Important: Phishing Alert

We’ve had several reports of an ongoing phishing campaign targeted at members of the university today.  Some of you have received emails from someone impersonating Mike DeGagné.
 
This particular scam is pretty easy to spot.  If you inspect the email below, you’ll see that Mike’s name is correct, but that’s not his email address.  
 
We have technology that blocks a lot of this type of email, but some still gets through, so please remain vigilant in verifying requests that come over email. As always, if you receive an email that doesn’t feel quite right, pass it along to techsrv@nipissingu.ca for further inspection.
 
Stay safe, and have a great week!
 
-The UTS Team
Example of Phishing email

Safety Online At Tax Time

The Tip

Now that we are entering the full swing of tax time, it’s important to remind ourselves that this is the season for online scams, phishing emails and fraudulent phone calls. This is cybercriminals’ favourite time of the year.

The Detail

In 2018, the CRA reported that over 60,000 Canadians complained of phone scams alone. In the USA, the IRS reported an astonishing 60% increase in bogus email schemes looking to steal tax money or data. The Canada Revenue Agency tells us that CRA scams may come in many forms – over the phone, by e-mail, or by text message – in all cases the caller or sender poses as an agent in an attempt to gain personal information that can be used later, or attempts to intimidate a victim into providing real financial payments.

Phone Scams

Scammers posing as CRA agents may make any of several claims:

  • that you owe money and are facing arrest
  • that a lawsuit has been filed against you
  • that an arrest warrant is outstanding against you
  • that you are facing deportation

In all cases, the threats are an attempt to get you to share personal information and/or pay money. Hang up.

Email / Text Message Scams

You will receive a convincing message from a fake CRA agent claiming:

  • your tax calculations are complete and by filling in a form, you will receive an immediate refund
  • that you are being accused of tax evasion
  • that your filed form has misinformation and needs to be revised
  • that you are under investigation
  • that you have received an e-transfer for your refund

Rejecting the scam and protecting yourself

  • Hang up immediately if you are suspicious, or delete the email. The CRA will never threaten immediate arrest or use abusive language
  • The CRA will never request payment by means such as e-transfer, bitcoin, pre-paid credit or gift cards
  • Do not click on any link in an email pretending to be from the CRA. The CRA will never ask you to click on a link for refunds or for information collection
  • The CRA never sends text messages
  • Make sure your younger family members and friends are aware of this

How to respond

  • If you’re just not sure, confirm your tax status online through a CRA secure portal such as My Account or by calling 1-800-959-8281
  • File a report with the Canadian Anti-Fraud Centre (CAFC) toll-free at 1-888-495-8501 or online, whether you paid money or not
  • Report the scam to your local police if you paid money in any form
  • If you sent money or shared financial information, report it to the financial institution used
  • If your social insurance number has been stolen, contact Service Canada at 1-800-206-7218

Additional information can be found at

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

 

The Risk in Reusing Passwords

The Tip

We’ve mentioned in several weekly tips that it is a bad habit to use the same passwords on multiple sites. With more and more large breaches coming into the news recently, it’s more important than ever to stop this bad habit that we all so easily fall into.

The Detail

The risk we take when we reuse a password is that when one of these breaches of user information does happen, the criminals will immediately start trying the leaked username:password combinations at major banking sites, Amazon, Google, your workplace, and so on. With automated tools this takes very little time. If you’ve used the same password at any of those places, you can be in trouble quickly.

Fortunately, protecting yourself from these threats is easy:

  • Never use the same password on more than one site
  • Use a service like https://haveibeenpwned.com to monitor known breaches for your email address
  • If your address does come up, change your password immediately and if you have used that password in more than one place, go change all of them to unique passwords
  • If you have too many passwords to keep track of, start using a password wallet

The website Have I Been Pwned tracks known breaches and can be set up to notify you if your address shows up in one. It can also be used to monitor an entire domain; we use it here to keep an eye on @nipissingu.ca addresses in known breaches. These events happen all too often, even at major sites where you might expect security to be the tightest. Not necessarily so. For instance:

  • Verifications.io was breached in Feb of 2019. 763,117,241 accounts were exposed. 538 of these were @nipissingu.ca addresses
  • MyFitnessPal was breached in Feb of 2018. 143,606,147 accounts were exposed. 65 of these were @nipissingu.ca addresses
  • ShareThis was breached in Jul 2018. 40,960,499 accounts were exposed. 66 of these were @nipissingu.ca addresses
  • MyHeritage was breached in Oct 2017. 91,991,358 accounts were exposed. 25 of these were @nipissingu.ca addresses

Other major breaches have included places like Adobe, DropBox, Equifax and more.

If you think that you may have been in one of those, it’s a good reason to refresh your passwords now and be sure you are using good quality and unique passwords/passphrases everywhere.

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

 

Email And Personal Information Breaches In The News

Recently there have been several privacy/security breaches in the news. People that subscribe to the terrific service at https://haveibeenpwned.com will already be aware of these. These breaches have been happening at major sites, and by now, if you use the internet and have registered accounts on various websites, chances are pretty good your privacy and details have been compromised.

A new discovery was announced on the weekend by https://haveibeenpwned.com/. This one affected over 500 people with @nipissingu.ca email addresses.

Fortunately, this one did not include passwords, but it does include a lot of personal information. This personal information could be used in the future by criminals in targeted phishing campaigns (spear phishing). In a spear-phishing attack, criminals will use personal information in a phishing attempt against you, in order to make it look less suspicious and more legitimate.

We should take two things away from this:

  • be extra careful when reacting to emails from now on. Phishing attacks are getting more and more convincing, and just because an email has your name and other personal information in it doesn’t mean you can trust it.
  • this is a good time to improve our password habits:
    • do not use the same password at multiple sites
    • use strong passphrases
    • change your passwords/passphrases from time to time
    • consider using a password wallet to make these good habits easier to manage

These topics have been discussed in depth on our blog. Please visit https://cybersecurity.nipissingu.ca/ for further information on these and other related topics.

Here are some recent major breaches:

  • Verifications.io was breached in Feb of 2019. 763,117,241 accounts were exposed. 538 of these were @nipissingu.ca addresses
  • MyFitnessPal was breached in Feb of 2018. 143,606,147 accounts were exposed. 65 of these were @nipissingu.ca addresses
  • MyHeritage was breached in Oct 2017. 91,991,358 accounts were exposed. 25 of these were @nipissingu.ca addresses
  • ShareThis was breached in Jul 2018. 40,960,499 accounts were exposed. 66 of these were @nipissingu.ca addresses

Other major breaches have included places like Adobe, DropBox, Equifax and more.

If you think that you may have been in one of those, it’s a good reason to refresh your passwords now and be sure you are using good quality and unique passwords/passphrases everywhere.

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

The Return of the Norton Scanner Scam

The Tip

What’s old is new again. If you’re surfing and you get a pop-up that says something along the lines of “Norton Security: Your PC is infected with 5 viruses”… DO NOT click on proceed or install.

The Detail

This is a social engineering attack that displays a fake alert stating that your computer is infected and that you need to download a program to fix it. However, if you click on the “Install Now” button, rather than downloading a trustworthy program, you will be installing a piece of malware or adware.

This scam has been around a while and keeps resurfacing in minor variations. Much like the fake Facebook login we talked about two weeks ago, it is very convincing. There are a few tell-tale signs though, and things you need to know:

  • Your system cannot be scanned for viruses by a website running in your browser
  • You will not get virus scans from apps that are not installed on your computer; only locally installed apps can do this

If you do see this, do not just close the pop-up window, as that can actually install the virus. Here is what to do:

At Home

  • Close the browser window
  • Open your antivirus application
  • Run a scan

At work

  • Don’t click on anything and leave your machine on
  • Disconnect from the network if you can (unplug the network cable)
  • Call UTS support

For more information about this, here is Norton’s page on tech support scams and a detailed post in the Norton blog. There is also a thorough article with instructions for removal using several different tools in this post on malwaretips.com.

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

Passwords and Passphrases, again

The Tip

In this issue, I’d like to revisit our first Cybersecurity post from November of 2017, “Passwords vs Passphrases”. It is as important and relevant today as it was then.

The Detail

I won’t repeat the entire first post here. The condensed version is “passwords are bad, passphrases are better”. An uncredited quote on the topic of passwords is that “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess”.

So why is a passphrase better than a password?

  • Passphrases are easier to remember than a random string of symbols and letters combined together. It would be easier to remember a phrase from your favorite song or your favorite quotation than to remember a short but complicated password.
  • Passwords are relatively easy for both humans and automated tools to guess or crack. Online criminals have also levelled up, with state-of-the-art cracking tools designed to break even the most complicated passwords easily.
  • Passphrases satisfy complexity rules easily. Using punctuation and mixed case in a passphrase also meets the complexity requirements set for passwords.
  • Major OSs and applications support passphrases. All major OSs, including Windows, Linux and Mac, allow passphrases of up to 127 characters. Hence, you can opt for longer passphrases for maximum security.
  • Passphrases are next to impossible to crack, because most of the highly efficient password cracking tools break down at around 10 characters. Hence, even the most advanced cracking tool won’t be able to guess, brute-force or pre-compute these passphrases.

See the original post here as well as a great infographic on why “correct horse battery staple” is MUCH better than “Tr0ub4dor&3”.
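To put numbers on why “correct horse battery staple” beats “Tr0ub4dor&3”, here is an added Python example (not from the original post or from the infographic’s author). It contrasts the naive character-set entropy of a mangled word with the much smaller space a pattern-aware cracker actually searches, computes the entropy of a passphrase drawn from a word list, and generates one with the `secrets` module. The per-pattern bit counts follow the infographic’s accounting and are assumptions; the word list is a constructed stand-in for a real list of a few thousand words.

```python
import math
import secrets

# Constructed stand-in for a real word list (a real generator uses thousands of words).
WORDS = ["correct", "horse", "battery", "staple", "apple", "river", "window", "candle",
         "pencil", "garden", "silver", "rocket", "forest", "button", "copper", "violet"]


def naive_bits(length: int, alphabet_size: int) -> float:
    """Entropy if every character were picked uniformly from the alphabet.
    This is what password-complexity rules implicitly assume."""
    return length * math.log2(alphabet_size)


def pattern_bits_troubador() -> int:
    """What a cracker that knows the common tricks has to search for 'Tr0ub4dor&3'
    (assumed figures, following the infographic): an uncommon base word ~16 bits,
    capitalisation 1, leet substitutions 3, one digit 3, one symbol 4, their order 1."""
    return 16 + 1 + 3 + 3 + 4 + 1


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of `word_count` words chosen uniformly (with replacement) from a dictionary.
    The attacker is assumed to know the dictionary; only the choice is secret."""
    return word_count * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a fixed guess rate."""
    return 2 ** bits / guesses_per_second


def make_passphrase(word_count: int, wordlist: list = WORDS) -> str:
    """Pick words with a cryptographic RNG (secrets), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    rate = 1000  # guesses/second against a throttled online service (assumed figure)
    print(f"Tr0ub4dor&3 naive:   {naive_bits(11, 94):.1f} bits")
    print(f"Tr0ub4dor&3 pattern: {pattern_bits_troubador()} bits, "
          f"{seconds_to_exhaust(28, rate) / 86400:.0f} days at {rate}/s")
    print(f"4 words from 2048:   {passphrase_bits(4, 2048):.0f} bits, "
          f"{seconds_to_exhaust(44, rate) / (86400 * 365):.0f} years at {rate}/s")
    print("example passphrase:", make_passphrase(4))
```

The naive 72-bit estimate is what complexity rules credit the mangled word with; the 28-bit pattern estimate is what an attacker who knows the tricks actually faces, which is why the four plain words win.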

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

Phishing for Facebook Logins

The Tip

A new phishing attack has surfaced that can easily catch the most diligent of us. It is also fortunately easy to spot, once you’re aware of what to look for.

The Detail

We’ve all been to sites now that offer you the convenience of logging in with your Facebook or Google account. This is a great convenience and can really reduce the number of accounts you might need to have for casual things like news blogs and such. This new attack targets that model we have become used to. Its effectiveness is its simplicity.
Here’s how it works.

  • Generally when you click on a link to “log in with Facebook” you are either re-directed to Facebook or you get a pop-up window with Facebook’s login screen.
  • In this attack you get a pop-up window that exactly mimics the Facebook pop-up, down to the apparent lock/secure icon and green address bar.
  • You enter your username and password.
  • The login will fail, but the criminals have now captured your Facebook login credentials.

How do we protect ourselves from this? Once you know what to look for, it’s actually easy to spot.

  • Try dragging the pop-up window away from the window it is being displayed in
  • If you cannot drag the pop-up away, and it instead disappears beyond the bounds of the parent window, it is a fake. DO NOT USE.

Here is a video demonstrating

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

 

Finding the Sender

The Tip

It’s actually rather trivial to fake a sender in an email phish, and easy to spot the simple attempts. In some cases, especially on a mobile device, it’s not always obvious that a ‘from’ address has been faked. Here’s how to check quickly.

The Detail

In this post we’re not going to cover the more sophisticated methods by which a ‘from’ address can be faked in a phishing attempt. Let’s just discuss the simple and most common ones: those where the display name doesn’t match the actual address. This is the most common technique in low-level phishing attempts.

These are actually generally easy to spot in desktop email clients. You might see something like this in the ‘from’ field. 

From: Technology Services tech@fakedomain.com

We know by now to look at the address and see that it doesn’t match the name.
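As an added example (not from the original post), here is a small Python checker for the simple display-name mismatch described here and in the Mike DeGagné alert earlier on this page: it splits a From: header into display name and actual address, then flags a name that should only ever come from the university’s domain, or an address written into the display name that differs from the real sender. The trusted domain and the list of internal display names are assumed values; the sample headers are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Assumed values for this example: the organisation's own domain, and display
# names that should only ever arrive from that domain.
TRUSTED_DOMAINS = {"nipissingu.ca"}
INTERNAL_DISPLAY_NAMES = {"technology services", "uts", "mike degagné"}

# Matches an email-shaped token; the last one in the header is the real sender.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class FromCheck:
    display_name: str
    address: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_from(header: str) -> tuple[str, str]:
    """Split a From: header into (display name, actual address).

    Works for both 'Name <addr>' and the bare 'Name addr' form quoted above:
    the last email-shaped token is the address, the text before it is the name.
    """
    value = header.split(":", 1)[1] if header.lower().startswith("from:") else header
    matches = list(ADDR_RE.finditer(value))
    if not matches:
        return value.strip(), ""
    last = matches[-1]
    display = value[: last.start()].strip().strip('<"\' ')
    return display, last.group(0).lower()


def check_from(header: str) -> FromCheck:
    """Flag the two common display-name tricks that a mobile client would hide."""
    name, addr = parse_from(header)
    result = FromCheck(name, addr)
    if not addr:
        result.reasons.append("no sender address found")
        return result
    domain = addr.rsplit("@", 1)[1]
    # 1. A name we only expect from our own domain, but the mail comes from elsewhere.
    if name.lower() in INTERNAL_DISPLAY_NAMES and domain not in TRUSTED_DOMAINS:
        result.reasons.append(f"display name '{name}' but address domain is {domain}")
    # 2. The display name itself contains an address that is not the real sender.
    for shown in ADDR_RE.findall(name):
        if shown.lower() != addr:
            result.reasons.append(f"display name shows {shown} but mail is from {addr}")
    return result


if __name__ == "__main__":
    # Constructed sample headers (the first is the one quoted in the post).
    samples = [
        "From: Technology Services tech@fakedomain.com",
        "From: Technology Services <techsrv@nipissingu.ca>",
        'From: "helpdesk@nipissingu.ca" <random123@gmail.com>',
    ]
    for h in samples:
        r = check_from(h)
        print("SUSPICIOUS" if r.suspicious else "ok        ", h, r.reasons)
```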

This gets a little harder on a mobile device though. Most mobile devices, and even some desktop mail applications, will just show the display name. This might be in an effort to conserve limited screen real estate, or it may be just to keep things a little prettier looking. It does make it a little harder to spot the bad guys though.

This infographic illustrates how to check the actual email address in the default mail applications on iOS and Android phones. Although this is no guarantee that a more sophisticated sender-spoofing isn’t going on, it will expose most basic attempts.

InfoGraphic

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

 

 

Tax Identity Theft

The Tip

Tax season is not only the busiest time of the year for accountants and financial institutions. It is also becoming one of the busiest times of the year for scammers and thieves.

The Detail

There are many fraud types, and new ones arrive every day. These fraud attempts can arrive by telephone, mail, email, or text message. We all need to be vigilant when receiving any sort of communication that claims to be from Revenue Canada. These scammers are getting more sophisticated every year: they may try to get your personal information, intimidate you into paying them money, or direct you to very convincing but fake websites. We all need to be careful never to respond to these fraudulent communications.

The Government of Canada and the Canada Revenue Agency provide a lot of information to help protect us from these scams and attempted fraud. They also provide real-life examples of the sorts of scams that have been seen in the wild. I won’t repeat the entire website here, but please visit the following site for timely, high-quality information on:

  • how to recognize a scam (by phone, email, mail, messaging)
  • how to protect yourself from identity theft
  • what to do if you’ve been a victim
  • scam stories
  • a great list of external resources

https://www.canada.ca/en/revenue-agency/corporate/security/protect-yourself-against-fraud.html

In a nutshell, the CRA will never:

  • ask for personal information by email or text message
  • request payment by prepaid credit card
  • share your tax information with another person or organization, unless you have agreed that it can be shared
  • leave personal information on an answering machine
  • threaten or use nasty language

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

Password Managers

Foreword: Over the last year or so of researching and writing this blog, I’ve come to the conclusion that there really are only about ten cybersecurity tips, and they are mostly common sense. The rest are just minor variations. With that in mind, I’m going to repeat and rework a few from the last year over the next weeks. Please read on, as these are all really the essence of cybersecurity.

The Tip

The easiest way you can vastly improve your personal cybersecurity as well as improve all your password habits is to start using a password manager now.

The Detail

Passwords are the bane of online existence, but they’re not going anywhere in the foreseeable future. Most of us have to manage dozens or hundreds of different username:password combinations. Many solve this problem by using simple memorable passwords, or worse, using the same password on site after site after site. That’s just asking for trouble.

The fix is simple and cheap, in many cases free: start using a password manager now. The best password managers:

  • capture your credentials during account creation
  • capture credentials of existing logins upon first access
  • generate quality passwords for you when creating new ones
  • automatically log you in to sites
  • make your passwords available to you on all your devices, always in sync, online or offline
  • store other forms of information such as credit cards
  • warn you if you’re using weak passwords
  • warn you if your username:pass combination is part of a known breach
  • advanced commercial managers also offer features like team sharing of certain credentials

There are several very good free, commercial and subscription-based solutions out there. LastPass was one of the first and remains quite popular. I use 1Password for its robust features and also because it is a Canadian product. KeePass, Keeper and Dashlane are also popular. They all offer similar features, and most offer free trials or completely free solutions.

If you want to make your life a lot easier and your security a lot better, start using one today!

Here are some side-by-side feature reviews.

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

 

WiFi Safety

Foreword: Over the last year or so of researching and writing this blog, I’ve come to the conclusion that there really are only about ten cybersecurity tips, and they are mostly common sense. The rest are just minor variations. With that in mind, I’m going to repeat and rework a few from the last year over the next weeks. Please read on, as these are all really the essence of cybersecurity. Please also pay attention to the bonus tip at the end.

The Tip

Whether you’re vacationing, at a coffee shop, visiting a friend, or waiting in an airport, wifi hotspots are becoming ubiquitous. Sometimes the hotspots will cost a small fee, and other times they are free. In either case, be careful! Frequently, free wifi can be a scam set up by criminals just to see what information they can glean.

The Detail

In broad terms, this is how the scam works:

  • you browse your network connections to find a wifi network in the area
  • you find a network called “Free Wifi” or some such thing and decide to connect
  • this free wifi network is not actually a hot spot, but rather a computer-to-computer network that has been set up as a trap
  • while you believe you are using the internet as normal, you are actually browsing through the hacker’s computer, and as a result they can see everything you are doing online, including usernames and passwords

This is an especially big problem if you are doing any online banking or checking email or anything else where you are accessing accounts. Finally, if your device is set up for file sharing, the attacker can now access all your files and data, and even possibly install spyware or malware on your device.

Beware of the evil-twin.

Sometimes hackers will set up a real hot spot near a place that offers free wifi. Ask the business you are in whether there is a hot spot available and get its name. Only connect to that network, and if you see two hot spots with the same name, don’t connect to either of them. One of them could be the phoney evil twin, set up solely to trick you into connecting to it.

The easiest way to protect yourself from these sorts of scams is to be very cautious when using public wifi. If you’re in a place that has a legitimate network for a small fee, use it. It will be worth the peace of mind. If you do choose to connect to a free wifi network, keep the following things in mind:

  • anybody can name a wifi network whatever they want, so even though a free network may have a name that fits its context (e.g. “Pearson Airport Customer WiFi” in Pearson International Airport), that is no guarantee it is legitimate
  • avoid all financial transactions and online banking if you are not using a network that you know and trust
  • avoid using VPNs* or accessing sensitive information when using public wifi
  • use HTTPS to access webmail and avoid unencrypted protocols like HTTP or FTP
  • turn off your computer’s file-sharing capabilities when using public wifi
  • when choosing a wireless network, check out the description and never connect to a ‘computer-to-computer’ network
  • if your device has a firewall, use it

* In this context I mean avoid connecting to corporate or institutional Virtual Private Network while using public Wifi. This is not the same as using a VPN anonymizing service for security. I’ll discuss that in a future post.
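As an added example (not from the original post), the duplicate-name check above can be automated over a list of scanned access points. Because a legitimate multi-access-point network (an airport, a campus) broadcasts one name from many radios, the Python below goes a step beyond the post’s rule and flags a name when its copies disagree on security settings or come from different hardware vendor prefixes (the first three octets of the BSSID), and separately marks anything open. The scan lines are constructed, not real tool output, and the vendor-prefix logic only compares prefixes with each other; it does not look them up.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed scan results (not output of any real tool): SSID, BSSID, channel, security.
SAMPLE_SCAN = """
Pearson Airport Customer WiFi, aa:bb:cc:00:00:01, 6,  OPEN
Pearson Airport Customer WiFi, aa:bb:cc:00:00:02, 11, OPEN
CoffeeShop-Guest,              00:11:22:aa:bb:01, 1,  WPA2
CoffeeShop-Guest,              de:ad:be:ef:00:02, 6,  OPEN
Free Wifi,                     de:ad:be:ef:00:03, 6,  OPEN
"""

OPEN = "open network: nothing sent over it is encrypted by the wifi itself"
MIXED_SECURITY = "same name advertised with different security settings"
MIXED_VENDOR = "same name from access points with different hardware vendor prefixes"


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    channel: int
    security: str

    @property
    def vendor_prefix(self) -> str:
        """First three octets of the BSSID (the OUI) identify the radio's maker."""
        return self.bssid.lower()[:8]


def parse_scan(text: str) -> list[AccessPoint]:
    """Parse the simple comma-separated scan format used above (SSIDs without commas)."""
    aps = []
    for line in text.strip().splitlines():
        ssid, bssid, chan, sec = (f.strip() for f in line.split(","))
        aps.append(AccessPoint(ssid, bssid, int(chan), sec.upper()))
    return aps


def suspicious_ssids(aps: list[AccessPoint]) -> dict[str, list[str]]:
    """Return {ssid: [reasons]} for every network name worth avoiding."""
    by_name: dict[str, list[AccessPoint]] = defaultdict(list)
    for ap in aps:
        by_name[ap.ssid].append(ap)
    findings: dict[str, list[str]] = {}
    for ssid, group in by_name.items():
        reasons = []
        if len({ap.security for ap in group}) > 1:
            reasons.append(MIXED_SECURITY)  # e.g. an open copy of a protected name
        if len({ap.vendor_prefix for ap in group}) > 1:
            reasons.append(MIXED_VENDOR)  # a second radio that is not the venue's kit
        if any(ap.security == "OPEN" for ap in group):
            reasons.append(OPEN)
        if reasons:
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    for name, why in suspicious_ssids(parse_scan(SAMPLE_SCAN)).items():
        print(f"{name!r}: " + "; ".join(why))
```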

Special Bonus Tip

Given yet another major data breach in the news and another large collection of usernames and passwords being shared by hackers on the internet, it seems prudent to again mention the terrific service that lets you check Have I Been Pwned and Is My Password Floating Around. If you are not subscribed to this terrific service, please do so now.

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

Internet Hot Water

The Tip

This issue is just a light-hearted follow-up to the pre-holiday season’s “Internet Skinny Dipping”. I thought it was ironic to get this article in my news feed upon our return to work.


The Detail

Apparently, among the newest entries to the “Internet of Things” (IoT) is a smart-app-enabled hot tub. You may ask, “why would I need my hot tub to be smart?” I know I did. The fact is, though, that whether we need it or not, so many things are becoming net-connected that we need to be aware of the potential pitfalls. Hackers have already launched denial-of-service attacks against major web services using small armies of compromised appliances. Bad security habits can make it easy for a hacker to lock, unlock or start most modern vehicles, or mess with the heating and lighting in your smart house.

The following story is a tale of how we should never assume that the developers of these technologies are doing even basic due diligence in the security realm. It actually reads like a lesson in how not to do IoT security. Although it might seem merely humorous that some casual neighbourhood hacker might mess with the temperature of your hot tub, it gets a little scarier and a lot creepier when the tub also tells the hacker that the jets are in use, meaning someone is in the tub.

Enjoy the following read, and we’ll get back to regular tips next week.

IoT weaknesses leave hot tub owners in deep water

Nipissing University
100 College Drive, Box 5002
North Bay, ON, Canada
P1B 8L7
Tel: 705.474.3450
Fax: 705.474.1947
TTY: 877.688.5507