Cybersecurity Blog

Password managers: the secret weapon against cybercrime – 09/01/22

Passwords: they are our saviors, keeping our data safe, while at the same time they are our oppressors, clogging our brains and stressing us out. We know we should have long, complicated passwords and that we shouldn’t reuse them. However, who has the time to be that creative every time you sign up for a new service, never mind being able to memorize them all? It isn’t surprising that password reuse is as common as grilled cheese.

Attackers know that, which is why credential stuffing is one of their favorite attack methods. It takes little skill and effort. Just go on the dark web and find a list of stolen credentials, plug them into a software program and let it run. After a few minutes you have a whole list of websites that you can log in to hassle free. You don’t even have to buy stolen credentials anymore. Over a hundred lists are just sitting there, free for the taking.

Thankfully there is a way to have long, strong, unique passwords for every service without losing your mind. This magical tool even logs in for you, saving you valuable time and effort. The best part is you only have to create and remember one password. Yup, only one: the one to gain access to the tool. After that, this gift from the gods creates passwords for you. They are long, complicated monsters that would take years to brute force. They would be impossible for a human mind to remember, but this genius of an application does it for you.

What is this mythical piece of software? It is a password manager. In the past they have been known for their ability to effortlessly store passwords, however their other skills are largely unknown. They are your secret weapon against credential stuffing.

There are many, many types of password managers. On workstations across campus you can find KeePass. While functional, it doesn’t look very user friendly and it strikes terror into the hearts of most. All it takes to tame the beast is a quick training session. However, for those less adventurous there are alternatives. The one we recommend is Bitwarden. It uses a browser extension to enable its functionality and offers a full range of features for free.

If you aren’t sure whether Bitwarden is for you, PC Magazine does a great job of reviewing the most popular password managers every year. All of them allow you to use them for free for at least a week before you buy. I suggest picking three and trying them out one at a time. It works best if you only enter your login credentials for your most used services. That way you don’t invest a lot of time into a tool that you decide you don’t want to use later on.

Which password manager is the best? The one that you use. Each one has its own quirks and features. Some you may like, others you may not. If you don’t use the tool, then it isn’t the right one for you. That is why I recommend giving a few of them a try. Ideally you want to find one that fits in so seamlessly with your work that you barely notice it is there.

No, that is not a malicious pop-up – 01/11/22

In preparation for the implementation of mandatory MFA on February 28, 2022, a new pop-up will appear when you log in to Google if MFA is not turned on. It looks like this.

If you click Do this later, you can access your account and enable MFA at a later date. However, we do encourage you to click Enroll instead. The sooner you enable it, the sooner the annoying pop-up goes away. After February 28, 2022, anyone who does not have MFA turned on will have to contact the IT Service Desk to get access to their Mount Royal email account, Google Drive or any other Google Workspace apps.

Things to remember now that we are back on campus – 09/08/21

It is hard to believe, but it has been about 18 months since we were last all on campus. Whether you are thrilled to be amongst students and colleagues or pining for the solitude of your dining room table, you will have developed different work habits while you were working from home. Now is the time to dust off those old habits again. To help you get back on track, I have a few helpful tips.

Lock your screen

Yes, I know that I was teaching people to keep locking their screens when working from home. However, I know most of you didn’t consider the kids, your spouse or the cat a big threat. Now that we are back, it is time to develop that habit again. When you stand up from your machine, lock it. If you are in a hybrid work situation, keep up that habit when you are home so you don’t forget when you are on campus.

Watch for tailgaters

Don’t let people you don’t know sneak in behind you into a secured area. If a stranger has forgotten their OneCard, send them to security rather than letting them in with yours. With everyone masking up again, it is harder to verify that someone is who you think they are. If you aren’t sure, send them to security. If you have a visitor coming to campus, meet them outside secured areas and then accompany them to the appropriate office or meeting room. Do not leave guests unaccompanied in a secured area.

Don’t let others use your credentials

If you have guests coming on campus, have them bring their own laptop and connect to MRvisitor rather than logging into a workstation for them. If you are training someone new, contact the Service Desk to get them access to what they need rather than logging into an application for them. Your credentials are for your use alone, not for the other 114 people who want to access the network.

Keep storing documents on Google Drive

Even though we are now back at our workstations, it is impossible to know whether sometime in the future we will have to return to working from home. Make your life easier: continue to store your documents containing non-sensitive information on Google Drive. That way you won’t have to scramble should we suddenly get sent home again.

Use digital signatures with caution – 04/15/21

With everyone avoiding contact with other people at all costs, the use of digital signatures has become more common. However, some forms of digital signatures are more secure than others.

Services like Adobe or DocuSign encrypt your digital signature. This means that if someone tries to access it without your password, all they will see is gobbledygook. As long as you are careful with your passwords, your signature is secure with these types of services.

Other solutions for digital signatures are not as safe. Pictures of your written signature stored unencrypted or emailed can easily be stolen. If they are on your Google Drive, OneDrive or Dropbox, this makes them even more vulnerable. Likewise, entering your signature into text fields in unencrypted forms is also dangerous.

Remember that your digital signature is used to verify your identity. You should treat it like you do your credit card number. If you wouldn’t store or transmit your credit card number using a particular method or service, then you shouldn’t store or transmit your signature that way either.

Keeping voicemail safe from breaches – 01/05/21

Happy New Year!! Another year, another security concern. This time it isn’t your email, your workstation or your smartphone. This time it is your voicemail. Hackers are taking over voicemail accounts and using them to impersonate people, make thousands of dollars in long distance calls and bypass two factor authentication. Not only does this cost organizations, it is also embarrassing and can lead to network compromise and data loss.

To prevent this, secure your voicemail just as you would your workstation. Use UNIQUE passwords/PINs at least 8 characters long. Remember you aren’t limited to just the 6 characters we are used to using. You can use up to 64 if you wish. Also, make sure your voicemail password/PIN is not a numeric version of any of your other passwords, your age, your birthday, your pet’s name or any other personal information.

Lastly, keep your voicemail password/PIN secret. That means do not share it with colleagues or leave it on a post-it on your phone. Once someone has your password/PIN, they can forward calls, change your greeting, make long distance calls, pretend to be you and generally cause problems while making you the fall guy. Even if they don’t have malicious intent, once someone gets ahold of your password/PIN they may not be as careful with it as you are.

If you are away on vacation and need someone else to cover for you, record a vacation message directing people to call your substitute directly. You can have calls forwarded automatically, but if no one answers, a message is left on the voicemail that received the call, not the one that the call was forwarded to. If neither of these solutions works for you, contact the IT Service Desk; they will find one that does not involve sharing passwords/PINs.
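As an added example (not code from this blog or from Mount Royal IT), here is a small Python checker that applies the voicemail PIN rules above: 8 to 64 digits, not a repeated or sequential pattern, and not a phone-keypad spelling of one of your other passwords or of personal information such as a birthday or a pet’s name. The keypad letter mapping and the four-digit threshold for personal-information fragments are my assumptions, as are the sample values.

```python
# Standard phone keypad layout: the letters printed on each digit key.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}
SEQUENCE = "01234567890123456789"   # ascending digits, wrapped once


def keypad_encode(text: str) -> str:
    """Digits a phone keypad produces for `text`: letters map to their key,
    digits pass through, every other character (spaces, dashes) is dropped.
    This is how 'password' becomes a 'numeric version' of itself."""
    return "".join(ch if ch.isdigit() else LETTER_TO_DIGIT.get(ch, "")
                   for ch in text.lower())


def check_voicemail_pin(pin: str, other_passwords, personal_info) -> list:
    """Return the list of reasons a candidate voicemail PIN fails the post's
    rules; an empty list means it passes. `other_passwords` and
    `personal_info` are the user's own values, supplied by the caller
    (assumption: nothing is stored here)."""
    problems = []
    if not pin.isdigit():
        problems.append("PIN must contain digits only")
    if not 8 <= len(pin) <= 64:
        problems.append("PIN must be 8 to 64 digits long")
    if pin and (len(set(pin)) == 1 or pin in SEQUENCE or pin in SEQUENCE[::-1]):
        problems.append("PIN is a repeated or sequential pattern")
    if any(keypad_encode(pw) == pin for pw in other_passwords):
        problems.append("PIN is the keypad spelling of another password")
    for item in personal_info:
        digits = keypad_encode(item)
        # Fragments shorter than four digits (e.g. an age) would match too many
        # random PINs, so only longer items such as birthdays or names are checked.
        if len(digits) >= 4 and digits in pin:
            problems.append(f"PIN is derived from personal information: {item}")
    return problems


if __name__ == "__main__":
    # Constructed sample values for a quick demonstration.
    print(keypad_encode("password"))          # the keypad spelling of "password"
    print(check_voicemail_pin("72779673", ["password"], []))
    print(check_voicemail_pin("1985031477", [], ["1985-03-14", "Fluffy"]))
    print(check_voicemail_pin("4930277510", ["password"], ["1985-03-14", "Fluffy"]))
```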

Newsletter issued every second week over the summer – 06/18/20

We have decided to issue the newsletter every second week over the summer. With people going on vacation, readership tends to die down a bit at this time. As we are super busy putting together new training materials, writing documentation and generally getting things sorted for September, we thought we would step back from the newsletter a bit.

To keep you up to date on the latest phishing threats, we will continue to add new phishing emails to the Phish Bowl as they come in. Please check it on the weeks when there is no newsletter to stay informed.

You can expect to receive the newsletter on the following dates:

June 19
July 3
July 17
July 31
August 14
August 28

The regular weekly newsletter will return September 4.

See you in two weeks!

The online training is changing – 04/24/20

If you haven’t completed your cybersecurity or PCI awareness training for 2020 yet, you might want to do that before the end of the month. We have a new training tool that we will be introducing July 1. As a result we will be losing access to our current training videos and interactive pre-tests on April 30.

To tide us over until the new tool is rolled out, on April 29 I will be uploading new videos with quizzes. However, you will not have the ability to test out of the video, and it will take longer to complete the training. I apologize for the inconvenience; however, you can look forward to more targeted training once the new tool is rolled out.

The good news is, you still have a few days to complete the current version of the training. If you have any questions, please feel free to contact me at bpasteris@mtroyal.ca.

04/27/20 update: There has been some confusion around the security awareness training completion date. The deadline has not changed; you still have until June 30 to complete your mandatory training. The only difference is that if you complete it before April 30, it will be easier.

How to prevent a two factor authentication compromise – 03/04/20

This week I posted an article telling the horrific tale of a Mount Royal employee who had their phone number ported to another carrier and their email compromised even though they had two factor authentication enabled on their email account.

How was this possible? The authentication method that they had used was an SMS message sent to their phone. With this method, whoever has control over the phone number receives the authentication codes. The bad news is, if someone impersonates you and either asks for a new SIM card or moves your number to a different carrier, they can get access to your email account. The good news is, there is a way to stop this.

Instead of using a text message sent to your phone as your second step, use an authenticator app or authenticator key. An authenticator app generates an authentication code using wifi, while an authenticator key must be plugged in or waved near a device for you to log in. In both cases you have to be in physical possession of the second factor to get access to your account. Of course, if your phone is stolen or your key is lost, you are locked out. However, you can print off backup codes and have an extra key available in case that happens.

Campuses seeing the “trusted friend” credential stealing attack – 09/06/19

With the start of the new school year, scammers and hackers galore begin targeting students once again. Usually, though, it is a complete stranger who is compromising our data, not someone we trust. Welcome to 2019, when even your friends can’t be trusted not to use your credentials for their personal gain.

A Canadian university has seen a student fall victim to a Snapchat credential stealing attack. The unfortunate student was asked by a trusted friend for their Snapchat credentials. When the student handed them over, the friend then sent messages to all of the student’s contacts. The messages explained that he was having trouble accessing a class timetable or a library resource and asked for the contact’s username and password to their school account so he could get the information.

Shortly after, the trusted friend attempted to use the victimized student’s credentials to log in to their student account. The attempt was blocked and the account was locked down. As of the writing of this article, we are unaware whether the trusted friend was sent any other credentials. However, the victimized student had to do some serious damage control with the friends on their contact list.

This is a gentle reminder not to trust anybody with your login credentials. Not your colleague, not your best friend, not your significant other, nor that friend looking for help accessing information. If a friend or colleague is asking for credentials so they can access information, send them to the IT Service Desk. They will be glad to help.

Is it spam or is it phishing? – 05/23/19

I am truly delighted with the number of malicious emails that are being forwarded to abuse@mtroyal.ca. The Mount Royal community is doing a great job of letting us know what to look for and helping us defend their data. There is one question that people keep asking, though: what is the difference between spam and a phishing email? I thought I would take a moment to clarify.

Spam email
  • Goal is to sell you something.
  • It is sent to hundreds or thousands of people at a time.
  • Reading the email does not generate an emotional response.
  • It may or may not contain links.
  • Clicking on the links will take you to the organization’s website.
Phishing email
  • Goal is to steal your data or use your workstation as a tool to access data on other people’s devices.
  • It can be sent to thousands of people or just one or two.
  • Reading the email generates an emotional response.
  • It may or may not contain links and/or attachments.
  • Clicking on the link or opening an attachment takes you to a fake web page and/or loads malware onto your device.

The easiest way to determine if what you are dealing with is spam or phishing is by examining the purpose of the email. If it looks like they are trying to sell you something, then it is probably spam. If it looks like they are trying to confuse or trick you, then it is likely phishing.

Spam emails should be marked as spam by clicking the stop sign icon in the Gmail menu bar. Phishing emails should be forwarded to abuse@mtroyal.ca. If you aren’t sure which one it is, forward it to abuse@mtroyal.ca and we can let you know.