Students and faculty adjust to multi-factor authentication on Moodle

As the fall semester begins, many will be introduced to the new sign-in system

While new and returning students will adjust to the new log-in system in the fall semester, the summer semesters offered others some perspective into MFA’s accessibility and utility on Moodle.

Multi-factor authentication (MFA), a cyber-security tool which provides alternative verification factors to a user’s log-in information, has been in mandatory service on Moodle since the end of the winter semester. 

“Anytime I’d open Moodle on the computer for exams, or every time I go to a new tab, it asks me [to log in] every time,” said Dom Doesburg, a third-year computer science student at Concordia. “And going back and forth and having to do it each time, it gets frustrating.”

Having spent the summer taking classes, Doesburg acclimated to authenticating his log-ins, but still ran into issues on his part.

Doesburg also expressed his continued frustration with password troubles, having to reset it multiple times over the summer despite saving it on his digital keychain. This eventually forced him to reset his password three times in order to submit an assignment on time.  

“I don’t get it, nobody’s going to log into my Moodle and submit things for me,” he said. “And if they do, frankly I’ll be happy.”

Although Doesburg sees the value in protecting private information on other Concordia services such as the Student Centre, he finds the extra layer of security unnecessary for Moodle.

On the other hand, however, students like Julien Prenevost find the extra measure justifiable. “I’ve got my phone on me 99 per cent of the time, so it’s never been an issue for me,” said Prenevost, a third-year student in sociology. “It’s a nice layer of security and it makes you worry less.”

Prenevost took courses during the summer while working in IT. He said that MFA is familiar to him, as he’d use it at his work frequently.“It just makes sense for Moodle,” he added. “There’s a lot of important documents, and if someone hacks it, well, they could steal them and plagiarize you.”

Despite the ease of access, Prenevost mentioned that an alternative method of authentication to  mobile devices should be offered—- an idea echoed by Ivan Pustogarov, assistant professor at the Concordia Institute for Information Systems Engineering.

“The problem here is that students don’t have enough options to choose their own tools to get [authentication],” said Pustogarov. “From my perspective as well, I’ve wished many times I could just use my computer.” 

Pustogarov is no stranger to cybersecurity, as it’s his main field of research. He explained that MFA is often used to counteract weak passwords which might otherwise be vulnerable to hackers.

“The goal is additional protection […] to decrease the possibility of password stealing attacks,” Pustogarov said.

As an alternative to authentication by mobile phone, Pustogarov suggested implementing recovery codes. These codes would be provided to users upon initial registration to Moodle and kept in case they don’t have access to their phone.   

Concordia’s MFA system is applied through Microsoft, similar to school emails. As such, the first method of authentication is done through the Outlook application.

If the user does not have their phone, the IT service page for MFA provides a guide to log into Moodle and related services. This includes downloading the Authy app, which provides the user with a generated code accessible through any computer. However, in order to activate Authy, a mobile phone is still required. 

As the need for more versatile cybersecurity grows, Concordia is following suit and adapting— even if that means testing our patience.


ConUHacks: coding competition at Concordia sponsors protection against cybersecurity

The Communications Security Establishment was looking for top coders last week at ConUHacks, as risks to cybersecurity increase

Coders from all ranges of experience filled the halls of Concordia’s JMSB and Hall buildings to compete in HackConcordia’s annual hackathon, ConUHacks. The event was host to many sponsors who planted respective booths to receive and recruit promising talent or “hackers.” 

The event was established by Terril Fancott, a computer science and software engineering professor at Concordia, who passed away in 2020. HackConcordia continues to host the hackathon in honour of his memory. 

A hackathon has teams of coders programming a project in a set amount of time. At ConUHacks, participants had 24 hours to finish their work and impress the judges to potentially win prizes. 

This year, the event had the most participants since its start in 2014, with over 800 applications.

However, the presence of the Communications Security Establishment of Canada (CSE) at the event was more than just for recruiting top coders. As  people continue to crowd the internet with their personal information, the CSE hoped to raise awareness of  cybersecurity threats.

Vatsa Shah, co-president of HackConcordia, said students interested in working for the CSE were encouraged to complete their sponsored challenge. Teams that could design programs around cybersecurity — for example, apps that could test password security — would be eligible to win extra prizes. Most importantly, they’d catch the attention of the CSE’s recruiters. 

“The experience they might gain here, that translates to real life,” said Shah. “Pushing to the limit, with challenges they can only get here.”

In a recent article by the CBC, head of the Canadian Centre for Cyber Security Sami Khoury advised to be more cautious than ever when posting personal information online. Khoury singled out TikTok as an application that caught the organization’s attention. 

Darren Holden, a software developer for the CSE, said that his team works towards building and maintaining applications that block malicious domains from Canadian networks. Although Holden couldn’t speak to specific threats on TikTok, he advised caution when using social media. 

“There’s always potential for harm due to poor cybersecurity,” Holden said. 

Holden encouraged those who are concerned about cybersecurity threats to visit the Canadian Centre for Cyber Security advisory website, which offers advice to users on safely using the web. 

The hackathon also gave novel coders the chance to gain experience in a setting that offered new challenges.

Nicolas Pop, a second-year computer science student at Concordia, took advantage of ConUHacks to hone his skills in A.I. programming. He recognized the importance of cybersecurity and expressed interest in applying to the CSE. 

“As we move towards a society that practically lives online, we need to protect the vital information being stored,” said Pop. Although his knowledge of coding for cybersecurity was limited, he took the opportunity to speak with recruiters and further immerse himself in a new field.  

Although he didn’t win, Pop aims to practice his skills to program a project of better quality next year. 


Concordia to co-lead new $160-million Canadian cybersecurity innovation network

How five Canadian universities are paving the way towards safer data and cyber-infrastructure

The Government of Canada recently announced that they will award $76.4 million over four years to the National Cybersecurity Consortium (NCC), with additional funding bringing their total initial budget to $160-million. The NCC is a federally-incorporated non-for-profit partnership that was founded in 2020, which includes five Canadian universities: Concordia University, Ryerson University, the University of Calgary, the University of New Brunswick, and the University of Waterloo. It is intended to be a world-class cybersecurity innovation and talent development network.

This announcement came during a critical time when cybersecurity is being placed at the forefront — it is currently being used as a defense against cyber attacks and part of numerous military operations.

A few weeks before the invasion of Ukraine by Russian military forces, Global Affairs Canada suffered a cyber attack. Canada’s cyber security agency speculates that the attack could have been from Russian or Russian-backed hackers. Mourad Debbabi, a Concordia University professor affiliated with the Concordia Institute for Information System Engineering and the director of Concordia’s Security Research Centre, emphasized the importance of such funding.

“It is everywhere; most companies have digitization and automation initiatives. One of the key factors for the successful deployment of technologies is security. So what’s the point of using technology if it’s not secured? Then you’re going to lose your data,” explained Debbabi.

This seems to be a key question that has potentially been neglected by the government until recently, when recent events, such as the cyber attack on the Global Affairs agency, pointed towards these gaps. Rafal Rohozinski, principal at the SecDev Group, senior fellow at Canada’s Centre for International Governance Innovation and CEO of Zeropoint security, has warned about a future cybergeddon— a conflict or a war that would take place in cyberspace and that would complete destroy society as we know it. This cybergeddon is something many security professionals fear, and have attempted to raise the alarm and point towards strengthening our cybersecurity.

Professor Debbabi states that the solution is in the numbers — and in collaboration.

“Very often, you don’t find that many faculty members with expertise in cybersecurity within one university. You need people that have the ability to defend and protect assets in terms of data, assets in terms of services, in terms of critical infrastructure — such as government networks, internet service providers and financial institutions. This is why creating an inter-university network, it’s an extremely smart idea because we will not work in isolation,” said Debabbi.

The above statement outlines the core mission of the NCC, which is to form a national and international network of cybersecurity research. Debbabi further states that the objective of the network is to advance the cybersecurity agenda — such as the network and the partnership between the universities—  in terms of research and development (R&D), commercialization, innovation and training that is shared among the founder institutions.

“With this network, we can have a strong positive impact on cybersecurity in Canada. It will enhance the landscape of cybersecurity in terms of R&D, training, and innovation,” Debbabi explained.

“The network is giving us the means to bring together the ecosystem and instead of working in isolation, companies and universities will have the means to strategize, to work together and to define activities in these three areas.”

Photo by Catherine Reynolds


What experts think about human rights violations in China

A panel on China’s human rights violations was held in Concordia University’s Faubourg building on Jan. 15.

The experts, who were invited by the Montreal Institute for Genocide and Human Rights Studies (MIGS), expressed concerns about the Uyghur Muslim concentration camps in Xinjiang, an autonomous region in Western China. They also discussed the brutal repression in Hong Kong and Tibet, as well as China’s increasing influence on the Western world and its implication for the future of democracy.

The event took place just days after Human Rights Watch (HRW) executive director Kenneth Roth was denied entry into Hong Kong and HRW’s launch event for its World Report 2020 was disrupted by protestors, according to MIGS executive director Kyle Matthews.

“Human rights issues in China are nothing new,” said speaker Margaret McCuaig-Johnston, Senior Fellow at both the University of Ottawa’s Institute for Science, Society and Policy and the University of Alberta’s China Institute. She listed historical events such as the Cultural Revolution, the Xidan Democracy Wall, and the Tiananmen Square Massacre which she said “trampled on individual human rights in a myriad of ways.”

McCuaig-Johnston continued to explain that although China has lifted more than 800 million people out of poverty since 1978, this is not the same as ensuring individual human rights. She described how the Chinese Communist Party (CCP) uses detention as a pressure tactic against dissidents and the abusive conditions under which they are detained, which were revealed by HRW’s interviews with former prisoners. She also explained the social credit system, in place since 2014, and the CCP’s widespread interference in Western countries.

Both McCuaig-Johnston and Benjamin Fung, a Canada Research Chair in Data Mining for Cybersecurity and an Action Free Hong Kong Montreal activist, highlighted the CCP’s infiltration in Canadian academics and described the pressure on faculty and Chinese students to self-censor criticism of the Chinese government.

The CCP’s use of technology, such as facial and voice recognition for repression, was also extensively discussed by both experts. Fung additionally focused on Chinese companies’ goal to expand the 5G network––he explained that the CCP controls every large corporation in China and that technology companies are obligated to cooperate with Chinese intelligence units.

“It’s about trust, you trust Apple to update your iPhone because it is a private company,” Fung explained, adding that we cannot trust Chinese companies who would introduce malware into the 5G network if the CCP asked them to.

Fung also spoke in detail about China’s one country, two systems policy and the CCP’s broken promise: its decision to maintain control over Hong Kong’s government instead of allowing universal suffrage, which Fung asserts was promised in the 1984 Sino-British Joint Declaration. He described what he called an ongoing humanitarian crisis and a system of police brutality, lengthy prison sentences, sexual assault, and white terror––attacks on pro-democracy activists.

The situation in Tibet was discussed by Sherap Therchin, executive director of the Canada-Tibet Committee, who explained it has been 70 years since China illegally invaded Tibet, and the Western world seems to have forgotten about it. He described the CCP’s reflexive control strategy: how they have been feeding manufactured information about Tibet to target groups so consistently that the Western world now believes their narrative that Tibet was historically part of China.

Therchin continued to explain that in the Western world’s eyes, control over Tibet is now an internal issue––a problem for China to deal with without Western influence.

Finally, Dilmurat Mahmut, a Ph.D. candidate at McGill University’s Faculty of Education, talked about the Uyghur re-education camps in place since 2017. According to documents obtained through an investigation by the International Consortium of Investigative Journalists, an estimated 1 million Uyghur Muslims are detained in these camps, but Mahmut said these numbers could be as high as 3 million. He explained the history of the region of Xinjiang, originally East Turkistan, and the CCP’s labeling of all Turkic Muslims in the region as potential terrorists or pre-criminals.

Mahmut described the conditions in what the CCP calls vocational training centres, and explained that Uyghur children are being forcibly detained and sent to state-run orphanages where they are forbidden from learning the Uyghur language and, instead, only learn the Chinese culture—he called this cultural genocide. Mahmut finished his presentation with a warning from Roth on the dangers of not challenging Chinese human rights abuses and worldwide interference.


Photos by Brittany Clarke


Phishing emails circulated to Concordia students

An email was sent by Concordia University to students on Oct. 3 advising them not to open a phishing email circulating in the student community. The phishing email was sent by, according to a screenshot sent by the university.

The phishing email read: “Concordia University Latest News & Media.” A second line included a hyperlink with the words “Breaking News. Find out more.”

In its message to students, the university asked to “please delete [the email] immediately […] Phishing techniques such as this can spread viruses and malware.”

The message continued: “A recent example of the dangers of this type of email is the WannaCrypt/WannaCry ransomware attack, which paralyzed thousands of computers across the globe.”

Phishing emails and potential cyberattacks have been commonplace in Montreal universities over the past two years. Last May, 120 computers at the Université de Montréal were infected by the WannaCry virus, which encrypted copies of user files before deleting the originals, forcing people to pay a ransom to regain access to their documents.

Phishing emails were sent to Concordia University students by a fake administration email account in early October

On Aug. 31, as previously reported by The Concordian, phishing emails were also sent to McGill University students.

Cyberattacks occurred on two occasions at Concordia in the last two years. In March 2016, keyloggers were installed at the Webster and Vanier libraries. The devices allow hackers to record all the keys pressed by a person, allowing them to remember everything that was typed.

In April 2017, the university’s online course system, eConcordia, was also hacked.

Concordia President Alan Shepard told The Concordian in September that cyberattacks were a “big issue.” “We were lucky in both episodes that we didn’t have any major damage that we’re aware of,” he said, referring to the two incidents at Concordia.

According to Shepard, the university made “some technical changes to try and prevent repeats of these episodes.” The president wouldn’t disclose what these changes were.

Raymond Chabot Grant Thornton, an accounting firm, audited the university’s IT security in 2017, according to Shepard. The IT audit was part of the annual audit presented to the university’s board of governors. Shepard said the audit showed the university’s cybersecurity had strengthened.

The audit differs from a separate project Shepard described as a “large-scale review of cybersecurity.” As the The Concordian previously reported, a call for tenders was sent by the university in July through the publicly accessible Système électronique d’appel d’offre du Québec (SEAO), seeking professional services to assess the university’s cybersecurity risks. Shepard said the result of the assessment will be private.

Eight different companies bidded for the contract, including Bell Canada, Montreal-based GoSecure and Okiok Data. The value of the contract is still unknown.


Concordia looking to evaluate cybersecurity risks

Call for bids unrelated to a particular breach, university claims

Seeking professional services to assess its cybersecurity risks, Concordia University put out a call for bids on July 28, through the publicly accessible Système électronique d’appel d’offre du Québec (SEAO). Companies had until August 28 to send in their bids.

In an email to The Concordian, director of public relations and university spokesperson Mary-Jo Barr claimed the “cybersecurity risk assessment is done as a proactive measure.” She added that the university is “simply managing the information security risk that all institutions and companies are facing nowadays.” According to Barr, the assessment is “part of [Concordia’s] ongoing investment in IT security.”

The objective of the project, the call for bids explains, is to evaluate the cybersecurity risks of all faculties and departments at Concordia University. The IITS director of infrastructure and operations, Mike Babin, was not available for comment.

The scope of the project covers the administration, teaching, research centres, applications, data and infrastructures, along with the support of the latter.

In an interview with The Concordian, Benjamin Fung, a McGill University professor and Canada’s research chair in data mining for cybersecurity, explained universities have different information systems for different purposes, such as a finance system, a payroll system or a system to manage research grants. The role of an IT department, or in Concordia University’s case, IITS, is to “integrate its systems together into one big system in order to support its day-to-day operations.”

“Every system has its own vulnerabilities,” Fung said. “The most difficult part is that different combinations of these systems may create different combinations of vulnerabilities, and this is unavoidable.”

The call for bids lists three deliverables to be provided in the form of reports.

The first is an assessment of Concordia’s maturity in terms of cybersecurity — the people, processes and tools at its disposal — and cybersecurity risks. The second deliverable will require the bid winner to “define the target location in terms of cybersecurity model and architecture,” according to Barr.

The last deliverable will prioritize improvement opportunities and develop a three-to-five-year plan, including “the estimated budget and the level of effort necessary.” The document indicates the bidder will have to present its reports to Concordia’s senior management.

According to the call for bid, the winning company’s evaluation must also include interviews with the central IT department, the IT department of all four faculties (arts and science, engineering and computer science, fine arts and the John Molson School of Business), the libraries’ IT department and at least 12 of the university’s 24 research centres.

Fung said there are multiple ways outside firms can assess a cybersecurity apparatus. One of them consists of having white-hat hackers — also known as ethical hackers — intentionally break into the system to assess the risks. “They are not bad guys,” Fung explained. “They are trying to hack into the system, and then they will inform [the institution] of the vulnerability in the system.”

Another technique, according to the McGill professor, is to hire a network monitoring company to spot suspicious network traffic and inform the university. In April 2017, a job posting for a position called “network security analyst” was posted on Concordia’s website. Accoding to the job post, the employee would report to the manager of IITS’s network services and be responsible of ensuring “that network services are available on a 24/7 basis with minimal interruptions which may be caused by physical or virtual threats.”

Cyberattacks at Concordia

In less than two years, Concordia has been the victim of two cybersecurity breaches. In March 2016, keyloggers — devices that can capture keystrokes — were found on computers in the Vanier and Webster libraries. Keyloggers are able to record all the keys pressed by a person on a computer, allowing them to remember everything that was typed. In a story published on the university’s website at the time, the school indicated it was “taking proactive measures to increase security where public computer workstations are located.”

In April 2017, the university’s online course system, eConcordia, was hacked. In an email to users, the eConcordia management team wrote that “there may have been unauthorized access to the eConcordia/KnowledgeOne information system.”

About a month before, 120 computers at the Université de Montréal were also infected, in this case, by a WannaCry virus attack, which encrypted user files. According to the technology magazine Wired, WannaCry creates “encrypted copies of specific file types before deleting the original, leaving the victims with the encrypted copies which can’t be accessed without a decryption key.”

In an email to The Concordian, Barr said the call for tenders was not related to a specific issue.

One of the ways to minimize the chances of being cyber-attacked, Fung said, is to educate university staff and faculty. “Basically, tell them not to click on some [strange] emails and attachments,” he said. “The most vulnerable attack channel is always humans.”

Exit mobile version