Cybersecurity Blog

Travel company hit by data breach – 03/21/18

Did you book travel online between January 1, 2016 and December 22, 2017? If so, your payment card information, date of birth, phone number, email address, full name, gender and mailing address may be in the hands of hackers. Orbitz online travel has reported that hackers infiltrated an older version of their booking platform, exposing the data of over 800 000 customers.

As Orbitz is used by other companies such as AMEX to book travel, the breach reaches beyond Orbitz’s direct customers.  So how do you know if you have been affected? Orbitz and its business partners will be reaching out to notify you. However, in the meantime keep an eye on your bank statements, credit card balances and credit report.  The good news is Orbitz’s current systems have not been affected. For more details, visit their website.

How to protect your Facebook data – 03/22/18

With the news that hundreds of thousands of Facebook users had their information collected and distributed without their knowledge, many people are rethinking their Facebook accounts, especially as it was all done legally in accordance with Facebook’s Data Use Policy and their Terms of Service.

If you are not ready to turf your account altogether, there are some things that you can do to protect your data:

  1. Set up Login Alerts.
  2. Make sure your posts aren’t searchable.
  3. Make sure only friends can see your posts.
  4. Only let people that you know contact you, search for you or add you.
  5. Enable two-factor authentication.
  6. Stop using your Facebook account to log in to other apps.
  7. Audit apps that currently connect to Facebook.

Whew!! That is quite a list. Kinda makes you wonder if it is really worth all the effort. Maybe it is easier to just pick up the phone and call your friends.

Passwords are NEVER to be shared – 12/06/17

I was shocked and extremely concerned to read about UK members of Parliament sharing passwords with their staff.  How could high ranking members of a government, with a gateway into a network containing super sensitive data be so reckless?  Surely no such thing occurs in other organizations? Surely here at Mount Royal University we are much more cautious with our passwords.

I was dismayed to discover that is not the case. Passwords are being shared between professors and graduate students, between managers and admins, between colleagues and between students. Why is this a problem? Just think for a minute of everything that you access with that login information. Do you really want to give someone else that much information about you? Do you really want someone else to be able to access EVERYTHING that you have access to? Your password is the key to your kingdom. Don’t give it away.

IT Services is very aware that there are many instances where you need to give people access to your email, documents or an application.  Fortunately, we have many tools at our disposal to do that without giving them access to everything else as well.

My favorite password sharing excuse is, “I can never remember my passwords, I need my admin to know them so she can remind me when I forget.” KeePass is a password manager that is easy to use and it will store your passwords for you. It is installed on every workstation and it requires you to remember only one password. Still challenged? There are many ways to create a password that is easy to remember but very effective. Contact the IT Security Training Analyst if you are still struggling.

If you are currently sharing your passwords or using someone else’s passwords, please stop, change your password and contact the IT Service Desk to discuss your needs. They will be happy to find a solution for you. Keep your data safe, keep your passwords a secret.

Watch out for PayPal “Failed Transaction” Emails – 12/05/17

With holiday shopping in full swing, cyber criminals have decided to roll out another PayPal phishing email campaign. This one notifies you that they were unable to verify your recent transaction. With shoppers stressed to the max, the criminals are hoping that you won’t notice that a generic salutation is used or that the email doesn’t come from PayPal. Those who panic and click the Verify button/link are asked for their PayPal login credentials, all their personal information including their mother’s maiden name, and their payment card information.

This is a reminder that an organization asking for information that they should already have is a big red flag that something isn’t right. Always visit an organization’s website directly when you receive an email from them that contains links or attachments. Any concerns with your account or transactions will be accessible from their official site. If you wish to contact the organization directly, use contact information found on their website, not in the email. Safe shopping!!

Preventing Identity Theft – 09/12/17

With the news of the Equifax breach, consumers are left reeling, not sure what action to take to prevent identity theft. There are tons of articles talking about credit freezes, alerts and monitoring. Most of this information refers to laws and services particular to US citizens. Some are not even available in Canada. As a Canadian, what do you do?

1. Contact Equifax
  • Visit the Equifax site for details.
  • All impacted customers will be contacted directly. If you have not been contacted, call them at 1-866-699-5712.
2. Set up a credit file alert.
  • With a credit file alert, a request for a new credit product or a change in a credit product cannot be approved without confirmation with the consumer who owns the credit.  This prevents fraudsters from signing up for new credit cards or loans as well as preventing them from increasing credit limits.
  • A credit file alert should be set up with both Equifax Canada and TransUnion Canada. Each provider has different types of alerts and they don’t share information. Contact the companies for details.
  • Equifax will be providing free credit monitoring and identity theft protection for 12 months to everyone who is impacted. Equifax will contact you directly with the details.
3. Check your credit report monthly.
4. Sign up for credit monitoring.
  • Be notified of new debts.
If your identity is stolen or accounts are accessed:
  1. Contact your local police department and get a police case number.
  2. Contact all your financial institutions and give them the police case number to hold in your file.
  3. Call Equifax Canada and TransUnion Canada and have them place the police case number on your credit reports.
  4. Report the incident to the Canadian Anti-Fraud Centre.

Keep your Privacy, Browse in Private Mode – 08/25/17

Planning on using a public computer? Do you have family members or children who also use your machine? You may not want them to know you are planning a surprise trip to Disneyland, that you are concerned about that mole on your leg or that you belong to the kitten of the month club. Browsing in private mode keeps the pages that you have visited out of the history list. This keeps users that come after you from checking the history list to see where you have been.

Different browsers have different names for private mode. In Safari and Firefox it is called Private Browsing. In Chrome it is called Incognito. Check out the links to find out how to browse privately in your browser of choice.

AirDrop allows strangers to send you files and photos

There is a lovely iOS feature called AirDrop which allows you to send files to anyone within Bluetooth range anonymously. It has facilitated the rather disturbing practice of bluejacking, sending pics of your privates to random strangers in order to enjoy the look of shock on their faces. By default this feature is enabled so you can receive files from anyone on your contact list. However, some people have inadvertently changed the settings so they can receive files from anyone.

To prevent such unpleasantness, it is recommended that you disable AirDrop unless you are using it. To turn AirDrop off:

  1. Swipe up to view the Control Center.
  2. Select AirDrop Receiving.
  3. Select Receiving Off.

Android Phones with Preloaded Malware for Sale on Amazon – 08/08/17

David Bisson, a contributor to grahamcluley.com, reports that Trojan malware is being found preinstalled on several Android phone models. This lovely malware, called Triada, is undetected by anti-virus applications and is designed to steal banking and login credentials as well as other information. Now you don’t even have to click on a link or download an app. You can have your phone infected from the point of purchase. Yaaayyyy!!!! The infected phone models are:

  • Leagoo M5 Plus
  • Leagoo M8
  • Nomu S10
  • Nomu S20

These phones are produced by Chinese OEMs and can be purchased on Amazon. It is unclear whether the malware was installed intentionally or by a disgruntled insider. Regardless, if you are looking for a cheap Android phone I would avoid unrecognizable brands shipped direct from China. It could end up costing you a lot more in the long run.

New login screen for Google a privacy concern – 04/07/2017

On April 10, 2017 Google will start rolling out a new login screen. It will begin with a limited release and then widen until all users are converted over. The new screen will no longer give you the option to Stay signed in. Instead, all users will automatically be connected to Google/Gmail/Google Drive with this feature enabled.

Why is this a concern? Well, if you are using a public workstation in the library, a classroom or meeting room and you log out of the workstation, you will not be logged out of Google/Gmail/Google Drive. The next user who starts up that workstation and opens Google Chrome will see all of your emails and files on display.

Starting today, we are asking that all faculty, staff and students log out of Google/Gmail/Google Drive before they log out of any computer or device that is not their own.

If you have any questions or concerns, please contact the ITS Service Desk.