Cybersecurity Blog

Keep your devices updated with the latest security patches – 01/21/21

 

 

With criminals constantly coming up with new ways to hack into our systems, keeping your devices updated with the latest security patches is more important than ever. When you are on campus, keeping your workstation up to date and secure is easy. Shut down your machine at the end of the day Friday and start it up Monday morning. However, once you are working from home and your computer is always on, keeping your machine updated isn’t so straightforward.

If you are remoting in to an MRU workstation you can’t shut it down. Instead, log out of the workstation and disconnect from GlobalProtect at the end of each work day. The updates are downloaded in the background as you work. Once you log out, your workstation is automatically restarted to install them.

If you have an MRU laptop assigned to you, it is set up to automatically download updates as you work. Once the updates are downloaded you are prompted to restart your machine to install them. As long as you don’t ignore the prompts, you are good to go. If you choose to ignore them and call the Service Desk for support, you won’t be helped until you restart your machine.

If you are using your personal computer, make sure you have automatic updates enabled on Windows/Mac OS and all your applications.  From the Windows Start menu, select Settings>Updates and security to check your Windows update settings.  On a Mac, select System Preferences>Software Update and click the Automatic Updates checkbox. Just like MRU laptops, updates are downloaded in the background and you are asked to restart your machine to install them.

Once you know what to do, installing your security patches is pretty easy. While it can be annoying, it is well worth your time. With a little bit of effort you make it exponentially more difficult for attackers to compromise your data and mess with your life.

 

How to video conference safely – 04/16/20

 

With everyone working from home, video conferencing has gone from being a novelty to being a necessity. Many of you are working virtually for the first time. With new experiences come new challenges. Mistakes are being made; that is to be expected.

To help you make your video conferencing experience as safe as possible, I have found these terrific tips from SANS on how to keep your data safe and prevent accidental exposure of sensitive information. With a little knowledge, you can become a video conferencing security expert. As always, feel free to share this information with your family, friends and colleagues.

VideoConferencingTips-ForAttendees-1Pager

 

Must Read – How to print sensitive documents on public printers – 03/07/19

Just don’t. Okay, I admit I am being rather unreasonable. However, if you have any other alternative to printing tax receipts, pay stubs, benefits statements and the like, please use it. We are human beings after all and we get distracted. On a regular basis our techs pick up abandoned print jobs with sensitive information that should not be on public display. Here is the latest one.

With the tax season in full swing, we are seeing a lot of these types of documents left abandoned by their owners. If you have no means of printing sensitive documents other than public printers, please take the following precautions:

  1. Check twice to ensure you are sending the print job to the correct printer.
  2. Be standing by the printer as the document is being printed.
  3. If the document does not print, assume you have sent it to the wrong printer and immediately look for it. Do not attempt to print the document again until you are 100% sure it has not been sent to another printer.

Taking these simple inconvenient steps will help prevent miscreants from using your student number, SIN or other personal information for their gain and your misfortune. It will also keep how much you earn from being the latest water cooler gossip.

 

Do you know how much of your personal information is on the web? – 01/11/19

 

 

January 28th is Data Privacy Day.  It is a day dedicated to taking a closer look at how much of your personal information is on the web.  This is a great time to Google yourself and find out what shows up.  As Google tailors your search results based on your previous activity, this exercise is more effective on a computer you haven’t used before.  If you find the search results are showing more information about you than you are comfortable with,  go into your accounts and change your privacy settings.

This exercise is also a great way to be reminded of old accounts that you have forgotten about and no longer use.  As neglected accounts are more easily taken over by hackers, these accounts should be deleted.  You may not need the account anymore, but I am pretty sure you wouldn’t want someone else using it to impersonate you. Things could get embarrassing or just plain awkward.

Although Data Privacy Day is a great time to check your online footprint, it is an exercise that you should do every few months. Those clever account providers are constantly changing their privacy settings. Each time they do, there is the possibility that something that was previously private is now public. By checking regularly you will make sure only the personal information that you want exposed is available to the public.

To help the Mount Royal Community out with their Data Privacy Day chores, I will be on Main Street January 31 from 10:00 am to 2:00 pm. Come down to see me and get googled on my computer. Everyone who does gets to spin the prize wheel and walk away with some swag.  I will also be available to answer any questions that you have about privacy settings and minimizing your online footprint. See you there!!

 

 

How to navigate the tricky balance between security and convenience – 01/07/19

 

 

Every week I wade through a hundred news feeds. Two thirds of them contain tales of horror detailing the latest methods criminals are using to separate us from our data. The other one third are notices of privacy breaches by legitimate companies who knowingly misuse our data or are negligent in protecting it. With all the good news that I filter through, no one would fault me if I decided not to turn on a computer or touch a smartphone for the rest of my life. Yet I still manage to get up every morning, check my smartphone and work on a computer all day feeling at peace.

It isn’t denial that keeps panic at bay. It is being aware of what the risks are and mitigating them. Each time I interact with technology I look at what the real risks are, what the benefits of using it are and then determine whether the convenience outweighs the risk.  Ultimately, it comes down to quality of life. If a piece of technology is going to significantly enhance my quality of life, then I consider the risks and do everything I can to reduce them.

Let’s look at a smart thermostat as an example. I like to sleep in a really cold room. It would be awesome to be able to go to bed in a super cold room and wake up to a nice toasty one. However, I wake up at the same time every morning. So having a thermostat programmed to cool down at night and warm up during the day is sufficient. I don’t really need to connect it to the internet so I can lie in bed and change the temperature. It adds nothing to my quality of life. Sure it’s neat, but I won’t use that feature. It would however give criminals another access point to my network. For me, the risk of connecting the thermostat to the internet doesn’t merit the benefit.

Now let’s look at my mom. Her body hurts if it gets cold. She too likes to sleep in a cold room. She is retired and wakes up at a different time every morning. For her, being able to change the thermostat from her bed adds considerably to her quality of life. Yes, there is a risk associated with it, but I have set her thermostat to update regularly and have changed the default password so the risk is minimal. For her, the benefits of connecting the thermostat to the internet definitely outweigh the risks.

The risk vs benefit analysis applies to securing data as well, not just devices. Let’s use password managers as an example. There is a small risk that a password manager could be hacked. However, if you reuse passwords or write them down, the chances of the passwords being compromised are much greater than the chances of the password manager being hacked. In this case, the benefits of using a password manager far outweigh the small risk.

By keeping informed of what the technology risks are and how to mitigate them, and by using thoughtful analysis, you too can use technology and still sleep at night.

 

Browser extensions cause of Facebook data breach – 11/05/18

 

 

The BBC Russian Service has found data from 81 000 Facebook profiles sitting on the web. The data is apparently just a small sample of what was taken from 120 million accounts by a hacker selling his haul. It is hard to know if 120 million profiles were indeed hacked or if the breach is limited to what is currently on display. One would think that Facebook would notice 120 million profiles being accessed, so my guess is they don’t have much more than the small sample. After all, criminals aren’t known for their honesty.

Facebook is blaming malicious browser extensions. They are reporting that the extensions were monitoring users’ Facebook activity while shuttling personal information as well as private conversations to the hackers. The majority of information taken was from Ukrainian and Russian users; however, profiles from all over the world were also pilfered.

This is a reminder to be wary of browser extensions. As with apps, only download ones that:

  • You really need
  • Have good reviews
  • Have lots of downloads
  • Come from reputable sites

Malicious browser extensions can be very difficult to detect as extensions update automatically.  This allows hackers to create extensions that are harmless, until their first update. After that your handy extension starts doing all sorts of nasty things.

To reduce the risk, if you really need a particular browser extension, consider disabling it when you aren’t using it. Lastly, once you no longer need the extension, remove it from your browser.
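An added example (not part of the original post): a small Python check that compares an extension's manifest before and after an update and lists any newly requested permissions or sites. The two manifests, the extension name and the host are constructed for illustration; an update that turns nasty without asking for anything new would not be caught by this.

```python
import json

# Constructed manifests for a hypothetical extension, before and after an
# automatic update. Names, versions and hosts are made up for illustration.
MANIFEST_V1 = json.loads("""
{"name": "Handy Notes", "version": "1.0.0", "manifest_version": 3,
 "permissions": ["storage"]}
""")
MANIFEST_V2 = json.loads("""
{"name": "Handy Notes", "version": "1.0.1", "manifest_version": 3,
 "permissions": ["storage", "tabs", "webRequest"],
 "host_permissions": ["<all_urls>"],
 "content_scripts": [{"matches": ["https://social.example/*"], "js": ["c.js"]}]}
""")

# Host patterns that give an extension access to every site you visit.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def requested_access(manifest):
    """Return (api_permissions, host_patterns) requested by a manifest."""
    api, hosts = set(), set()
    for perm in manifest.get("permissions", []):
        # Older (Manifest V2) extensions list host patterns here too.
        if perm == "<all_urls>" or "://" in perm:
            hosts.add(perm)
        else:
            api.add(perm)
    hosts.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return api, hosts


def diff_update(old, new):
    """Report access the new version requests that the old one did not."""
    old_api, old_hosts = requested_access(old)
    new_api, new_hosts = requested_access(new)
    added_hosts = sorted(new_hosts - old_hosts)
    added_api = sorted(new_api - old_api)
    return {
        "from": old.get("version"), "to": new.get("version"),
        "added_permissions": added_api,
        "added_hosts": added_hosts,
        "broad_hosts": [h for h in added_hosts if h in BROAD_HOSTS],
        "needs_review": bool(added_api or added_hosts),
    }


if __name__ == "__main__":
    print(json.dumps(diff_update(MANIFEST_V1, MANIFEST_V2), indent=2))
```
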

 

Fake sites use HTTPS too – 10/04/18

 

 

As the holiday season approaches, people around the world are getting ready to cruise the internet looking for great gifts at bargain prices. As you do your online holiday shopping, keep in mind that a site labeled HTTPS only guarantees that your data is encrypted as it is transmitted between your computer and the web. It does not guarantee that the site is legitimate.

Criminals have gotten wise. They are now registering their fake web sites so they are tagged as HTTPS.  So now instead of having to worry about your credit card information being intercepted as you purchase the iPhone XS Max for the unbelievable price of $300.00 USD, you can be confident that only the scammer is receiving your data.

So how do you know that a site is legitimate? Stick with retailers that you have used in the past and access their web sites using a bookmark or search result.  If you receive an email with an offer, don’t use the link in the email.  Visit the website directly.

If you are using a new retailer:

  • Check reviews first.  Avoid retailers with large numbers of complaints that haven’t been resolved.
  • Always pay with a credit card or PayPal so you have a method of recourse should things go wrong.
  • Remember to read all the terms & conditions of sale.  Know if they have a return or exchange policy.

Lastly, remember…if it is too good to be true, it probably is a scam.

 

Data backups are no longer optional – 07/30/18

 

With everything going digital, our lives have gotten easier, but we have also become more vulnerable. Losing precious memories or a month of hard work used to require a hungry pet or a natural disaster. Now all it takes is clicking on an email link or visiting the wrong website. While this has long been a hazard, the surge in ransomware has increased the chance of losing precious data exponentially.

With this increase in risk, backing up data to prevent a catastrophic loss has gone from being just a good idea to being critical.  Single data backups reduce the peril significantly, but they really aren’t sufficient. This is especially true if the backup is stored on a portable drive that stays connected to your machine.  When the computer is compromised anything else that is connected to it, including the portable drive, is also exposed.

Thankfully you don’t have to worry about data backups on your Mount Royal workstation as long as you save your data on the H: drive, J: drive or Google Drive. IT Services backs up multiple copies of files on those servers in multiple locations for you, as does Google. If you are saving files on the C: drive or the Desktop though, they are at risk, as files stored there are not backed up. This is why IT Services is constantly telling people to stop storing files on the C: drive and the Desktop. We aren’t trying to make your life more difficult; we are trying to protect you from data loss.

What about your machine at home? What is the best practice when it comes to backing up your own data? Most professionals will suggest the 3-2-1 strategy. Have three copies of your data, on two different unconnected devices, one of which is off site.

  1. Your first copy is your working copy.  It sits on your computer and is what you mess with every day.
  2. Your second copy is stored on a separate device. You can use a USB key, a portable drive or another computer. It is connected to the internet or your computer only long enough to copy your data and is then disconnected. Ideally you would do this daily, but you can chance it and only do this weekly.
  3. Your third copy is stored off site.  This ensures that if your home or office is flooded, burns down to the ground or is destroyed in some other manner; your data is still safe.  Again, this should be a device or service that you connect to upload your data and then disconnect from. You can use a cloud service or the sneaker net (upload to a portable device that you store in a safety deposit box or other safe location).  Ideally you would also do this daily, but a weekly update can be done as well.

Following 3-2-1 will almost guarantee that you can recover from any kind of data loss. However, it does take some time and commitment. All you have to do is determine if your data is worth it. Unfortunately, we usually don’t figure that out until it’s too late.

 

 

Harassed online? Here’s what you do – 07/12/18

 

 

If you are on social media, there is a very good chance that at some time you have been attacked by an internet troll.  Usually they can be shut down by simply ignoring them and not responding to their attempts to create conflict.  However, every once in a while the troll continues to harass and they go from being annoying to being abusive.  Thankfully, it is possible to have these people brought up on criminal charges. However, you do need to do some homework. The process is not an easy one. Here are a few tips to get you going:

  1. Get screen shots.
    You never know when a troll is going to cross the line from annoying to abusive, so any harassing posts should be captured in a screen shot. Trolls can delete posts and cancel accounts when they are being investigated. You cannot rely on them being archived. A screen shot preserves the evidence for future prosecution.
  2. Print out your screen shots.
    Technology fails, always have a paper backup.
  3. Record dates and times of harassment.
    You need to create a chronological record of the harassment. If authorities see it escalating over time, they will be more likely to intervene.
  4. Know the terms and conditions as well as the rights and responsibilities of the social media site you are using.
    Be aware of what can and can’t be reported.
  5. Report the bullying to your internet and mobile service providers as well as the social media site.
    Give them your screen shots and record of harassment.
  6. Block the troll from your account.
    Most social media sites allow you to block messages or posts from specific individuals. If the troll creates another account and continues to harass, this further supports your case.
  7. Report the harassment to the police.
    If you continue to be harassed even after you have not responded to their taunts and have blocked them from accounts, you have grounds to report the harassment to the police.

To get help with the documenting process and gain support, visit HeartMob, a non-profit organization dedicated to ending online harassment. Their website is full of resources, including a Twitter bot that replies to harassers with a disincentive.

 

 

 

The password to your internet connected device is on the web – 07/04/18

 

Have a thermostat, doorbell or baby monitor that connects to the internet? How about a router? Have you changed the default password that came with the device? No? Well, you might want to get right on that. Why? Well, the default passwords of most devices can be found on the internet. Yup, that is correct.  You can do a simple search of the make and model of your device and in most cases get its default password.

This is very handy when you are setting up your device for the first time or you have to perform a factory reset. It is also very handy for hackers who count on consumers leaving the default password as is. Once criminals have the password, they can easily gain control of the device. Numerous instances of baby monitors scanning rooms on their own and devices being turned into bots for denial of service attacks have been documented.

This is just another gentle reminder to change your default password and keep the device firmware up to date on anything that connects to the internet. Want to learn more about internet connected devices? Check out this blog post.