5 Tips to Securing Your Webcam

The Tip
January 28 was Data Privacy Day. Read this post about the importance of securing your webcam and protecting your privacy. This is a guest post by Marc Saltzman, who has reported on the high-tech industry since 1996 as a freelance journalist, author, lecturer, consultant, and radio and TV personality. It is taken from the Government of Canada’s ‘Get Cyber Safe Blog’:
https://www.getcybersafe.gc.ca/cnt/blg/pst-20150128-en.aspx

In case you missed the news, a young person discovered someone was spying on them via their webcam – while they were watching a DVD movie on their laptop in the bathtub, no less.

Can this really be true? While it’s not likely, it’s technically possible, yes.

It’s a privacy nightmare to think someone has remotely hijacked your webcam and is watching you in front of your computer without your knowledge.

The Detail

And so the following are a few precautions you can take to minimize the odds of this happening.

  • If you’re using an external webcam – that is, one that plugs into your computer’s USB port – only connect it when you need it. Yes, it can be a pain to remember to plug it in whenever you want to Skype or Facetime with someone, but at least you’ll know 100 percent you aren’t being spied on if there’s no camera connected.

  • Some external cameras have a small cover you can close over the webcam lens, so be sure you take advantage of this when you’re not using it. If your webcam doesn’t have this, you can point it to the ceiling until you need it, or place a small piece of electrical tape on the front of the webcam – but don’t place it directly over the lens or else it could damage it.

  • If your laptop or desktop has a built-in webcam, be sure to have good computer security software installed (which you should have anyway, of course). A good security suite includes antivirus, anti-spyware, a firewall and other tools to keep the bad guys from getting in. Good web browsers should also notify you if your webcam is being activated and you may be prompted to agree.

  • If you need to have your computer repaired, take it to a trustworthy source or else an ill-intentioned technician could secretly install spying software on your PC; ensure there are no remote access programs on your laptop or desktop that you didn’t install yourself. If you find something, immediately uninstall it and bring it to a trusted source.

  • Be sure your wireless network has strong security settings and a good password to prevent outsiders from accessing your Wi-Fi network without your consent. Another tip is to go to the webcam’s settings/options and enable some kind of notification when it’s being used, such as a small light that turns on near the webcam or a sound alert – if it doesn’t do it already (most will have a small light illuminate when activated).

For more of Marc Saltzman’s tips, reviews and videos, follow him on Twitter: @marc_saltzman

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

The Culture of Security

This week’s topic is The Culture of Security

Security Badge

The Tip
Our community has its own culture. We have a standardized method of communication. We have dress codes. We have expectations, rules, and a collective personality that exists in the university. All of us have a responsibility to increase our own cyber-security awareness. In fact, that’s one of the important aspects of our culture. How we position ourselves against the threats we face determines the overall health of our organization, which impacts every person in it! That’s why we need strong human firewalls, like you, who think before clicking, report unusual events, and always follow workplace policies and procedures.

The Detail

How can you contribute to our security aware culture?

  • Lead by example and work together. While we expect everyone to remain security aware on an individual basis, don’t forget that combating cybercrime requires teamwork!
  • Stay alert in all three domains: Cyber, Physical, and People. The threats we face are not isolated to just cybercriminals and phishing emails.
  • Report all security incidents. Even if you’re not sure if something should be considered “an incident,” it’s better to be safe than sorry!
  • Follow workplace policies and procedures especially as they pertain to security. Policies and procedures are never meant to be a hindrance to your work, though it may feel that way at times. Policies and procedures are how we support and protect everyone.
  • Take the culture home with you. Transfer your security aware efforts to every part of your personal life! Create an at-home security policy and have open dialogues about security with your family.

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

The 10 Tenets of OpSec

From Beazley Breach Response Services and Lodestone Security

Operations Security, or OpSec, is the mindset of using secure practices. Practicing OpSec helps keep us safe from ne’er-do-wells.

  1. Secure your space
    Don’t leave sensitive documents out when away from your workspace. Lock them away when you leave your desk, and if you can’t, get them out of sight.
  2. Stay aware of your surroundings
    Pay attention to tailgaters, shoulder surfers, and strangers. If you see a stranger in the office without a badge or ID, direct them to the security desk.
  3. “For your eyes only”
    If your organization classifies data as sensitive, private, or confidential, label documents and files so people can understand how they should be handled. If you discover sensitive information that’s not properly protected, report it immediately.
  4. Use stronger passwords
    Longer is stronger. Instead of easy-to-crack passwords like Password1!, use a passphrase, like ‘1 Red Elephant Balloon Maker?’, or a sentence you can easily remember. Or use a password manager to create and store secure passwords.
  5. Don’t mix business and leisure
    When you use work email for Internet play, you give the bad guys more opportunities to get in. Use work email for work, and your own email for personal matters.
  6. Secure your personal devices
    If you use your own cellphone or laptop for work (“bring your own device” or BYOD), use anti-virus software and keep your computer and applications updated. If you have a work laptop or device, use it only for work and don’t expose company assets to unnecessary risk.
  7. Don’t get “attached”
    Word documents and PDFs can hide exploits sent by a hacker. Opening the file or enabling macros can give an attacker control over your computer. If you get an unexpected or strange email attachment from someone you know, call to check whether it’s legit.
  8. Use it and lose it
    If you find a stray USB drive or removable hard drive, don’t plug it in. It’s an old hacker trick to litter the area around an office with infected USB devices. Don’t plug in a hacker’s weaponized USB, send it to IT!
  9. Beware of Wi-Fi eavesdropping
    Bad actors can easily impersonate known Wi-Fi connections using a cheap device that can kick you off a router and fool your device into happily accepting a faster connection. Don’t ignore browser warnings. Use a secure virtual private network (VPN) or tether to your own phone or hotspot. If you have to use an untrusted connection, avoid sensitive activities like online banking or logging into work webmail.
  10. Travel smart
    On a plane, train, or public transit, you’re not protected like at the office. Privacy screens help keep your work private. Lock your computer when you’re not using it, and lock up laptops and sensitive documents safely when you’re done for the day. Take sensitive documents back home if you can’t dispose of them securely.

Source: Lodestone Security, www.lodestonesecurity.com, info@lodestonesecurity.com

 

Mobile Device Security, Are You Doing Enough?

This week’s topic is Mobile Device Security, Are You Doing Enough?

The Tip
Most of us don’t think about it, but chances are your smart phone is more precious than your wallet or your keys, and in many cases, your actual computer. Although we all might think about it occasionally, most of us don’t do more than a 4-digit passcode and hope for the best.

Locked Smartphone

The Detail

With that in mind, here are some basic but important tips that will help keep your sensitive information secure, even in the event of a theft of your phone.

Always lock your phone with a password
One of the most basic but often overlooked tips is to secure your phone with a password. Swipe patterns are ok, but finger-trails easily reveal these. A 4-digit passcode is an improvement, but using a strong passphrase is the ideal protection. Even if your phone is stolen, this basic protection will stop most thieves from getting your data. Most phones can also be set to auto-erase with too many failed login attempts, if you need additional security.

Ensure your device locks itself automatically
If you set up password protection, but leave your phone unlocked on your desk for long periods of time, you’re not secure. Most phones are readily set up to lock automatically after a period of inactivity. Choose the shortest amount of time you are comfortable with. A couple of minutes is appropriate, even if it seems a tiny bit inconvenient.

Keep your phone up-to-date
Update your OS and apps regularly. These updates often include important security and vulnerability updates. If you’re nervous about teething problems on the bleeding edge of updates, at least get the reminders, but don’t forget to eventually update. Minor version updates are almost always security related.

Only download apps from approved sources
Apple’s App Store and The Google Play Store take security seriously and do the best they can to watch for vulnerable apps. Don’t jailbreak your devices to get access to other apps, and read user reviews before downloading new apps. There is often good information there.

Install anti-virus software
Although not as widespread as on desktop computers, viruses and other problem software still exist on mobile devices. Most major antivirus companies have apps for your mobile device.

Use discretion when downloading apps
It’s easy to get excited about the wealth of low-cost or free apps available. Most of us add apps of all sorts without too much research. Don’t download apps you don’t really need, and clean up your apps from time to time. Also, it’s important to see what permissions your apps are asking for. You can expect a mapping app will want to know your GPS location, but if an alarm clock wants access to your contacts database, you might want to treat that with extreme caution.

Stick to window-shopping on public WiFi
Public WiFi networks have popped up all over the place, and are very handy, but security on these networks is scarce at best, and non-existent typically. Be very careful what you do on public WiFi as the chances are pretty good that others may be watching network activity. In particular, avoid activities that convey a password or account or credit card number, unless you are absolutely sure you are using a secured connection.

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

Email Privacy, is it really?

This week’s topic is Email Privacy, is it really?

The Tip

There’s an old saying that email is about as secure as a postcard. Is that still true? The answer is yes and no. For most of us most of the time, it’s private enough. For some uses, we should be cautious.

The Detail

This should come as no surprise anymore, but your email isn’t private. In fact, it’s one of the least secure methods of communication you can use. Emails are stored at multiple locations: on the sender’s computer, your Internet Service Provider’s (ISP) server, and on the receiver’s computer. Deleting an email from your inbox doesn’t mean there aren’t multiple other copies still out there. Finally, due to their digital nature, they can be stored for very long periods of time, so think twice before writing something down in an email you don’t want others to see.

Much of this is mitigated for us, due to the way we use and deliver email at Nipissing via Google Apps. Gmail does encrypt data over their internal network, so if you are corresponding between Nipissing email accounts, using the Gmail client, your communication should be encrypted and remain fairly secure. This is one of the advantages in using the Gmail suite.

However, while Gmail encrypts email over their network, their encryption only protects data that is on their servers – not while it is bouncing around on other servers on the Internet, meaning that your data is still vulnerable when corresponding outside the network, unless you adopt a solution that provides client-side encryption. This is not necessary for most users who are just doing day-to-day correspondence. Just like a postcard going through the postal mail, most people stumbling across it couldn’t be bothered or interested to look at it. If, however, you are emailing sensitive documents and data around, outside of our network, you might want to consider a few other strategies. Client-side encryption takes some setup and most users couldn’t be bothered or find it confusing. That said, it is effective and essential for some types of communication, once you jump through the initial hoops. Services like Dropbox or Google Docs/Drive are safer methods for sharing sensitive documents than sending them as attachments.

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

 

Patch, Patch, Patch – You need to stay up-to-date

This week’s topic is Patch, Patch, Patch – You need to stay up-to-date

The Tip

There are going to be a lot of updates released in the weeks to come for your phone, your tablet, your computers… it is more important than ever to keep your devices fully up to date.

The Detail

If you follow much news at all, you’ve likely heard a lot about the Meltdown and Spectre security threats that became public news around the holiday break. In a nutshell, security vulnerabilities at the base chip level, affecting Intel, AMD, ARM, and possibly other processors, have been discovered. This impacts pretty much every device with a computer in existence. Industry insiders learned of this vulnerability under nondisclosure agreements several months ago and immediately began developing engineering mitigations and updating cloud infrastructures.

In the days ahead, there will be a lot of patches released by all vendors to help protect against these very real concerns. Some have already been released, and likely applied. Many servers and cloud services have been updated. Apple and Microsoft have both released updates in the last few days to deal with this. More will follow. Some older devices may be left behind, and if you’re hanging on to that ancient iPhone or desktop running Windows XP, it may be time to retire them. Older systems that are patched can expect noticeable slowdowns in performance. Newer systems (2016+) running modern operating systems (Windows 10 or Apple High Sierra) should see considerably less of a performance impact.

If you have questions or concerns about applying an update, please contact UTS Support.

 

USB Flash Drive Security – It’s Important

USB drives are so pervasive in today’s world of technology, that it’s all too easy to become blasé to the many risks in using this very useful and ubiquitous technology.

Risks inherent with USB Flash Drives fall into two broad categories. 1) Virus/malware and 2) Data theft.

1) What Can a “Bad” USB Stick Do?

A malicious device can install malware such as backdoor Trojans, information stealers and much more. They can install browser hijackers that will redirect you to the hacker’s website of choice, which could host more malware, or inject adware, spyware or greyware onto your computer. While the ramifications of these threats can range from annoying to devastating, you can stay protected from these threats by keeping anti-virus software installed and up-to-date, and by using it at all times. Finally, do not plug unknown flash drives into your computer.

2) What can a “Lost” USB Stick Do?

So, you’ve taken all the steps to keep your desktop secure, your internet usage safe, your passwords robust… and then bringing some data home from work on a USB drive, you misplace the drive. If there was anything sensitive on there, the consequences could be significant. Fortunately, it is easy to protect yourself from this risk by keeping your flash drives encrypted. Although some higher end drives actually have hardware encryption built-in, there are several inexpensive software solutions for USB disc encryption. In fact, all modern versions of Windows and MacOS come with encryption tools built in.

For more information, try googling ‘USB safety’ or ‘USB security’. There is a large selection of articles out there on these topics. UTS would also be happy to talk with you about this, and will be sending more information in the weeks and months ahead.

 

Lost USB Disk Panic

 

 

Password Managers – You should be using one

This week’s topic is Password Managers – You should be using one

The Tip

The majority of us use not-so-strong passwords, and reuse them on different sites. After all, how are you supposed to use and remember strong and unique passwords on all the websites that you use? The answer is a password manager.

The Detail

Using a password manager is one of the top safety practices recommended by security experts. Password managers are easy to use. They store your login information for all the websites that you use, and will help you login automatically. They encrypt your password database with a master password, and that is the only one you will need to remember. They will also generate strong passwords for you, for new accounts and for updating old, weak passwords, and can be used with 2-factor authentication.

Password databases can be shared across multiple devices, and are always in sync, so you have the right information with you on your phone, or tablet, or home or work desktop computers.

Password managers solve the problem of having to remember multiple and complex passwords, removing the temptation to reuse passwords on multiple sites. They are easy to use. You do not need to sit down and spend hours getting one set up. You just start to use it, and as you visit sites and log in, they will capture your info for future use. They can also be used for storing PINs and credit card info, should you wish, as well as secure notes. The more sophisticated managers out there will also let you share some password details with a spouse’s account, or other team setting.

Password managers come in several free and commercial versions, from several reputable vendors. Spend a few minutes and read a few reviews to find the product that is right for you. Most have free versions available with commercial licensed upgrades available for more features.

Some of the popular ones include LastPass, Dashlane, 1Password, KeePass, but that is by no means an extensive list. There is a good side-by-side review here, with further information on why password managers are so important.

https://www.pcmag.com/article2/0,2817,2407168,00.asp

 

Phishing – Don’t get Hooked!

A good bit of information and infographic from Digital Guardian.

Phishing attacks are by no means a new issue, but rather one that has plagued individuals and businesses for many years. In fact, the 2016 Verizon Data Breach Investigations Report found that 58% of incidents involving compromised user credentials utilized phishing attacks. As these attacks continue to increase in frequency and sophistication, it is of critical importance that end users and businesses learn some of the telltale signs of phishing and how to react when they are being targeted. To do our part in spreading cybersecurity awareness, we’ve created an infographic covering phishing attacks in their many forms and what users can do to protect themselves against this highly common online threat.

 

How to Recognize and Avoid Phishing Attacks Infographic

Infographic by Digital Guardian

2-Step Verification

This week’s topic is 2-Step Verification.

The Tip

It’s easier than you think for someone to steal your password

Any of these common actions could put you at risk of having your password stolen:

  • Using the same password on more than one site
  • Downloading software from the Internet
  • Clicking on links in email messages

2-Step Verification can help keep bad guys out, even if they have your password.

As an added bonus, get a free coffee on UTS when you enable 2-Step Verification. Be fast, supplies of UTS Tim Cards are limited.

The Detail

If you don’t have it set up, take the next few minutes to add one of the best defences against unauthorized email access. It’s easier than you think:

Note: This feature requires you to use your mobile phone in order to receive codes via text, voice or app

 

Passwords vs Passphrases

Welcome to the first in what we hope to make a weekly series of CyberSecurity tips. This week’s topic is Passwords and Passphrases.

The condensed version is, “passwords are bad, passphrases are better”. This is a ‘b@dPas3Word!’. ‘This is a mediocre passphrase’. ‘Good Passphr@se th1s is’.

The longer version below is taken directly from https://www.passworddragon.com/password-vs-passphrase. In a nutshell, don’t use movie titles or famous quotes for passphrases. Random groupings of words are better. To craft the best passphrase, make sure they:

  • contain at least 3 of the following: Number, Special Character, Uppercase letter, Lowercase letter
  • are at least 9 characters long (the longer the better)
  • include spaces
  • are changed bi-annually
  • do not recycle passwords and use unique passwords on each site
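
To see how the three sample strings from the condensed version fare against this list, here is a small checker, added as an illustration and not taken from the quoted source. It assumes a space does not count as a "special character", and it only covers the criteria that can be read off the string itself (reuse and change frequency cannot).

```python
MIN_LENGTH = 9    # "at least 9 characters" from the list above
MIN_CLASSES = 3   # "at least 3 of the following"


def character_classes(candidate):
    """Return the set of character classes present in the candidate."""
    classes = set()
    for ch in candidate:
        if ch.isdigit():
            classes.add("number")
        elif ch.isupper():
            classes.add("uppercase")
        elif ch.islower():
            classes.add("lowercase")
        elif not ch.isspace():
            # Assumption: spaces are checked on their own and are not
            # counted as a "special character".
            classes.add("special")
    return classes


def check_passphrase(candidate):
    """Return the list of unmet criteria; an empty list means all are met.

    Passing these checks does not make a passphrase strong on its own:
    a movie title or famous quote can satisfy every rule here.
    """
    problems = []
    if len(character_classes(candidate)) < MIN_CLASSES:
        problems.append("classes")   # fewer than 3 of the 4 character classes
    if len(candidate) < MIN_LENGTH:
        problems.append("length")    # shorter than 9 characters
    if " " not in candidate:
        problems.append("spaces")    # no spaces between words
    return problems


# The three sample strings quoted earlier in this post.
SAMPLES = [
    "b@dPas3Word!",
    "This is a mediocre passphrase",
    "Good Passphr@se th1s is",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        unmet = check_passphrase(sample)
        print(repr(sample), "->", "meets the list" if not unmet else unmet)
```

The bad password fails only on spaces, the mediocre passphrase fails on character classes, and the good passphrase meets every checkable item.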

passwords vs passphrases comic


CyberSecurity Site in Development

We’re working on it. Watch for big things to come!
