Cybersecurity Blog

The Cyber Security Challenge Weekly Update – 10/05/18

We have come to the end of the first week of competition.  Poor weather and the upcoming holiday has meant a slow start.  However we are starting to see entries trickling in.  Facilities management is in the lead as Building Operations has been rallying their team.  They are  working hard on upgrading our little Golden Superhero Award (photos coming soon) and they really want to win it.

Neck and neck are Support Services and Academic Administration in second.  I like to think I had something to do with that.  I made it very clear in the last IT Services department meeting that the trophy was uber cool.  I also pointed out how embarrassing it would be to not make a respectable showing on the Leaderboard.  My team responded.

I would like to thank everyone that braved the weather and came out for the Summit. I emailed codes to those who registered.  If you just dropped in and didn’t register, email me to receive your code.  I know who attended, so don’t try and snow me into saying you were there if you weren’t.  If you were unable to catch the Summit talks, I will be posting the recordings on the Summit web page.  I will let you know once they are up.

Lastly, don’t forget to get your team together for Hack the Box.  I am canceling Oct 9th’s event due to lack of registration.  However the Oct 16 and 25 time slots are filling up.  Book before it’s too late. You don’t want to miss out on a contest entry code.

Happy Thanksgiving!!

 

 

 

 

 

 

Adware Doctor and Trend Micro apps quietly uploading data – 09/13/18

 

 

Adware a very popular app on the macOS  App Store, has been quietly sending browser history, a list of software you have downloaded and a list of processes running on your computer to  a server in China.  Unfortunately, this is only one of several apps that are collecting user data  without our knowledge, a clear violation of Apple’s policies. You can add Trend Micro’s Dr. Cleaner, Dr. Cleaner Pro, Dr. Antivirus, Dr Unarchiver, Dr. Battery and Duplicate Finder to the list.

The good news is they have been removed from the App Store.  The bad news is, you may have downloaded an app that is behaving badly.  Just like Android and PC users, Mac users must be cautious when downloading apps. Just because it is in the App Store, doesn’t mean it is safe.  Reviews and the number of downloads aren’t always reliable either.  Always be wary of apps that access data that it really doesn’t need to function.

Thankfully, the next version of the macOS, Mojave is supposed to require apps to get the explicit approval of users before they start collecting and shipping off sensitive data.  Yet another reason to keep your eye out for it and update as soon as it comes out.

Kids and cell phones, how to keep them safe – 08/08/18

 

 

As parents gleefully start planning for back to school, one question that may come up is ‘Does my child need a cell phone?’. If your answer is yes, there are some things that you can do to help protect them from cyber bullies, predators and scammers.

  1. Enable the password protected screen lock.  Let your child know that the password should not be shared with anyone but Mom or Dad.
  2. Know every app on your child’s phone, every account that is created and what the passwords are.
  3. Check your child’s phone for disturbing content on a regular basis. Their access to a phone should depend on you having access to it as well. You pay the bills, you make the rules.
  4. Check the privacy and security settings on the phone and apps. Be careful with location tracking. If you can find your child, so can someone else.
  5. Keep the apps and phone software up to date.
  6. Have a talk with your kids about online safety. Teach them to:
    • Never respond to calls, texts or emails from people they don’t know.
    • Talk to them about cyber bullying, harassment and predators. Make sure they know they can come to you for help.
    • Be careful about what they post. Too much personal information can make them vulnerable. Posting the wrong photo or making the wrong comment can mess up your life.
    • Only connect to people through social media that they know.
    • Watch for geo-tagging on photos. They don’t want their exact location to be displayed.

Even if you don’t follow all these guidelines, having a frank and honest discussion about phone safety and modeling desired behavior will go a long way to keeping your kids safe.  For more resources on determining when is the right time for a cell phone and how to keep your kids and teens cyber safe, visit Safe Search Kids by Google.

 

Sextortion scam surfaces at MRU – 07/30/18

 

 

Brian Krebs was the first to report on a clever but disturbing sextortion scam making the rounds.  Unsuspecting people everywhere, including members of the Mount Royal community, are receiving a version of this email:

What makes this email so alarming is it correctly displays your password.  In the majority of cases, the password is an old one and has been changed ages ago. However if you have been naughty and this email shows up in your inbox, you may be tempted to pay up and save your reputation.

The good news is, the password was collected from a data breach and not because they have hacked your machine.  The blackmailers do not have a video of you behaving badly, nor do they have your contact list. Your reputation is safe and no one has to be paid off to make sure it stays that way.

 

Watch out for fake vacation deals – 06/14/18

 

 

With summer just around the corner, scammers are setting the bait with deals on cheap flights, huge discounts and hotel bargains. These too good to be true offers are often exactly that. If you receive an unsolicited email or text advertising a holiday deal use your cyber safety skills. Visit websites of companies you know directly and search for reviews on those you do not. If you are tempted to take the bait, pause and make sure:

  • you are dealing with a reputable known company
  • you have read the negative as well as the positive reviews
  • the domain name is correct and typosquatting isn’t being used
  • you read all terms and conditions
  • there is a way to contact the company should things go wrong
  • the site URL displays https before you enter payment information
  • payment is made with a credit card

University of Regina breach due to weak passwords – 05/28/18

 

Last year when a University of Regina engineering professor was checking grades, he noticed the class average had changed.  When he investigated he found that some students’ grades had been changed and it appeared as though the Dean had done it.  When the Dean was questioned, it was determined that his account had been compromised.

The University has conducted a thorough investigation into the hack over the last year and have determined that weak passwords and the faculty use of default passwords were responsible for the security breach.  The student responsible was expelled.

As a result of the breach, the University has made several changes to their systems and have recommended mandatory training for all employees.

This a reminder to keep your accounts secure with strong passwords that are unique for each account.   If you would like to learn how to create strong passwords that are easy to remember or learn how to easily and safely store passwords, sign up for a workshop, complete the online training or contact me at bpasteris@mtroyal.ca and I would be happy to help.

Alexa secretly records and messages a private conversation – 05/28/18

 

 

A couple in Oregon thought Amazon’s Echo was just the thing to make their life easier.  They purchased the device and then connected it to their environmental controls, lights and security.  With Echo, they could use the Alexa voice assistant to control their whole home with voice commands. Everything was wonderful until they received a panicked phone call from someone on their contact list telling them to unplug their Alexa device.  Without the couple’s knowledge, a message had been sent to him containing a recording of their private conversation.  He was sure they had been hacked.

Unfortunately, that wasn’t the case.  No hack had occurred. In fact, Alexa had become ‘confused’. According to Amazon, the voice assistant ‘heard’ a word similar to Alexa that caused it to start recording. It then ‘heard’ a string of requests that resulted in the recorded conversation being sent to the panicked caller. Amazon has since assured the public, that occurrences such as this are very rare and that they are working to reduce the odds even more.

For this Oregon couple though, the trust has been broken.  Feeling violated, they will never be plugging the device in again. They are choosing the privacy of their home over the convenience of a voice assistant.

Sources:

  • (2018, May25) ‘Alexa are you recording this?’ The Calgary Herald,  NP6
  • http://business.financialpost.com/technology/personal-tech/amazons-alexa-eavesdropped-on-a-couples-conversation-and-then-sent-the-recording-to-someone-else

Check those photos you are posting on social media – 05/18/18

When sharing with friends, family and colleagues on social media, check your photos carefully before you post them to make sure you aren’t sharing too much. Just ask the Hawaii Emergency Agency or the RAF how embarrassing it is to have sensitive information broadcast over the Internet.  I am choosing to ignore that fact that they used horrible judgement when it came to password storage and management, as nauseous as it makes me. Instead I want to focus on the fact that they failed to recognize the photos would be handing out their login credentials to anyone who can use the zoom feature on a browser.

Other photos found on the Internet have displayed phone lists with employee’s home phone numbers, accounting codes, employee id cards and passwords.

Before you post a photo online, take a really good look at it.  Zoom in on details. Make sure that there is nothing sensitive in the photo.  Look for contact lists, house numbers, license plate numbers, account numbers, bill statements, invoice statements, credit card statements or anything else you want to keep confidential.  Don’t count on the text being too small or out of focus  to read. With the right software, a hacker can make almost anything readable.

Twitter asking users to change their passwords – 05/04/18

 

Why is twitter asking all its users to change their passwords? They discovered that login credentials were being stored unmasked in an internal log.  This means anyone at the company who opened this log could see users’ passwords and usernames. A HUGE no no.  The good news is, they have no evidence that suggests any passwords or account information have been stolen.  Now this doesn’t mean that some Twitter systems analyst hasn’t taken down your credentials to use at a later date, it just means they don’t think it has happened.

While this is a huge embarrassment for Twitter, for most of its users it will likely be nothing more than a lesson on the importance of having two step verification enabled.  Those lucky ones who reuse passwords will also be reminded why it is better not to as they scramble to remember all the accounts that use the newly exposed password.