Cybersecurity Blog

Attention Students – Devices disappearing across campus – 12/07/17

 

It is a scene that is played out across campus every semester, a student on a laptop studies diligently for exams. She runs out of battery power and looks for a plug in. She finds one just around the corner, plugs in and goes back for her books. When she returns 30 seconds later, the laptop is gone. In 30 sec she has lost all her study notes and all her papers for the term. The theft is reported to security but the laptop is long gone. If only she had thought to back up her papers and notes on iCloud, Onedrive, Dropbox or Google Drive.  Then she would at least be able to study for her final.  Now she has little to work with and exams are looming. Now she has to contact her professors, ask for extensions and hope that they will be granted.  She was hoping to ace this term, now she just hopes to pass. This isn’t hypothetical. This is a real story that has been repeated over and over again.

This semester, don’t repeat the story.  Treat your devices like cash. If you wouldn’t leave a 20$ bill somewhere, don’t leave your device there. It takes less than 30 seconds for a criminal to pocket your smartphone or walk off with your laptop.  It takes less than 30 seconds to jeopardize a grade you have worked all term to achieve.

 

 

 

 

 

 

Passwords are NEVER to be shared – 12/06/17

 

I was shocked and extremely concerned to read about UK members of Parliament sharing passwords with their staff.  How could high ranking members of a government, with a gateway into a network containing super sensitive data be so reckless?  Surely no such thing occurs in other organizations? Surely here at Mount Royal University we are much more cautious with our passwords.

I was dismayed to discover that is not the case. Passwords are being shared  between professors and graduate students, between managers and admins, between colleagues and between students .  Why is this a problem?  Just think for a minute of everything that you access with that login information.  Do you really want to give someone else that much information about you?  Do you really want someone else to be able to access EVERYTHING that you have access to? Your password is the keys to your kingdom.  Don’t give it away.

IT Services is very aware that there are many instances where you need to give people access to your email, documents or an application.  Fortunately, we have many tools at our disposal to do that without giving them access to everything else as well.

My favorite password sharing excuse is, “I can never remember my passwords, I need my admin to know them so she can remind me when I forget” . KeePass is a password manager that is easy to use and it will store your passwords for you.  It is installed on every workstation and it requires you to remember only one password. Still challenged? There are many ways to create a password that is easy to remember but very effective. Contact the IT Security Training Analyst if you are still struggling.

If you are currently sharing your passwords or using someone else’s passwords; please stop, change your password and contact the IT Service Desk to discuss your needs. They will be happy to find a solution for you. Keep your data safe, keep your passwords a secret.

Threatening voicemail left at Mount Royal – 11/21/17

 

Yesterday one of our staff members checked her voicemail and found a nasty message from an “Officer” Robert William asking her or her attorney to call him immediately before “the legal situation unfolds”.  Our quick thinking staff member Googled the number, 905-581-1528 and discovered that it was a phone scam.

Had she called them, she would have been asked her personal information including her SIN.  Armed with that info, the crooks would have applied for credit cards and loans in her name, leaving her on the hook for the payments.  Only after months of paperwork and expensive legal fees would she have been able to clear her credit record and name.

This is just a reminder to never give out information people already should have, over the phone, in an email or text.  If someone calls you and tells you they are from your bank, a vendor, the CRA, RCMP or Calgary Police Service:

  1. Ask for their name.
  2. Tell them you will call them back.
  3. Call the organization’s switchboard directly using a number that you obtain from a Google search or that you have used before.
  4. Ask for the individual by name.

If they insist that the only way to reach them is through a number that they give you, you know that it is not a legitimate call. If they tell you that they may not be available when you call back, you should be able to have your account or file reviewed by someone else in the same department.

Remember, no legitimate agency threatens legal action over the phone.

Latest Windows update patches 62 vulnerabilities – 10/11/17

 

In past posts I have talked about the importance of keeping your computer up to date by shutting it down each night. This week that is more important than ever. On Tuesday MIcrosoft released its latest updates for Windows, Office and other software which includes patches for 62 different vulnerabilities.

What is so important about patching these vulnerabilities? Hackers have known about some of these for a while and have already created malware that takes advantage of them. Keep your machine secure, shut down your machines this afternoon and get your updates.

Criminals could hack your device through Bluetooth – 9/14/2017

 

Researchers have discovered a vulnerability in Bluetooth enabled devices that would allow an attacker to take control of them with no action on the part of the user. The majority of manufacturers have issued updates to patch this vulnerability.  As Bluetooth is a fairly complicated protocol, experts warn that there may be more vulnerabilities not yet discovered. To protect yourself, make sure you:

  • Keep your device updated.
  • Turn off Bluetooth when not using it

Preventing Identify Theft – 09/12/17

 

With the news of the Equifax breach consumers are left reeling, not sure what action to take to prevent identity theft.  There are tons of articles talking about credit freezes, alerts and monitoring. Most of this information refers to laws and services particular to US citizens. Some are not even available in Canada.  As a Canadian, what do you do?

1. Contact Equifax
  • Visit the Equifax site for details.
  • All impacted customers will be contacted directly. If you have not been contacted, call them at 1-866-699-5712.
2. Set up a credit file alert.
  • With a credit file alert, a request for a new credit product or a change in a credit product cannot be approved without confirmation with the consumer who owns the credit.  This prevents fraudsters from signing up for new credit cards or loans as well as preventing them from increasing credit limits.
  • A credit file alert should be set up with both Equifax Canada and TransUnion Canada. Each provider has different types of alerts and they don’t share information. Contact the companies for details.
  • Equifax will be providing free credit monitoring and identify theft protection for 12 months to everyone who is impacted. Equifax will contact you directly with the details.
3. Check your credit report monthly.
4. Sign up for credit monitoring.
  • Be notified of new debts.
If your identify is stolen or accounts are accessed:
  1. Contact your local police department and get a police case number.
  2. Contact all your financial institutions and give them the police case number to  hold in your file.
  3. Call Equifax Canada and TransUnion Canada and have them place the police case number on your credit reports.
  4. Report the incident to the Canadian Anti-Fraud Centre.

Get notified when your email credentials have been stolen – 09/01/2017

As the majority of account providers use email for usernames, a compromised email can give hackers access to all of your accounts.  This is especially true if you tend to use the same password for multiple accounts. Ideally, you should have a unique password for every account  so if one account is compromised the rest are safe. You should also be using a password manager to make storage and generation of passwords easy and secure.  However, being the realist that I am I know many of you are still using the same password across multiple accounts.

Have I Been Pwned to the rescue!! After Adobe was hacked in 2013 the website Have I Been Pwned was created.  The website allows users to enter their email and find out if the associated credentials appear in for sale lists on the Dark Web.  This handy little website also lets you sign up for notifications, informing you the minute they discover that your email credentials have been compromised.

Interestingly enough, many hackers don’t actually use the credentials they steal. Instead they sell them to other hackers who use them at their leisure. This practice gives users a chance to change their credentials before any damage is done. Have I Been Pwned was created with this in mind.

You may be thinking…why sign up for this service, won’t I be notified by the account provider when they have a data breach? Unfortunately, account providers haven’t always been the first ones to detect a data breach and they are sometimes reluctant to inform their users that a breach has occurred.  For this reason, we strongly recommend that you check out www.haveibeenpwned.com and sign up for notifications.  The sooner you are aware that your account has been compromised, the sooner you can take corrective action.

Keep your Privacy, Browse in Private Mode – 08/25/17

 

Planning on using a public computer? Do you have family members or children who also use your machine? You may not want them to know you are planning a surprise trip to Disneyland, that you are concerned about a that mole on your leg or that you belong to the kitten of  the month club.  Browsing in private mode keeps the pages that you have visited out of the history list.  This keeps users that come after you from checking on the history list to see where you have been.

Different browsers have different names for private mode. In Safari and Firefox it is called, Private Browsing. In Chrome it is called Incognito.  Check out the links to find out how to browse privately in your browser of choice.

Android Phones with Preloaded Malware for Sale on Amazon – 08/08/17

 

David Bisson a contributor to grahamcluley.com reports that Trojan malware is being found preinstalled on several Android phone models.  This lovely malware called Triada is undetected by anti-virus applications and is designed to steal banking and login credentials as well as other information. Now you don’t even have to click on a link or download an app.  You can have your phone infected from the point of purchase. Yaaayyyy!!!!  The infected phone models are:

  • Leagoo M5 Plus
  • Leagoo M8
  • Nomu S10
  • Nomu S20

These phones are produced by Chinese OEMs and can be purchased on Amazon.  It is unclear as to whether the malware was installed intentionally or by a disgruntled insider. Regardless, if you are looking for a cheap Android phone I would avoid unrecognizable brands shipped direct from China. It could end up costing you a lot more in the long run.