Cybersecurity Blog

Keep your devices updated with the latest security patches – 01/21/21

 

 

With criminals constantly coming up with new ways to hack into our systems, keeping your devices updated with the latest security patches is more important than ever. When you are on campus keeping your workstation up to date and secure is easy.  Shut down your machine at the end of the day Friday and start it up Monday morning.  However once you are working from home and your computer is always on keeping your machine updated isn’t so straight forward.

If you are remoting in to an MRU workstation you can’t shut it down. Instead, logout of the workstation and disconnect from GlobalProtect at the end of each work day. The updates are downloaded in the background as you work. Once you log out, your workstation is automatically restarted to install them.

If you have an MRU laptop assigned to you, it is setup to automatically download updates as you work. Once the updates are downloaded you are prompted to restart your machine to install them.  As long as you don’t ignore the prompts, you are good to go. If you choose to ignore them and call the Service Desk for support, you won’t be helped until you restart your machine.

If you are using your personal computer, make sure you have automatic updates enabled on Windows/Mac OS and all your applications.  From the Windows Start menu, select Settings>Updates and security to check your Windows update settings.  On a Mac, select System Preferences>Software Update and click the Automatic Updates checkbox. Just like MRU laptops, updates are downloaded in the background and you are asked to restart your machine to install them.

Once you know what to do, installing your security patches is pretty easy. While it can be annoying, it is well worth your time. With a little bit of effort you make it exponentially more difficult for attackers to compromise your data and mess with your life.

 

Keeping voicemail safe from breaches – 01/05/21

 

 

Happy New Year!!  Another year, another security concern. This time it isn’t your email, your workstation or your smart phone. This time it is your voicemail. Hackers are taking over voicemail accounts and using them to impersonate people, make thousands in long distance calls and by-pass two factor authentication. Not only does this cost organizations but it is also embarrassing and can lead to network compromise and data loss.

To prevent this, secure your voicemail just as you would your workstation. Use UNIQUE passwords/PINs at least 8 characters long. Remember you aren’t limited to just the 6 characters we are used to using. You can use up to 64 if you wish. Also, make sure your voicemail password/PIN is not a numeric version of any of your other passwords, your age, your birthday, your pets name or any other personal information.

Lastly keep your voicemail password/PIN secret. That means do not share it with colleagues nor leave it on a post-it on your phone. Once someone has your password/PIN, they can forward calls, change your greeting, make long distance calls, pretend to be you and generally cause problems while making you the fall guy. Even if they don’t have malicious intent, once someone gets ahold of your password/PIN they may not be as careful with it as you are.

If you are away on vacation and need someone else to cover for you, record a vacation message directing people to call your substitute directly. You can have calls forwarded automatically, but if no one answers a message is left on the voicemail that received the call, not the one that the call was forwarded to. If neither of these solutions will work for you contact the IT Service Desk, they will find one that does not involve the sharing of passwords/PINs.

 

Is the etransfer notice from MRU malicious or legit? – 12/07/20

 

 

This past year, Student Fees began issuing refunds through Interac e-transfers.  Although students are notified in advance that a refund is coming, there is still some confusion about the legitimacy of these emails.

A sure fire way to ensure the refund is legitimate is to login to MyMRU and check your account balance. If you have been issued a refund, the amount will be posted there. If it matches the amount in the notification email then you know the e-transfer is legitimate.

If you are still not sure, you can email Student Fees at studentfees@mtroyal.ca and ask them if they sent you an e-transfer.

 

Password Managers, myths and misconceptions – 12/09/20

 

 

Now a days it seems like no matter what you do online, you need to create an account. With all those accounts comes the impossible task of remembering all those passwords. It is understandable why many of you (71%), are reusing password across multiple accounts. Unfortunately, password reuse leaves you vulnerable to credential stuffing.

So how do you create dozens and dozens of strong, unique passwords? The answer is use a password manager. A password manager generates, stores and autofills passwords for you. It saves you time as well as your sanity while ensuring your accounts are secured. It is a win, win. So much so that 73% of security experts use one.

Unfortunately, there are a lot of misconceptions around password managers. As a result, only 24% of non security experts choose to use one. Most of the reluctance is around convenience and security. It is generally thought that password mangers are too cumbersome to bother using and they aren’t secure anyway.  Both of those assumptions are incorrect. I am going to set the record straight by debunking common password manager myths.

Myth #1 – Password managers aren’t secure

While no application is 100% secure, the odds that a password manager would be hacked is less than the odds that the sticky on your monitor will be read.  Password managers store passwords in an encrypted file that can only be unencrypted by the password used to login to the password manager. If a hacker gains access to your password file but doesn’t have the password for it, all they will see is a jumbled mess. So unless you reuse the password for your password manager or use a weak password, the rest of your passwords should remain secure.

Myth #3 – Letting my browser save my passwords is just as secure as a password manager

Unless your browser requires you to enter a separate password to access passwords it stores then no, it is not secure. Your passwords stored in your browser are linked to your browser account. That allows you to take them with you from one device to the next. However if you forget to logout of your browser on a shared device, the next person who uses the device will have access to them.  It is frightening the number of laptops that have been returned to the library displaying the last user’s passwords.

Myth #4 – Password managers are inconvenient to use

Every password manager has different features and works a little bit differently. If you find one that doesn’t work for you, try another. Almost all of them allow you to try them out for free for 30 days. Once you find one that you like, you will find that it actually saves you time and effort. You don’t have to wrack your brain to come up with strong, unique passwords anymore, the password manager does that for you. You don’t have to enter in your login credentials anymore, most password managers do that for you. You don’t have to sort through stickies to find the right password, the password manager finds it for you. You get the idea, all the annoying things you used to have to do to login to an account, website or application are done by the password manager. It makes life so much easier.

So there you have it. Password managers are secure, safer than using your browser and convenient. Most of all they make it easy for you to have a different password for every account. Now you just have to decide which one to use. KeePass is free to download and it is on all MRU workstations. However there are other web based tools that are a bit easier to sync between your devices. You can find a list of them on PC Mag’s website. I suggest that you take a look at them, compare features and pricing and then choose one or two to try for 30 days.

Unfortunately, IT Services does not reimburse you if you purchase a password manager. However, most are very affordable and can be used by your whole family.

 

The annual cybersecurity survey – 12/03/20

 

 

This week you will have received an email asking you to complete the cybersecurity survey for 2020. This annual survey lets us know what the MRU community has learned over the past year and helps us determine the direction and focus for the year ahead.

This year the survey is being administered through the Security Education Platform. This allows us to more easily analyze the data that we collect. The survey appears in your assignment list. Although it looks like an assessment, it is not. Completion is voluntary. No one sees the individual results except the IT security team and the data will be anonymized for reporting purposes.

We want to know what your cybersecurity habits are as well as what you know. The goal is to determine if the information and tips we are giving you are helping you practice cybersafe behavior or if we need to approach things differently to provide you the support that you need.  As a thank you for helping make the program better, everyone who completes the survey by December 21, 2020 receives two contest entry codes into the Cybersecurity Challenge draw for a $250 Best Buy gift certificate.

 

Not sure an MRU email is legit? Contact the sender. – 12/02/20

 

 

With phishing attacks on the rise and everyone being vigilant sometimes legitimate communications are flagged as suspicious. This week we had a student report their e-transfer refund notification. Last month it was Cybersecurity Awareness Month notifications and the month before that it was a survey. While I am absolutely delighted that people are erring on the side of caution, I thought I would share a little tip that might make it easier to determine if a communication is official or not.

Without exception, official communications include who to contact if you have questions. There may not be a name but there will always be a department or email.  Senders know that you may have questions and in true Mount Royal University fashion, we want to be able to help. If you are not sure if an email is legit, look for that contact information. Take note of it and then search the Mount Royal website or directory to find an email that either matches the one in the message or is for the department that sent the email.

Once you know you have legitimate contact information, create a new email asking for verification that the email is official. It only takes a couple of minutes and it will get you an answer faster than if the IT security team does the same thing.

Note that I am not telling you to use the links in the email to contact the sender. That is because some emails are sent using services and the URL for the links take you to that service before you are sent to the final destination rather than directly to the intended URL.  This makes it difficult to determine if the links are legit or not. To be on the safe side, just create a new email to contact the sender for verification.

I am hoping that my little tip, will empower some of you and make you feel more in control of your inbox. That said, we will always be happy to have you report those emails that you just aren’t sure of. Keep up the good work!

 

Beware text messages promising returns from your mobile provider – 11/28/20

 

Just when I thought it was going to be a quiet week, this showed up on my phone.

 

 

Considering how much we pay for cellular service in Canada, this is a mighty enticing message.  I will admit it, I desperately wanted it to be true. I have two university students on my plan so you can just imagine what my monthly bill is. Having money returned to me by my blood sucking mobility provider is a dream. A message like that makes your whole day.

However, there is this little matter of the link…why does it have to have a link?  Crud.  Add to that the vagueness of the term mobility provider and you have a real life smishing attack.  I have to admit though,  I do love how they add the dreaded Data rates may apply in attempt to make it look official. That is rather clever of them.

I am not sure what is more annoying, the fact that I won’t be getting money back from my mobility provider or that the message interrupted my day. Okay I am going to be honest, it’s the money.  That is definitely more annoying.  For one brief moment I had hope.

Let’s take a closer look at how my hopes dissolved into wisps of despair. Firstly, if this was from my mobility provider, the actual name of the company would have been in the text. No organization is going to be coy about refunding you money. They are going to make sure you know who is blessing your day with a shower of funds. Second if they were issuing me a refund, they wouldn’t send me a text with a link. Unless I was closing out my account, they would just deduct the refund from my bill which is much more efficient and economical.

That said, I am an eternal optimist.  I decided to check my account to see if perhaps I had overpaid and the blood suckers were indeed returning funds. I used my mobility provider’s app on my phone to check my account. My assumptions were correct, the text was fake. Nuts.

This is a gentle reminder to never click on links in text messages unless you have asked for the link to be sent to you. Instead access accounts through apps or a bookmark on your computer to verify information. No matter how tempting it is, don’t click.

 

An easy way to see if your Google Drive files are findable by others – 11/03/20

 

 

Documents in Google Drive can just be shared or shared and findable. A shared document is one that you are giving a specified person or group of people access to. If you don’t have the link to the document or the document isn’t shared exclusively with you then you can’t access it. In other words you have to specifically been given permission to see the document.

A findable document is one that anyone with an @mtroyal.ca email address can search for. All they need to do is enter a term in the search field in Google Drive and Google will find all the documents that contain that term in the filename or contents. Therefore they don’t need to have the link to access the document, they can just search for it.

Currently, the option to make a document findable is buried in the settings wheel that is only accessible when you want to generate a document link that can be used by members of the Mount Royal University group.

 

 

This makes it difficult to accidentally make a document findable. However, a few years ago this option was part of a drop down that included other sharing permissions.  This made it much easier to select it when you didn’t intend to.  The good news is, only MRU community members can search for the document. The general public cannot. So if you accidentally made the document findable, you are somewhat protected.

Now for more good news. While there is no easy way to determine which documents have been shared. There is an easy way to determine which of your documents are findable, just type owner:me source:domain in the Google Drive search bar and press Enter on your keyboard. It will bring up all the documents that you own that are marked findable. As a document can’t be findable unless it is shared with the whole campus, this should help you track down some of your accidentally shared documents and folders as well.

You are welcome!

 

Issues with the PhishAlarm button? Clear your cache – 11/03/20

 

 

This week the phishing training program resumed.  This gave everyone a chance to use the new PhishAlarm button to report the suspicious emails.  For most of you, it worked great!. For some of you, not so much.

As the PhishAlarm button is a browser based tool  (it works through your web browser), it can act up when your browser acts up. This is true for all browser based tools. When this happens it can usually be remedied by clearing your cache.

Your cache is where images and content are downloaded and stored. Your browser does this to save time loading a web page. The first time you visit it, it will load some key information into your cache. The next time you visit that page, instead of downloading it from the internet again, it goes to the cache and loads it from there. This makes the webpage load much faster. This is true whether the page is a just a boring website or a web based application.

So the next time the PhishAlarm button gives you an error message or any other web based application gives you trouble, clear your cache.  It will empty all the information stored there and download it from the Internet again.  This basically resets the application and it usually starts working. For details on how to clear your cache, check your browser’s help files.

Happy Reporting!!

Hackers targeting educators – 11/04/20

 

 

There is a new phishing attack that is taking advantage of the widely acknowledged technology issues facing students, families, and educators. It is targeting educators, using infected attachments that masquerade as student assignments.  The attachments contain ransomware that encrypts your files and locks you out of your devices until the ransom is paid.

In this type of attack, the hackers pose as a parent or guardian submitting a student’s assignment on their behalf. They claim that the student was unable to upload the document due to technical issues. The emails are very emotional and are designed to tug on the heart strings of the educator.

The subject lines the attackers have been using are:
• Son’s Assignment Upload
• Assignment Upload Failure for [Name]
• [Name]’s Assignment Upload Failed

Here is an example of the types of emails being used.

 

Often the attachment is a Word document . Once you open it, you are asked to  “enable editing” and “enable content”. If you do, the ransomware is loaded onto your device.

This attack is very targeted, using contact lists available on the school’s websites to determine who to send emails to. Although the attackers are currently focusing on K through 12 schools, it is expected it will move to post secondary institutions next.

To avoid these types of attacks:

  • Only accept assignments submitted through regular channels.
  • Do not open an attachment unless you check the sender’s email address and know who the email is coming from.
  • Verify the sender actually sent the message whenever possible.
  • Do not enable content or editing on Word documents unless you are 100% certain of the sender’s identity.
  • Do not enable macros on Word or Excel documents unless you have talked to the sender of the email to verify it is safe to do so.

If you are unable to contact the sender and aren’t sure of the legitimacy of an email, report is using the PhishAlarm button or by forwarding it to cybersecurity@mtroyal.ca.