IT Security Blog

Your IoT devices are vulnerable even if you have a firewall – 01/08/19

If you have been reading this blog at all, you will have seen my plea to change your default password on any device that connects to the internet. Those of you who are more on the ball may have wondered why this is necessary if you have a firewall on your router.  Won’t the firewall keep an intruder out? The answer is yes and no.

Let's look at how an internet-connected device works, and then it will become clearer. What makes internet-connected devices, or IoT devices, so handy is that through the internet they connect to a server that provides extra functionality. This allows the IoT device to stay small and inexpensive, as it doesn't need much computing power of its own; it uses the computing power of the server instead. This also allows you to benefit from the data sent by other people's IoT devices.

All traffic in and out of your network goes through a router, which is protected by a firewall. The firewall blocks most malicious traffic, but it can't stop everything; if it did, you wouldn't be able to connect to the internet at all. The router acts like a mail carrier, making sure the data it receives gets delivered to the right device. The first time data is sent, the router doesn't know who the data is from or where it goes, so it has to check the routing information on the data to figure this out. This can slow traffic down considerably if it has to be done every time data is transferred.

To speed the process up, the router remembers the routing information for certain types of data coming from certain devices. Once it is remembered, all data from that remembered device outside your network is delivered automatically to the remembered device inside your network. Hackers take advantage of this efficiency by impersonating a remembered device. In the case of an IoT device, the router thinks the data is coming from the IoT server, but it is really coming from the hacker's computer. If this happens, the only thing protecting your IoT device and your network is the device's password.

So, yes, your firewall will protect all your devices from an attacker trying to get into your network. However, no, it won't protect you once an IoT device has communicated with its server. This is why it is so important to change the device's default password and to make sure the new password is strong.

Are your credentials part of the latest data breach? – 01/17/19

Troy Hunt, the creator of Have I Been Pwned, has just found a massive collection of usernames and passwords sitting on the web. When I say massive, I mean massive. We are talking 1,160,253,228 unique login credentials (usernames and passwords). We have seen large dumps of credentials for sale on the web before. However, there has never been a collection of this size.

This alone is concerning, but when you also consider that the information is not sitting hidden in some dusty corner of the dark web, but is being openly discussed in various forums, the alarm bells start to sound. Add the fact that the information is being given away and not sold, and you have reached DEFCON 1. Now any miscreant with time on his hands can start banging away at websites with a free list of easily found credentials. This greatly increases the chance your account(s) will be compromised.

It's like finding a garage door opener while out for a walk with your dog. You may not have been planning on breaking into a garage, but when fortune smiles upon you, you take advantage of it, pick up that sucker and start seeing which doors it opens.

The good news is there are things you can do to protect yourself.

  1. Visit Have I Been Pwned and find out if you are affected.
  2. Change the passwords on affected accounts as well as any accounts using the same password.
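
As an added illustration (not code from the original post, nor from Have I Been Pwned), this Python snippet shows how a password can be checked against the Pwned Passwords service that Have I Been Pwned offers without the password, or even its full hash, ever leaving your machine: only the first five characters of the SHA-1 hash are sent, and the matching is done locally against the returned bucket. The range response is a constructed stand-in for the live `https://api.pwnedpasswords.com/range/<prefix>` endpoint so the example runs offline; the breach counts and the other suffixes are made up.

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into its 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def _fake_range_response(prefix: str) -> str:
    """Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real service answers with one 'SUFFIX:COUNT' line for every breached hash that
    starts with the queried prefix. The suffix for 'password' is genuine (computed here);
    the other two suffixes and all the counts are invented for this example.
    """
    pw_prefix, pw_suffix = sha1_prefix_suffix("password")
    buckets = {
        pw_prefix: [
            ("003D68EB55068C33ACE09247EE4C639306B", 3),
            (pw_suffix, 3861493),
            ("01D9D2FBFAD9FC1F1273D6ABB4C2A6D2E5C", 1),
        ],
    }
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in buckets.get(prefix, []))


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines into a dict, skipping blank or malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str] = _fake_range_response) -> int:
    """How many times the password appears in known breaches (0 means not found).

    Only the hash prefix is handed to fetch_range; the suffix comparison happens locally.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate)
        print(f"{candidate!r}: {'seen %d times, change it' % n if n else 'not in this bucket'}")
```

Swapping `_fake_range_response` for a function that performs the real HTTPS GET is all that is needed to query the live service.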

If you aren't reusing passwords, this is a relatively easy task. If you are, then it sucks to be you and it may take you a while. On the upside, you do get to give those brain cells a good workout trying to remember all the accounts that used that password. I lied, that sucks too.

After changing umpteen passwords and straining to remember the names of all your accounts, you may want to stop reusing them and start using a password manager.  KeePass is sitting on your workstation and is free to download and use at home. Give Verle Winsor a call to find out how to use it.

If you are ready to invest in a more user-friendly tool, you may like Dashlane, 1Password, or LastPass. They all generate effective unique passwords for you and make logging in a breeze on all of your devices.

Cyber security lecture by Brigadier-General coming to MRU – 01/16/19

The John de Chastelain Peace Studies Initiative is presenting a public lecture called Cyber Security, Russia and Canadian Democracy on January 21 from 11:30 am to 1:00 pm on campus in room Y222.  The presenters are:

  • Brigadier-General Jay Janzen, CD Director General Military Strategic Communications
  • Dr. Kari Roberts, Associate Professor, Political Science, Department of Economics, Justice, and Policy Studies.

With the upcoming election just around the corner, this should be a fascinating presentation. No registration is required and all are welcome to attend.

Must Read – Hard-to-detect MailChimp phish hits MRU – 01/15/19

The latest phishing attack to hit inboxes on campus is absolutely diabolical. It looks 100% legitimate and contains legitimate-looking links. In addition, the technique the clever criminals are using bypasses our protective measures, preventing us from keeping it out of inboxes. If we block it, we block all MailChimp emails.

Let's take a closer look at this bad boy.

Pretty impressive, isn't it? What is even more impressive is that hovering over the links displays Mandrill.com, which is MailChimp's legitimate tool for tracking clicks, dealing with payments, account settings, etc. However, if you click the link you get sent to:

While us14-mailchimp kinda looks legit, it is the wrong URL for MailChimp. The page, however, looks just like a MailChimp login page. We didn't follow along further to see what happens after you enter your username and password, but we are pretty sure the next page would ask for credit card information. The crooks are pretty darn smart: if you log in and then get wise and don't enter your credit card information, they still have access to your MailChimp account, which they can use to send out more phishing emails to other unsuspecting users. It's brilliantly done.

As smart as the hackers are, Mount Royal employees are smarter. This email was forwarded to abuse@mtroyal.ca by one of our own. That's right, one of our own employees tagged this bit of nastiness. I couldn't be prouder! They didn't recall having a paid MailChimp account and recognized that the sender's email address was off.

So how do you protect yourself from an attack this well executed? Do what your colleague did: don't click the links in the email. If you have a MailChimp account, log in to it directly using a bookmark or search result. If there is a problem with your account, the information will be available there. If everything turns out to be in order, you know the email is a phish. Forward it in its entirety to abuse@mtroyal.ca and your work as a cyber security superhero is done!
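
To put the lesson above into code (an added example, not something from the post, from MailChimp or from Mandrill), this Python snippet follows a link through its redirects and judges the page that finally loads, rather than the hop shown on hover, against the domains the brand really uses. The redirect chain, the Mandrill path and the lookalike hostname are constructed for the example; `LEGIT_DOMAINS` is my assumption of MailChimp's own domains, and the domain splitting is deliberately simplified.

```python
from typing import List, Tuple
from urllib.parse import urlparse

# Assumption for this example: the domains MailChimp legitimately serves from
# (mandrill.com is named in the post as MailChimp's click-tracking tool).
LEGIT_DOMAINS = {"mailchimp.com", "mandrill.com"}
BRAND_TOKENS = ("mailchimp", "mandrill")


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. 'us14.admin.mailchimp.com' -> 'mailchimp.com'.

    Simplified on purpose: a production check should consult the Public Suffix List
    so that hosts under suffixes like 'co.uk' are split correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host: str) -> str:
    """'ok' if under a legitimate domain, 'lookalike' if the brand name appears anywhere
    else in the host (like 'us14-mailchimp' in the post), 'other' otherwise."""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "ok"
    if any(token in host.lower() for token in BRAND_TOKENS):
        return "lookalike"  # brand name present, but not the brand's own domain
    return "other"


def assess_redirect_chain(chain: List[str]) -> Tuple[str, bool]:
    """Judge a link by where it finally lands.

    chain[0] is the href in the email, chain[-1] the page that loads after all redirects.
    Returns (verdict for the final page, whether a legitimate tracker was passed on the way),
    so a phish that bounces through a real Mandrill link is still flagged.
    """
    if not chain:
        return "other", False
    final_host = urlparse(chain[-1]).hostname or ""
    via_tracker = any(
        registrable_domain(urlparse(u).hostname or "") in LEGIT_DOMAINS for u in chain[:-1]
    )
    return classify_host(final_host), via_tracker


# Constructed chains: the first mirrors the phish in the post (a genuine-looking Mandrill
# tracking link that bounces to a lookalike login page); the second is a direct link.
PHISH_CHAIN = [
    "https://mandrill.com/track/click/EXAMPLE-TOKEN",
    "https://us14-mailchimp.example.net/login/",
]
DIRECT_CHAIN = ["https://us14.admin.mailchimp.com/account/"]

if __name__ == "__main__":
    for chain in (PHISH_CHAIN, DIRECT_CHAIN):
        print(chain[-1], "->", assess_redirect_chain(chain))
```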

Do you know how much of your personal information is on the web? – 01/11/19

January 28th is Data Privacy Day.  It is a day dedicated to taking a closer look at how much of your personal information is on the web.  This is a great time to Google yourself and find out what shows up.  As Google tailors your search results based on your previous activity, this exercise is more effective on a computer you haven’t used before.  If you find the search results are showing more information about you than you are comfortable with,  go into your accounts and change your privacy settings.

This exercise is also a great way to be reminded of old accounts that you have forgotten about and no longer use.  As neglected accounts are more easily taken over by hackers, these accounts should be deleted.  You may not need the account anymore, but I am pretty sure you wouldn’t want someone else using it to impersonate you. Things could get embarrassing or just plain awkward.

Although Data Privacy Day is a great time to check your online footprint, it is an exercise that you should do every few months. Those clever account providers are constantly changing their privacy settings. Each time they do, there is the possibility that something that was previously private is now public. By checking regularly you will make sure only the personal information that you want exposed is available to the public.

To help the Mount Royal Community out with their Data Privacy Day chores, I will be on Main Street January 31 from 10:00 am to 2:00 pm. Come down to see me and get googled on my computer. Everyone who does gets to spin the prize wheel and walk away with some swag.  I will also be available to answer any questions that you have about privacy settings and minimizing your online footprint. See you there!!

How to navigate the tricky balance between security and convenience – 01/07/19

Every week I wade through a hundred news feeds. Two thirds of them contain tales of horror detailing the latest methods criminals are using to separate us from our data. The other third are notices of privacy breaches by legitimate companies who knowingly misuse our data or are negligent in protecting it. With all the good news that I filter through, no one would fault me if I decided not to turn on a computer or touch a smartphone for the rest of my life. Yet I still manage to get up every morning, check my smartphone and work on a computer all day feeling at peace.

It isn’t denial that keeps panic at bay. It is being aware of what the risks are and mitigating them. Each time I interact with technology I look at what the real risks are, what the benefits of using it are and then determine whether the convenience outweighs the risk.  Ultimately, it comes down to quality of life. If a piece of technology is going to significantly enhance my quality of life, then I consider the risks and do everything I can to reduce them.

Let's look at a smart thermostat as an example. I like to sleep in a really cold room. It would be awesome to be able to go to bed in a super cold room and wake up to a nice toasty one. However, I wake up at the same time every morning, so having a thermostat programmed to cool down at night and warm up during the day is sufficient. I don't really need to connect it to the internet so I can lie in bed and change the temperature. It adds nothing to my quality of life. Sure, it's neat, but I won't use that feature. It would, however, give criminals another access point to my network. For me, the benefit of connecting the thermostat to the internet doesn't justify the risk.

Now let's look at my mom. Her body hurts if it gets cold. She too likes to sleep in a cold room. She is retired and wakes up at a different time every morning. For her, being able to change the thermostat from her bed adds considerably to her quality of life. Yes, there is a risk associated with it, but I have set her thermostat to update regularly and have changed the default password, so the risk is minimal. For her, the benefits of connecting the thermostat to the internet definitely outweigh the risks.

The risk vs. benefit analysis applies to securing data as well, not just devices. Let's use password managers as an example. There is a small risk that a password manager could be hacked. However, if you reuse passwords or write them down, the chances of the passwords being compromised are much greater than the chances of the password manager being hacked. In this case, the benefits of using a password manager far outweigh the small risk.

By keeping informed of what the technology risks are and how to mitigate them, and by using thoughtful analysis, you too can use technology and still sleep at night.

Apps sending Facebook your data even if you aren’t a user – 01/07/19

It is reasonable to think that if you don’t have a Facebook account, don’t view their web page or otherwise engage with any of their content that they wouldn’t have access to your personal information.  Think again.  Privacy International just completed an investigation that shows Facebook is routinely tracking users, logged out users and non-users.  That’s right, even if you have not signed up with the blue devil you are still being tracked.

They tested a variety of Android apps and found that at least 61 percent of them transfer data to Facebook the instant the user opens them. This holds true regardless of whether the user has a Facebook account, has opted out of receiving Facebook cookies or is logged in to Facebook. How much data is transferred and the nature of that data depends on the app. Some simply do a quick check-in, while others continue to send data as the app is used.

The data is transmitted through Facebook's SDK (software development kit), which allows a developer to create an app that interacts with Facebook. This cool tool also lets users log in to an app using their Facebook ID. Spotify, Kayak, Duolingo, Indeed Job Search, Yelp and TripAdvisor were just some of the apps implicated. As you can see from the list, this problem is not limited to obscure, hardly used apps. Many well-known apps that you thought you could trust are actually spying on you.

What are you supposed to do with this information? Be aware that if you are using a web-based application or smartphone app that gives you the option of logging in using your Facebook ID, your data may be sent to Facebook even if you don't have an account. If you want to know how much of your data is being transferred, feel free to contact the developer and ask. With the new privacy regulations coming into effect across the globe, they may actually answer. Once you know what you are giving up, you can decide whether the data lost is worth the convenience gained.

A new year, a new Facebook hoax – 01/03/19

If you are on Facebook, then undoubtedly you have seen one or more of your friends post the following:

Thanks for the tips to bypass FB – it WORKS!! I have a whole new news feed. I’m seeing posts from people I haven’t seen in years. Here’s how to bypass the system FB now has in place that limits posts on your news feed. Their new algorithm chooses the same few people – about 25 – who will read your posts. Therefore, Hold your finger down anywhere in this post and “copy” will pop up. Click “copy”. Then go your page, start a new post and put your finger anywhere in the blank field. “Paste” will pop up and click paste. This will bypass the system. Hi new and old friends!

No, Facebook does not have a new algorithm. Even if it did, you wouldn't be able to bypass it by copying and pasting a post. For future reference, copying and pasting a post does just that: it copies and pastes a post. There is no magical thing that will happen because you copy and paste a special post. Unless you count making the hoax creator giggle as magical.

So the next time a post shows up in your news feed promising wonderful things if you copy and paste it, please do all of your followers a favor and ignore it.  You will be saving us all from the agonizing annoyance of having a clogged news feed keeping us from the latest Cats on Catnip update.

Hackers thwart two step verification with phishing emails – 01/02/19

Those clever hackers are at it again. They have figured out a way to get around two step verification on Gmail and Yahoo accounts.  They are using fake alerts to lure their victims into giving up verification codes.

The scam works like this. First you receive an email saying your account may have been compromised. The email includes a button to take you to your account to check its activity. However, when you click the button you are sent to the hackers' web page, which looks like an official login page. When you enter your password, another fake web page appears asking for a verification code. All of this seems perfectly normal, as the pages look just like the real thing.

Unfortunately, the hackers have recorded your login credentials. They then use those credentials to log in to the actual account website, which generates a verification code that is sent to your phone. You receive the code seconds after entering your credentials, so you think nothing of it. You enter the verification code into the fake website. The code is recorded by the hackers and they enter it on the real two-step verification page. To keep you from getting suspicious, you are sent to another fake web page asking you to change your password. Once you "change your password" you are redirected to a real account web page. They now have access to your account and you are unaware something is amiss.

How do you protect against this type of attack? Don't use links in emails to verify possible account compromises. Instead, use a bookmark or search result to visit the account website and check the security status or change your password that way.

Brazen phishing email asks for passport information – 12/17/18

This week a new phishing email is popping up in Mount Royal inboxes. The cheeky criminals are coming right out and asking for passport details as well as other personal information. They don't even bother with links or fancy look-alike web pages. They just ask for your information so they can send you money. The email looks like this:

Because this is a low-tech scam, people tend to let their guard down and are more receptive to getting hooked. The scammers count on this and hope the victim gets excited enough about the possibility of getting free money to give up their personal information. Once they have it, they can use it to steal the victim's identity and wreak havoc on their life.

This is definitely a case of "if it seems too good to be true, then it probably is." No bank will email you out of the blue to ask you for passport information. If you refuse to accept reality and want to cling onto hope, then contact the bank directly to ask them if they are trying to transfer you some money. Don't ever send personal information like passport, driver's license or credit card details in an email.