Cybersecurity Blog

Criminals find a way around two step verification in Google – 04/11/18

 

Two step verification keeps criminals from accessing your account if your password is compromised. It is a great way to add an extra level of security to your accounts. However, enterprising criminals have found a way around it.

How did they do it? Is there some back door that they found? Have they created a new brute force hack technique? Nope. They just ask for the verification code. Low-tech social engineering strikes again.

Here is how it works. They send you a text that looks like it comes from Google notifying you of a password reset. If you don’t want your password reset, you are instructed to text the word STOP. Once you do, you are asked to text 822 back to be sent a verification code to stop the password reset. Once you receive the verification code, they ask you to text the code back to them to confirm that you don’t want the password reset. Pretty clever, huh?

Of course, what is happening is that they are trying to get into your account but can’t because they don’t have the verification code. By playing the "stop the password reset" game, they are hoping to catch you off guard so you just send them the code.

For the record, no one will ask you if you don’t want to do something with your account. As soon as someone asks you for confirmation to NOT do something, you know the jig is up. This is just another reminder that we have to read our texts and emails carefully and question anything that seems odd. The criminals count on you to react without thinking. Stop them in their tracks: think before you react.

 

MyFitnessPal Under Armour App has been Breached – 04/03/18

If you have been using MyFitnessPal from Under Armour, change your password immediately. On March 25 Under Armour learned that usernames, email addresses and hashed passwords were taken from about 150 million user accounts.

The good news is the passwords were hashed or scrambled and will need to be decoded before they can be used. The bad news is that the thieves may use phishing emails to acquire your password directly instead of doing the hard work of decoding it. Change your password directly in the app or through their website instead of using a link in an email.

If you use your MyFitnessPal password for other apps or websites, make sure you change those passwords as well.

New security vulnerabilities found on everything with a computer processor – 01/08/18

What are they?

New vulnerabilities called Meltdown and Spectre have been found in computer processors built after 2009. They allow a program to steal data from your computer system’s memory without your permission or knowledge. They affect everything that has a computer processor, including your computer, tablet, phone and IoT (Internet of Things) devices such as a smart thermostat.

Why should I be concerned?

These vulnerabilities have the potential to allow hackers to covertly fetch sensitive information such as passwords from system memory, allowing access to your online banking, social networking accounts and the like. To make matters worse, the attack can be made via your browser.

How is the problem fixed?

As these vulnerabilities are in the main processing chip on the computer, the ultimate fix will be to change the processor codes, the firmware or the chip itself. However, the problem can be mitigated by modifying how the software interacts with the processor. As a result, software and hardware vendors are currently developing patches for these vulnerabilities.

What is IT Services doing about it?

We are following our standard processes to manage the patches for these vulnerabilities.

What do I have to do?

You do not need to update your workstation; it will be done by the MRU patch management process. Your regular updates include all required patches. If you have a Mount Royal laptop or device and you aren’t sure that it is getting updated, please visit the IT Service Desk.

Install updates for all your personal portable devices and home machines as soon as they become available. Make sure that your browser is updated as well. Please note that not all anti-virus programs are compatible with Microsoft’s latest updates. If your machine has incompatible anti-virus software, the Microsoft updates will not be installed and your machine will be left vulnerable. Check your anti-virus program’s website to see if it is compatible.

Make sure you visit official/trusted websites to get your updates or use the update feature from within your software. We do not recommend clicking on links or opening attachments in emails claiming to have a link to the latest updates or patches. Criminals may take this opportunity to send out fake security patch or update emails with malicious links to try and trick you into downloading their malware.

For more details on the vulnerabilities, check out the sources for this article:

 

Criminals could hack your device through Bluetooth – 9/14/2017

 

Researchers have discovered a vulnerability in Bluetooth-enabled devices that would allow an attacker to take control of them with no action on the part of the user. The majority of manufacturers have issued updates to patch this vulnerability. As Bluetooth is a fairly complicated protocol, experts warn that there may be more vulnerabilities not yet discovered. To protect yourself, make sure you:

  • Keep your device updated.
  • Turn off Bluetooth when not using it.

AirDrop allows strangers to send you files and photos

 

There is a lovely iOS feature called AirDrop which allows you to send files to anyone within Bluetooth range anonymously. It has facilitated the rather disturbing practice of bluejacking, sending pics of your privates to random strangers in order to enjoy the look of shock on their faces. By default this feature is enabled so you can receive files from anyone on your contact list. However, some people have inadvertently changed the settings so they can receive files from anyone.

To prevent such unpleasantness, it is recommended that you disable your AirDrop unless you are using it. To turn AirDrop off:

  1. Swipe up to view the Control Center.
  2. Select AirDrop Receiving.
  3. Select Receiving Off.