The tech support scam is back. This week a MRU community member had a virus warning popup on their screen while they were working. The virus warning listed a phone number and appeared to come from Microsoft.
The individual phoned the Service Desk. However, when they couldn’t get through they called the ‘Microsoft’ number in the pop up. The fake Microsoft rep hung up on them when the caller didn’t provide the rep with the information they were looking for. Our MRU community member avoided being scammed simply by not being cooperative. However, had they been dealing with a more patient scammer, this could have gone very wrong very quickly.
This is a reminder if you see a dialog box with a virus warning and a phone number, it is a scam. Most likely there is no virus on your machine. instead, the website that you have visited has been compromised by a hacker to display a fake virus warning to anyone who views it. If this happens to you, close your browser and then open it again. Do not close the pop up. Do not visit that website again.
If you are concerned that your MRU issued device may have a virus, contact the Service Desk. Be patient, they will get back to you. If it is your personal device you are concerned about, run a virus scan. If something appears to be amiss and the virus scan does not find anything, take your device to a repair shop to have it checked.
With everyone avoiding contact with other people at all costs, the use of digital signatures has become more common. However, some forms of digital signatures are more secure than others.
Services like Adobe or Docusign encrypt your digital signature. This means if someone tries to access it without your password, all they will see is gobbly gook. As long as you are careful with your passwords, your signature is secure with these types of services.
Other solutions for digital signatures are not as safe. Pictures of your written signature stored unencrypted or emailed can easily be stolen. If they are on your Google Drive, Onedrive or Dropbox this makes them even more vulnerable. Likewise, entering your signature into text fields in unencrypted forms is also dangerous.
Remember that your digital signature is used to verify your identify. You should treat it like you do your credit card number. If you wouldn’t store or transmit your credit card number using a particular method or service, then you shouldn’t store or transmit your signature that way either.
Reminders are going out for everyone to complete their cybersecurity awareness training. In response people are noticing they have no training assignments and are wondering if they have completed the training or not. These wonderful folks usually completed their training in October.
Unlike Blackboard, the new Security Education Platform doesn’t let you access modules once they are completed. They are removed from your assignment list. However you can still see what training you have completed by looking at your Report Card.
To access your Report Card, click on your name in the upper right hand corner of the platform window and then select My Report Card. It will show you the status of all your assignments.
Please note that the name has been blurred out in this screenshot. In addition, you will see the cybersecurity survey in your assignment list. This survey is no longer available. Don’t worry if you didn’t complete it, it was optional.
I hope this helps those of you who can’t remember if you completed your training or not. If you have any other questions about the cybersecurity awareness training, please feel free to continue to contact me.
A while ago I posted an article on Data Privacy Day. Out of that article, several readers requested recommendations on privacy settings for Google Chrome. As much as I would love to tell readers to lock down everything and shut down the great Google data collection, privacy is a very personal thing. One person may be willing to give up functionality of their tools to ensure their private information stays private, while another is just fine with all knowing Google collecting their data if it means their life is easier. In short, I cannot tell you wonderful people what to lock down. Each one of you has to make that decision for yourselves.
That said, I can tell you what settings to check and where they are currently located. Google, just like most other service providers, likes to make them hard to find. A cynical person would say that was done on purpose. I have decided to be more positive today and I am going to blame poor interface design… I am trying here. Work with me.
Decide how your browsing history is used in Chrome
Most of the privacy goodies are hidden under Settings>Sync and Google Services. The first stop should be Control how your browsing history is used to personalize Search, ads and more. Click on the little square next to this monster and you find the Activity Controls.
At first glance, all you see is Web & App Activity. Scroll down a bit and click the See all activity controls link to find the motherload.
These settings determine how much functionality you want from Chrome vs how much data you want to keep from their prying eyes. It may take a few tries to find the right balance for you. Don’t be afraid to turn on some controls. You can always turn them off if they are making your life difficult. Personally I prefer to give them as little information as possible and find things on my own. I don’t like to be fed my content. You can stumble upon some pretty interesting stuff when you don’t have someone curating your content for you. However, that might not be your jam. Totally okay.
Further down the Sync and Google Services page, there are some other settings that you should check. Do you want to help Google be a better service, or send them your URLS or the text you type into the browser? Once again, try turning them off and see what happens to the functionality of Chrome.
Decide how you will be tracked
Cookies are used by websites to identify you for a variety of reasons. Some of them are useful like keeping track of what is in your shopping cart. Others are more concerning like tracking what you click on. As with all browsers, Chrome lets you decide what types of cookies are okay and which are to be disabled or blocked.
Chrome’s cookie settings can be found in Settings>Cookies and other data. I do not recommend selecting Allow all cookies or Block all cookies. However you may want to experiment with Blocking third party cookies.
Another setting you can consider is the Send a “do not track” request with your browsing traffic. As it suggests, it simply sends a request to a website that you not be tracked. How they respond to the request depends on the website. However, I feel better knowing that I have at least asked for some privacy. The odds that they honor that request are probably pretty slim. There I go being all cynical again. Sorry, I slipped.
Cover your tracks
Your browsing history including cookies, cached pages and autofill data can be cleared out manually or you can set it up to perform a cleaning at regular intervals. Ideally things should be cleaned out once a week, however the best cleaning interval for you depends on how you work. Do be aware that if you clean out cookies regularly, it may mean you have to re-enter things on sites over and over again. As with the other settings, experiment with it to find what works best for you. You can find these settings under Settings>Clear Browsing data.
Even if you try out these settings and decide to not enable any of them, that’s perfectly okay. The important thing is you are aware of them and know how to change them. You are taking control and making decisions about your privacy instead of having them made for you.
Unfortunately, account providers regularly change their privacy settings and Google is no different. The information in this article may be out of date in a week, a month or tomorrow. Therefore, I suggest that every quarter you take a look at your privacy settings and make sure they are still at a comfortable level. A little proactivity goes a long way when maintaining your privacy.
The MRU community have been finding emails in their spam folder similar to this one.
The email looks like it comes from a colleague or instructor. However the email contains some red flags. The biggest one being they are asking for your personal phone number. If they don’t already have it, they shouldn’t be asking for it. In addition, it was found in the Spam folder.
Google puts emails that it thinks are suspicious but they aren’t sure of into the Spam folder. If you see an email in your Spam folder, assume it is malicious and always confirm legitimacy with the sender before you respond. Confirmation is best done over the phone, however in situations like this where an MRU email wasn’t used, it is enough to contact the sender through an MRU email.
It is hard to say what the end game of this scam is. However, this is often step one in a gift card scam where they compel you to purchase gift cards and then give them the redemption codes. These redemption codes can then be sold on the dark web.
The cybersecurity awareness program at MRU has been around for several years now. Throughout that time we have encouraged the campus community to Be Superheros by practicing cybersafe behavior. While the Be a Superhero branding has worked well for us, we are always looking for ways to make the program more engaging and effective.
We would like your feedback on our branding. Let us know if you still want to Be a Superhero or if it is time to leave our capes behind. You can find the survey here.
Everyone who completes the survey will receive a contest entry code for the Cybersecurity Challenge and a chance to win a $250 Best Buy gift certificate. As this is the last month to collect entry codes, this is a great way to get entries in and move your team forward.
January 28, was Data Privacy day. This is the one day a year that we are reminded how valuable our data is. We should protect it like we protect our money. However, account providers regularly change their privacy policies, settings and terms and conditions which makes that challenging.
When account providers make those types of changes, they sent out a notification email or we see a popup appear when we login to our account. Both are annoying and both require us to acknowledge we are aware of the changes before we can use their service. When we receive that notification we usually don’t have time to wade through the legalese to find the changes, we just click accept and move on with our day.
Data Privacy Day is a great time to take a pause and check those changes. Check both the terms and conditions and privacy settings. That way you know what data the account provider has access to and how much control you have over it. While this is a pain, taking a few minutes to check things now can save a lot of heartache later. In addition, if you are not comfortable with the changes it gives you an opportunity to let the account provider know and if necessary find a new service.
With criminals constantly coming up with new ways to hack into our systems, keeping your devices updated with the latest security patches is more important than ever. When you are on campus keeping your workstation up to date and secure is easy. Shut down your machine at the end of the day Friday and start it up Monday morning. However once you are working from home and your computer is always on keeping your machine updated isn’t so straight forward.
If you are remoting in to an MRU workstation you can’t shut it down. Instead, logout of the workstation and disconnect from GlobalProtect at the end of each work day. The updates are downloaded in the background as you work. Once you log out, your workstation is automatically restarted to install them.
If you have an MRU laptop assigned to you, it is setup to automatically download updates as you work. Once the updates are downloaded you are prompted to restart your machine to install them. As long as you don’t ignore the prompts, you are good to go. If you choose to ignore them and call the Service Desk for support, you won’t be helped until you restart your machine.
If you are using your personal computer, make sure you have automatic updates enabled on Windows/Mac OS and all your applications. From the Windows Start menu, select Settings>Updates and security to check your Windows update settings. On a Mac, select System Preferences>Software Update and click the Automatic Updates checkbox. Just like MRU laptops, updates are downloaded in the background and you are asked to restart your machine to install them.
Once you know what to do, installing your security patches is pretty easy. While it can be annoying, it is well worth your time. With a little bit of effort you make it exponentially more difficult for attackers to compromise your data and mess with your life.
Happy New Year!! Another year, another security concern. This time it isn’t your email, your workstation or your smart phone. This time it is your voicemail. Hackers are taking over voicemail accounts and using them to impersonate people, make thousands in long distance calls and by-pass two factor authentication. Not only does this cost organizations but it is also embarrassing and can lead to network compromise and data loss.
To prevent this, secure your voicemail just as you would your workstation. Use UNIQUE passwords/PINs at least 8 characters long. Remember you aren’t limited to just the 6 characters we are used to using. You can use up to 64 if you wish. Also, make sure your voicemail password/PIN is not a numeric version of any of your other passwords, your age, your birthday, your pets name or any other personal information.
Lastly keep your voicemail password/PIN secret. That means do not share it with colleagues nor leave it on a post-it on your phone. Once someone has your password/PIN, they can forward calls, change your greeting, make long distance calls, pretend to be you and generally cause problems while making you the fall guy. Even if they don’t have malicious intent, once someone gets ahold of your password/PIN they may not be as careful with it as you are.
If you are away on vacation and need someone else to cover for you, record a vacation message directing people to call your substitute directly. You can have calls forwarded automatically, but if no one answers a message is left on the voicemail that received the call, not the one that the call was forwarded to. If neither of these solutions will work for you contact the IT Service Desk, they will find one that does not involve the sharing of passwords/PINs.
This past year, Student Fees began issuing refunds through Interac e-transfers. Although students are notified in advance that a refund is coming, there is still some confusion about the legitimacy of these emails.
A sure fire way to ensure the refund is legitimate is to login to MyMRU and check your account balance. If you have been issued a refund, the amount will be posted there. If it matches the amount in the notification email then you know the e-transfer is legitimate.
If you are still not sure, you can email Student Fees at email@example.com and ask them if they sent you an e-transfer.