Credential stuffing is where hackers take a list of usernames and passwords and use them to try and login to a site. They use computer programs that allows them to test thousands of login credentials in minutes. If someone is reusing passwords or using common or weak passwords they will have no problem accessing those accounts.
So how do you protect yourself against credential stuffing?
- Use unique passwords for every account. I know it is inconvenient and a pain but it really is the only way to protect yourself.
- Use a password manager. This takes the sting out of my first recommendation. Password managers not only store your passwords, but make generating them and logging in a breeze.
- Register with haveibeenpwned.com. If you register your email with them, they will email you when your email address shows up in a data breach. If you are still reusing passwords, this gives you time to change it. Credentials stolen in data breaches often show up on the dark web for sale before the breached company even knows their user’s data has been compromised.
- Enable multi-factor authentication on every account that has it available. Multi-factor authentication and its cousins two-step verification and two factor authentication requires you to enter an authentication code, respond to a prompt from an authentication app or insert an authentication key when you enter your password.
Not every hacker makes their money by breaking into accounts and stealing funds or ransoming your data. Some hackers are content to simply break into servers and steal usernames. passwords and other personal information that they then sell on the dark web. It is quite a niche business.
To combat this evil, an enterprising fellow name Troy Hunt created a tool that scans the dark web looking for stolen data that is for sale. You can access this information for free at have i been powned. Simply visit the website and enter your email address. It will tell you if any of your accounts using that email have been breached.
This gives you the opportunity to change your password and username or delete the account. This is an easy process if you don’t reuse passwords. It is a huge headache if you do. What’s even cooler, you can subscribe to an alert service so they will automatically notify you when there is a new account breach. This is so awesome, Mount Royal even subscribes.
We get notified when anyone with an @mtroyal.ca email is involved in a breach. We also get told which account was breached. We are aware that password reuse still happens. By being notified of breaches we can make sure our users change their passwords so hackers cannot use their accounts to gain access to the network.
So if you are using your @mtroyal.ca account to sign up for the adult furry website High Tail Hall, we will know about it. To make matters worse, we have to contact you to let you know about the breach. It gets awkward for everyone.
This is a friendly reminder, only use your @mtroyal.ca email account for business. IT Services thanks you.
As part of our phishing training program, I visit repeat clickers and analyze their business processes to determine why they are having difficulty identifying phishing emails. An interesting trend is appearing. Time after time, I hear people say that they thought IT Services had tools that filtered out all malware so anything that reached their inbox was safe to click.
I am going to set the record straight. There is no anti-virus, anti-malware or other type of software or technology that can identify all malware or malicious links. While IT Services has wonderful tools that help them stop most attacks, they cannot stop everything. Every organization is vulnerable to new strains of malware and hundreds of new strains are developed every day. Whether at work or at home, you cannot rely on anti-virus/anti-malware to protect you 100% of the time.
You are our first line of defense. If you avoid clicking or opening something that you shouldn’t, the odds of being victimized decreases exponentially. Simply by pausing when you are triggered emotionally by an email or when an email contains a link or attachment, you can reduce your chances of a cyber attack by 75%. We can’t do it alone, we need your help. Join us in the fight against cyber crime, stop and think before you click.
Iranian hackers are sending out phishing emails that appear to come from within a targeted university. The emails contain a link and urge the recipient to sign in to an internal resource, the favorite being the library system. The link is to a fake login page that records login credentials.
The hackers appear to be trying to steal research data. The campaign is world wide with over 16 universities targeted and over 300 fake websites created. Canadian universities are among the targets.
If you receive an email asking you to login to one of our internal resources, do not click on any links in the email. Instead, access that resource using a bookmark or a link on www.mtroyal.ca. You can also contact the department in charge of that resource and ask them if they sent out an email. Pay special attention to emails asking you to login to the library system.
If you are unsure of the legitimacy of any email, you can forward it to email@example.com and IT Services will be happy to investigate for you.
On a regular basis, account providers are hacked and their customer data is stolen and put up for sale on the dark web in large data dumps. Usernames and passwords are often included in the information. As over 30% of users reuse passwords and usernames, once a hacker has that information they can access several accounts. As part of our ongoing efforts to keep Mount Royal’s data safe, we subscribe to a service that lets us know if any @mtroyal.ca email addresses appear in these lists. If an account provider gets hacked and a user used an @mtroyal.ca email address as a username, we get notified about the breach. This happens about 3.8 times a month. We then force a password change on the account to ensure it stays secure.
Where things get uncomfortable is when users decide to use their @mtroyal.ca email address for personal accounts. Many account providers who deliver special interest content do not have the best security practices and are often hacked. We really don’t want to know that you belong to the Jelly of the Month Club or you are a member of Poniverse (those are the G-rated ones). Please save us and yourselves the embarrassment. Use your @mtroyal.ca account for business purposes only.
Have you checked the settings on your Google Group lately? By default when you create a group, only group members can post and view messages and people must ask to join the group. However, researchers have discovered that thousands of Google groups have their permissions set to allow the general public to view the group posts. This would not be an issue if the people posting information to the Google Group understood that their posts could be viewed by the public. However, sensitive and private information has been found within these group posts suggesting that they really have no idea.
If you are the owner of a Google Group, please take a moment to check your permissions. To check permissions:
- Open the Google Group.
- In the title bar of the Google Group, click Manage. The left menu changes.
- In the left menu, click Permissions. A list of permissions appears.
- Click to select each permission type and review its settings.
Please note that if you have selected All organization members, to View topics or Post anyone with an @mtroyal.ca email address may do so. This includes students, staff and faculty. If you have selected All members of the group, users must actually join the group to be able to post or view emails/topics.
If you wish to email/post to a Google Group, check the settings of the group to see who can see the messages you send. To check the settings:
- Open the Google Group.
- In the title bar of the Google Group, click About.
- Scroll down to find the Access section. The posting and viewing permissions of the group are listed here.
If you have questions or concerns about setting permissions, please contact Bernadette Pasteris at firstname.lastname@example.org.
Hackers have discovered a new way to deliver malicious links, through your Google calendar. How? Simply by creating a calendar event and inviting you.
By default when you are invited to a Google calendar event, the event appears in your calendar whether you have responded to an invite or not. The sneaky hackers know that if you receive an email with an invite from someone you don’t recognize, the odds are great that you will simple delete it or ignore it. So, they create an event with a vague description and include a link to the meeting agenda but choose to not email the guests.
What the hackers hope is days or weeks later when you receive a meeting notification or see the event sitting in your calendar, you will think you have forgotten about a meeting and will open up the event and click on the link to view the agenda. I know what you are thinking, I wouldn’t fall for that because I would check the meeting owner’s email. Ideally that is exactly what you would do, however when humans think they have messed up they tend to panic and click.
How do you protect yourself from the panic and click? You can change your event settings on your Google calendar. Go to Settings and select Event Settings. In the Automatically add invitations section, select No, only show invitations to which I have responded. This prevents events from being added to your calendar without an email invite so you can’t be ambushed.
Is your computer acting weird? Is it suddenly working really slowly? Are pop-ups all over your screen? Are folders graying out and can’t be opened? Are files suddenly unavailable or can’t be found? Is your mouse moving on it’s own? Has the text become unreadable? Do you have a virus alert? If you are experiencing any of these, you could have a virus or malware on your computer.
If you think you have malware on your machine, do not turn off your machine, some types of malware load on start up. Do not run a virus scan, some types of malware corrupt anti-virus programs. Do not try to fix the problem yourself. Do not panic, help is available. So what do you do?
- Don’t touch anything. Many types of malware are loaded by clicking anywhere on a pop up window. If you don’t click, you may be able to prevent an infection.
- Disconnect from the Internet. On your workstation, unplug the network cable. On your mobile device, disconnect from wifi.
- Call the IT Service Desk.
Not sure what a network cable looks like? It looks like a phone cable, but comes out of the back of your computer. It can be red, white, black, blue, gray or yellow. Still not sure? Here is a photo for you:
Worried about getting into trouble and you don’t want to call the Service Desk? Please don’t be. IT Services has service in the name for a reason. We are here to help you. We know you are human. We know people make mistakes. We like to get your calls.
In today’s world of brand recognition, nothing is more important than your domain name. Whether you are Coca-Cola, ESPN or Freds Furniture, you need a web page that people can find just by typing the name of your business. What happens though when a consumer gets the name wrong? On-the-ball businesses buy the domain names for common misspellings of their name and redirect consumers with fat fingers to the correct web site. Those that don’t, leave consumers and their business exposed.
Criminals are buying up the misspelled domain names of popular web sites and loading them with malware. This practice is called typosquatting. It costs businesses millions in sales and untold grief for consumers. In the best case scenario, visiting one of these sites will result in your anti-virus going spastic with pop-ups and alerts. At the worst, malware too new for your anti-virus to recognize will be quietly and efficiently deposited onto your machine. Many of these web sites can only be visited once. A repeat visit results in a 404 web page not found error, making it difficult to shut the site down.
The easiest way to protect yourself from typosquatting is to use bookmarks to visit your favourite sites. When looking for new ones, read and re read the search terms you have entered and then read them again. Don’t let a slip of a finger deliver you into the hands of a hacker.
The Cyber Safety Summit 2018 will be held on October 2, 2018 at the Lincoln Park room in the Main Building of Mount Royal University’s campus. The summit will include experts speaking on home security, social engineering, fraud protection and how to recover from a cyber attack. In addition we are adding a new topic this year, protecting your privacy. Registration is free.
Spend the whole day with us or just come by for your favourite session. Either way you have the opportunity to hear from the experts themselves how to keep your family and home cyber safe. Come with your questions and concerns, leave armed with the knowledge you need to keep hackers at bay.
Can’t attend the summit? We will be live streaming all sessions. Visit the website to review last year’s program and to sign up for Summit updates.
Mark your calendars now!! See you on October 2, 2018!!