Cybersecurity Blog

Mount Royal Community Member gets fake CRA call – 03/09/18

 

One sure sign that spring is on its way…tax scammers pop up along with the tulips.  Although we are a ways away from enjoying the tulips, the scammers are out in full force. One Mount Royal employee came into work to find this on his voicemail.


Pretty nasty, huh? So how do you know this is a scam? Simple: the CRA will never phone you and threaten legal action or arrest. They will never send someone to your house to collect payment or to arrest you either. This was a voicemail, so it was easy to calmly listen to the message and analyze it to determine if it was legitimate.

What do you do if they have you on the phone and they are threatening you? The scammers can be very insistent and believable, causing considerable stress and confusion. If you get a call like that claiming to be from the CRA, tell them you will call them back and hang up. You can then contact the CRA at 1-800-959-8281. If there are any issues with your taxes, whoever answers the phone will be able to address them.

Watch out for phishing emails from the CRA as well. As I mentioned in a post last year, the CRA will never email you unless you have given them previous permission to do so and they will never send you an email with links unless you have specifically requested a document.

For more information on how to identify CRA fraud and protect yourself, visit the CRA website.

Why you should worry about cryptocurrency mining – 01/26/18

First things first, what is cryptocurrency? Cryptocurrency is digital currency. The best known is Bitcoin, but others, such as Monero, are popping up. How do they work? Well, I found a nifty little video that tells you the basics. It refers to Bitcoin but the premise applies to all cryptocurrencies.

Neat huh?  Notice the part where they say it takes lots of computing power and lots of electricity to mine? This is where things get interesting. Criminals have figured out that if they use the computing power of other machines, they can mine more cryptocurrency faster without having to invest in all the computing power or electricity themselves.

Why should you be concerned? More and more malware is mining cryptocurrency. The malware is often hidden on legitimate websites, applications or browser extensions. Why is this a problem? After all, it is just using the processing power of my computer; it's not actually doing any real harm, is it? Well, no and yes. No, it isn’t doing anything malicious like encrypting your hard drive or stealing your data. However, it is wearing out your machine and slowing it down. The more clever mining malware waits until you aren’t actually using your machine to mine. This reduces the chance you will notice that it is there, but it still wears out the processor, eats up bandwidth and increases your electricity bill. Less clever creations slow your computer down to a noticeable crawl.

Having millions of other people’s computers mining cryptocurrency for you can be quite lucrative. So much so that some websites have turned from using adware to generate revenue to asking users to lend their computing power. This is just fine if the user knows it happens and consents. It is another thing entirely when it’s done behind the scenes. Finding out your machine is being used for mining after the fact tends to leave you feeling like you need to take a shower. It’s just not nice.

So what can you do about it? First of all, if your workstation seems slow contact the Service Desk. If it is your home machine, check the CPU processes to see if you have any spikes in usage.  How do you prevent the mining in the first place?  The mining software is considered to be malware, so the regular security measures that you take to protect yourself from malware will protect you from crypto mining. Make sure you:

  • Use an Ad blocker
  • Stay away from shady websites
  • Only download software from reputable sites with good reviews
  • Beware of browser extensions

New security vulnerabilities found on everything with a computer processor – 01/08/18

What are they?

New vulnerabilities called Meltdown and Spectre have been found in computer processors built after 2009. They allow a program to steal data from your computer system’s memory without your permission or knowledge. They affect everything that has a computer processor, including your computer, tablet, phone and IoT devices (Internet of Things, such as a smart thermostat).

Why should I be concerned?

These vulnerabilities have the potential to allow hackers to covertly fetch sensitive information  such as passwords from system memory allowing access to your online banking, social networking accounts and the like. To make matters worse, the attack can be made via your browser.

How is the problem fixed?

As these vulnerabilities are in the main processing chip on the computer, the ultimate fix will be to change the processor codes, the firmware or the chip itself.  However, the problem can be mitigated by modifying how the software interacts with the processor. As a result, software and hardware vendors are currently developing patches for these vulnerabilities.

What is IT Services doing about it?

We are following our standard processes to manage the patches for these vulnerabilities.

What do I have to do?

You do not need to update your workstation; it will be done by the MRU patch management process. Your regular updates include all required patches. If you have a Mount Royal laptop or device and you aren’t sure that it is getting updated, please visit the IT Service Desk.

Install updates for all your personal portable devices and home machines as soon as they become available.  Make sure that your browser is updated as well. Please note that not all anti-virus programs are compatible with Microsoft’s latest updates. If your machine has incompatible anti-virus software, the Microsoft updates will not be uploaded and your machine will be left vulnerable. Check your anti-virus program’s website to see if it is compatible.

Make sure you visit official/trusted websites to get your updates or use the update feature from within your software.  We do not recommend clicking on links and opening attachments in emails claiming to have a link to the latest updates or patches.  Criminals may take this opportunity to send out fake security patch or update emails with malicious links to try and trick you into downloading their malware.

For more details on the vulnerabilities, check out the sources for this article:

 

Threatening voicemail left at Mount Royal – 11/21/17

 

Yesterday one of our staff members checked her voicemail and found a nasty message from an “Officer” Robert William asking her or her attorney to call him immediately before “the legal situation unfolds”. Our quick-thinking staff member Googled the number, 905-581-1528, and discovered that it was a phone scam.

Had she called them, she would have been asked her personal information including her SIN.  Armed with that info, the crooks would have applied for credit cards and loans in her name, leaving her on the hook for the payments.  Only after months of paperwork and expensive legal fees would she have been able to clear her credit record and name.

This is just a reminder to never give out information people already should have, over the phone, in an email or text.  If someone calls you and tells you they are from your bank, a vendor, the CRA, RCMP or Calgary Police Service:

  1. Ask for their name.
  2. Tell them you will call them back.
  3. Call the organization’s switchboard directly using a number that you obtain from a Google search or that you have used before.
  4. Ask for the individual by name.

If they insist that the only way to reach them is through a number that they give you, you know that it is not a legitimate call. If they tell you that they may not be available when you call back, you should be able to have your account or file reviewed by someone else in the same department.

Remember, no legitimate agency threatens legal action over the phone.

Cyber safety information to share with your family – 04/12/17

Attendees of my Protecting Yourself Against Cyber Crime workshop have been asking for the slide deck to share with family and friends. The presentation covers just the basics and includes several slides that allow you to test your ability to spot a phishing email. Haven’t taken the workshop yet? Join us on April 18th; registration is through the Employee Training page on MyMRU. Don’t have time for a workshop? Complete the online training in Blackboard.

Protecting Yourself from Scams During Tax Season – 03/14/17

 

Every tax season the cyber criminals try to take advantage of taxpayers eager to get their refunds. What do you need to know to protect yourself?

  • The CRA will never communicate with you via email unless you have signed up for online mail.
  • The CRA will never ask for personal or financial information via email.
  • The only time the CRA will send you an email with a link in it is when you are on the phone with them and are requesting information be sent via email.

If you unexpectedly receive an email from the CRA containing links, delete the email. If you receive an email from the CRA asking for personal or financial information, delete the email. If you are uncertain as to the legitimacy of an email received from the CRA, call them directly using a phone number you have found on the CRA website. For more information on how to protect yourself from scams, identity theft and fraud, check out the CRA website.

 

What you Should Know Before you Buy an Appliance/Toy that Connects to the Internet. – 03/03/17

 

Technology is an amazing thing. Every day we hear about new and exciting technological advances. We can now control our home with our voice, see who is ringing our doorbell at home while we work, track the movements of our teenagers and have our toys interact with us.

Unfortunately, manufacturers have been so busy keeping us entertained and making our lives easier that they have forgotten to keep us safe as well. The majority of these devices do not allow for firmware updates or for changing the access passwords or usernames. Security is usually last on the list, leaving many devices with huge holes that cyber criminals can use to gain control of them.

You may be thinking what is the worst that can happen if they get control of my coffee maker? Well if they gain access to your coffee maker, they can turn your coffee maker into a bot, instructing it to visit a particular website or server. On its own, this is harmless. However if hackers turn millions of devices into bots, it overwhelms the website and crashes the server. This is called a Denial of Service attack. It prevents customers from accessing a site and making purchases,  costing businesses millions in revenue.

Even more concerning are those devices containing cameras or microphones. They can record images of us or our voices and send them to some distant server where security often takes a back seat and our private lives may be monitored. Companies can collect this information and then use it to sell us products. In addition, their often poor security practices can allow hackers to intercept the information or steal it from servers.

So how do you protect yourself and your privacy while still enjoying the wonders of technology?  Here are a few things to consider when purchasing internet connected devices for your home.

  • Do not purchase products that do not allow you to change the default password.
  • Do not purchase products that do not allow the firmware (the software that runs the device) to be upgraded.
  • If the device has a camera or microphone, determine what is being recorded, why is it being recorded and where those recordings are being stored.

Once you have made the purchase and brought your new toy into your home there are some things you can do to protect your data and privacy.

  • Change the default password.
  • Keep the firmware updated.
  • Don’t enable the features that require an Internet connection unless it is really necessary.
  • Disconnect it from the Internet when you are not using it.
  • Cover up recording devices that are not being used.

Don’t give up your privacy or put your security at risk just because something is super cool. Not sure if that feature is worth the risk? Ask yourself…is having my coffee pot automatically order beans for me worth losing access to my bank accounts?