Cybersecurity Blog

Google can track you even if Location History is turned off – 08/15/2018

If you have an Android phone or an iOS phone that has the Google app on it, Google could be following your every move. Most people are aware that you can turn Location Services off on your iPhone and disable Location reporting on your Android phone. You may even know how to turn off Location History so Google doesn’t store a record of where you have been. What you probably don’t know is that Google has been deceiving you.

AP News has found that when you turn off those services, it only disables the viewable timeline. However, every time you open Google Maps, get some weather updates or use Chrome for a search, it tracks you and stores time-stamped location data from your devices.

Fortunately, there is a way to truly turn off the location tracking.  Google buried it deep within their account settings. To keep nosy Google from tracking you in any way:

  1. Open the Google app on your mobile device.
  2. Click the Settings icon in the upper left-hand corner.
  3. Select Manage your Google Account.
  4. Select Personal info & privacy.
  5. Select Activity Controls.
  6. Select Web & App Activity.
  7. Click the slider to disable Web & App Activity. It should turn gray.

Must read – Using your @mtroyal email for personal stuff? Please don’t. – 07/20/18

On a regular basis, account providers are hacked and their customer data is stolen and put up for sale on the dark web in large data dumps. Usernames and passwords are often included in the information.  As over 30% of users reuse passwords and usernames, once a hacker has that information they can access several accounts.  As part of our ongoing efforts to keep Mount Royal’s data safe, we subscribe to a service that lets us know if any @mtroyal.ca email addresses appear in these lists. If an account provider gets hacked and a user used an @mtroyal.ca email address as a username, we get notified about the breach. We then force a password change on the account to ensure it stays secure.

Where things get uncomfortable is when users decide to use their @mtroyal.ca email address for personal accounts. Many account providers that deliver special-interest content do not have the best security practices and are often hacked. We really don’t want to know that you belong to the Jelly of the Month Club or you are a member of Poniverse (those are the G-rated ones). Please save us and yourselves the embarrassment. Use your @mtroyal.ca account for business purposes only.

Fitness app exposes your location – 07/19/18

The fitness app Polar Beat allows you to plan your workouts, map out and track your workout, analyze how you did and then share your success with friends. The app has a sister application on the web called Polar Flow. You create one account and get access to two services.

Sharper readers will get that tracking and sharing your workouts might not be the best idea when it comes to protecting personal safety or privacy. Thankfully, the company offers its users the option of enabling private mode so they can keep their location information private. At least that is what was thought, until researchers started to poke around.

They found that by accessing the API they could get location and tracking information on anyone with an account, even if they had set that account to private. This is especially concerning because the researchers decided to see if they could locate foreign intelligence officers and nuclear storage facilities staff. They could. As the app had tracked all their activities, once the researchers found their place of work, it was pretty easy to find their home location as well. Let that sink in for a minute.

Unfortunately, this is not the first time a fitness tracking app has made information public that people probably want kept private. As handy as it is to have your fitness tracker tell you how many calories you burned and how far you have run, you might want to reconsider using a tool that purposely tracks your location. You never know who might be able to get a hold of the data.

Your TV is tracking you – 07/12/18

If you have a Sony, Sharp, Magnavox, Toshiba or Philips smart TV, Samba Interactive TV is probably installed on it. It is a service that recommends shows and provides special offers based on your onscreen content, or at least that is what they tell you. You are asked to enable it when you turn on your new flat screen for the first time. As 90% of people say yes, it is probably a good bet that you did too.

If you actually read their privacy policy, what it really does is connect to any device on the same network as your smart TV, such as your phone. This allows the service to track you once you leave the house. So not only is it tracking what you watch, it is also following you as you go to work, pick up your kids, get groceries and go to the movies. Creepy, huh? It uses this information to deliver you customized content. However, the data collected can be used not just by Samba, but by their partners as well. Basically anyone Samba likes can see where you spend your time and what you watch on TV. This is the same kind of tracking that other companies such as Facebook, Google and Apple have been criticized for.

Unfortunately, Samba Interactive TV isn’t the only service that tracks what viewers watch. In fact, Vizio was fined for using similar automatic content recognition (ACR) technology to deliver targeted content. With TVs tracking your every move, how do you protect your privacy? Thankfully, Consumer Reports has a list of smart TVs and how to turn off ACR.

This is just another reminder that as consumers we need to take more interest in privacy policies and terms and conditions before we sign up for a service.  We have the right to choose to trade our privacy for convenience. However, before we make that choice we should be aware of exactly what we are giving up and to whom.

Source:  https://nakedsecurity.sophos.com/2018/07/09/smart-tvs-are-spying-on-you-through-your-phone/

The password to your internet connected device is on the web – 07/04/18

Have a thermostat, doorbell or baby monitor that connects to the internet? How about a router? Have you changed the default password that came with the device? No? Well, you might want to get right on that. Why? Well, the default passwords of most devices can be found on the internet. Yup, that is correct.  You can do a simple search of the make and model of your device and in most cases get its default password.

This is very handy when you are setting up your device for the first time or you have to perform a factory reset. It is also very handy for hackers who count on consumers leaving the default password as is. Once criminals have the password, they can easily gain control of the device. Numerous instances of baby monitors scanning rooms on their own and devices being turned into bots for denial of service attacks have been documented.

This is just another gentle reminder to change your default password and keep the device firmware up to date on anything that connects to the internet. Want to learn more about internet connected devices? Check out this blog post.

App developers can read your Gmail – 07/04/18

It has been known for years that Google reads Gmail. Originally they were using the email content to target users with custom ads. After a tidal wave of complaints and a couple of lawsuits they finally quit doing so last year. The ad targeting has stopped, but the automatic reading of email hasn’t. What are they doing with that content? Well, they are sharing it with third-party apps and you gave them the permission to do so.

Google states within their privacy policy that they share your information with third parties. This allows apps to deliver services based on your information. For example, to automatically book appointments or create travel itineraries, an app will need to scan your email content so it knows what appointments to create or what your travel plans are. Of course, this access isn’t given without your permission. You are asked if this is okay when you install the app.

What you don’t realize is when you give your okay, you are not just giving a machine permission to read your emails, but you are also giving the okay for the app developers to read them too. So some bored programmer on his lunch break could entertain himself by going through your email.

How is this okay? Well, buried in the privacy policies of third-party apps is a statement that they will use personal information to monitor, operate and improve services. It doesn’t explicitly say that an actual person can read your emails and it doesn’t have to. To make things more confusing, if the app has other partners you will have to read their privacy policies as well to determine who has access to your information and what is being done with it.

So what is a user to do? First, visit Google’s accounts permissions page to determine what apps have email access and access to your Google account.  Then visit the app’s website and read their privacy policy. If you are okay with how your data is being stored, used and shared, carry on. If you aren’t, revoke the app’s access.

Not really up to spending an hour wading through privacy policies? Then assume that everything the app has access to is being shared elsewhere and can be read by anyone. Concerning, isn’t it? It just may be enough for you to reconsider your Gmail account altogether or at least be real careful about what you put in your next email. Heck, it might be enough for you to dump Google.

Messaging stuffed animal a security risk – 06/11/18

CloudPets allows kids to send and receive messages through an adorable stuffed animal. Unfortunately, last year hundreds of thousands of kids using CloudPets had their data and voice messages exposed. You would think that after such an incident, the company would take measures to fix the vulnerabilities that allowed that to happen. However, researchers have found that over a year later, nothing has changed. The toys remain full of security flaws that can easily be exploited.

Fed up with the company’s clear lack of concern over its users’ privacy, Walmart, Target and Amazon have pulled the toys from their stores. If one of your loved ones has a CloudPet, I strongly recommend that you disconnect it from the Internet until the company addresses their security issues.

Some Google Groups are leaking data – 06/05/18

Have you checked the settings on your Google Group lately? By default when you create a group, only group members can post and view messages and people must ask to join the group. However, researchers have discovered that thousands of Google Groups have their permissions set to allow the general public to view the group posts. This would not be an issue if the people posting information to the Google Group understood that their posts could be viewed by the public. However, sensitive and private information has been found within these group posts, suggesting that they really have no idea.

If you are the owner of a Google Group, please take a moment to check your permissions. To check permissions:

  1. Open the Google Group.
  2. In the title bar of the Google Group, click Manage. The left menu changes.
  3. In the left menu, click Permissions. A list of permissions appears.
  4. Click to select each permission type and review its settings.

Please note that if you have selected All organization members for View topics or Post, anyone with an @mtroyal.ca email address may do so. This includes students, staff and faculty. If you have selected All members of the group, users must actually join the group to be able to post or view emails/topics.

If you wish to email/post to a Google Group, check the settings of the group to see who can see the messages you send. To check the settings:

  1. Open the Google Group.
  2. In the title bar of the Google Group, click About.
  3. Scroll down to find the Access section. The posting and viewing permissions of the group are listed here.

If you have questions or concerns about setting permissions, please contact Bernadette Pasteris at bpasteris@mtroyal.ca.

Blu Android phones caught sending user data to China – 05/09/18

They’re baaack! Last year, Amazon pulled the ultra cheap Blu brand of smart phones from their site after it was discovered they were calling home to China without their users’ consent and transferring loads of private data. Users were completely unaware of the data transfers as the application responsible was installed in the factory and therefore undetectable by anti-virus software.

The company has since come to an agreement with the FTC and promised to never do it again. This has prompted Amazon to once again allow the company to sell their phones on their site.

If Blu violates the agreement with the FTC, it could cost them up to $41,484 per incident in civil penalties. They will now have their security protocols and record keeping monitored. However, considering Blu repeatedly misled consumers and regulators previously by stating they had stopped data collecting when in fact they were still doing it, I am not so sure they can be trusted. Yes, their phones are deliciously cheap; however, you might be giving up your personal information in exchange. Remember, you get what you pay for.

Cyber Safety Summit 2018 – 04/23/18

The Cyber Safety Summit 2018 will be held on October 2, 2018 at the Lincoln Park room in the Main Building of Mount Royal University’s campus. The summit will include experts speaking on home security, social engineering, fraud protection and how to recover from a cyber attack. In addition, we are adding a new topic this year, protecting your privacy. Registration is free.

Spend the whole day with us or just come by for your favourite session. Either way you have the opportunity to hear from the experts themselves how to keep your family and home cyber safe.  Come with your questions and concerns, leave armed with the knowledge you need to keep hackers at bay.

Can’t attend the summit? We will be live streaming all sessions.  Visit the website to review last year’s program and to sign up for Summit updates.

Mark your calendars now!!  See you on October 2, 2018!!