Summer Vacation

Just a quick note to let you know that the Cybersecurity blog will be taking a summer break. We hope to be publishing again sometime in the fall of 2018.

The Physical Side of Security Awareness

The Tip
Today’s tip comes from “The Security Awareness Company”, a partner in training with KnowBe4.com. By now, we are all aware of the security threats we face online such as viruses, phishing, shady websites and more. But what about physical security? The overlap between our physical and cyber lives is more apparent than most realize.

The Detail

Computers don’t hack other computers; people hack people using computers. Likewise, in our physical lives, humans are the key component to information security. Although the following is somewhat generic for a business environment, much of it still applies to us.

  • Keep It Clean. A messy desk is a security risk! It’s easy to lose important documents, devices or keycards in a messy work environment. Organization is key to our collective security.
  • Proper Disposal. Always follow policy when disposing of sensitive documents or outdated hardware! Dumpster divers are happy to dig for anything that might give them access to sensitive information.
  • Where’s Your Badge? Any person with proper credentials needs to ensure that any person without proper credentials is restricted from controlled areas. If you notice someone that doesn’t belong, even if it’s the delivery person you see every day, politely escort them to the approved area if you feel safe to do so and report the incident immediately!
  • Look Over Your Shoulder. If you’re in a public setting, like a coffee shop or restaurant, and you’re accessing sensitive information, you should A) use a VPN if you’re on public wifi, or use your phone’s cell data instead of the public wifi (a tablet or laptop can connect through your phone’s hotspot), and B) ensure no one can see your screen so you don’t fall victim to shoulder surfing. The best policy is to not access anything sensitive in public, but if you must, be mindful of who is near you and consider a privacy filter for your screen so no one else can read it.
  • Lock It Up! Even if it only takes you five minutes to grab a cup of coffee before returning to your desk, it’s important to lock your station. There’s a reason why our computers are password protected. Leaving them open for even a few moments is a major security failure. The same is true for doors that require security clearance.

Become your own human firewall and develop your home-grown culture of security 🙂

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

Safe Online Banking

The Tip

Most of us use online banking to some extent these days. It’s important to use good habits when doing so. If the following tips sound a little familiar, it’s because being safe online in any capacity, not just banking, pretty much boils down to these 5 basics.

The Detail

Banks use comprehensive safeguards to protect the integrity and security of your information and financial transactions. You need to do the same.

  • Good password habits. Use strong passwords and don’t reuse or recycle them. Bank passwords especially should be changed periodically.
  • If your bank offers two-factor authentication, use it.
  • Beware of phishing. We’ll never ask you for your password via email. Neither will your bank.
  • Always use a secure connection (https) and avoid banking over public wifi.
  • Be sure to always log out when you are done and not just close your browser.

Thank you to Greg Ferguson for the inspiration for today’s tip, which he found in the “CUCCIO Fast Five: IT News”, a great newsletter from the Canadian University Council of Chief Information Officers – http://www.cuccio.net/.

Become your own human firewall and develop your home-grown culture of security 🙂

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.


Tips For Safe Social Media Use

The Tip
Many of us use social media tools like Facebook or Twitter or Snapchat every day. Given the popularity of these tools, the landscape has become ripe ground for cyber criminals and fraudsters. Using these tools safely isn’t really complicated, and in many ways, the following list is just a summary of several of the topics we’ve already talked about in Cybersecurity.

The Detail

The following are good general guidelines for safer use of any social media tool, and the internet in general.

  • Make use of the site’s or tool’s privacy settings, read the policies, and revisit the privacy settings from time to time.
  • Don’t overshare. In general don’t share personal details such as phone numbers and home address, don’t share holiday plans and photos, at least not until you’re back. Criminals scour social networks looking for empty homes to burgle.
  • Don’t accept every friend and follower request you get without taking a few minutes to verify that it’s real. Criminals use these fake accounts to harvest personal information from others. It’s estimated that 25% or more of all social media accounts are fake.
  • Be wary of links. Just like phishing emails, you can’t trust all the links you see on social media sites.
  • Be careful if linking accounts. Many sites make it easy to log in with your Facebook account or Google account, by linking these together. By doing this, you are creating one easy entry point to all your social media spaces. That can be hugely convenient, but if that one account is compromised they are all compromised. If you are comfortable using this approach, be sure that you are following best security practices with that base/master account.
  • Use separate email accounts for registering with different social media networks. By doing that, your main email account is protected from spam or phishing you may receive via a compromised social media site.
  • Use strong and unique passwords. We cannot emphasize the importance of this enough. Use a separate and strong password for every account you have, social media or not.

Here is some additional very good reading for Facebook users:

How to Find Out Everything Facebook Knows About You
Did you know that you can easily download and see all the information Facebook has collected from you over the years in just a few minutes?
https://thehackernews.com/2018/04/facebook-data-download.html

How to Protect Your Facebook Data
Understanding and keeping up to date with Facebook’s privacy and security settings is a regular challenge.
https://nakedsecurity.sophos.com/2018/04/16/how-to-protect-your-facebook-data-updated/

Become your own human firewall and develop your home-grown culture of security 🙂

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

Is spam clogging your inbox?

The Tip

Spam campaigns are often a primary attack vector used by cyber criminals. Less spam means being a little more secure.

The Detail

Fortunately, it’s not all doom and gloom. There are a number of simple strategies you can take to weed out a lot of it and keep your inbox safer and less cluttered.

  • unsubscribe from any unnecessary newsletters, or newsletters you have not read in some time
  • be careful where you submit your email address, be it newsletters or contests or any other site
  • consider opening an additional email account to keep your most important one safer and more private
  • consider opening an additional email account just for newsletters
  • take advantage of filters and mark spam emails as spam to help your email provider block spam more effectively
  • never click on links in spam emails (even the ones that say unsubscribe)
  • never download and open attachments in spam emails
  • disable the automatic downloading of images in your emails
  • enhance your privacy settings on social media sites so no one can see your email account
  • if you have a website, protect your email address from automatically being scanned and harvested by spammers

Become your own human firewall and develop your home-grown culture of security 🙂

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.


Will Antivirus Software Make Me Untouchable

The Tip
So, you’ve done the research and chosen an antivirus software package that is well-reviewed. It’s all installed. That means you’re cyber bullet-proof, right? Wrong! You yourself are the most important part of your cyber security.

The Detail

Antivirus software alone won’t protect you from all the dangers out on the web. It alone does not mean hackers can’t reach you.

  • it will not help you if you ignore its recommendations and open that attachment or visit suspicious links
  • it often will not detect the latest generations of financial malware and other more sophisticated drive-by techniques
  • it cannot protect you from even the simplest of phishing attacks
  • it cannot protect you from any recent threats if you do not constantly keep its virus signature database up to date
  • it cannot protect you from social engineering attacks

We are not saying that antivirus software is obsolete or unimportant. It is just not enough on its own. Good antivirus software is still an important part of your cyber security toolkit but it is just one piece. You can’t just install it and forget about everything else. Good cyber security is a package made up of good tools, good habits, and good education.

In the end, we all become a part of the human firewall as we develop our own home-grown culture of security 🙂

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

WiFi Hotspot Scams

The Tip

Whether you’re vacationing, at a coffee shop, visiting a friend, or waiting in an airport, wifi hotspots are becoming ubiquitous. Sometimes the hotspots will cost a small fee, and other times they are free. In either case, be careful! Frequently, free wifi can be a scam set up by criminals just to see what information they can glean.

The Detail

In broad terms, this is how the scam works:

  • you, the unsuspecting victim, browse your network connections to find a wifi network in the area
  • you find a network called “Free Wifi” or some such thing and decide to connect
  • this free wifi network is not actually a hot spot, but rather a computer-to-computer network that has been set up as a trap
  • while you believe you are using the internet as normal, you are actually browsing through the hacker’s computer, and as a result, they can see everything you are doing online, including usernames and passwords

This is an especially big problem if you are doing any online banking or checking email or anything else where you are accessing accounts. Finally, if your device is set up for file-sharing, the attacker can now access all your files and data, and even possibly install spyware or malware on your device.

Beware of the evil-twin.

Sometimes hackers will set up a real hot spot near a place that offers free wifi. Ask the business you are in if there is a hot spot available and get the name of it. Only connect to that network, and if you see two hot spots with the same name, don’t connect to either of them. One of them could be the phoney evil-twin, set up solely to trick you into connecting to it.

The easiest way to protect yourself from these sorts of scams is to be very cautious when using public wifi. If you’re in a place that has a legitimate network for a small fee, use it. It will be worth the peace of mind. If you do choose to connect to a free wifi network, keep the following things in mind:

  • anybody can name a wifi network whatever they want, so even though a free network may have a name that is correct within context (e.g. “Pearson Airport Customer WiFi” if in Pearson International Airport), that is no guarantee it is legitimate
  • avoid all financial transactions and online banking if you are not using a network that you know and trust
  • avoid using VPNs or accessing sensitive information when using public wifi
  • use https to access webmail and avoid non-encrypted protocols like http or ftp
  • turn off your computer’s file-sharing capabilities when using public wifi
  • when choosing a wireless network, check out the description and never connect to a ‘computer-to-computer’ network
  • if your device has a firewall, use it
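Two of the checks above (two hot spots with the same name; never join a computer-to-computer network) can be applied to a scan list before you connect. The following is an added example, not code from the original post. Its input format is modelled on the terse output of `nmcli -t -f SSID,BSSID,MODE,SIGNAL dev wifi list` (fields separated by `:`, with literal colons inside a field escaped as `\:`), and the scan lines embedded in it are constructed for the example.

```python
"""Flag evil-twin candidates and ad-hoc networks in a wifi scan list.

Added example, not part of the original post. Input is modelled on the
terse output of `nmcli -t -f SSID,BSSID,MODE,SIGNAL dev wifi list`; the
scan below is constructed, not captured from a real scan.
"""
from collections import defaultdict

# Constructed scan: one SSID advertised by two different access points
# (the "same name twice" case), one ad-hoc network, one ordinary network.
SAMPLE_SCAN = """\
CoffeeHouse Guest:AA\\:BB\\:CC\\:11\\:22\\:33:Infra:78
CoffeeHouse Guest:DE\\:AD\\:BE\\:EF\\:00\\:01:Infra:64
Free Wifi:02\\:11\\:22\\:33\\:44\\:55:Ad-Hoc:55
Library-WPA:AA\\:BB\\:CC\\:11\\:22\\:44:Infra:40
"""


def split_terse(line):
    """Split one nmcli terse line on unescaped ':' and unescape '\\:'."""
    fields, buf, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character, keep literally
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == ":":                           # unescaped separator
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_scan(text):
    """Turn scan text into a list of {ssid, bssid, mode, signal} dicts."""
    nets = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ssid, bssid, mode, signal = split_terse(raw)
        nets.append({"ssid": ssid, "bssid": bssid, "mode": mode, "signal": int(signal)})
    return nets


def assess(nets):
    """Return {ssid: verdict}; verdict is 'ok', 'duplicate-name' or 'ad-hoc'.

    'ad-hoc' wins over 'duplicate-name' because a computer-to-computer
    network is the more serious warning sign.
    """
    by_ssid = defaultdict(list)
    for net in nets:
        by_ssid[net["ssid"]].append(net)
    verdicts = {}
    for ssid, aps in by_ssid.items():
        if any(ap["mode"] != "Infra" for ap in aps):
            verdicts[ssid] = "ad-hoc"
        elif len({ap["bssid"] for ap in aps}) > 1:
            verdicts[ssid] = "duplicate-name"
        else:
            verdicts[ssid] = "ok"
    return verdicts


if __name__ == "__main__":
    for ssid, verdict in assess(parse_scan(SAMPLE_SCAN)).items():
        print(f"{ssid!r}: {verdict}")
```

A duplicate-name verdict is a prompt to ask the venue, not proof of an evil twin: large sites legitimately run one SSID across many access points with different BSSIDs, which is exactly why the post says to confirm the network name with the business before connecting.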

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.


Have I Been Pwned

The Tip
We should all know by now that using the same password on multiple sites is a big security no-no! We might think our username:password is safe with the big companies, but this is absolutely not true. Did you know there is a service where you can check to see if your information has been in a known compromise?

The Detail

The word ‘Pwned’ is internet and gamer/hacker slang for being ‘owned’. It is the term used when a hacker gets your username and password combination from a site they have compromised, because at this point, there’s a good chance they own you… especially if you have used that username and password combination somewhere else. They will immediately send out bots that travel around the web trying services like Amazon and major banks, or your work if your username is a work related email address, just to see where they can break in. It’s all too easy and can happen in seconds.

We might like to think we are safe if we only use major sites and stay away from the shadier corners of the internet. After all, surely companies like Adobe and Dropbox and LinkedIn will have the best of security and never be compromised, right? Actually wrong. My own information has been stolen from data breaches on those sites and made available in hacker communities several times. How do I know this? It’s simple. There is an excellent service through which you can check your information and also set up an alert that will notify you of future compromises.

This website is https://haveibeenpwned.com. If you have never used this site before, do it now. It’s an easy to use service that will tell you how many times and where your information has been exposed (7 times for my personal address and 1 time for my work address). You can then also choose to subscribe and receive an email alert if a new breach involving your address is discovered.

This is a great way to stay on top of these things and it certainly reinforces why you should never recycle passwords. Getting a zero result here is no guarantee that your credentials have never been stolen, but it’s a pretty good service nonetheless. Try it today.

If you do find that you’ve been pwned, be sure to change your password at the compromised site, and use a unique password everywhere else you may have used the same password.
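The same site also publishes a Pwned Passwords range API that lets you check whether a password itself appears in known breaches without ever sending the password: only the first five hex characters of its SHA-1 hash leave your machine, and you match the rest locally. The code below is an added example, not from the original post; it assumes the endpoint `https://api.pwnedpasswords.com/range/<first 5 hex chars>` returning lines of the form `<remaining 35 hex chars>:<count>`, and the range response embedded for the offline demo (and its count) is constructed.

```python
"""Check a password against the Pwned Passwords range API (k-anonymity).

Added example, not part of the original post. Assumes the public
endpoint https://api.pwnedpasswords.com/range/<5 hex chars>, which
returns "<35 hex chars>:<count>" lines. The sample response below is
constructed so the demo runs offline.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed range response for prefix 5BAA6 (SHA-1 prefix of "password").
# The suffix on the second line is the real remainder of that hash; the
# other suffix and all counts are made up for the example.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
"""


def sha1_prefix_suffix(password):
    """Return (first 5 hex chars, remaining 35) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Scan a range response locally; return the breach count for suffix, or 0."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Network fetcher: download the range for a 5-char prefix (not used in tests)."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "hibp-range-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Return how many times the password appears in the range; 0 if not listed.

    `fetch` is injectable so the logic can be exercised offline.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


def offline_fetch(prefix):
    """Stand-in for the network that knows only the constructed 5BAA6 range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, fetch=offline_fetch)} times (offline demo)")
```

A zero result means only that the hash is absent from the published set, the same caveat the post gives for the email lookup; a non-zero result is reason enough to retire the password everywhere it was used.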

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

USB, Don’t Trust Anything

The Tip
We should all know by now to never insert an unknown USB drive into our computer or laptop. Sadly, researchers are finding more and more crafty ways that criminals are abusing the ‘Universal’ part of Universal Serial Bus. We now have to be careful with more than just USB drives.

The Detail

New research from Ben-Gurion University has exposed 29 types of USB attacks, and these also extend to your smartphone. These attacks can take many shapes, ranging from an electrical surge being sent to your device, destroying it, to microcontrollers acting as invisible keyboards that send instructions to your computer or phone. There are many non-trivial USB-based attacks out there. They show that you should never use a USB charger you find lying around, nor those convenient public USB ports you might find in airports and the like. Basically, criminals are re-purposing off-the-shelf products, and the results are hard to spot. Unfortunately, the Universal aspect of USB means that any of these devices, even a simple-looking charger, can be used as a gateway for introducing spyware, ransomware, power spikes, and more.

The general safe rule of thumb is to treat technology and USB devices of all kinds as something to not naturally trust. If you found food or drugs lying on the ground, you wouldn’t pick it up and ingest it. It should be the same with things like USB chargers or headsets or drives or whatever. You need to be just as cautious. It’s an unfortunate aspect of the technological times we live in.

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

Thanks to Chuck S. for pointing me to an article on TechRepublic for this week’s inspiration. If you have any suggestions for future weekly tips, please email verdonv@nipissingu.ca.

Where To Keep Your Data, And Why

This week’s topic is “Where to keep your data, and why”. It is more an information piece geared to getting you to think than a simple tip.

The Tip

These days, many of us work on laptops and take our work with us everywhere. Even if we do not work on a laptop, we probably use a smartphone, and have a large amount of data with us at all times. Although this makes for terrific portability and convenience, to have our office with us at all times, it also opens the door to all sorts of risk to our data and privacy. To be diligent and responsible in this modern landscape, we need to ask ourselves, “What are we keeping on our laptops, and why? What should we not be keeping on our laptops? How do we protect what we do store?”

The Detail

This is a complex issue and there are several variables. Broadly, we need to consider privacy and security, not just when we are working but also in the case of loss or theft.

Although most of us never really think about the distinction, we should ask ourselves, “Is this primarily a work computer that I do a little personal stuff on, or primarily a personal computer that I do a little work on?” In either case, it’s probably a good idea to have separate user accounts on the laptop for each purpose. This will prevent things like your personal bookmarks and search history, possibly passwords, and other personal details from coming up when you are doing a work presentation. Think of this in the same way as many of us have separate email addresses for personal and for work.

The biggest risk to your device (and data) is loss or theft. In such a circumstance, you are not only losing the device and the data, you are also risking a third party getting access to all your data, which could expose all sorts of personal and administrative risk and liability. There are two issues here that need different approaches. The first is actually getting access to your data again in such a circumstance, and the second is preventing a third party from being able to do anything with your data. There are several strategies for each. Another huge risk to the privacy of your data is crossing borders. The rules around the privacy of your data are more than a little fuzzy, and change on a regular basis from jurisdiction to jurisdiction. In many, if not most, cases you can be legally compelled to unlock your device (and any data on it) for border officials.

So, where should we store our data? There are several approaches, each with pros and cons to consider. We might choose to just do the easy thing and keep everything on our laptop’s hard drive. This is certainly convenient, though it is the most vulnerable to loss or theft. It is also very vulnerable to any border agency that might insist on seeing what’s on your device. We might choose to keep all our sensitive data on a USB drive. Although these small storage devices are easy to lose, they are also easier to keep private at customs agencies (if that’s a concern) and, assuming you are carrying them separately from your laptop, they are not a big obvious target for thieves. Regardless of whether you are using local storage or removable media, you absolutely should be using encryption. This is the only protection in the case of loss or theft. Your laptop’s login password will only slow a thief down by a few seconds. Encryption of your hard drive or USB drive is the only way to protect the privacy of your data from theft. macOS and more recent versions of Windows both have encryption tools built in, and there are several commercial tools available as well.

Of course, privacy is only one concern in the case of loss or theft. So is actually losing all your data, so regardless of where you store your data, regular backups to other storage devices (that you test occasionally) are essential!

The third option for where to store your sensitive data is the cloud. The cloud might mean a business network file-share, or services like Google Drive, Dropbox, OneDrive, Amazon, and so on. Cloud storage offers many advantages, provided you have an internet connection. It is the best way to cross a border if you have data you need to be 100% sure remains secure, because none of your sensitive data will actually be on the device that you can be compelled to unlock. It is not vulnerable to theft or casual loss. Many cloud services also offer backups. Most cloud services have a team of security experts working on keeping your data safe and secure. Although cloud services may seem ideal, truth be told, most of the providers have had some security incidents in their history. Of course, access to your cloud data will only be as secure as the quality of your password 😉

So, that’s a relatively brief discussion on a few topics you should consider when deciding where and how to store your data. Although I’ve just scratched the surface, I hope this week’s discussion will encourage you to give some thought to these topics, and maybe do a little more reading. At the very least, you should be backing up regularly, and give serious thought to encryption. I’ve included a few links below for more reading, and as always, google is your friend.

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.


Special Security Alert – Spear Phishing

In the last 48 hours, a huge increase in very sophisticated phishing emails has been reported by several major industry partners in the US and Canada, including finance, business and higher education. What is making these ‘Spear’ Phishing attempts so effective is that they contain very targeted and specific personal information, such as names and social security numbers, making them very convincing. It’s anybody’s guess where the personal information is coming from, but it’s a good bet that recent compromises at Equifax and others are leading to more and more of these sophisticated attacks.

Please have a look at the PDF Tip Sheet on spotting Spear Phishing attempts.

More information from one of our partners, Beazley Breach Solutions, follows.

March 9, 2018

New Spear Phishing Attack Using Employee SSN As Bait
The Beazley Breach Response (BBR) Services team is currently working with many policyholders who have reported within the last 48 hours that their employees have received and clicked on a new, particularly effective spear phishing email. While the first incidents were reported by credit unions, we have now seen incidents occur across industries, including higher education and utilities.

Spear phishing is a form of phishing that is targeted at the recipient and appears to come from a trusted sender. This new attack is made to look like it comes from FedEx. The phishing emails included the targeted employee’s name and Social Security number. Noteworthy here is that these phishing emails “up the game” by actually including employee personal information in the email, which may be the reason the recipients were tricked into clicking on the email’s links.

The links in the email take the email recipient to a Google Docs page, which retrieves a unicode-encoded Visual Basic (VB) script from Google and uses that as a dropper to download and install malware. Essentially, this means that in these cases there is a reasonable probability of a malware infection that could potentially impact personally identifiable information (PII).

BBR Services is working closely with the affected organizations along with legal and forensic experts to investigate and mitigate any impact and also to find a common source of the compromised information.

If you receive a suspicious email, or anything you are unsure of, please contact techsrv@nipissingu.ca, and we’ll be glad to look into it for you.


Check Before You Click

The Tip

Did you know that many viruses and other forms of compromise can now be spread just by visiting a website? This makes it more important than ever to be careful what you click on!

The Detail

Potentially harmful links can come to you from all sorts of sources, including email, Facebook, Twitter and other social media tools, messaging apps, and more. If you use a reliable anti-virus solution, it may warn you about some of them, but that protection is not available to everyone, and it is not enough. Many fraudsters use URL shorteners to hide where the link will actually take you. You cannot simply avoid these tiny URLs, though, as they are a useful tool used for many legitimate purposes.

There are several online services which will take a link you provide (copy/paste), and either analyze it for safety, or simply expand where the shortened URL will actually take you, without taking you there. These services are quick and easy to use, and a very useful tool in your cyber security tool chest.
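If you would rather do the expansion yourself than paste the link into a third-party service, the principle is the same: ask each hop only for its headers and never load a page body. The code below is an added example, not from the original post or any particular service. It uses Python’s standard `urllib` with redirects disabled so each hop is observed rather than silently followed, caps the chain length, stops on a loop, and (for an offline demo) accepts an injected probe function backed by a constructed redirect table in place of the network; the `.example` hostnames in that table are constructed.

```python
"""Expand a shortened URL with HEAD requests only, without visiting the page.

Added example, not part of the original post. Network hops use urllib
with redirect-following disabled; the offline demo injects a constructed
redirect table so the chain logic runs without network access.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

MAX_HOPS = 10


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses so the caller sees each hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # fall through: urllib raises HTTPError for the 3xx


_opener = urllib.request.build_opener(_NoRedirect)


def head_location(url):
    """Return the Location header of a redirect, or None if the URL is final.

    Only a HEAD request is sent, so no page body is ever downloaded.
    """
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "url-expander-example"}
    )
    try:
        with _opener.open(req, timeout=10) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:          # the redirect we asked urllib not to follow
            return err.headers.get("Location")
        raise


def expand(url, probe=head_location, max_hops=MAX_HOPS):
    """Follow the redirect chain; return every URL seen, final destination last.

    Raises ValueError on a redirect loop or when the chain exceeds max_hops.
    """
    chain = [url]
    for _ in range(max_hops):
        nxt = probe(chain[-1])
        if nxt is None:
            return chain
        nxt = urljoin(chain[-1], nxt)      # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)


# Constructed redirect table standing in for the network (hostnames are
# reserved .example names, not real sites).
FAKE_TABLE = {
    "https://short.example/abc": "https://t.example/go?x=1",
    "https://t.example/go?x=1": "/landing",        # relative Location
    "https://t.example/landing": None,             # final page
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}


def fake_probe(url):
    """Offline stand-in for head_location using FAKE_TABLE."""
    return FAKE_TABLE[url]


if __name__ == "__main__":
    print(" -> ".join(expand("https://short.example/abc", probe=fake_probe)))
    try:
        expand("https://loop.example/a", probe=fake_probe)
    except ValueError as err:
        print("stopped:", err)
```

Knowing the final hostname is a starting point, not a verdict: a shortener may answer a HEAD differently from a browser’s GET, and a plain-looking destination can still host a drive-by page, so the expanded URL is best fed to one of the reputation services the post mentions before anyone clicks it.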

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.


Nipissing University
100 College Drive, Box 5002
North Bay, ON, Canada
P1B 8L7
Tel: 705.474.3450
Fax: 705.474.1947
TTY: 877.688.5507