Cybersecurity Blog

Beware of malicious files in your Shared with Me folder – 02/05/2024

How attackers are using Google Drive

Google Drive is a wonderful tool that allows you to collaborate with colleagues and share information easily. All you need is someone’s email address and the file you share shows up in their Shared with me folder. Easy peasy, lemon squeezy. Unfortunately you are not the only one taking advantage of this. Scammers too love the easy way they can deliver malicious documents directly into your Shared with me folder.

Some attackers like to send an email notification, thinking their email is clever enough to direct you to the document. Others are less confident of their composition skills and skip the email, hoping you will stumble upon the malicious document the next time you cruise through your Shared with me folder. The expectation is that once the document is discovered, curiosity will drive you to open it.

The good news is Google scans all shared documents so if you do open it, nothing bad will happen. However, the danger is not in opening the document. The danger is in what the document contains … malicious links. Those links take you to a Google form or a malicious website that harvests login credentials or loads malware onto your machine. One click and your computer can be compromised.

How to protect yourself

If you stumble upon a document you don’t recognize in your Shared with me folder, right click it and choose File information > Details. Scroll down until you find the name of the creator. If they are an MRU colleague, email them using their MRU email address and ask for more details about the document.

If they are outside of MRU and you have their phone number, call them and ask about the document. If you don’t know them, consider the document malicious. Drag the file to your Google Drive Spam folder (yes you have one). A dialog box will appear asking you why you are reporting the file and giving you the option to block further document shares from that email address. Make your selections and click the Report button. It won’t prevent the attacker from creating another email address and sharing another document, but it gives Google information it can use to stop similar document shares in the future.


Cybersecurity Awareness Month is coming and so are the prizes! – 09/25/2023

Oct. 1 marks the beginning of Cybersecurity Awareness Month. To celebrate we have fun activities to participate in and prizes to give away.

The Virtual Treasure Hunt returns this year. Solve puzzles, collect clues and find Blue Beard’s treasure. Everyone who finds the treasure is entered into a draw for an Anker PowerWave 10 Dual Pad wireless charger donated by Proofpoint. To make things even more fun, each clue you find gives you an entry into a draw for a spin of the prize wheel. The prize wheel is loaded with fun prizes such as travel mugs, reusable memo pads, insulated mugs, golf shirts and more. The first treasure hunt clue is dropped on Oct. 3. However, you can register anytime before Oct. 31 and still participate. Registration is open now. Students, staff and faculty can all register. Sign up and get in on the fun.

Also returning is the Random Acts of Cybersecurity program. Starting Oct. 1 you can nominate a colleague for being cybersafe. Each nomination will earn the nominee AND the nominator one entry into a draw to spin the prize wheel. Two winners will be selected, one nominee and one nominator. Share with your colleagues the cybersafe things you are doing and get nominated, or ask your colleagues how they are being cybersafe and start nominating. The program will run until the end of March 2023. Unfortunately only staff and faculty can participate. A big thank you to our sponsors, Proofpoint, Palo Alto and CDW.

 

Support scam freaks out a student and library staff – 09/11/2023

One poor student got more than they bargained for when they did some web surfing on a library computer. An innocent click on a search result produced this alarming notification.

 

The freaked out student asked library staff for help and IT Services was contacted. Once the technician arrived, he realized the computer was a victim of a Chrome browser takeover. In a Chrome browser takeover, it looks like the computer itself has been compromised, as the normal window controls are missing and the only way to get rid of the alerts appears to be by calling the toll-free number.

 

 

In reality, the computer is just fine and it is only the Chrome browser that has been hijacked. Since Microsoft does not monitor computers for malicious software, nor do they block access to your computer, the technician knew what type of attack he was dealing with. To regain access to the computer, he did the following:

  1. Pressed CTRL + ALT + DELETE to view the Task Manager
  2. Clicked on Google Chrome in the Apps list
  3. Clicked the End task button

This closed down Chrome and returned the computer to normal. Both the student and the library staff were relieved that no harm had been done. So was the technician, who congratulated them both on contacting the IT Service Desk rather than trying to resolve the issue on their own.

Unfortunately there is no way this attack could have been prevented. The website that initiated the attack was a legitimate site that had been compromised. There was no way to know that before the link was clicked, as that site had been visited many times before without issue.

Remember, if you see an alert appear on your computer insisting that you call a phone number to fix it, it is a scam. Close the browser window and don’t visit that website again. If the window controls are missing, shut down the browser using the Task Manager. No legitimate anti-virus software will ask you to call them.

 

Twelve character passwords are now being hacked on a regular basis – 08/01/2023

For years you have been hearing that a strong password is greater than 8 characters long, has uppercase letters, lowercase letters, numbers and symbols. Today that is no longer the case. The threat actors now have computing power and tools that allow them to brute force hack any 8 character password in less than a day.

So how long should your password be? Well that depends on whether you have created the password yourself or have had a password manager do it. According to experts, if you generate the password yourself, it has to be 20 characters long. If you have a password manager generate a random one for you, then it only needs to be 12 characters long.

Why the discrepancy? The thought is the human brain cannot generate a random enough password to keep criminals out. We tend to use dictionary words and dates making it easier for these types of passwords to be cracked. In comparison, a password manager generates a completely random combination of characters which is much more secure.

I know what you are thinking, isn’t 20 characters overkill? Well, we have had multiple accounts on campus brute force hacked in the past year. The passwords were unique, were used nowhere else, had 12 characters or less and included all the recommended characters. There was no way that the passwords could have been stolen from elsewhere. A brute force hack is the only explanation of how the accounts were compromised.

A 20 character password may be secure, but if you are trying to come up with a single word that is that long, it can be bloody hard. The whole process is easier if you use four random words that have meaning to you, but would be nonsensical to anyone else. Once you have your words, insert a number into each one and capitalize one letter in the word. You can use spaces as your special character or replace the spaces with a special character. For example, saddlepad blue shiny bay becomes s4addlepaD#b4luE#s4hinY#b4aY.

To make it easy to remember, I insert the same number in the same place, capitalize the last letter and replace the spaces with the same symbol. The result is a monster password that will take years to crack but can be remembered.
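The recipe above, written out as an added example (this code is not part of the original post). It rebuilds the saddlepad example and estimates the search space two ways: blind character-by-character brute force, and an attacker who knows the recipe and only has to guess the words. The function names, the sample word list and the 7776-word list size are assumptions made for the illustration.

```python
import math
import secrets

# Constructed sample list for illustration; a real word list should hold
# thousands of entries so that random picks are hard to guess.
SAMPLE_WORDS = ["saddlepad", "blue", "shiny", "bay",
                "lantern", "gravel", "orbit", "thistle"]

PRINTABLE = 94  # printable ASCII characters, excluding the space


def decorate(word, digit="4", position=1):
    """Insert `digit` at `position`, then capitalize the last letter."""
    with_digit = word[:position] + digit + word[position:]
    return with_digit[:-1] + with_digit[-1].upper()


def build_password(words, digit="4", position=1, separator="#"):
    """Apply the same decoration to every word and join with one symbol."""
    return separator.join(decorate(w, digit, position) for w in words)


def random_password(wordlist, count=4):
    """Pick the words with a CSPRNG instead of choosing them by hand."""
    return build_password([secrets.choice(wordlist) for _ in range(count)])


def blind_bits(length, alphabet=PRINTABLE):
    """Search space, in bits, when every character position is brute forced."""
    return length * math.log2(alphabet)


def known_recipe_bits(wordlist_size, count=4):
    """Search space, in bits, when the attacker knows the recipe and only
    has to guess which words were picked (decorations treated as known)."""
    return count * math.log2(wordlist_size)


if __name__ == "__main__":
    pw = build_password(["saddlepad", "blue", "shiny", "bay"])
    print(pw, len(pw))
    print("random pick:", random_password(SAMPLE_WORDS))
    for n in (8, 12, 20, len(pw)):
        print(f"{n:>2} random characters: {blind_bits(n):6.1f} bits")
    # 7776 is an assumed list size (the size of a diceware-style list).
    print(f"4 words from 7776: {known_recipe_bits(7776):.1f} bits")
```

The known-recipe figure depends only on how the words were chosen, not on the length of the finished password, which is why the words need to be random and used for one account only.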

While having a 20 character password will keep your accounts safe for now, it won’t be long before we will need 33 character passwords or longer. To add an extra layer of security, enable multi-factor authentication on all your accounts so that if your passwords are cracked, the attackers won’t be able to gain access.

 

The space audit is coming, cover up sensitive information – 05/31/2023

 

 

Starting June 12, Facilities Management will be conducting its annual space audit. Employees will enter all rooms on campus in order to update space information. Photos will be taken to record the condition of finishes, furniture layouts and equipment. Part of the project involves auditors creating work requests in the Frontline system for maintenance issues they identify.
 

While this project is for internal use and staffed by employees, it serves as a good reminder of the need to have good data protection measures in place. What does that mean to the average employee? Ensure that any sensitive information — including that involving students and employees — is kept in a location that can’t be easily seen or accessed. If you’re not at your workstation, lock your computer screen.

 

And we all know better than to have our user names and passwords pinned to a bulletin board by our computer, a rookie mistake made when Prince William was part of the RAF.

 

Checking an email? Get a bigger screen – 12/08/2023

Updated 07/18/2023

 

Phishing emails are the bane of our existence. They take our precious time as we slow down to take a close look and make sure that email from our colleague is really coming from our colleague. This whole experience is a lot more challenging when we are attempting to do our analysis on a smartphone.

While reading an email on our phone is perfectly harmless, things can become dangerous when the email asks us to take action. To click or not to click? Do we send the requested information or not? How is one to know when it is hard to see the link URL or sender’s email address on that small screen?

It is so challenging to spot a malicious email on a phone that even IT professionals get tricked. That’s right … Information Technology professionals get tricked. The people that get tricked repeatedly in IT are ALL trying to see phishing red flags on a smartphone screen and fail.

The next time you read an email on your phone that has a link, contains an attachment or is asking for sensitive information, mark it unread. When you are able to view it on a larger screen, reread it and look at the sender’s email address, hover over the links and check the grammar. While taking the extra time is inconvenient, it is far less painful than losing half a day of work while you factory reset your phone or deal with the fallout of a data breach.

Password managers the secret weapon against cybercrime – 09/01/22

 

 

Passwords, they are our saviors keeping our data safe while at the same time they are our oppressors clogging our brains and stressing us out. We know we should have long, complicated passwords and that we shouldn’t reuse them. However, who has the time to be that creative every time you sign up for a new service, never mind being able to memorize them all? It isn’t surprising that password reuse is as common as grilled cheese.

Attackers know that, which is why credential stuffing is one of their favorite attack methods. It takes little skill and effort. Just go on the dark web and find a list of stolen credentials, plug them into a software program and let it run. After a few minutes you have a whole list of websites that you can log in to hassle free. You don’t even have to buy stolen credentials anymore. Over a hundred of them are just sitting there, free for the taking.

Thankfully there is a way to have long, strong unique passwords for every service without losing your mind. This magical tool even logs in for you, saving you valuable time and effort. The best part is you only have to create and remember one password. Yup, only one, the one to gain access to the tool. After that, this gift from the Gods creates passwords for you. They are long, complicated monsters that would take years to brute force hack. They would be impossible for a human mind to remember, but this genius of an application does it for you.

What is this mythical piece of software? It is a password manager. In the past they have been known for their ability to effortlessly store passwords, however their other skills are largely unknown. They are your secret weapon against credential stuffing.

There are many, many types of password managers. On workstations across campus you can find KeePass. While functional, it doesn’t look very user friendly and it strikes terror into the hearts of most. All it takes to tame the beast is a quick training session. However, for those less adventurous there are alternatives. The one we recommend is Bitwarden. It uses a browser extension to enable functionality and offers a full range of features for free.

If you aren’t sure if Bitwarden is for you, PC Magazine does a great job of reviewing the most popular password managers every year. All of them allow you to use them for free for at least a week before you buy. I suggest picking three and trying them out one at a time. It works best if you only enter your login credentials for your most used services. That way you don’t invest a lot of time into a tool that you decide you don’t want to use later on.

Which password manager is the best? The one that you use. Each one has its own quirks and features. Some you may like, others you may not. If you don’t use the tool, then it isn’t the right one for you. That is why I recommend giving a few of them a try. Ideally you want to find one that fits in so seamlessly with your work that you barely notice it is there.

No that is not a malicious pop up – 01/11/22

In preparation for the implementation of mandatory MFA on February 28, 2022, a new pop-up will appear when you log in to Google if MFA is not turned on. It looks like this.

If you click Do this later, you can access your account and enable MFA at a later date. However, we do encourage you to click Enroll instead. The sooner you enable it, the sooner the annoying pop-up goes away. After February 28, 2022 anyone who does not have MFA turned on will have to contact the IT Service Desk to get access to their Mount Royal email account, Google Drive or any other Google Workspace apps.

 

Things to remember now that we are back on campus – 09/08/21

 

It is hard to believe but it has been about 18 months since we were last all on campus. Whether you are thrilled to be amongst students and colleagues or pining for the solitude of your dining room table, you will have developed different work habits while you were working from home. Now is the time to dust off those old habits again. To help you get back on track, I have a few helpful tips.

Lock your screen

Yes, I know that I was teaching people to keep locking their screens when working from home. However, I know most of you didn’t consider the kids, your spouse or the cat a big threat. Now that we are back, it is time to develop that habit again. When you stand up from your machine, lock it. If you are in a hybrid work situation, keep up that habit when you are home so you don’t forget when you are on campus.

Watch for tailgaters

Don’t let people you don’t know sneak in behind you into a secured area. If a stranger has forgotten their OneCard, send them to security rather than let them in with yours. With everyone masking up again, it is harder to verify someone is who you think they are. If you aren’t sure, send them to security. If you have a visitor coming to campus, meet them outside secured areas and then accompany them to the appropriate office or meeting room. Do not leave guests unaccompanied in a secured area.

Don’t let others use your credentials

If you have guests coming on campus, have them bring their own laptop and connect to MRvisitor rather than logging into a workstation for them. If you are training someone new, contact the Service Desk to get them access to what they need rather than logging into an application for them. Your credentials are for your use alone, not the other 114 people who want to access the network.

Keep storing documents on Google Drive

Even though we are now back at our workstations, it is impossible to know if sometime in the future we will have to return to working from home. Make your life easier and continue to store your documents containing non-sensitive information on the Google Drive. That way you won’t have to scramble should we suddenly get sent home again.

 

Use digital signatures with caution – 04/15/21

 

With everyone avoiding contact with other people at all costs, the use of digital signatures has become more common. However, some forms of digital signatures are more secure than others.

Services like Adobe or Docusign encrypt your digital signature. This means if someone tries to access it without your password, all they will see is gobbledygook. As long as you are careful with your passwords, your signature is secure with these types of services.

Other solutions for digital signatures are not as safe. Pictures of your written signature stored unencrypted or emailed can easily be stolen. If they are on your Google Drive, OneDrive or Dropbox this makes them even more vulnerable. Likewise, entering your signature into text fields in unencrypted forms is also dangerous.

Remember that your digital signature is used to verify your identity. You should treat it like you do your credit card number. If you wouldn’t store or transmit your credit card number using a particular method or service, then you shouldn’t store or transmit your signature that way either.