Cybersecurity Blog

Shared/delegated email accounts and MFA – 01/12/22

Google has started sending reminders to those who haven’t yet enabled multi-factor authentication (MFA) on their Mount Royal email account. For those with a single email account, the process is easy. However, if you use a delegated account, Google Group or shared email account, there may be some confusion. Do you have to enable MFA or not? Well, that depends on what type of account you have and how you use it.

Delegated accounts allow you to access emails from your own Mount Royal email account. Neither you nor anyone else who uses the account ever logs into it. If you click on your profile pic in Gmail and see the account listed with “delegated” next to it, it is a delegated account.

Even though you may have received a notification to enable MFA on that account, you don’t have to. We know that is confusing, so we are working on identifying all the delegated accounts so that, hopefully, you will not get notifications in the future.

Shared accounts require you to log in with a separate username and password to access emails. The username and password are often shared by several people. They are usually set up because the generic account needs a YouTube channel or needs to set up its own Google Forms. If you have a shared account, please do not ignore the MFA notifications and contact the IT Service Desk to find out if MFA is required. This will be determined on a case-by-case basis depending on how the account is used.

Google Groups aren’t actually email accounts, so you don’t see them listed with your delegated accounts. They are mail lists that you subscribe to or create. They are often set up to send emails directly to your inbox; however, you can also access the emails from the Google Groups app. As Google Groups are part of Google Workspace, you don’t need to enable MFA for them separately. They are protected when you enable MFA on your MRU email account.

For more information on enabling MFA, visit the Multi-factor Authentication web page.

No, that is not a malicious pop-up – 01/11/22

In preparation for the implementation of mandatory MFA on February 28, 2022, a new pop-up will appear when you log in to Google if MFA is not turned on. It looks like this.

If you click “Do this later”, you can access your account and enable MFA at a later date. However, we do encourage you to click “Enroll” instead. The sooner you enable it, the sooner the annoying pop-up goes away. After February 28, 2022, anyone who does not have MFA turned on will have to contact the IT Service Desk to get access to their Mount Royal email account, Google Drive or any other Google Workspace apps.

The Cyber Guys are coming! – 01/11/22

January 2022 is here! As promised, next week we will be releasing the first Cyber Guys video. This short video is super fun. As a reward for watching you will earn a contest entry code. Have a giggle, get a cybersafety reminder and earn codes. What could be better? Log into the Security Education Platform and check your My Assignments list to find the video link.

The use and care of your MRU email address – 12/07/212

We are regularly notified through Have I Been Pwned that Mount Royal email addresses have been involved in a data breach. When we receive that notification, we are told what account provider was affected and which email addresses were involved. This allows us to contact those who had their accounts compromised and ask them to change their passwords.

With multi-factor authentication enabled, this is less of an issue. Even if a password is stolen, the attacker will not be able to get into an MRU email account without the second factor. However, it is still important that compromised passwords are changed, especially if the same one is being used for multiple accounts. So we are still receiving data breach notifications.

Usually the data breaches are for work-related services. However, once in a while we are notified that a gaming site, dating website or a site with adult content has been breached. If you have used your Mount Royal email address to access that site, we will be notified. It is awkward for everyone when that happens.

Please keep your private life private and only use your MRU email address for work purposes. We don’t need to know what you do for hobbies, how you spend your time outside of work or where you shop. Save us all the embarrassment and use another email address for your personal pursuits. The security team thanks you.

Fake TD texts try to nab your banking credentials – 12/15/21

Look at what showed up on the phone of an MRU community member.

The links in this text do not go to the TD Canada Trust website. The person who received this text does not bank with TD, so they knew it was a fake alert right away. However, if you do bank with them and receive this text, the odds are pretty good you will click. The whole “alert received” thing tends to make people panic. When they panic, they react. Rational thought never has a chance to kick in.

We don’t know for sure what will happen if you click one of the links. However, as it tells you to log in, the odds are good that you will be directed to a fake TD login page. When you enter your username and password, the criminals will likely record and store your credentials to either use themselves or sell on the dark web. Either way, they can drain your bank accounts.

This is a reminder that if you receive an email or text from your bank, count to 10. Then call them directly using a phone number that you know is legitimate to ask them if there is a problem with your account. Resist the urge to click, no matter how great it is. Salvation is only a phone call away.

The return of the Cybercafe – 12/15/21

To level the playing field in the Cybersecurity Challenge for those working from home, the Cybercafe will return starting in January 2022. Once a month I will make myself available virtually from 10:00 am to 2:00 pm for questions, MFA support or to discuss the latest cybersecurity threat. Everyone who stops in will get two contest entry codes, the same ones given out at the Cybersecurity Roadshow. This prevents double dipping, evens things out and gives our working-from-home folks a chance to catch up.

I am hoping that this will give everyone an equal chance to participate in the challenge and encourage those who may have felt left out to join in. This is an excellent opportunity for your team to catch up and earn some entries. See you all in 2022!

It is survey time! Participate and win a $50 gift certificate! – 12/06/21

It is that time of the year when we look back at last year’s program and figure out what worked, what didn’t and where we can improve. To help us determine if we are on the right track, we need your help. Please take 5 minutes to complete our survey. To ensure that we are learning about what people are doing on campus rather than what they know they should be doing, the survey is anonymous. You can freely admit your sins, safe in the knowledge we will never know who you are. Your honesty will help us determine the direction of our program next year. You can take the survey here.

The Cybersecurity Newsletter has a new look! – 10/22/21

The cybersecurity awareness program at MRU rebranded earlier this fall. It took us a while, but we have also rebranded the Cybersecurity Newsletter. Gone is the blue background, sections have been reorganized and we have a fancy new header to match our new program branding. We hope it will now be easier to read as well as to find the information that is most useful for you. Look for the new format newsletter to arrive in your inbox on Friday.

If you aren’t a subscriber, now is the time to become one. Get the latest news on current attacks and how to stay cybersafe. Once you subscribe, you can share what you learn with family and friends. Don’t delay, subscribe now.

Firefox’s LinkedIn data breach notification – 10/04/21

If you use Firefox with your Mount Royal email address, you may have received this email in your inbox this morning:

This is a new feature of Firefox. It is important to note, however, that this “data breach” isn’t really a data breach. If you look closely, it is titled LinkedIn Scraped Data. Also, while it says that the “breach” was added to their system October 2, 2021, the so-called “breach” actually took place months ago.

What is scraped data? It is when an attacker scrapes publicly available data off of a website. So technically it isn’t a data breach, as the attackers didn’t break into any servers. However, it does take a lot of time and skill to gather that much data at once. As a result, few people do it themselves. It is much easier to wait for someone else to do it and then buy the data from them.

What do they use the data for once they buy it? They use it to target you with phishing emails and other social engineering attacks. While there is no need to worry about your LinkedIn password or username being compromised, this is a good time to double check exactly what you have posted publicly on LinkedIn. Be wary of any communications referencing that information in the future; someone may be trying to use it against you.

October is Cybersecurity Awareness Month – 09/29/21

It is Cybersecurity Awareness Month!! To celebrate, we have several activities planned. As always, the Cybersecurity Challenge will run from October 1 to March 31. This year the Challenge has a new sponsor, WBM! The teams have been reorganized to ensure they are of equal size, so the competition should be as fierce as it was last year. Will the Facilities Management team finally be unseated or will they be victorious once again?

The Virtual Treasure Hunt that was so popular last year is back with new clues and puzzles. Solve the puzzles and use the clues to find the location of the treasure. Everyone can participate.

We have two new Cybercrime Series talks scheduled as well. Brian Reed from Proofpoint will be discussing insider threats, the horror stories that go with them and how to protect yourself. Jason Kell from Teknologi1 will be discussing attacks on Industrial Control Systems and the repercussions.

Come join in, have fun, earn contest entry codes and learn how to stay cybersafe!