Cybersecurity Blog

Phone recharge led to wiping a laptop clean – 07/26/2023

Last week Carrie (not her real name) lost three days of productivity when her laptop had to be reimaged. For those of you who don’t know what reimaging is, it is when ITS has the pleasure of wiping everything off of your machine and then reinstalling the standard applications.

I know what you are thinking: “If they reinstalled everything, why did she lose three days of productivity?” Simple, no one has just the standard applications with the default settings on their computer. Every department and every person has their own special applications and settings that allow them to do their job more effectively. It takes time to get your machine back to where it was before it was reimaged. In Carrie’s case, it was three days.

What caused all this inconvenience and frustration for Carrie? A stranger’s smartphone. Yup, you read correctly. A smartphone. When Carrie left for a two-day vacation, she left her laptop tucked under the shelf of her standing desk, plugged into the docking station. Carrie works in reception and she doesn’t have a door that she can lock. She thought if she just left it tucked out of the way, her laptop would be safe. After all, her department’s offices are behind doors that are locked every night.

While she was gone, her colleagues heard an alarm going off at her desk. When they investigated, they discovered the source of the alarm was a smartphone plugged into her laptop. They contacted Carrie to see if the phone belonged to her. When she assured them that it didn’t, they checked with the rest of the department. The smartphone didn’t belong to anyone there either. Security was called but they were unable to determine who the smartphone belonged to. Because there was no way to know if this was a malicious act or not, it had to be assumed that the smartphone had downloaded something nasty onto Carrie’s laptop.

The laptop was reimaged according to ITS security protocols. They require that if a device could be compromised, it is reimaged … period. Even if a malware scan finds nothing, we do the safest thing, which is to wipe the machine clean.

Sadly, it is most likely that some MRU employee from another department innocently plugged their phone in for a quick charge and then forgot about it. In their rush, it never occurred to them they would be causing such grief.

This story is a reminder to everyone.

  1. If your phone needs charging, please use your own computer or the public charging stations around campus. DO NOT use a colleague’s computer.
  2. Secure your device as much as possible when you leave for the day. If you have a laptop, take it home or lock it away. If you have a desktop, lock your office door or make sure the common area door is locked.
  3. Do not store files on your desktop or C: drive, otherwise you will lose them if your machine has to be reimaged.
  4. If you find a strange device plugged into your machine, do what Carrie’s colleagues did: contact Security and ITS. Do not use your computer until ITS has determined it is safe to do so.

These simple steps will protect our network while saving you and your colleagues a lot of time and frustration.

The use and care of your MRU email address – 12/07/212

We are regularly notified through Have I Been Pwned that Mount Royal email addresses have been involved in a data breach. When we receive that notification, we are told which account provider was affected and which email addresses were involved. This allows us to contact those who had their accounts compromised and ask them to change their passwords.

With multi-factor authentication enabled, this is less of an issue. Even if a password is stolen, the attacker will not be able to get into an MRU email account without the second factor. However, it is still important that compromised passwords are changed, especially if the same one is being used for multiple accounts. So we are still receiving data breach notifications.

Usually the data breaches are for work related services. However, once in a while we are notified that a gaming site, dating website or a site with adult content has been breached. If you have used your Mount Royal email address to access that site, we will be notified. It is awkward for everyone when that happens.

Please keep your private life private and only use your MRU email address for work purposes. We don’t need to know what you do for hobbies, how you spend your time outside of work or where you shop. Save us all the embarrassment and use another email address for your personal pursuits. The security team thanks you.

When to use your @mtroyal.ca email address – 01/27/20

In today’s modern world, the lines between our personal lives and our work or school lives often become blurred. We are shopping on Amazon on our lunch hour and answering University emails from our laptop at home. This often makes it difficult to determine when you should use your @mtroyal.ca email to sign up for an account or service and when you should use your personal email.

A good guideline is to use your personal email address for anything that you want to use or have access to even if you aren’t working or attending Mount Royal University. For those services and accounts that you will only access WHILE working or attending the University, use your @mtroyal.ca email address.

When sending university related emails, use your @mtroyal.ca account. It reduces the chances your email will be mistaken for a phishing attempt and reported to abuse@mtroyal.ca.

Following these guidelines reduces our network’s exposure and vulnerability. It also makes it easier for you to maintain access to services and accounts when you retire, graduate or work for another organization. In addition, it means you will get fewer notifications from us that your email was part of a data breach. Less work for us, less hassle for you…everybody wins!

A hacker hid in the Australian National University’s network for weeks – 10/29/19

On December 21, 2018 the IT department of the Australian National University (ANU) detected unusual behavior on its network. Upon investigation they discovered a compromised workstation on campus was being used as a command and control (C&C) server by a cyber criminal. They immediately shut down the workstation and severed the attacker’s access to the network. They thought that it was an isolated incident. They were wrong.

By the time the C&C server was discovered, the attacker had already been in the network for over a month collecting login credentials, compromising servers and stealing financial and personal data. The attack, which began with a successful phishing attempt, was stopped when the C&C server was discovered. However, the hacker continued to attempt to infiltrate the network using the information they had collected until March 2019.

ANU has very courageously shared their story so that all of us could learn from it. Here is a step by step breakdown of the attack.

  1. A spear phishing email with an attachment is sent to a senior staff member. The email has a plausible premise for contact and looks like it is coming from within the University. The email results in the collection of the target’s login credentials.
  2. The login credentials are used to access the senior staff member’s calendar. Information for future spear phishing attacks is collected.
  3. Login credentials are used to access a webserver. The attacker sets up remote access on this server. This allows them to access the server without having to continue to use the stolen credentials as well as gives them the ability to access other devices connected to the server.
  4. An old, no longer used server is accessed from the compromised webserver using the stolen credentials. The credentials do not allow administrative access to this legacy server limiting what the hacker can access. 
  5. The hacker finds flaws in the system and uses them to elevate their privileges, giving them full administrative access and control over the legacy server.
  6. The attacker locates and compromises a second webserver. 
  7. The second compromised webserver is used to download tools and scripts that are then installed on the legacy server. The legacy server becomes their command and control server. The tools downloaded are used to map the network and automatically delete logs so their presence wouldn’t be detected. 
  8. The hacker creates a virtual machine on the second compromised webserver that scans monitored or redirected network traffic looking for additional login credentials.
  9. An old, outdated school workstation with a publicly routable IP address located outside of the University’s firewall is compromised through remote desktop.
  10. The attacker uses an old mail server to send emails from the University. These emails likely contained network mapping, user and machine data.
  11. An encrypted connection designed to hide traffic between the hacker’s computer and the University’s network is established.
  12. The hacker begins intercepting data being transferred on the network and analyzing it. At this point, the attacker still does not have the level of network access that they are looking for, as their stolen credentials don’t have the right permissions and they are only able to escalate them on an old server. Even with all of the work they have done, they are not able to move beyond a few compromised systems.
  13. A second spear phishing email is sent to one external and 10 internal email addresses. Only one login credential is stolen with limited privileges.
  14. This login is not enough to gain access to the desired servers. The hacker continues to look for additional credentials in the network traffic.
  15. The attacker gains access to file shares with found credentials. They focus on the ones storing finance and HR related files. 
  16. Using the file share information the hacker tracks down the database servers but is unable to immediately gain access.
  17. The hacker uses password cracking tools to gain access to the database servers and then uses a commercial tool to search and extract database records from the database server.
  18. Database records are sent to the old compromised workstation and then outside of the university network.
  19. The attacker attempts to disable the email spam filters.
  20. The attacker sends out 50 spear phishing emails to University email addresses and 25 to emails outside of the University. They are able to steal credentials with administrator level access. It is at this point that ANU changed their firewall as part of their routine maintenance. This cut the hacker off from the legacy server and they lost access to their command and control server.
  21. After two weeks the hacker is able to compromise a machine running an old operating system, access the network again and set up a second command and control server. This machine is outside of the firewall and uses publicly routed IP addresses.
  22. The attacker sends 40 spear phishing emails to ANU staff with privileged accounts. The emails contain information from the calendar breached after the first spear phishing attack. Several login credentials are obtained.
  23. ANU staff detect unusual activity on the network and take down the second command and control server. IT staff think this is an isolated incident.
  24. Repeated attempts to regain access to the ANU network and database are made and stopped.
  25. ANU publicly announces that they have had a breach.
  26. Within an hour the network was hit with a botnet attack that was stopped by ANU.
  27. The following night an attempted attack against the spam filter and mail gateway was unsuccessful.
  28. ANU continues to investigate the repeated attempts to access their database that occurred after the detection of the breach.

What can we learn from this? A few things stand out.

  • This started with one phishing email.
  • The people who received the phishing emails had no idea their login credentials were stolen.
  • Even though the stolen credentials did not give the attacker the access they wanted, they were able to use vulnerabilities in the systems to escalate their privileges and gain greater access.
  • Old machines that were no longer updated or maintained were compromised using known vulnerabilities.

To sum it all up, that phishing email that arrives in your inbox is usually just the beginning of a planned, concentrated and persistent effort to access your data. This effort often starts by quietly stealing your login credentials. When they can’t convince you to give them your credentials, they will use password cracking tools to gain access. They can leverage known vulnerabilities in old systems to gain further access. These tactics, along with others, allow hackers to spend weeks collecting information off of a network without anyone noticing. This information is then used to carry out more attacks or is sold.

You can prevent this from happening just by stopping and thinking before you click, keeping your software updated, having a strong password and reporting suspicious emails to abuse@mtroyal.ca. Let’s be safe out there!

What is credential stuffing and why should you care? – 02/14/19

Credential stuffing is where hackers take a list of usernames and passwords and use them to try to log in to a site. They use computer programs that allow them to test thousands of login credentials in minutes. If someone is reusing passwords or using common or weak passwords, they will have no problem accessing those accounts.

So how do you protect yourself against credential stuffing?

  1. Use unique passwords for every account. I know it is inconvenient and a pain but it really is the only way to protect yourself.
  2. Use a password manager. This takes the sting out of my first recommendation. Password managers not only store your passwords, but make generating them and logging in a breeze.
  3. Register with haveibeenpwned.com. If you register your email with them, they will email you when your email address shows up in a data breach. If you are still reusing passwords, this gives you time to change it. Credentials stolen in data breaches often show up on the dark web for sale before the breached company even knows their users’ data has been compromised.
  4. Enable multi-factor authentication on every account that has it available. Multi-factor authentication and its cousins, two-step verification and two-factor authentication, require you to enter an authentication code, respond to a prompt from an authentication app or insert an authentication key when you enter your password.
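Because a stuffing program tests a long list of different usernames from one source in a very short time, the pattern is visible in login logs even when individual attempts look normal. The following is an added example (not from the original post) of a detection rule over constructed sample log lines; the log format (`<timestamp> ip=… user=… result=ok|fail`) and thresholds are assumptions. It flags a source that tries many distinct usernames with mostly failures, while ignoring a shared gateway where many users log in successfully and a single-account brute force, and it lists the accounts that did succeed, since those are the reused passwords that need changing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One stuffing source (203.0.113.7),
# one shared campus gateway (198.51.100.2), one single-account brute force (192.0.2.9).
SAMPLE_LOG = """\
2019-02-14T09:00:01 ip=203.0.113.7 user=alice result=fail
2019-02-14T09:00:02 ip=203.0.113.7 user=bob result=fail
2019-02-14T09:00:02 ip=203.0.113.7 user=carol result=fail
2019-02-14T09:00:03 ip=203.0.113.7 user=dave result=ok
2019-02-14T09:00:04 ip=203.0.113.7 user=erin result=fail
2019-02-14T09:00:05 ip=203.0.113.7 user=frank result=fail
2019-02-14T09:01:10 ip=198.51.100.2 user=gina result=ok
2019-02-14T09:01:30 ip=198.51.100.2 user=hank result=ok
2019-02-14T09:02:05 ip=198.51.100.2 user=ivan result=ok
2019-02-14T09:02:40 ip=198.51.100.2 user=judy result=ok
2019-02-14T09:03:15 ip=198.51.100.2 user=kim result=ok
2019-02-14T09:04:00 ip=192.0.2.9 user=erin result=fail
2019-02-14T09:04:01 ip=192.0.2.9 user=erin result=fail
2019-02-14T09:04:02 ip=192.0.2.9 user=erin result=fail
2019-02-14T09:04:03 ip=192.0.2.9 user=erin result=fail
"""

# Assumed log line format; anything that does not match is skipped.
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_line(line):
    """Return a dict for one login event, or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "user": m["user"], "ok": m["result"] == "ok"}


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try >= min_users distinct usernames inside one
    sliding time window with a failure ratio >= min_fail_ratio (thresholds
    are assumptions; tune them to your own login volume)."""
    events = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(not e["ok"] for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                if ip not in alerts or len(win) > alerts[ip]["attempts"]:
                    alerts[ip] = {"distinct_users": len(users), "attempts": len(win),
                                  "failures": fails,
                                  # successful logins inside the burst = reused passwords
                                  "compromised": sorted(e["user"] for e in win if e["ok"])}
    return alerts


if __name__ == "__main__":
    for ip, a in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {a['distinct_users']} users, {a['failures']}/{a['attempts']} failed, "
              f"reset passwords for {a['compromised']}")
```

In the sample data only 203.0.113.7 is flagged, with dave listed for a forced password reset; the gateway and the brute-force source are left alone.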

Updated 03/01/22

Hotel chain data breach – 11/30/18

Have you stayed at one of the following hotels in the past 4 years?

  • W Hotels
  • St. Regis
  • Sheraton Hotels & Resorts
  • Westin Hotels & Resorts
  • Element Hotels
  • Aloft Hotels
  • The Luxury Collection
  • Tribute Portfolio
  • Le Meridien Hotels & Resorts
  • Four Points by Sheraton
  • Design Hotels

Lucky you!! There is a possibility your name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure data, reservation dates and/or credit card information were stolen in a data breach. Marriott has reported that an unauthorized access to their guest reservation database was made on or before Sept 10 of this year. However, they acknowledge that the criminals have been inside the company’s network since 2014.

In response they have set up a dedicated website, established a call center to answer questions and will be emailing those affected. To make their customers feel better they are also offering a free one-year subscription to an internet monitoring service. When a subscriber’s personal information is found on the web, they are notified. This service is available to customers in Canada.

If you think you may have been affected, visit the website for more information and look for signs of identity theft.

Dell customer data breached – 11/29/18

Dell has announced that on November 9 they detected an intrusion into its systems. Customers’ names, email addresses and passwords were involved in the breach. However, Dell did not find any evidence that any of this information was actually extracted. To be safe, all customers were forced to reset their passwords.

If you have had financial information stored in your Dell account, keep an eye on your credit card statements. There is no evidence any of this information was affected, but it’s not unusual for a company to initially report everything is okay, there is nothing to see, and then a month later (after the executives have sold their shares) reveal all your personal data has been stolen. Yes Equifax, I am talking about you.

How we get notified of an account breach – 11/23/18

Not every hacker makes their money by breaking into accounts and stealing funds or ransoming your data. Some hackers are content to simply break into servers and steal usernames, passwords and other personal information that they then sell on the dark web. It is quite a niche business.

To combat this evil, an enterprising fellow named Troy Hunt created a tool that scans the dark web looking for stolen data that is for sale. You can access this information for free at Have I Been Pwned. Simply visit the website and enter your email address. It will tell you if any of your accounts using that email have been breached.

This gives you the opportunity to change your password and username or delete the account. This is an easy process if you don’t reuse passwords. It is a huge headache if you do. What’s even cooler, you can subscribe to an alert service so they will automatically notify you when there is a new account breach. This is so awesome, Mount Royal even subscribes.

We get notified when anyone with an @mtroyal.ca email is involved in a breach. We also get told which account was breached. We are aware that password reuse still happens. By being notified of breaches we can make sure our users change their passwords so hackers cannot use their accounts to gain access to the network.

So if you are using your @mtroyal.ca account to sign up for the adult furry website High Tail Hall, we will know about it. To make matters worse, we have to contact you to let you know about the breach. It gets awkward for everyone.

This is a friendly reminder, only use your @mtroyal.ca email account for business. IT Services thanks you.

Browser extensions cause of Facebook data breach – 11/05/18

The BBC Russian Service has found data from 81 000 Facebook profiles sitting on the web. The data is apparently just a small sample of what was taken from 120 million accounts by a hacker selling his haul. It is hard to know if 120 million profiles were indeed hacked or if the breach is limited to what is currently on display. One would think that Facebook would notice 120 million profiles being accessed, so my guess is they don’t have much more than the small sample. After all, criminals aren’t known for their honesty.

Facebook is blaming malicious browser extensions. They are reporting that the extensions were monitoring users’ Facebook activity while shuttling personal information as well as private conversations to the hackers. The majority of information taken was from Ukrainian and Russian users; however, profiles from all over the world were also pilfered.

This is a reminder to be wary of browser extensions. As with apps, only download ones that:

  • You really need
  • Have good reviews
  • Have lots of downloads
  • Come from reputable sites

Malicious browser extensions can be very difficult to detect because extensions update automatically. This allows hackers to create extensions that are harmless until their first update. After that your handy extension starts doing all sorts of nasty things.

To reduce the risk, if you really need a particular browser extension, consider disabling it when you aren’t using it. Lastly, once you no longer need the extension, remove it from your browser.

Facebook breach – log out of your account – 09/28/18

Today Facebook announced that they have discovered hackers have stolen 50 million access tokens. These tokens allow them to take over an account without having to log in with a password. They did it by taking advantage of a vulnerability in the View As feature, which allows users to see what their account looks like when viewed by others.

To solve the problem, they have logged out all the users who they believe were affected and disabled the View As feature. As often happens in these types of breaches, there is a possibility that at a later date they may find there are more people affected than originally thought.

To be on the safe side, I suggest that you log out of Facebook by going to Settings and selecting Security and Login. There you can log out of all your devices at once with a single click. Alternatively, this might be a good time to get rid of Facebook altogether.