Cybersecurity Blog

Your TV is tracking you – 07/12/18

If you have a Sony, Sharp, Magnavox, Toshiba or Philips smart TV, Samba Interactive TV is probably installed on it. It is a service that recommends shows and provides special offers based on your onscreen content, or at least that is what they tell you. You are asked to enable it when you turn on your new flat screen for the first time. As 90% of people say yes, it is probably a good bet that you did too.

If you actually read their privacy policy, what it really does is connect to any device on the same network as your smart TV, such as your phone. This allows the service to track you once you leave the house. So not only is it tracking what you watch, it is also following you as you go to work, pick up your kids, get groceries and go to the movies. Creepy, huh? It uses this information to deliver you customized content. However, the data collected can be used not just by Samba, but by their partners as well. Basically, anyone Samba likes can see where you spend your time and what you watch on TV. This is the same kind of tracking other companies such as Facebook, Google and Apple have been criticized for.

Unfortunately, Samba Interactive TV isn’t the only service that tracks what viewers watch. In fact, Vizio was fined for using similar automatic content recognition (ACR) technology to deliver targeted content. With TVs tracking your every move, how do you protect your privacy? Thankfully, Consumer Reports has a list of smart TVs and how to turn off ACR.

This is just another reminder that as consumers we need to take more interest in privacy policies and terms and conditions before we sign up for a service.  We have the right to choose to trade our privacy for convenience. However, before we make that choice we should be aware of exactly what we are giving up and to whom.

Source:  https://nakedsecurity.sophos.com/2018/07/09/smart-tvs-are-spying-on-you-through-your-phone/

The password to your internet connected device is on the web – 07/04/18

Have a thermostat, doorbell or baby monitor that connects to the internet? How about a router? Have you changed the default password that came with the device? No? Well, you might want to get right on that. Why? Well, the default passwords of most devices can be found on the internet. Yup, that is correct.  You can do a simple search of the make and model of your device and in most cases get its default password.

This is very handy when you are setting up your device for the first time or you have to perform a factory reset. It is also very handy for hackers who count on consumers leaving the default password as is. Once criminals have the password, they can easily gain control of the device. Numerous instances of baby monitors scanning rooms on their own and devices being turned into bots for denial of service attacks have been documented.

This is just another gentle reminder to change your default password and keep the device firmware up to date on anything that connects to the internet. Want to learn more about internet connected devices? Check out this blog post.

App developers can read your Gmail – 07/04/18

It has been known for years that Google reads Gmail. Originally they were using the email content to target users with custom ads. After a tidal wave of complaints and a couple of lawsuits, they finally quit doing so last year. The ad targeting has stopped, but the automatic reading of email hasn’t. What are they doing with that content? Well, they are sharing it with third party apps and you gave them the permission to do so.

Google states within their privacy policy that they share your information with third parties. This allows apps to deliver services based on your information. For example, to automatically book appointments or create travel itineraries, an app will need to scan your email content so it knows what appointments to create or what your travel plans are. Of course, this access isn’t given without your permission. You are asked if this is okay when you install the app.

What you don’t realize is that when you give your okay, you are not just giving a machine permission to read your emails, but you are also giving the okay for the app developers to read them too. So some bored programmer on his lunch break could entertain himself by going through your email.

How is this okay? Well, buried in privacy policies of third party apps is a statement that they will use personal information to monitor, operate and improve services. It doesn’t explicitly say that an actual person can read your emails and it doesn’t have to. To make things more confusing, if the app has other partners you will have to read their privacy policies as well to determine who has access to your information and what is being done with it.

So what is a user to do? First, visit Google’s accounts permissions page to determine what apps have email access and access to your Google account.  Then visit the app’s website and read their privacy policy. If you are okay with how your data is being stored, used and shared, carry on. If you aren’t, revoke the app’s access.

Not really up to spending an hour wading through privacy policies? Then assume that everything the app has access to is being shared elsewhere and can be read by anyone. Concerning, isn’t it? It just may be enough for you to reconsider your Gmail account altogether or at least be real careful about what you put in your next email. Heck, it might be enough for you to dump Google.

Messaging stuffed animal a security risk – 06/11/18

CloudPets allows kids to send and receive messages through an adorable stuffed animal. Unfortunately, last year hundreds of thousands of kids using CloudPets had their data and voice messages exposed. You would think that after such an incident, the company would take measures to fix the vulnerabilities that allowed that to happen. However, researchers have found that over a year later, nothing has changed. The toys remain full of security flaws that can easily be exploited.

Fed up with the company’s clear lack of concern over its users’ privacy, Walmart, Target and Amazon have pulled the toys from their stores. If one of your loved ones has a CloudPet, I strongly recommend that you disconnect it from the Internet until the company addresses its security issues.

Some Google Groups are leaking data – 06/05/18

Have you checked the settings on your Google Group lately? By default, when you create a group, only group members can post and view messages, and people must ask to join the group. However, researchers have discovered that thousands of Google Groups have their permissions set to allow the general public to view the group posts. This would not be an issue if the people posting information to the Google Group understood that their posts could be viewed by the public. However, sensitive and private information has been found within these group posts, suggesting that they really have no idea.

If you are the owner of a Google Group, please take a moment to check your permissions. To check permissions:

  1. Open the Google Group.
  2. In the title bar of the Google Group, click Manage. The left menu changes.
  3. In the left menu, click Permissions. A list of permissions appears.
  4. Click to select each permission type and review its settings.

Please note that if you have selected All organization members for View topics or Post, anyone with an @mtroyal.ca email address may do so. This includes students, staff and faculty. If you have selected All members of the group, users must actually join the group to be able to post or view emails/topics.

If you wish to email/post to a Google Group, check the settings of the group to see who can see the messages you send. To check the settings:

  1. Open the Google Group.
  2. In the title bar of the Google Group, click About.
  3. Scroll down to find the Access section. The posting and viewing permissions of the group are listed here.

If you have questions or concerns about setting permissions, please contact Bernadette Pasteris at bpasteris@mtroyal.ca.

Blu Android phones caught sending user data to China – 05/09/18

They’re baaack! Last year, Amazon pulled the ultra cheap Blu brand of smart phones from their site after it was discovered that they were calling home to China without their users’ consent and transferring loads of private data. Users were completely unaware of the data transfers as the application responsible was installed in the factory and therefore undetectable by anti-virus software.

The company has since come to an agreement with the FTC and promised to never do it again. This has prompted Amazon to once again allow the company to sell their phones on their site.

If Blu violates the agreement with the FTC, it could cost them up to $41,484 per incident in civil penalties. They will now have their security protocols and record keeping monitored. However, considering Blu repeatedly misled consumers and regulators previously by stating they had stopped data collecting when in fact they were still doing it, I am not so sure they can be trusted. Yes, their phones are deliciously cheap; however, you might be giving up your personal information in exchange. Remember, you get what you pay for.

Cyber Safety Summit 2018 – 04/23/18

The Cyber Safety Summit 2018 will be held on October 2, 2018 at the Lincoln Park room in the Main Building of Mount Royal University’s campus. The summit will include experts speaking on home security, social engineering, fraud protection and how to recover from a cyber attack. In addition, we are adding a new topic this year, protecting your privacy. Registration is free.

Spend the whole day with us or just come by for your favourite session. Either way you have the opportunity to hear from the experts themselves how to keep your family and home cyber safe.  Come with your questions and concerns, leave armed with the knowledge you need to keep hackers at bay.

Can’t attend the summit? We will be live streaming all sessions.  Visit the website to review last year’s program and to sign up for Summit updates.

Mark your calendars now!! See you on October 2, 2018!!

Must Read – Help us keep your data safe – 04/17/18

Keeping our digital campus safe is a responsibility shared by the entire MRU community. An important part of that responsibility is for each of us to keep our account passwords secure, private, and not shared with any other person.

Sharing usernames and passwords is never a smart practice, but it’s especially unwise with your MRU account. Your username and password authenticate your identity, proving that you’re you. Many critical University business functions are online these days, and sharing passwords puts all those processes at risk. Whether it’s access to change grades, financial approvals, expense reimbursements, access to staff and student personal information, or simply private emails, your password is how you protect the important work you do from bad outcomes.

Never give your MRU account password to anyone. IT Services will never ask you for it, and neither should anyone else.

If you have a guest that requires a computer for presentations or a meeting, they must bring their own and connect to the “MRVisitor” wifi network. They are not allowed access to admin workstations or private campus networks.

Visiting instructors can log into academic workstations using an SCC account, which allows us to track their activities on our network. The SCC password changes frequently; to get today’s password, please contact the IT Service Desk at itservicedesk@mtroyal.ca, 403.440.6000, or in person at E251.

If you have a situation where you are tempted to share your password, contact the Service Desk and work with them to find a better solution. Together, we can keep our digital resources and online community safe.

Those cute quizzes are sucking up data about you – 04/11/18

With the fallout from Facebook’s poor choices continuing, this is a great time to remind everyone that big brother is always watching. As fun as those cute little quizzes are on social media, you could be giving hackers everything they need to impersonate you.

Quizzes that ask you the name of your first pet, what was the first car you drove and where you went to school are thinly disguised attempts at getting a hold of the answers to privacy questions.  Outside of privacy questions, even seemingly innocent information about your past can be used against you in the wrong hands.

When it comes to quizzes, just don’t. Your privacy is not worth a few moments of entertainment.

Facebook Android app logging calls and texts – 04/11/18

On the heels of an announcement that Facebook allowed Cambridge Analytica to harvest data from users to influence the US elections, users of the Android Facebook app have found that their calls and texts are being logged.  It’s been a tough few weeks for Facebook users concerned about their privacy.

Why on earth would Facebook need to log calls? Apparently to improve our experience of using their products. As alarming as all this seems, Facebook is only doing what their users have allowed them to do. In our desire to connect we have thrown caution to the wind and have accepted any conditions of use that app developers have thrown at us. If this has taught us anything, it has taught us to be more cautious with clicking Allow when an app is asking for permission to access our contacts, our microphones, our photos and anything else they might want to mess with.

The only way things are going to improve is if we users start choosing privacy over convenience and stop downloading intrusive apps. This is a lesson that Facebook is learning the hard way, with users dumping the platform at record speeds. The question is, is anyone else paying attention?