WiFi Safety

Foreword: Over the last year or so of researching and writing this blog, I’ve come to the conclusion that there really are only about ten cybersecurity tips, and they are mostly common sense. The rest are just minor variations. With that in mind, I’m going to repeat and rework a few from the last year over the next weeks. Please read on, as these are all really the essence of cybersecurity. Please also pay attention to the bonus tip at the end.

The Tip

Whether you’re vacationing, at a coffee shop, visiting a friend, or waiting in an airport, wifi hotspots are becoming ubiquitous. Sometimes the hotspots will cost a small fee, and other times they are free. In either case, be careful! Free wifi can be a scam set up by criminals just to see what information they can glean.

The Detail

In broad terms, this is how the scam works:

  • you browse the available network connections to find a wifi network in the area
  • you find a network called “Free Wifi” or some such thing and decide to connect
  • this “free wifi” network is not actually a hotspot, but a computer-to-computer (ad-hoc) network that has been set up as a trap
  • while you believe you are using the internet as normal, all of your traffic actually passes through the attacker’s computer. Anything sent unencrypted (plain http, ftp, older mail settings) is readable to them, usernames and passwords included; even with https they still see which sites you visit and can steer you to a look-alike login page

This is an especially big problem if you are doing any online banking or checking email or anything else where you are accessing accounts. Finally, if your device is set up for file-sharing, the attacker can now access all your files and data, and even possibly install spyware or malware on your device.

Beware of the evil-twin.

Sometimes hackers will set up a real hotspot near a place that offers free wifi. Ask the business you are in if there is a hotspot available and get its exact name. Only connect to that network, and if you see two hotspots with the same name, don’t connect to either of them. One of them could be the phoney evil twin, set up solely to trick you into connecting to it. (Large venues do legitimately broadcast one name from many access points, so the surest sign of a twin is the same name appearing once with a password and once without, or a name the venue did not give you.)

The easiest way to protect yourself from these sorts of scams is to be very cautious when using public wifi. If you’re in a place that has a legitimate network for a small fee, use it. It will be worth the peace of mind. If you do choose to connect to a free wifi network, keep the following things in mind:

  • anybody can name a wifi network whatever they want, so even though a free network may have a name that is correct within context (eg: “Pearson Airport Customer WiFi” if in Pearson International Airport) that is no guarantee it is legitimate
  • avoid all financial transactions and online banking if you are not using a network that you know and trust
  • avoid connecting to VPNs* or accessing sensitive information when using public wifi
  • use https to access webmail (check for the padlock and the correct address in the browser) and avoid non-encrypted protocols like http or ftp
  • turn off your computer’s file-sharing capabilities when using public wifi
  • when choosing a wireless network, check out the description and never connect to a ‘computer-to-computer’ network
  • if your device has a firewall, use it

* In this context I mean avoid connecting to a corporate or institutional Virtual Private Network while using public wifi. This is not the same as using a VPN anonymizing service for security. I’ll discuss that in a future post. One caveat: a properly configured VPN tunnel is itself encrypted and authenticated, so the real exposure is in what you type on the untrusted network before the tunnel is up (institutional credentials into a captive portal or a look-alike login page, for example).
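The warning signs in the list above can be checked mechanically before you click “connect”. The following is an added example, not the author’s own code: it triages a constructed scan (fake network names and fake hardware addresses) the way the list recommends, flagging computer-to-computer networks, unencrypted networks, the same name broadcast with two different security settings, and any name other than the one the venue gave you. The CSV layout and column names are assumptions chosen for the demo, not the output of any particular scanner.

```python
"""Triage a Wi-Fi scan for the warning signs listed above.

Example code added to this post, not the author's own. The scan is
constructed by hand (fake SSIDs and fake BSSIDs); the column layout is
an assumption chosen for the demo, not any real scanner's output.
"""
import csv
import io
from collections import defaultdict

# Constructed scan: "ad-hoc" is the "computer-to-computer" network the
# post warns about, and "--" in the security column means no encryption.
SAMPLE_SCAN = """\
ssid,bssid,mode,security,channel
Airport Customer WiFi,00:11:22:33:44:55,infra,WPA2,6
Airport Customer WiFi,AA:BB:CC:DD:EE:01,infra,--,11
Free WiFi,DE:AD:BE:EF:00:01,ad-hoc,--,1
CoffeeShop_Guest,00:11:22:33:44:66,infra,WPA2,36
"""

OPEN = "--"


def parse_scan(text):
    """Turn the CSV scan into a list of {ssid, bssid, mode, security, channel} dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(networks, expected_ssid=None):
    """Map each network name to a list of warnings.

    An empty list means the scan shows nothing against that name; it is
    not proof the network is safe, only that the checks below passed.
    """
    by_ssid = defaultdict(list)
    for net in networks:
        by_ssid[net["ssid"]].append(net)

    findings = {}
    for ssid, aps in by_ssid.items():
        warnings = []
        modes = {ap["mode"] for ap in aps}
        securities = {ap["security"] for ap in aps}
        if "ad-hoc" in modes:
            warnings.append("computer-to-computer (ad-hoc) network, not a hotspot")
        if OPEN in securities:
            warnings.append("no encryption: anyone nearby can read unencrypted traffic")
        if len(securities) > 1:
            # One name, two different security settings: the classic evil twin.
            warnings.append("same name with different security settings: likely evil twin")
        elif len(aps) > 1:
            # Large venues legitimately use one name on many access points,
            # so this alone is only a reason to ask the venue.
            warnings.append("same name from several access points: confirm with the venue")
        if expected_ssid is not None and ssid != expected_ssid:
            warnings.append("not the network name the venue gave you")
        findings[ssid] = warnings
    return findings


def safe_to_consider(findings):
    """Names with no warnings at all; an empty result means connect to none."""
    return sorted(ssid for ssid, warnings in findings.items() if not warnings)


if __name__ == "__main__":
    report = triage(parse_scan(SAMPLE_SCAN), expected_ssid="CoffeeShop_Guest")
    for ssid, warnings in report.items():
        print(f"{ssid!r}: {warnings or 'no warnings'}")
    print("safe to consider:", safe_to_consider(report))
```

On a real machine you would feed in your operating system’s scan (for example `nmcli dev wifi` on Linux or `netsh wlan show networks mode=bssid` on Windows) after converting it to the same columns; the point of the example is which combinations of fields deserve suspicion, not the parsing.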

Special Bonus Tip

Given yet another major data breach in the news and another large collection of usernames and passwords being shared by hackers on the internet, it seems prudent to again mention the terrific service to check Have I Been Pwned and Is My Password Floating Around. If you are not subscribed to this terrific service, please do so now.

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

Internet Hot Water

The Tip

This issue is just a light-hearted follow-up to the pre-holiday season’s, “Internet Skinny Dipping”. I thought it was ironic to get this article in my news feed upon our return to work.


The Detail

Apparently among the newest entries to the “Internet of Things” (IoT) is a smart-app-enabled hot tub. You may ask, “why would I need my hot tub to be smart?” I know I did. The fact is, though, whether we need it or not, so many things are becoming net-connected that we need to be aware of the potential pitfalls. Hackers have already launched Denial of Service attacks against major web services using small armies of compromised appliances (the 2016 Mirai botnet was built from cameras and home routers). Bad security habits can make it easy for a hacker to lock, unlock or start some connected vehicles, or mess with the heating and lighting in your smart house.

The following story is a tale of how we should never assume that the developers of these technologies are doing even basic due diligence in the security realm. It reads like a lesson in how not to do IoT security. Although it might seem merely humorous that some casual neighbourhood hacker could mess with the temperature of your hot tub, it gets a little scarier and a lot creepier when the tub also tells the hacker that the jets are in use, meaning someone is in the tub.

Enjoy the following read, and we’ll get back to regular tips next week.

IoT weaknesses leave hot tub owners in deep water

Internet Skinny-dipping

The Tip

This holiday season, many of us will give or unwrap a brand new computer, phone or tablet. Let’s take a few minutes before we take our first plunge with them into the internet.

The Detail

While most new computers come with some form of trial anti-virus software, people just receiving a new device as a gift are usually excited and eager and rarely want to take the time to activate and set these things up properly. Using the internet without good security precautions is never a good idea. It only takes a few minutes to be compromised. Take the time to get that new device up to snuff before you start visiting websites and downloading things.

  • Check for and install any updates to the operating system. There are always some, even on brand new devices.
  • Check for and activate any trial anti-virus and anti-spyware software, or make getting some the first thing you do online
  • Make sure the anti-virus and anti-spyware definitions are up to date
  • Install or setup your password manager (you do use one don’t you?)
  • Create a guest account on your new computer if you’re going to let other people use it
  • Set up any parental controls your new device offers, if children will be using it
  • Now go and enjoy the internet safely 🙂

Let’s get SMART

The Tip

This holiday season, many of us will be buying or receiving gifts that are ‘Smart’: internet connected and part of the Internet of Things (IoT). Whether it’s a television or a personal assistant, fitness tracker or home security device, or even a child’s toy, these devices can greatly enhance our day-to-day lives but also come with a risk and a responsibility.

The Detail

It’s an unfortunate fact that many of these devices are rushed to market without adequate consideration or testing for even the most basic security and privacy issues. It’s up to us as consumers to make informed decisions when buying and using these products. Fortunately, these products generally improve over time. There are also watch-dog groups that aim to not only inform us, but also advocate on our behalf with manufacturers, retailers, and regulators.

One such organization is CONNECTSMART, a member of Consumers International and the Internet Society advocacy groups. They publish a series of awareness videos and tips at https://www.connect-smart.org/.

Taken directly from their website, the following 5 tips will help us all stay SMART.

  • SEARCH – for potential security and privacy issues before buying.
  • MAKE – strong, unique passwords for each device.
  • ADJUST – settings for maximum security and privacy.
  • REGULARLY – update software.
  • TURN OFF – features you don’t need and the device when not in use.

Please visit the CONNECTSMART website for more details on each of these points, as well as videos and further information.

Don’t rely on the giants

The Tip

Some of the big players in tech these days don’t want you to think about security at all; it should be as easy as breathing. Although this is a nice utopian vision that we would all like to see come true, trusting strictly in the technology is never a good idea. Education is still the key.

The Detail

We are all our own first line of defence when it comes to personal and institutional security. We are also the most likely entry point for a cybersecurity breach. According to Verizon’s 2018 Data Breach Investigations Report, almost one in five breaches were caused by human error. Add to this the fact that nearly 30% of all phishing emails are opened and it doesn’t take long to realize how important educating the human firewall is!

An increase in awareness and knowledge needs to happen at every level in organizations like ours. As the threats become increasingly sophisticated and multi-faceted, untrained people become an even bigger cybersecurity risk than ever. This is why we have been writing this blog and attempting to raise awareness with various KnowBe4 training and testing campaigns. It is important.

This knowledge is not just the responsibility of technology staff and administrators. It is the responsibility of the community as a whole. It only takes one person to open an innocent-looking but malicious email attachment, or give up their password to a phishing attempt, to open the entire organization to an attack. No amount of money or tech can prevent this. Just awareness.

At the end of the day, humans are the frontline. We are all both the weakest link, and the first line of defence, in terms of both prevention and mitigation of cybersecurity breaches. Knowledge is key.

From HelpNetSecurity, here are three pieces of advice to improve cybersecurity strategies moving forward;

  • People should be your number one priority – they are the guardians of your assets. Invest in their knowledge and performance. It will pay off immensely.
  • Policies are dynamic – always check, test and recheck them. Rewrite anything that needs updating, and then start over.
  • Know your enemy – never cease to educate and learn about each discovered attack and offensive strategy. It cannot be said more clearly. Knowledge is really a lifesaving factor in our business.

2018 Top Ten Tips

The Tip

As 2018 is nearly in the books, we thought we’d do a little googling for the top cybersecurity tips. There are a LOT of lists to be found out there, but the top 10 seem pretty consistent everywhere. We’ve pretty much covered all of these through this series of cybersecurity tips. New inspiration is getting hard to find, so let’s take a minute and review. Following is Berkeley’s top 10 list for 2018. It’s pretty typical of any list you will find. These should seem like familiar territory by now. If you have anything new you’d like to see covered, please write in. In the following weeks to finish the year, we’ll go into further detail on a couple of these.

The Detail
With links to previous articles on our blog;

  1. You are a target to hackers
  2. Keep software up to date
  3. Avoid Phishing scams – beware of suspicious emails and phone calls
  4. Practice good password management
  5. Be careful what you click
  6. Never leave devices unattended
  7. Protect sensitive data
  8. Use mobile devices safely
  9. Install anti-virus protection
  10. Back up your data

Source of the list:
https://security.berkeley.edu/resources/best-practices-how-to-articles/top-10-secure-computing-tips

Anatomy of a Phish

The Tip

This week will be a little different. Last week, as many of you know by now, we sent a simulated phish test out to the portion of our community that is support staff and full-time faculty. This was the second test in about 7 months and was designed to measure the progress/results from the 3rd-party training we are providing to this group, as well as through these Cybersecurity newsletters. Although we have seen growth since our first test, there is always room for improvement.

This test was designed to be a 4 out of 5 on the ‘difficult to detect’ scale. It was intentionally designed to mimic an email from UTS, as that would be trivial for any real phishing campaign targeted towards us, and it is the most likely vector for a casual attack.

There were several red flags built in to this simulation that we can all learn from. Let’s have a look at those below.

Any one of these red flags seen in an email is enough to stop you from acting on it. When receiving a suspicious email, report it to UTS and delete it. You can always retrieve it out of the trash if it was legitimate. We are thankful to those who reported the suspicious email to UTS.

The Detail

Here is a screen capture of the phish test we sent last week, with the red flags highlighted. Each point is discussed below.

  1. Misspelled domain name in the reply-to address (a look-alike of the real domain)
  2. Call for immediate action with implied urgency
  3. Impersonal or ambiguous salutation
  4. This is something we would never do, and inform people of this in the footer of every email we send, including this phish attempt
  5. Hovering over the link revealed that the actual link destination does not match the displayed text

Depending on the browser you use to check webmail, or the email client you use, you may also have seen other warning signs. For instance, I believe gmail in all browsers showed the email was sent through a delegate and not actually techserv. I’ve heard reports that the Chrome browser put a red bar near the top warning about the link mismatch. My email client put a large red bar over the link when hovering over it, to caution me about the mismatch. Other browsers and email clients may do similar things to help. It’s worth taking a few minutes to get completely familiar with some of these built-in defences, as well as learning to spot the red flags.
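Most of these red flags can be checked by a script as well as by eye, which is roughly what the mail-client warnings above are doing. The block below is an added example, not the simulation we sent and not any product we use: it parses a constructed message (with example.com standing in for our domain and examp1e.com as the look-alike) and reports the same five flags. Red flag 4 is taken here to mean a request to confirm your password, which is the assumption behind the `password` check; the urgency and greeting keyword lists are assumptions as well.

```python
"""Score an email against the red flags listed above.

Example code added to this post; it is not the simulation that was sent
nor any product we use. The message is constructed for the demo, with
example.com standing in for our domain and examp1e.com as the look-alike.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "example.com"  # assumption: the domain the sender claims to be
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "action required")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear member")

# Constructed phish built from the five red flags in the post.
SAMPLE_EML = """\
From: IT Help Desk <helpdesk@example.com>
Reply-To: helpdesk@examp1e.com
To: staff@example.com
Subject: Action required: verify your password within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear user,</p>
<p>Your mailbox will be suspended unless you confirm your password
immediately at
<a href="http://examp1e.com/login">https://webmail.example.com/login</a>.</p>
</body></html>
"""


def edit_distance(a, b):
    """Levenshtein distance; one or two edits from our domain is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the two can be compared."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    """'Name <user@host>' or 'user@host' -> 'host'."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def host_of(text):
    """Hostname of a URL or bare domain shown as link text, else ''."""
    if "." not in text or " " in text.strip():
        return ""
    return (urlparse(text if "://" in text else "//" + text).hostname or "").lower()


def red_flags(raw_message):
    """Return the list of red flags found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # 1. Reply-To on a different (and here look-alike) domain.
    from_dom = domain_of(msg["From"] or "")
    reply_dom = domain_of(msg["Reply-To"] or "")
    if reply_dom and reply_dom != from_dom:
        kind = "look-alike" if edit_distance(reply_dom, OUR_DOMAIN) <= 2 else "different"
        flags.append(f"reply-to domain {reply_dom} is a {kind} domain, not {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = ((msg["Subject"] or "") + " " + body).lower()

    # 2. Urgency.  3. Impersonal salutation.  4. Asks for a password.
    if any(word in text for word in URGENCY_WORDS):
        flags.append("urgent call to action")
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        flags.append("impersonal salutation")
    if "password" in text:
        flags.append("asks you to confirm or enter a password")

    # 5. Link text that names one site while the href goes to another.
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown_host = host_of(shown)
        if shown_host and shown_host != real_host:
            flags.append(f"link shows {shown_host} but goes to {real_host}")
    return flags


if __name__ == "__main__":
    for flag in red_flags(SAMPLE_EML):
        print("RED FLAG:", flag)
```

The link check only compares hosts when the visible text itself looks like an address, because “Click here” pointing somewhere unexpected is normal; the mismatch that matters is text that names one site while the destination is another.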

Gmail 3rd-party add-ons caution

Recently a few people have been asking us about using 3rd-party add-ons to gmail such as ‘Boomerang’ and ‘Email Studio for Gmail’. These add-ons will add power tools and features to gmail such as scheduled mail, reminders, smarter auto-responder options and so on.

Unfortunately, they also come with a price. In some cases, the price is cash. In many cases, the price is also serious security and privacy concerns. In the case of both of the products mentioned above;

This basically gives an external company, who is not google, full access to your email. What does this mean?

  • they can download and store your email on their servers.
  • employees of that company can read, delete or modify your email.
  • if the company is hacked or compromised, your email can be hacked or compromised
  • your data can be used in ways that aren’t obvious, or shared with others. (Check their privacy policy). Ie, they may sell your contact list to marketers.

We ask that you do not use these products with your Nipissing University email. If you need features you are not finding in gmail, please speak with someone in UTS. We may be able to offer suggestions for alternatives that will not come with such serious security risks.


Does it have to be all so technical?

The Tip

Strong security isn’t just about complicated rules around passwords, anti-virus software, malware and managing access. Many of the important habits for safeguarding your personal and work information boil down to common sense, physical security and generally cautious behaviour. This week, we’ll take a step back and look at a few important, easy, non-technical tips.

The Detail

  • When you get up from your desk, lock your screen. It’s easy: Windows key + L on Windows (or Ctrl-Alt-Delete, then Lock), and Ctrl-Cmd-Q on a Mac.
  • Keep an eye on your devices and never leave them alone near strangers.
  • Don’t discuss any sensitive information in public areas or anywhere where someone might be able to eavesdrop.
  • Look for privacy in places like coffee shops or libraries. Sit where no one can look over your shoulder (shoulder-surfing is a big concern).
  • Keep your screen dim or get a privacy shield to make it harder for people to see what’s on your screen.
  • Get a good case for your phone or tablet. A good case will protect your device (and data) should it suffer a drop or something being spilled on it.
  • Be sure to use a passcode on your phone and tablet.

What To Do When Breached

The Tip

The odds are really against us when it comes to data/account breaches. It’s not really a question of if, so much as a question of when. How would we know that our account has been breached and what should we do about it?

The Detail

The first thing we should do is check to see if any of our accounts have been involved in known breaches. You’d be surprised at the major companies that have been compromised. Then we should sign up for a notification service for any future breaches that come to light.
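For the “is my password floating around” check mentioned in the WiFi Safety bonus tip above and again here, the following is an added example, not the author’s code and not an official client. It shows how the Pwned Passwords range lookup works, so you can see that the service never receives your password: only the first five characters of its SHA-1 hash are sent, the service returns every hash suffix sharing that prefix, and the matching happens on your own machine. The leak list and the service response are constructed inline for the demo; a real client would fetch https://api.pwnedpasswords.com/range/<prefix> to get the response.

```python
"""Check a password against a breach list without sending the password.

Example code added to this post; not the original author's and not an
official Have I Been Pwned client. It follows the k-anonymity range
lookup used by the Pwned Passwords service: only the first five hex
characters of the SHA-1 hash leave your machine. The leak list and the
"service response" below are constructed for the demo, not fetched.
"""
import hashlib

# Constructed leak list for the demo (password -> times seen in breaches).
DEMO_LEAKS = {"password123": 1000, "letmein": 500}


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """(5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def fake_range_response(prefix, leaks):
    """Build what a range lookup for `prefix` would return from the
    constructed leak list: one 'SUFFIX:COUNT' line per matching hash."""
    lines = []
    for leaked_pw, count in leaks.items():
        p, s = split_hash(leaked_pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\n".join(lines)


def times_seen(password, range_response):
    """Scan the response locally and return the count for our suffix, or 0."""
    _, suffix = split_hash(password)
    for line in range_response.splitlines():
        s, _, count = line.strip().partition(":")
        if s == suffix:
            return int(count)
    return 0


def check(password, leaks=DEMO_LEAKS):
    """Full round trip against the constructed service."""
    prefix, _ = split_hash(password)
    return times_seen(password, fake_range_response(prefix, leaks))


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        seen = check(pw)
        verdict = f"seen {seen} times, change it" if seen else "not in the demo list"
        print(f"{pw!r}: {verdict}")
```

Note that a non-zero count means the password itself has appeared in a breach somewhere, not necessarily that your account has; it is still a reason to change it, and to change it on every account where it was reused.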

If you have suffered a breach, follow these basic tips;

  • Keep calm and log in immediately to anywhere you’ve used the compromised username/password. Change the password, being sure to use a strong and unique one.
  • If multi-factor authentication is available at the service, enable it right away. This is an easy way to greatly enhance your security.
  • Don’t recycle your passwords. If you were using the same password for more than one account, you need to log in to each of those services and change it. It is critical for security to use unique passwords on all accounts. Start with the email account associated with this password and change it there first, since that mailbox can be used to reset every other account. Then work your way through any other service where you have used the same password, and start using unique passwords on all accounts.
  • If you’re worried about remembering all those robust new passwords, or even having trouble making them up, this is a good time to start using a password wallet.

Cybersecurity Month Ends

The final theme for cybersecurity month was How cyber security is driving the jobs of the future. There is a good read there with thoughts on education and career opportunities for the immediate future.

Passwords Matter

The Tip

Passwords are our first line of defence in cybersecurity. So why do so many of us have bad password habits? Who knows. It just seems to be human nature. Readily available hacker scripts can guess most bad passwords in seconds, just by sheer brute force. A couple of basics can greatly enhance your cybersecurity.

The Detail

Here are some things to consider in choosing and using passwords;

Special Bonus Tip

The theme for week 4 of Cybersecurity Month is Our critical eye and the internet. According to Media Smarts, digital literacy is more than technological know-how; it includes a wide variety of ethical, social and reflective practices that are embedded in work, learning, leisure and daily life.

Your data is valuable!

The Tip

Everything from personal information, personal photos, work correspondence, to your banking information and social media activity is valuable. If it’s valuable to you, it’s valuable to cybercriminals. In fact, some of it is valuable to cybercriminals without you even realizing it.

The Detail

Here are some things to consider in protecting your personal data;

  • Cleaning up old devices… do you know where all the old computers, phones and tablets you’ve had in the past are now? You may have traded them in and forgotten about them, but if you didn’t erase them first, they can come back to haunt you. Criminal groups buy up old computer hardware and scan it for whatever they might find. Always do a factory reset on mobile devices and wipe the drive in a desktop or laptop before trading it in. A quick format only removes the file index; the data is still on the disk for anyone with recovery software. For a spinning hard drive, overwrite the whole drive with zeros using your disk utility’s secure-erase or low-level format option. For an SSD, overwriting is unreliable because the drive silently remaps where data is written; use the manufacturer’s secure-erase tool instead, or keep full-disk encryption turned on from day one so that a reset simply throws away the key.
  • Social media… always be careful when adding new friends to your social network. Many social media networks are suffering from waves of fake friend requests. These are all attempts to find out more about you. Even if you are very selective in your connections, be cautious about over-sharing and privacy.
  • Surveys and games… you’ve seen them, the games and surveys and Facebook posts asking about your favourite foods and first pet and the street you grew up on, and so on. At first glance these seem harmless and fun, but it’s no coincidence that most of these questions are similar to the common security questions you might use for retrieving a lost password. Keep these details to yourself, or answer them with fake answers if you must play along.
  • Offline trouble… you don’t need to be online to be taken advantage of. Be careful of strangers ‘shoulder-surfing’ when you’re using a computer in a public space. Be careful of what you throw into the recycling box (consider a shredder). Be careful of who’s within earshot if you’re giving credit card information over the phone. Be careful when entering your PIN. These old-school privacy theft techniques can still be successful for cybercriminals.

Special Bonus Tip

Watch for the “Ask Us and Win” desk this week in UTS… you could have a coffee on us!


Nipissing University
100 College Drive, Box 5002
North Bay, ON, Canada
P1B 8L7
Tel: 705.474.3450
Fax: 705.474.1947
TTY: 877.688.5507