IT Security Newsletter

See how easily your network can be hacked – 10/22/18

With more and more of the devices in our homes connecting to the internet come more and more ways for criminals to hack your home network. To show just how easy it is, CBC’s Marketplace teamed up with some white hat hackers and hacked into the home networks of several Canadian homes. When homeowners were shown how vulnerable their privacy and their networks were, they were shocked and disturbed. Watch the episode and see how easily your network can be hacked and what you can do to prevent it.

Scammers using voicemail to steal WhatsApp accounts – 10/17/18

 

 

Armed with nothing more than your phone number, criminals can steal your WhatsApp account.  How? By registering your phone number on their phone. Here is how it works.

First the attacker makes a request to have your phone number registered to the WhatsApp application on their phone. When WhatsApp receives the request, they text a verification code to your phone.  The scammers make their request in the middle of the night or when you are on a flight so you don’t see the verification code. With the text not answered, WhatsApp offers to read out the code and leave it in a voicemail.

If your cell phone carrier has a default password set up for voicemail and you have not changed it, the criminal simply enters the default password and boom…they can hear the verification code. Once they enter that code, the account gets transferred over to their phone. The attacker then sets up two-step verification on the account and you have no way of getting it back.

The moral of the story: set a strong and unique password for your voicemail. While you are at it, do that with all your accounts.

 

Adobe Flash update also installs malware – 10/17/18

 

 

Criminals have been disguising malware as Adobe Flash updates for a while now. They are quite fond of compromising a legitimate website with a fake update pop-up. Now there is a new twist on this old tactic. If you choose to install the fake update, it actually does update Adobe Flash; however, a cryptominer comes along for the ride.

Because the software does what it says it will do, most people don’t notice what is going on in the background. This allows the malware to go undetected. It isn’t until a few days or weeks have passed and the user finally gets fed up with their slow machine that the malware is discovered.

To avoid fake software updates, remember to visit the application’s site directly for downloads or select “check for updates” from the software’s menu. Those pop-ups that appear while you are browsing are often loaded with malware.

 

Hack the Box a blast!! – 10/16/18

 

Tuesday we had our first Hack the Box event. It was a blast!! The teams were neck and neck for most of the challenge. In the end they finished in under 20 minutes and within a minute of each other.  Both teams walked away with swag, contest codes and smiles.  It was a nice way to take a break in the day.   Oct 25 is your last chance to register for this fun event.  Get together your team of four and register today!!

 

The Cyber Security Challenge contest entry code for this week is s3lwn5tr.

Must read – changes to Google Team Drive permissions – 10/11/18

 

 

This week Google rolled out the first of two changes to the Google Team Drive permissions.  The names have been changed.  The new names and their permissions are:

  • Manager = full access
  • Contributor = edit access
  • Commenter = comment access
  • Viewer = view access

Please check your Team Drive members list and ensure that the new permissions are correct.  After the name change, I found members who previously had only edit access were  given Manager or full access to the drive.

This week’s contest entry code for the Cyber Security Challenge is w2snl4tr.

The Cyber Security Challenge Weekly Update – 10/05/18

We have come to the end of the first week of competition. Poor weather and the upcoming holiday have meant a slow start. However, we are starting to see entries trickling in. Facilities Management is in the lead as Building Operations has been rallying their team. They are working hard on upgrading our little Golden Superhero Award (photos coming soon) and they really want to win it.

Neck and neck are Support Services and Academic Administration in second.  I like to think I had something to do with that.  I made it very clear in the last IT Services department meeting that the trophy was uber cool.  I also pointed out how embarrassing it would be to not make a respectable showing on the Leaderboard.  My team responded.

I would like to thank everyone that braved the weather and came out for the Summit. I emailed codes to those who registered.  If you just dropped in and didn’t register, email me to receive your code.  I know who attended, so don’t try and snow me into saying you were there if you weren’t.  If you were unable to catch the Summit talks, I will be posting the recordings on the Summit web page.  I will let you know once they are up.

Lastly, don’t forget to get your team together for Hack the Box. I am canceling Oct 9th’s event due to lack of registration. However, the Oct 16 and 25 time slots are filling up. Book before it’s too late. You don’t want to miss out on a contest entry code.

Happy Thanksgiving!!

Fake sites use HTTPS too – 10/04/18

 

 

As the holiday season approaches, people around the world are getting ready to cruise the internet looking for great gifts at bargain prices. As you do your online holiday shopping, keep in mind that a site labeled HTTPS guarantees only that your data is encrypted as it is transmitted between your computer and the web. It does not guarantee that the site is legitimate.

Criminals have gotten wise. They are now registering their fake web sites so they are tagged as HTTPS.  So now instead of having to worry about your credit card information being intercepted as you purchase the iPhone XS Max for the unbelievable price of $300.00 USD, you can be confident that only the scammer is receiving your data.

So how do you know that a site is legitimate? Stick with retailers that you have used in the past and access their web sites using a bookmark or search result.  If you receive an email with an offer, don’t use the link in the email.  Visit the website directly.

If you are using a new retailer:

  • Check reviews first.  Avoid retailers with large numbers of complaints that haven’t been resolved.
  • Always pay with a credit card or PayPal so you have a method of recourse should things go wrong.
  • Remember to read all the terms & conditions of sale.  Know if they have a return or exchange policy.

Lastly, remember…if it is too good to be true, it probably is a scam.

 

Facebook is abusing your phone number – 10/04/18

 

 

All of you who have been on the ball and enabled two factor authentication on your Facebook account are about to get really annoyed. Some researchers have discovered that the same phone number you gave Facebook to secure your account is being used to target you with advertising.

When Facebook were called out on the practice, they defended it by suggesting users could simply turn off two factor authentication and opt out of the data sharing.  I know what you are thinking. You shouldn’t have to choose between privacy and security. Fortunately, there is a better solution. In May they released a feature called Code Generator.  It allows you to use two factor authentication without using your phone number.

If you are currently using your phone number for two factor authentication on your Facebook account and don’t want it used for targeting ads, I suggest you switch to the Code Generator. The added bonus: it works even if you don’t have text messaging or an Internet connection available.

This week’s contest entry code for the Cyber Security Challenge is n1wsl4tr.

 

The Cyber Security Challenge is a Go!! – 10/01/18

 

 

It’s October!!  The Cyber Security Challenge begins today!!  For the next 30 days, Mount Royal employees will be attending events, completing training, visiting websites and reading cyber security resources to find the contest entry codes.  Each code is one entry into a draw for a $250 Best Buy gift certificate courtesy of Cisco Systems Limited.  One lucky person will take home the gift certificate while one hard working team will be awarded the Golden Superhero Award!

You can earn contest entry codes by:

  • Reading the IT Security Newsletter every week
  • Attending the Cyber Safety Summit (one code for each talk)
  • Attending the screening of the Cyberwar Threat
  • Participating in Hack the Box
  • Reading the Cyber Security Survival Guide
  • Visiting the General Security Tips page on mru.ca/itsecurity
  • Completing online Security Awareness Training (check out the updated content)
  • Attending a Security Awareness Workshop (we have 30 min mini-workshops too)

To make things even more fun, the Cyber Security Challenge Leaderboard will be updated by 10:00 am each day with the previous day’s totals. Check the leaderboard daily to see how your team is doing. Not sure which is your team? Check out the Team List.

The contest closes at 4:00 pm on Oct 30.  The draw for the gift certificate will be on Oct 31 at 11:00 am.  The gift certificate winner and the winning team will be contacted by phone and will have their pictures posted on the IT Security Website.

May the most competitive team win!!

 

 

Facebook breach – log out of your account – 09/28/18

Today Facebook announced that they have discovered hackers have stolen 50 million access tokens. These tokens allow the hackers to take over an account without having to log in with a password. The hackers did it by taking advantage of a vulnerability in the View As feature that allows users to see what their account looks like when viewed by others.

To solve the problem, Facebook has logged out all the users who they believe were affected and disabled the View As feature. As often happens in these types of breaches, there is a possibility that at a later date they may find there are more people affected than originally thought.

To be on the safe side I suggest that you log out of Facebook by going to Settings and selecting Security and Login. There you can log out of all your devices at once with a single click. Alternatively, this might be a good time to get rid of Facebook altogether.