Cybersecurity Blog

How to avoid having your Google meeting bombed – 04/22/20

 

 

Although Google Meet is a more secure platform than Zoom, it isn’t immune to meeting bombers. This week, an MRU employee had a rather disturbing and unfortunate experience with one of their Google meetings.

As the meeting organizer, they followed a registration process that had been established for their department’s meetings to ensure that all attendees were legitimate. However, as this is a new platform and there are special circumstances that arise, they knew that there would be individuals signing in who would not be on the registration list. So when they received a request to join the meeting, they were not concerned. That is, until they attempted to verify the attendee’s identity and were rewarded with profanity.

The organizer of the meeting removed the trolling attendee. However, there were several other attempts by this same individual to join the meeting again. In their brief time as an attendee, they had grabbed a list of other attendees. They then impersonated one of them and repeatedly asked to join. The poor organizer had to keep asking the impersonated attendees if they were attempting to join using another email address. The whole incident was very disruptive. The organizer handled things very well but wanted to know how to prevent this from happening in the future.

There are a few things that you can do. First, if you are using nicknames for your meeting, avoid using common meeting names. “Team meeting”, “department meeting” and “math class” are examples of nicknames to avoid. This prevents trolls from finding your meeting simply by entering nicknames that are commonly used. Second, if at all possible, don’t post meeting links in a public location. Try to limit them to meeting invites if you can. Third, simply deny join requests. Join requests are only required if the attendee isn’t using a Mount Royal email account. Let your attendees know that they must use their Mount Royal email address to join your Google meetings and you will avoid this problem altogether.

If, however, you are meeting with people outside of the Mount Royal community, then you will have to rely on the other two measures to keep trolls from bombing your meeting. If you are having meetings of this nature regularly, contact the IT Service Desk to see if another video conferencing solution is available for you to use.

 

How to video conference safely – 04/16/20

 

With everyone working from home, video conferencing has gone from being a novelty to being a necessity. Many of you are working virtually for the first time. With new experiences come new challenges. Mistakes are being made; that is to be expected.

To help you make your video conferencing experience as safe as possible, I have found these terrific tips from SANS on how to keep your data safe and prevent accidental exposure of sensitive information. With a little knowledge, you can become a video conferencing security expert. As always, feel free to share this information with your family, friends and colleagues.

VideoConferencingTips-ForAttendees-1Pager

 

Only you can use your MRU account – 02/26/20

 

 

When we tabulated our survey results, we were delighted to find a significant reduction in password sharing on campus. However, our victory lap did not last long. Password sharing is happening less but there are scary numbers of people logging in and letting someone else use their account.

We understand that you have guests who come on campus and need wifi access, that you have new employees whom you need to train and that sometimes a colleague’s or friend’s account isn’t working. However, regardless of the reason, credentials should not be shared. Your credentials are only for your use. They give you exactly what you need to have access to, no more and no less. This protects you, your colleagues and the institution.

Stop for a minute and think about all the things only you can access with your login credentials that no one else has access to. Do you really want someone else to be able to access those things? Think about how embarrassed, uncomfortable or alarmed you would feel if a colleague or friend started exploring. I know what you are thinking: I can trust them. They wouldn’t do anything malicious with my account.

We regularly hear horror stories of friendships gone wrong, bitter colleagues, bad breakups and the resulting fallout. When things go bad, it is impossible to predict how someone will react. You would be unpleasantly surprised to know the damage that has been caused when these things occur.

Even if letting someone else use your account doesn’t result in data armageddon, it is against the Acceptable Use of Computing and Communication Resources Policy. The good news is there is no reason to do so. IT Services can arrange access for anyone for any reason. We have a solution for every situation. Find yours in the Credential Use Guidelines. If you aren’t sure what to do, just call the IT Service Desk and let them know what your time frame is. They will get back to you right away and provide you with a solution.

Don’t give up control by logging in for someone else. Reserve your account for your use only.

 

 

Someone with your name could hurt your job prospects – 01/31/19

With Data Privacy Day disappearing in the sunset, the calls encouraging you to check your online footprint are also fading. However, with many of last semester’s graduates hard at work trying to land their very first grown-up job, I would like to revive the call. This time I want to add an extra tip: also check out the online footprint of those who share your name.

This little extra bit of advice comes from the experiences of a Mount Royal University employee. She had her new boss tell her to correct her education details on her Facebook page, insisting she had listed the wrong university. Here is the deal: they had looked at the wrong profile. Her information was correct. They had looked at another person’s profile who vaguely looked like her and had similar education. Fortunately, the owner of this other profile had posted information that any employer would be happy with. Our Mount Royal employee was lucky. It could have gone very badly.

The best way to check your online footprint is to grab a public computer, don’t log in and then google yourself. Then check out all the people on the first three pages of search results (most employers don’t have the time to look further). If you find someone else with a less than desirable profile that you could be confused with, include a notification of this on your resume. If something is showing up that you want kept private, change your privacy settings for that account or ask the account provider to remove the material. The last thing you want is to end up like this guy.

 

 

Apps sending Facebook your data even if you aren’t a user – 01/07/19

 

 

It is reasonable to think that if you don’t have a Facebook account, don’t view their web page or otherwise engage with any of their content, they wouldn’t have access to your personal information. Think again. Privacy International just completed an investigation that shows Facebook is routinely tracking users, logged-out users and non-users. That’s right, even if you have not signed up with the blue devil you are still being tracked.

They tested a variety of Android apps and found that at least 61 percent of them transfer data to Facebook the instant the user opens them. This holds true regardless of whether the user has a Facebook account, has opted out of receiving Facebook cookies or is logged onto Facebook. How much data is transferred and the nature of that data depends on the app. Some simply do a quick check-in while others continue to send data as the app is used.

The data is transmitted through Facebook’s SDK (software development kit), which allows a developer to create an app that interacts with Facebook. This cool tool also lets users log in to an app using their Facebook ID. Spotify, Kayak, Duolingo, Indeed Job Search, Yelp and TripAdvisor were just some of the apps implicated. As you can see by the list, this problem is not limited to obscure, hardly used apps. Many well-known apps that you thought you could trust are actually spying on you.

What are you supposed to do with this information? Be aware that if you are using a web-based application or smartphone app that gives you the option of logging in using your Facebook ID, your data may be sent to Facebook even if you don’t have an account. If you want to know how much of your data is being transferred, feel free to contact the developer and ask. With the new privacy regulations coming into effect across the globe, they may actually answer. Once you know what you are giving up, you can decide on whether the data lost is worth the convenience gained.

 

Buying tech this Christmas? Check out its creepy factor – 11/20/18

 

 

This year, there are tons of cool tech gadgets on the market, everything from teddy bears that connect to the internet to personal alarms. As neat as all of these devices are, some of them have the potential to leave the users feeling exposed and violated.

Thankfully, the good folks at Mozilla have put together a terrific website that examines the privacy risks of the hottest tech gifts. At Privacy Not Included you can find out what information a device collects, what is done with that data and what kind of security the device has. They also rate customer service. To make it extra fun, consumers can give each item a creepiness rating based on how comfortable they would be having that device in their home. Check it out.

 

Watch homeowners find out their security cameras are being broadcast worldwide – 10/22/18

 

 

With more and more of the devices in our homes connecting to the internet come more and more ways for criminals to hack your home network. To show just how easy it is, CBC’s Marketplace teamed up with some white hat hackers and hacked into the home networks of several Canadian homes. When homeowners were shown how vulnerable their privacy and their networks were, they were shocked and disturbed. Watch the episode and see how easily your network can be hacked and what you can do to prevent it.

This week’s Cyber Security Challenge draw entry code is l4lnwsrt. This is the last entry code. Make sure you get all your codes entered before 4:00 pm Oct 30.

Must read – changes to Google Team Drive permissions – 10/11/18

 

 

This week Google rolled out the first of two changes to the Google Team Drive permissions. The names have been changed. The new names and their permissions are:

  • Manager = full access
  • Contributor = edit access
  • Commenter = comment access
  • Viewer = view access

Please check your Team Drive members list and ensure that the new permissions are correct. After the name change, I found members who previously had only edit access were given Manager or full access to the drive.

This week’s contest entry code for the Cyber Security Challenge is w2snl4tr.

Facebook is abusing your phone number – 10/04/18

 

 

All of you who have been on the ball and enabled two-factor authentication on your Facebook account are about to get really annoyed. Some researchers have discovered that the same phone number you gave Facebook to secure your account is being used to target you with advertising.

When Facebook was called out on the practice, they defended it by suggesting users could simply turn off two-factor authentication and opt out of the data sharing. I know what you are thinking. You shouldn’t have to choose between privacy and security. Fortunately, there is a better solution. In May they released a feature called Code Generator. It allows you to use two-factor authentication without using your phone number.

If you are currently using your phone number for two-factor authentication on your Facebook account and don’t want it used for targeting ads, I suggest you switch to the Code Generator. The added bonus: it works even if you don’t have text messaging or an Internet connection available.

This week’s contest entry code for the Cyber Security Challenge is n1wsl4tr.