Cybersecurity Blog

Password reuse results in missile alert terrifying a family – 01/24/19

A Florida family was terrorized by a notification coming from their Nest security camera alerting them of a missile launch by North Korea.  Interestingly enough, until they heard the alert the family didn’t even know the camera had speakers.

Although the traumatized mom blames Nest for not notifying their users of a data breach, it wasn’t Nest who was breached. The data breach occurred elsewhere. Because the family reuses passwords, once one of their accounts was exposed, all of their accounts were left vulnerable.

Although it certainly would have been a nice bit of customer service for Nest to notify their account holders that they should change their passwords if they reuse them, it is not their legal responsibility as they were not hacked. The responsibility for notification lies with the breached account provider.  The family didn’t say whether that notification was received.

Regardless of whether Nest should have notified their users or not, this poor mother still had to watch her terrified nine-year-old son crawl under the carpet in a panicked attempt to protect himself from nuclear missiles.  No mother should have to experience that.

How do you prevent your family from being traumatized by a prankster hacker?

  1. Be familiar with all the features of your camera before you buy it. Know if it has a microphone or speakers, connects to the internet, whether the default password can be changed, how the firmware is updated and where recorded video is stored.
  2. Change the default password as soon as you set up the camera. Use a unique, effective passphrase.
  3. Update the camera’s firmware as soon as it is installed and keep it up to date. If it has an automatic update feature, enable it.
  4. Disconnect the camera from the internet when you aren’t using it.

Taking these steps will greatly reduce the chances of your camera being hacked. These same steps can be taken to secure any IoT device.

Our world is rapidly changing, with technology creeping into all aspects of our lives. It is important that we change with it to ensure our family’s safety. That means we need to be aware of the risks associated with the devices that we bring into our homes and how to mitigate them. As this Florida family has learned, tech companies aren’t going to do this for us, even if we are 114% certain that they should.

Are your credentials part of the latest data breach? – 01/17/19

Troy Hunt, the creator of Have I Been Pwned, has just found a massive collection of usernames and passwords sitting on the web.  When I say massive, I mean massive. We are talking 1,160,253,228 unique login credentials (usernames and passwords).  We have seen large dumps of credentials for sale on the web before. However, there has never been a collection of this size.

This alone is concerning, but when you also consider that the information is not sitting hidden in some dusty corner of the dark web, but being openly discussed in various forums, the alarm bells start to sound. Add the fact that the information is being given away and not sold, and you have reached DEFCON 1. Now any miscreant with time on his hands can start banging away at websites with a free list of easily found credentials. This greatly increases the chance your account(s) will be compromised.

It’s like finding a garage door opener while out for a walk with your dog. You may not have been planning on breaking into a garage, but when fortune smiles upon you, you take advantage of it, pick up that sucker and start seeing which doors it opens.

The good news is there are things you can do to protect yourself.

  1. Visit Have I Been Pwned and find out if you are affected.
  2. Change the passwords on affected accounts as well as any accounts using the same password.

If you aren’t reusing passwords, this is a relatively easy task. If you are, then it sucks to be you and it may take you a while.  On the up side, you do get to give those brain cells a good workout trying to remember all the accounts that used that password. I lied, that sucks too.

After changing umpteen passwords and straining to remember the names of all your accounts, you may want to stop reusing them and start using a password manager.  KeePass is sitting on your workstation and is free to download and use at home. Give Verle Winsor a call to find out how to use it.

If you are ready to invest in a more user-friendly tool, you may like Dashlane, 1Password, or LastPass.  They all generate effective, unique passwords for you and make logging in a breeze on all of your devices.

Hotel chain data breach – 11/30/18

Have you stayed at one of the following hotels in the past 4 years?

  • W Hotels
  • St. Regis
  • Sheraton Hotels & Resorts
  • Westin Hotels & Resorts
  • Element Hotels
  • Aloft Hotels
  • The Luxury Collection
  • Tribute Portfolio
  • Le Meridien Hotels & Resorts
  • Four Points by Sheraton
  • Design Hotels

Lucky you!!  There is a possibility your name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure data, reservation dates and/or credit card information were stolen in a data breach.  Marriott has reported that unauthorized access to their guest reservation database occurred on or before Sept 10 of this year.  However, they acknowledge that the criminals have been inside the company’s network since 2014.

In response, they have set up a dedicated website, established a call center to answer questions and will be emailing those affected. To make their customers feel better, they are also offering a free one-year subscription to an internet monitoring service. When a subscriber’s personal information is found on the web, they are notified.  This service is available to customers in Canada.

If you think you may have been affected, visit the website for more information and look for signs of identity theft.

Beware the online gift exchange – 11/29/18

The Better Business Bureau is reporting that Facebook and other social media sites are seeing a resurgence of the “Secret Sister” gift exchange.  This gift exchange, and others like it, promise participants several gifts in exchange for sending one inexpensive gift. All you have to do is give up some personal information and invite your friends to join.  If you think this sounds too good to be true, you would be right.

This scam is a classic pyramid scheme, which is illegal in both Canada and the US. If you run across one of these gift exchanges on social media, report the post immediately.

Buying tech this Christmas? Check out its creepy factor – 11/20/18

This year, there are tons of cool tech gadgets on the market, everything from teddy bears that connect to the internet to personal alarms. As neat as all of these devices are, some of them have the potential to leave their users feeling exposed and violated.

Thankfully, the good folks at Mozilla have put together a terrific website that examines the privacy risks of the hottest tech gifts. At Privacy Not Included, you can find out what information a device collects, what is done with that data and what kind of security the device has. They also rate customer service. To make it extra fun, consumers can give each item a creepiness rating based on how comfortable they would be having that device in their home.  Check it out.

Must Read – The Newsletter is Changing – 11/02/18

As part of our efforts to continually improve the newsletter and the information it delivers, we will be returning to the Mailchimp delivery format November 16, 2018.  Newsletter articles will continue to reside here, only the delivery format will change.

This will allow us to create newsletters that are more visually appealing and determine what kind of articles people are most interested in.  This will be the last newsletter to appear in your inbox as a weekly digest email.  For more details, please refer to the email that I sent out to all subscribers.

I hope you enjoy the new format.

Hack the box results – 10/25/18

Today was the final day for the Hack the Box escape-room-type activity.  We had four teams compete in total.  In the end we had two faculty teams, one employee team and one student team take up the challenge.  HPHED blew away the competition, finishing in just under 20 minutes.  HR came in second at 26 minutes, third was the Faculty of Science and Technology and our wonderful students came in last at 30 minutes.

Good fun was had by all.  All participants walked away with pens and charging cables from the good folks at Lenovo.  Employees also snagged a contest entry code for the Cyber Security Challenge.

Interestingly, HPHED was quite concerned about the leaderboard and their showing on it.  They are rather keen to remedy the situation.  Facilities Management, I would keep an eye on that leaderboard; we may see some changes in the last few days of the Challenge.

Just a reminder that you have until Oct 30 at 4:00 pm to enter your codes.  Tomorrow the last of the newsletter codes will go out.  If you have missed previous ones, scroll through the articles on the newsletter website to find them.  The Cyberwar Threat, Cyber Safety Survival Guide and the General Security Tips webpage can still be mined for contest entry codes.  Check the Cyber Security Challenge webpage for details.

The Cyber Security Challenge Weekly Update – 10/05/18

We have come to the end of the first week of competition.  Poor weather and the upcoming holiday have meant a slow start.  However, we are starting to see entries trickling in.  Facilities Management is in the lead, as Building Operations has been rallying their team.  They are working hard on upgrading our little Golden Superhero Award (photos coming soon) and they really want to win it.

Neck and neck are Support Services and Academic Administration in second.  I like to think I had something to do with that.  I made it very clear in the last IT Services department meeting that the trophy was uber cool.  I also pointed out how embarrassing it would be to not make a respectable showing on the Leaderboard.  My team responded.

I would like to thank everyone that braved the weather and came out for the Summit. I emailed codes to those who registered.  If you just dropped in and didn’t register, email me to receive your code.  I know who attended, so don’t try and snow me into saying you were there if you weren’t.  If you were unable to catch the Summit talks, I will be posting the recordings on the Summit web page.  I will let you know once they are up.

Lastly, don’t forget to get your team together for Hack the Box.  I am canceling Oct 9th’s event due to lack of registration.  However the Oct 16 and 25 time slots are filling up.  Book before it’s too late. You don’t want to miss out on a contest entry code.

Happy Thanksgiving!!

Adware Doctor and Trend Micro apps quietly uploading data – 09/13/18

Adware Doctor, a very popular app on the macOS App Store, has been quietly sending browser history, a list of software you have downloaded and a list of processes running on your computer to a server in China.  Unfortunately, this is only one of several apps that are collecting user data without our knowledge, a clear violation of Apple’s policies. You can add Trend Micro’s Dr. Cleaner, Dr. Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery and Duplicate Finder to the list.

The good news is they have been removed from the App Store.  The bad news is that you may have downloaded an app that is behaving badly.  Just like Android and PC users, Mac users must be cautious when downloading apps. Just because it is in the App Store doesn’t mean it is safe.  Reviews and the number of downloads aren’t always reliable either.  Always be wary of apps that access data they really don’t need in order to function.

Thankfully, the next version of macOS, Mojave, is supposed to require apps to get the explicit approval of users before they start collecting and shipping off sensitive data.  Yet another reason to keep your eye out for it and update as soon as it comes out.

Kids and cell phones, how to keep them safe – 08/08/18

As parents gleefully start planning for back to school, one question that may come up is ‘Does my child need a cell phone?’. If your answer is yes, there are some things that you can do to help protect them from cyber bullies, predators and scammers.

  1. Enable the password protected screen lock.  Let your child know that the password should not be shared with anyone but Mom or Dad.
  2. Know every app on your child’s phone, every account that is created and what the passwords are.
  3. Check your child’s phone for disturbing content on a regular basis. Their access to a phone should depend on you having access to it as well. You pay the bills, you make the rules.
  4. Check the privacy and security settings on the phone and apps. Be careful with location tracking. If you can find your child, so can someone else.
  5. Keep the apps and phone software up to date.
  6. Have a talk with your kids about online safety, including cyber bullying, harassment and predators. Make sure they know they can come to you for help. Teach them to:
    • Never respond to calls, texts or emails from people they don’t know.
    • Be careful about what they post. Too much personal information can make them vulnerable. Posting the wrong photo or making the wrong comment can mess up their life.
    • Only connect through social media to people that they know.
    • Watch for geo-tagging on photos. They don’t want their exact location to be displayed.

Even if you don’t follow all these guidelines, having a frank and honest discussion about phone safety and modeling the desired behavior will go a long way toward keeping your kids safe.  For more resources on determining when the right time for a cell phone is and how to keep your kids and teens cyber safe, visit Safe Search Kids by Google.