Cybersecurity Blog

What is credential stuffing and why should you care? – 02/14/19

 

 

As I predicted, hackers are starting to take advantage of the huge collections of free user credentials floating on the web. This week both Dunkin’ Donuts and OkCupid have had large numbers of their user accounts hacked with credential stuffing.

Credential stuffing is where hackers take a list of usernames and passwords and use them to try and login to a site.  They use computer programs that allows them to test thousands of login credentials in minutes.  If someone is reusing passwords or using common or weak passwords they will have no problem accessing those accounts.

As those Dunkin’ Donuts and OkCupid users found out, it is almost impossible to prevent hackers from accessing accounts this way. They can block most of the login attempts, but there will always be those that get through.  Although Dunkin’ Donuts’ users originally lost access to their Perks accounts  the company replaced them and ensured customers didn’t loose any value they had accumulated. The poor folks at OkCupid not only lost their accounts, but had to worry about criminals having access to private messages. Ouch!

So how do you protect yourself against credential stuffing?

  1. Don’t reuse passwords. I know, I know, I say this all the time, but I am going to say it one more time. I know it is inconvenient and a pain but it really is the only way to protect yourself.
  2. Use a password manager. This takes the sting out of my first recommendation. Password managers not only store your passwords, but make generating them and logging in a breeze.
  3. Use the new Password checkup Chrome extension from Google. This puppy has already saved my bacon once. I had come up with a nice  secure password. Turns out someone else involved in a data breach had come up with the same one. Password checkup let me know so I could change it.
  4. Register with haveibeenpwned.com. If you register your email with them, they will email you when your email address shows up in a data breach. If you are still reusing passwords, this gives you time to change it. Credentials stolen in data breaches often show up on the dark web for sale before the breached company even knows their user’s data has been compromised.
  5. Enable two factor authentication on every account that has is available. Two factor authentication requires you to enter an authentication code or respond to a prompt from an authentication app only when you login to a unknown device.

 

Hotel chain data breach 11/30/18

 

 

Have you stayed at one of the following hotels in the past 4 years?

  • W Hotels
  • St. Regis
  • Sheraton Hotels & Resorts
  • Westin Hotels & Resorts
  • Element Hotels
  • Aloft Hotels
  • The Luxury Collection
  • Tribute Portfolio
  • Le Meridien Hotels & Resorts
  • Four Points by Sheraton
  • Design Hotels

Lucky you!!  There is a possibility your name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure data, reservation dates and/or  credit card information were stolen in a data breach.  Marriott has reported an unauthorized access to their guest reservation database was made on or before Sept 10 of this year.  However they acknowledge that the criminals have been inside the company’s network since 2014.

In response they have set up a dedicated website, established a call center to answer questions and will be emailing those affected. To make their customers feel better they are also offering a free on year subscription to an internet monitoring service. When a subscriber’s personal information is found on the web, they are  notified.  This service is available to customers in Canada.

If you think you may have been affected, visit the website for more information and look for signs of identity theft.

 

Dell customer data breached – 11/29/18

 

 

Dell has announced that on November 9 they detected in intrusion into its systems.  Customers’ names, email addresses and passwords were involved in the breach. However, Dell did not find any evidence that any of this information was actually extracted.  To be safe, all customers were forced to reset their passwords.

If you have had financial information stored in your Dell account, keep an eye on your credit card statements.  There is no evidence any of this information was affected, but its not unusual for a company to initially report everything is okay, there is nothing to see and then a month later (after the executives have sold their shares) reveal all your personal data has been stolen .  Yes Equifax, I am talking about you.

 

How we get notified of an account breach – 11/23/18

 

 

Not every hacker makes their money by breaking into  accounts and stealing funds or ransoming your data. Some hackers are content to simply  break into servers and steal usernames. passwords and other personal information that they then sell on the dark web.  It is quite a niche business.

To combat this evil, an enterprising fellow name Troy Hunt created a tool that scans the dark web looking for stolen data that is for sale.  You  can access this information for free at have i been powned. Simply visit the website and enter your email address. It will tell you if any of your accounts using that email have been breached.

This gives you the opportunity to change your password and username or delete the account.   This is an easy process if you don’t reuse passwords. It is a huge headache if you do.  What’s even cooler,  you can subscribe to an alert service so they will automatically notify you when there is a new  account breach.  This is so awesome, Mount Royal even subscribes.

We get notified when anyone with an @mtroyal.ca email is involved in a breach.  We also get told which account was breached.  We are aware that password reuse still happens. By being notified of breaches we can make sure our users change their passwords so hackers cannot use their accounts to gain access to the network.

So if you are using your @mtroyal.ca account to sign up for the adult furry website High Tail Hall, we will know about it. To make matters worse, we have to contact you to let you know about the breach.  It gets awkward for everyone.

This is a friendly reminder, only use your @mtroyal.ca email account for business. IT Services thanks you.

 

Browser extensions cause of Facebook data breach – 11/05/18

 

 

The BBC Russian Service has found  data from 81 000 Facebook profiles sitting on the web. The data is apparently just a small sample of what was taken from 120 million accounts by a hacker selling his haul.  It is hard to know if 120 million profiles were indeed hacked or if the breach is limited to what is currently on display.  One would think that Facebook would notice 120 million profiles being accessed, so my guess is they don’t have much more than the small sample. After all, criminals aren’t known for their honesty.

Facebook is blaming malicious browser extensions. They are reporting that the extensions were monitoring user’s Facebook activity while shuttling personal information as well as private conversations to the hackers.  The majority of information taken was from Ukrainian and Russian users, however profiles from all over the world were also pilfered.

This is a reminder to be wary of browser extensions. As with apps, only download ones that:

  • You really need
  • Have good reviews
  • Have lots of downloads
  • Come from reputable sites

Malicious browser extensions can be very difficult to detect as extensions update automatically.  This allows hackers to create extensions that are harmless, until their first update. After that your handy extension starts doing all sorts of nasty things.

To reduce the risk, if you really need a particular browser extension consider disabling it when you aren’t using it.  Lastly once you no longer need the extension, remove it from your browser.

 

Facebook breach – logout of your account 09/28/18

 

 

Today Facebook announced that they have discovered hackers have stolen 50 million access tokens.  These tokens allow them to take over an account without having to login with a password. They did it by taking advantage of a vulnerability in the View As feature that allows users to see what their account looks like when viewed by others.

To solve the problem, they have logged out all the users who they believe were affected and disabled the View As feature.  As often happens in these types of breaches, there is a possibility that at a later date they may find there are more people affected than originally thought.

To be on the safe side I suggest that you logout of Facebook by going to Settings  and selecting Security and Login. There you can logout of all your devices at once with a single click. Alternatively, this might be a good time to get rid of Facebook all together.

 

Netflix, Hulu and HBO Go passwords on the dark web – 08/23/18

 

 

If you have a Netflix, Hulu or HBO Go account, you should reset your password.  Irdeto has reported finding passwords to those services for sale on the dark web.  This is an easy fix if you have a unique password for every account.  If however you reuse passwords, this news is going to ruin your day.  Good luck even remembering all the accounts that you have little own which ones use the same password.

I hate to sound like a broken record, but this is just one more reason to make sure you use unique passwords on all your accounts.  This might also be a good time to break down and start using a password manager to keep track of all of them as well.

 

TeenSafe has leaked data from thousands of account holders – 05/22/18

 

Researchers have stumbled across two of TeenSafe‘s servers containing databases that list parent emails, their child’s Apple ID email address and password, device names and unique identifiers in plain text. Because the information isn’t encrypted, anyone who gains access to the server can read the information.

Once TeenSafe was notified of the leak, the servers were taken off line.  However, if you are a user of TeenSafe, you should change your password and have your child change their Apple ID password.  Of course, if you have reused passwords you will also have to change the password for every account that uses the same password. Just another reminder to use a unique password for every account.

 

ALERT – Mount Royal targeted with fake Sharefile requests – 04/12/18

A college that we communicate with regularly has had one of their email accounts compromised. As a result, several people around campus have received emails with requests to Download Attachments from Sharefile.  The emails look like this:

The name of the college and the email sender have been blurred out to protect their privacy.

 

What makes these emails so devious is that they come from someone that Mount Royal staff have been conversing with recently. This makes it much more challenging to identify them as malicious.

This is a gentle reminder to everyone to contact the email sender when you receive an unexpected email with a link or attachment using a contact number that you have used in the past or have found through Google.  Even if you have been speaking with them recently if you aren’t expecting the email, call to confirm its legitimacy. Just because an email looks like it comes from someone you know, doesn’t mean it does.

That is what our brave Mount Royal employee did and as a result prevented a potentially serious cyber security incident. Had they simply clicked on the Download Attachments button and followed the instructions, they would have given the hacker their Docusign credentials. Who knows what that would have led to.

MyFitnessPal Under Armour App has been Breached – 04/03/18

If you have been using MyFitnessPal from Under Armour, change your password immediately.  On March 25 Under Armour learned that usernames, email addresses and hashed passwords were taken from about 150 million user accounts.

The good news is the passwords were hashed or scrambled and will need to be decoded before they can be used.  The bad new is, the thieves may use phishing emails to acquire your password directly instead of doing the hard work of decoding it.  Change your password directly in the app or through their website instead of using a link in an email.

If you use your MyFitnessPal password for other apps or websites, make sure you change those passwords as well.