IT Security Newsletter

Kids and cell phones, how to keep them safe – 08/08/18

As parents gleefully start planning for back to school, one question that may come up is ‘Does my child need a cell phone?’. If your answer is yes, there are some things that you can do to help protect them from cyber bullies, predators and scammers.

  1. Enable the password-protected screen lock. Let your child know that the password should not be shared with anyone but Mom or Dad.
  2. Know every app on your child’s phone, every account that is created and what the passwords are.
  3. Check your child’s phone for disturbing content on a regular basis. Their access to a phone should depend on you having access to it as well. You pay the bills, you make the rules.
  4. Check the privacy and security settings on the phone and apps. Be careful with location tracking. If you can find your child, so can someone else.
  5. Keep the apps and phone software up to date.
  6. Have a talk with your kids about online safety. Teach them to:
    • Never respond to calls, texts or emails from people they don’t know.
    • Recognize cyber bullying, harassment and predators, and know they can come to you for help.
    • Be careful about what they post. Too much personal information can make them vulnerable, and posting the wrong photo or making the wrong comment can mess up their life.
    • Only connect through social media to people they know.
    • Watch for geo-tagging on photos. They don’t want their exact location to be displayed.

Even if you don’t follow all these guidelines, having a frank and honest discussion about phone safety and modeling desired behavior will go a long way toward keeping your kids safe. For more resources on determining when is the right time for a cell phone and how to keep your kids and teens cyber safe, visit Safe Search Kids by Google.

Scam pretends to lock your phone – 08/10/18

Windows users have heard about the tech support scam that informs them their computer has a virus and they need to call a 1-800 number to unlock it. Creative criminals are now using the same tactic with iPhone users. They have seeded several porn sites with malware. After your visit, a large dialog box appears on your phone informing you that your phone has been locked because you visited an illegal porn site. It all looks very official as it correctly displays the model of your phone and the URL of the porn site. It then gives you a hyperlink to a number to call to get your phone unlocked.

In reality, your phone isn’t locked at all. If you call the number you get connected to a hacker who then attempts to get information and money from you. Although this scam leverages a visit to a porn site, a similar scam can be set up with any type of website. It can also target any kind of phone. It may be iPhone users that are currently targeted, but it won’t take long for this scam to show up on Android phones as well.

Never call a number that shows up in an alert or notification on your phone. Never click on security warning links either. If you do connect to a call center and start to feel uncomfortable, hang up. Apple will never lock your phone and then ask you to call a number to get it unlocked. Come to think of it, neither will Google or Android.

Data backups are no longer optional – 07/30/18

With everything going digital, our lives have gotten easier but it has also made us more vulnerable. Losing precious memories or a month of hard work used to require a hungry pet or a natural disaster. Now all it takes is clicking on an email link or visiting the wrong website. While this has long been a hazard, the surge in ransomware has increased the chance of losing precious data exponentially.

With this increase in risk, backing up data to prevent a catastrophic loss has gone from being just a good idea to being critical. Single data backups reduce the peril significantly, but they really aren’t sufficient. This is especially true if the backup is stored on a portable drive that stays connected to your machine. When the computer is compromised anything else that is connected to it, including the portable drive, is also exposed.

Thankfully you don’t have to worry about data backups on your Mount Royal workstation as long as you save your data on the H: drive, J: drive or Google Drive. IT Services backs up multiple copies of files on those servers in multiple locations for you, as does Google. If you are saving files on the C: drive or the Desktop though, they are at risk as files stored there are not backed up. This is why IT Services is constantly telling people to stop storing files on the C: drive and the Desktop. We aren’t trying to make your life more difficult, we are trying to protect you from data loss.

What about your machine at home? What is the best practice when it comes to backing up your own data? Most professionals will suggest the 3-2-1 strategy. Have three copies of your data, on two different unconnected devices, one of which is off site.

  1. Your first copy is your working copy. It sits on your computer and is what you mess with every day.
  2. Your second copy is stored on a separate device. You can use a USB key, a portable drive or another computer. It is connected to the internet or your computer only long enough to copy your data and is then disconnected. Ideally you would do this daily, but you can chance it and only do this weekly.
  3. Your third copy is stored off site. This ensures that if your home or office is flooded, burns to the ground or is destroyed in some other manner, your data is still safe. Again, this should be a device or service that you connect to upload your data and then disconnect from. You can use a cloud service or the sneakernet (upload to a portable device that you store in a safety deposit box or other safe location). Ideally you would also do this daily, but a weekly update can be done as well.
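To make the 3-2-1 rule concrete, here is a small added Python audit (not from the newsletter or from IT Services) that checks a described set of backup copies against the rule: three copies, two devices, one off site, non-working copies disconnected and refreshed at least weekly. The copies and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    name: str
    device: str             # physical device or service that holds the copy
    working: bool           # the copy you edit every day (copy 1)
    offsite: bool           # stored away from the home or office (copy 3)
    always_connected: bool  # left attached to the computer or network
    last_updated: datetime

def audit_321(copies, now, max_age=timedelta(days=7)):
    """Return a list of findings; an empty list means the plan satisfies 3-2-1."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs three")
    if len({c.device for c in copies}) < 2:
        findings.append("all copies live on one device; one failure or infection takes them all")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy; fire or flood would destroy every copy")
    for c in copies:
        if c.working:
            continue  # the working copy is expected to stay connected and current
        if c.always_connected:
            findings.append(f"{c.name} stays connected; ransomware would encrypt it along with the working copy")
        age = now - c.last_updated
        if age > max_age:
            findings.append(f"{c.name} is {age.days} days old; refresh it at least weekly")
    return findings

NOW = datetime(2018, 7, 30)  # constructed reference date

# Constructed weak setup: the only backup is a drive that never leaves the computer, nothing off site.
WEAK_PLAN = [
    BackupCopy("laptop", "laptop-ssd", True, False, True, NOW),
    BackupCopy("portable drive", "usb-hdd", False, False, True, NOW - timedelta(days=20)),
]

# Constructed 3-2-1 setup: a drive plugged in only to copy data, plus an off-site cloud copy, both fresh.
GOOD_PLAN = [
    BackupCopy("laptop", "laptop-ssd", True, False, True, NOW),
    BackupCopy("portable drive", "usb-hdd", False, False, False, NOW - timedelta(days=3)),
    BackupCopy("cloud copy", "cloud-service", False, True, False, NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for label, plan in (("weak", WEAK_PLAN), ("3-2-1", GOOD_PLAN)):
        print(label, audit_321(plan, NOW) or ["ok"])
```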

Following 3-2-1 will almost guarantee that you can recover from any kind of data loss. However, it does take some time and commitment, so all you have to do is determine whether your data is worth it. Unfortunately, we usually don’t figure that out until it’s too late.

Sextortion scam surfaces at MRU – 07/30/18

Brian Krebs was the first to report on a clever but disturbing sextortion scam making the rounds. Unsuspecting people everywhere, including members of the Mount Royal community, are receiving a version of this email:

What makes this email so alarming is that it correctly displays your password. In the majority of cases, the password is an old one that was changed ages ago. However, if you have been naughty and this email shows up in your inbox, you may be tempted to pay up and save your reputation.

The good news is, the password was collected from a data breach and not because they have hacked your machine. The blackmailers do not have a video of you behaving badly, nor do they have your contact list. Your reputation is safe and no one has to be paid off to make sure it stays that way.

Must read – Using your @mtroyal email for personal stuff? Please don’t. – 07/20/18

On a regular basis, account providers are hacked and their customer data is stolen and put up for sale on the dark web in large data dumps. Usernames and passwords are often included in the information. As over 30% of users reuse passwords and usernames, once a hacker has that information they can access several accounts. As part of our ongoing efforts to keep Mount Royal’s data safe, we subscribe to a service that lets us know if any @mtroyal.ca email addresses appear in these lists. If an account provider gets hacked and a user used an @mtroyal.ca email address as a username, we get notified about the breach. We then force a password change on the account to ensure it stays secure.

Where things get uncomfortable is when users decide to use their @mtroyal.ca email address for personal accounts. Many account providers who deliver special interest content do not have the best security practices and are often hacked. We really don’t want to know that you belong to the Jelly of the Month Club or you are a member of Poniverse (those are the G-rated ones). Please save us and yourselves the embarrassment. Use your @mtroyal.ca account for business purposes only.

When a stranger calls, it may not be who you think – 07/19/18

Have you checked on the computer? *Tech support scams are the bread and butter of many criminal organizations. The latest version is rather creative. It starts with you clicking on something you shouldn’t, which installs malware on your machine.

The malware waits for you to type “bank” in the browser. When it sees you going to your banking login page, it redirects you to a fake banking web page that records your credentials while you try to log in. It then slows your computer down, making you think there is something wrong with it. Then a pop-up conveniently appears telling you that you have a technical problem and asks you for your name and phone number so tech support can call you.

Surprise, a real life bad guy calls and tries to manipulate you into giving them more information so they can immediately transfer money out of your account. It is a rather slick scam. You would admire them if they weren’t stealing money from you.

This is just another reminder that no legitimate tech support company will ever call you or prompt you to call them. If you get a 1-800 number, are offered technical assistance without asking for it or have someone call you to offer help, the stranger is there to help themselves, not you.

*I am hoping you get the reference. If not, this will help.

Source: https://blog.knowbe4.com/alert-there-is-a-new-hybrid-cyber-attack-on-banks-and-credit-unions-in-the-wild?utm_source=hs_email&utm_medium=email&utm_content=63936946&_hsenc=p2ANqtz–Lu3QkGYcRkjzH-KDpYeGQLy41mfHaS4MgK7rbDIoBHwAw0BrbU5HwxlZAioadMBoGis9xB0uePy8yw7mUMBwXdMNC9Q&_hsmi=63936946

Fitness app exposes your location – 07/19/18

The fitness app Polar Beat allows you to plan your workouts, map out and track your workout, analyze how you did and then share your success with friends. The app has a sister application on the web called Polar Flow. You create one account and get access to two services.

Sharper readers will realize that tracking and sharing your workouts might not be the best idea when it comes to protecting personal safety or privacy. Thankfully, the company offers its users the option of enabling private mode so they can keep their location information private. At least that is what was thought, until researchers started to poke around.

They found that by accessing the API they could get location and tracking information on anyone with an account, even if they had set that account to private. This is especially concerning because the researchers decided to see if they could locate foreign intelligence officers and nuclear storage facility staff. They could. As the app had tracked all their activities, once the researchers found their place of work, it was pretty easy to find their home location as well. Let that sink in for a minute.

Unfortunately this is not the first time a fitness tracking app has made information public that people probably want kept private. As handy as it is to have your fitness tracker tell you how many calories you burned and how far you have run, you might want to reconsider using a tool that purposely tracks your location. You never know who might be able to get a hold of the data.

Harassed online? Here’s what you do – 07/12/18

If you are on social media, there is a very good chance that at some time you have been attacked by an internet troll. Usually they can be shut down by simply ignoring them and not responding to their attempts to create conflict. However, every once in a while the troll continues to harass and they go from being annoying to being abusive. Thankfully, it is possible to have these people brought up on criminal charges. However, you do need to do some homework. The process is not an easy one. Here are a few tips to get you going:

  1. Get screen shots.
    You never know when a troll is going to cross the line from annoying to abusive, so any harassing posts should be captured in a screen shot. Trolls can delete posts and cancel accounts when they are being investigated. You cannot rely on them being archived. A screen shot preserves the evidence for future prosecution.
  2. Print out your screen shots.
    Technology fails, always have a paper backup.
  3. Record dates and times of the harassment.
    You need to create a chronological record of the harassment. If authorities see it escalating over time, they will be more likely to intervene.
  4. Know the terms and conditions as well as the rights and responsibilities of the social media site you are using.
    Be aware of what can and can’t be reported.
  5. Report the bullying to your internet and mobile service providers as well as the social media site.
    Give them your screen shots and record of harassment.
  6. Block the troll from your account.
    Most social media sites allow you to block messages or posts from specific individuals. If the troll creates another account and continues to harass, this further supports your case.
  7. Report the harassment to the police.
    If you continue to be harassed even after you have not responded to their taunts and have blocked them from accounts, you have grounds to report the harassment to the police.

To get help with the documenting process and gain support, visit HeartMob, a non-profit organization dedicated to ending online harassment. Their website is full of resources, including a Twitter bot that replies to harassers with a disincentive.

Your TV is tracking you – 07/12/18

If you have a Sony, Sharp, Magnavox, Toshiba or Philips smart TV, Samba Interactive TV is probably installed on it. It is a service that recommends shows and provides special offers based on your onscreen content, or at least that is what they tell you. You are asked to enable it when you turn on your new flat screen for the first time. As 90% of people say yes, it is probably a good bet that you did too.

If you actually read their privacy policy, what it really does is connect to any device on the same network as your smart TV, such as your phone. This allows the service to track you once you leave the house. So not only is it tracking what you watch, it is also following you as you go to work, pick up your kids, get groceries and go to the movies. Creepy, huh? It uses this information to deliver customized content to you. However, the data collected can be used not just by Samba but by their partners as well. Basically, anyone Samba likes can see where you spend your time and what you watch on TV. This is the same kind of tracking other companies such as Facebook, Google and Apple have been criticized for.

Unfortunately Samba Interactive TV isn’t the only service that tracks what viewers watch. In fact, Vizio was fined for using similar automatic content recognition (ACR) technology to deliver targeted content. With TVs tracking your every move, how do you protect your privacy? Thankfully, Consumer Reports has a list of smart TVs and how to turn off ACR.

This is just another reminder that as consumers we need to take more interest in privacy policies and terms and conditions before we sign up for a service. We have the right to choose to trade our privacy for convenience. However, before we make that choice we should be aware of exactly what we are giving up and to whom.

Source:  https://nakedsecurity.sophos.com/2018/07/09/smart-tvs-are-spying-on-you-through-your-phone/

The password to your internet connected device is on the web – 07/04/18

Have a thermostat, doorbell or baby monitor that connects to the internet? How about a router? Have you changed the default password that came with the device? No? Well, you might want to get right on that. Why? Well, the default passwords of most devices can be found on the internet. Yup, that is correct. You can do a simple search of the make and model of your device and in most cases get its default password.

This is very handy when you are setting up your device for the first time or you have to perform a factory reset. It is also very handy for hackers who count on consumers leaving the default password as is. Once criminals have the password, they can easily gain control of the device. Numerous instances of baby monitors scanning rooms on their own and devices being turned into bots for denial-of-service attacks have been documented.

This is just another gentle reminder to change your default password and keep the device firmware up to date on anything that connects to the internet. Want to learn more about internet connected devices? Check out this blog post.