combination for Amazon. Bad guys will attempt to use that combination on Amazon. Now the bad guys can order from Amazon and someone@somewhere.com will receive the bills.
How can you tell if your email has been breached?
Have I been pwned is a web site where you can enter an email address to see if it is available to phishers.

iLearn Question Tagging

Standards disclosed in the tag section.

We are excited to offer the ability to tag your Quiz questions in iLearn with Common Core Standards. The standards (Language Arts, Math and Science) are available under Tags in each question. You can either scroll to find the one that you want (there are an awful lot of them), or enter part of the standard (to filter) and then select. This will allow you to create quizzes with certain standards. This will also allow us to better create questions that are identified as meeting certain standards.

Required badges

Happy Summer!

Every summer, our current required badges expire on June 30th. We are currently reviewing the courses with a variety of groups to determine updates. We expect the courses will once again be available at the beginning of August.

All of us need to complete the required courses (currently there are four such courses: ADA, Bloodborne Pathogens, OCR, and Response to Bullying Behavior). These courses will be available on the MyPD site in August.

Potential SPAM email

Several people received an email that they thought was SPAM. They reached out to me to check. Here is my response:
Thank you for reaching out to me with a suspicious email. In this day and age, it is extremely important to make sure that you don’t fall for phishing attempts.
My Dad taught me long ago to “measure twice, cut once”. That advice is relevant here, check twice and make sure before you click on the link.
I thought that I would share what I look for in evaluating this email:
1. The From email address does seem legitimate. However, this is incredibly easy to mask, so not a very strong indicator of legitimacy (hover your mouse over the name on a computer)
2. A “recent change in your work status”. I haven’t had a “recent change in my work status”, so my spidey sense is starting to activate.
3. “in the Company’s benefits plans”. Wait a minute, they don’t know which Company that I work for? Spidey sense is tingling.
4. Hm. The link seems familiar. I’ll type this into a browser (NOT CLICK on the link in the email). When I do, I get an error message (This site can’t be reached…). Spidey sense is buzzing like crazy now.
5. The phone number. Hm.

6. “Your Benefits Manager”. Not a real person. I know people who work in the Benefits Department.

Given all this information, this is either an incredibly badly written email from a contractor or a Phishing Attempt (a special type of SPAM designed to steal your information).
I would mark this as SPAM and move on.

Security on the Internet

Security on the Internet is a bit like Baskin Robbins, there are 31 flavors. Only, on the Internet, there are way more than 31 flavors. One of those flavors is certificates. (This is designated by https as opposed to http.) Certificates try to make sure that you are going to the site that you think that you are going to. They do this by issuing a certificate that is installed on the web server AND registered.

Unfortunately, Symantec played a bit fast and loose with certificates. Thus, Symantec certificates are no longer “Trusted”. Any web site that uses Symantec for their certificates will now show up with the scary message that “Your connection is not private”. There will be a big button that may say “Back to safety”. (There is also an ADVANCED button (not highlighted), that will allow you to continue to the site.)

Privacy Error Message screenshot

Unfortunately, some of these are legitimate. For example, the screen shot above is from our Destiny system (Library service from RESA). This is a completely legitimate site. It is safe to visit. However, given the message above, I’m sure that most people would not go on.

We have contacted RESA to update their certificate.

Although you should not automatically trust every site that presents this message, some are OK. It is crucial to know which sites are which. Generally, if there is a concern, don’t move on.

COPPA

COPPA is a federal law that impacts Dearborn Public Schools. We must follow COPPA.

COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

So, how does COPPA impact us? Well, let’s take a look at a free resource that teachers might find useful with students. PowToon is used to create “awesome videos and presentations”. (Naturally, there is also a paid version).

However, we need to take a look at their Privacy Policy. They will note that they are COPPA compliant, because:

Our website, products, and services are all directed to people who are at least 13 years or older.

This means that students must be at least 13 years old in order to use this service, unless the school and the parents sign off on the creation of that account. Since the district would be responsible for tracking and monitoring that permission, we do not allow students under the age of thirteen to create accounts. (PowToon is one of just thousands of websites that have this requirement).

So, if you work with students who are under the age of thirteen, you need to make sure that any web services that you use are COPPA compliant. (The Department of Technology & Media Services regularly vets sites for compliance).

Online Safety and Security

Jim Fisher has a really nice write up about a potential scam. There are several good tips in his post. This also highlights the importance of being vigilant.

I recently received an email from Netflix which nearly caused me to add my card details to someone else’s Netflix account.

He did the right thing in checking the source of the email, but even that was legitimate.

“Odd,” I thought, “but OK, I’ll check.” The email is genuinely from netflix.com, so I clicked the authenticated link to an “Update your credit or debit card” page, which is genuinely hosted on netflix.com. No phishing here. But hang on, the “Update” page showed my declined card as **** 2745. A card number I don’t recognize. Checking my records, I’ve never seen this card number. What’s going on?

The crux of the scam is to create an account on Netflix and hope that the “real” owner of the account doesn’t notice the billing. However, this is just one way to potentially scam folks. This kind of information could be used in a variety of ways to scam individuals.

I don’t necessarily agree with everything that he says, (Netflix really should do a better job of confirming that you actually have control of the email account), but the message is important.

Just another reminder that in today’s world, it is truly important that you understand what is happening and why.

(*By the way, although the “dot” trick will work with generic Gmail addresses, it will NOT work with our work set up).
