USB Sticks

The Tip

Have you ever found a USB stick/thumb drive, or a CD, on the ground or in a parking lot? Hopefully you did not put it into your computer. You may be tempted by curiosity to see what data is on it, or perhaps to identify the owner, but do not insert any of these found objects into your computer.

The Detail

You may think that it is your lucky day (‘Hey, free USB stick!’), but in fact it could land you in the hot seat with your IT department. This is a common tactic used by bad guys to infiltrate your network, steal information and gain unauthorized access. Code can be executed simply by inserting one of these devices into your computer. By the time you can see what files are on it, the damage may have already been done.

The average cost of a cyber attack such as this one on a small company is $200,000. For a large public corporation the cost can exceed $6,000,000 per day of downtime. Always consult UTS on how to handle these situations.

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

Summer Break

This will be the last issue of the Nipissing Cybersecurity newsletter for this year. Watch for new initiatives in the future. Keep Cybersecurity awareness and diligence a part of your daily routine, always.


World Password Day 2019

The Tip

We’ve discussed the topic of passwords a few times in other posts in this newsletter, but it’s a topic that’s important to highlight, particularly as we gear up for World Password Day on May 2nd. This annual event was created to highlight the importance of passwords to your cybersecurity.

The Detail

Many people take password creation lightly: they set passwords up carelessly, choose weak ones, or use the same password for more than one account. All of these bad habits can eventually lead to a cyber attack, fraud, or even worse, identity theft.

What is World Password Day?
With increasing cybersecurity threats emerging each year, several of the world’s largest companies, nonprofits, and cybersecurity organizations decided to join forces in a collaborative effort. Their efforts were aimed at educating Internet users everywhere on the importance of using strong layered passwords. Their efforts have helped to increase the security of Internet users in 251 different countries by asking users to pledge better password habits.

Why does it matter?
Are you aware that identity theft is one of the fastest growing crimes in Canada and the US? In today’s world, we store more data on the Internet than ever before. Risking the protection of this data could mean putting your information into the hands of a cybercriminal. Should you fall victim to identity theft, this means that a criminal has accessed your personally identifiable information and used it to commit fraud. Typically they will use this information to create false credentials or open new accounts in your name. Practicing strong password habits can help prevent you from ever exposing your PII to any potential cybercriminals.

Taking Action
Though it’s important to educate yourself on ways to stay safe online, taking action is the only way to truly protect yourself. When it comes to passwords there are several ways to ensure you are getting the best protection possible for your devices. Here are 5 actionable tips we’d like to remind you to keep in mind not only for World Password Day but every day:

  1. Passphrases are better than passwords – Not only is a passphrase easier for the user to remember, but it’s also much harder for a hacker to guess. Nowadays, there are higher level tools available to hackers that can easily crack dozens of passwords on users’ accounts instantly. However, passphrases have proven to be much harder for these systems to guess.
  2. Do not reuse passwords – Using the same password for multiple accounts is a bad habit. If a hacker is able to access one account, this means that they’ll now have access to all of your other accounts with the same login credentials.
  3. Use a password manager – When you’re using different credentials for each account, it can be hard to keep track of which one you use for each. Password managers can safely store each of them to help you log in with ease and security each time an account asks you to.
  4. Always use two-factor verification (when available) – Adding additional layers of security to your accounts in any way that you can is a smart move. With two-factor authentication processes, a prompt will appear on your device asking you to prove your identity by either accepting the login on another device or by entering a security code.
  5. Never share your passwords – Though it can be tempting to share your password with your friends or significant others, you should refrain from doing so. If anything should ever go wrong with these relationships, these people will have access to your information and could use it against you. It can also easily lead to both of you getting hacked if one account is compromised.

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

CRA, the wills and the won’ts

The Tip

A couple of weeks ago, we talked about tax time and the Canada Revenue Agency, and the many scammers that come out of the woodwork this time of the year. We focused on the types of scams and the things that the CRA will not do. A regular reader pointed me to this recent article that also focuses on what the CRA can and might do. I’m essentially repeating it below.

The Detail

The CRA reports that scammers have created such uncertainty in people that many assume the CRA will never attempt to contact you. This is not true. What is true is that:

The CRA will never:

  • Ask for information about passports, health cards or driver’s licenses
  • Demand immediate payment, in any form
  • Use aggressive language or threats
  • Provide personal information themselves
  • Email you links to forms requesting personal financial information
  • Email you a link to your refund
  • Request immediate action and be persistent about it

The CRA can and might:

  • Ask for details about your account, in the case of a business enquiry
  • Send you a notice of assessment or reassessment via postal mail
  • Notify you when a new message or a document, such as a notice of assessment or reassessment, is available for you to view in secure CRA portals such as My Account, My Business Account, or Represent a Client
  • Email you a link to a CRA webpage, form, or publication that you ask for during a telephone call or a meeting with an agent (this is the only case where the CRA will send an email containing links)
  • Ask you to pay an amount you owe through any of the CRA’s payment options
  • Ask for financial information such as the name of your bank and its location
  • Take legal action to recover the money you owe, if you refuse to pay your debt
  • Contact you to begin an audit process

The CRA also says it is important to understand exactly what is required for your taxes, and to share with anyone only the kind of information you would find on a tax form.

For more information and further details about the types of communication you might expect from the CRA under what circumstances, please visit http://canada.ca/taxes-fraud-prevention/

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

Cookies, not the ones Granny used to make

The Tip

What are Browser Cookies? Should I allow them? Are they important? Should I worry about them? Are there privacy concerns? In a nutshell, yes to all the above.

The Detail

Cookies, more properly called HTTP Cookies, are small bits of data stored in text files on your computer. Websites then use these small bits of data for keeping track of you and interacting with you. They enable core functionality in most modern websites. They are a necessary part of how the modern internet works, as well as a serious source of privacy and security concerns. Because they are just bits of text and not applications or executables, most anti-virus software does not report them as threats, although some may give you warnings. That doesn’t mean they are not a concern for your privacy.

Types of cookies and useful things they can do

  • Session cookies. These cookies might remember things like your logged-in status, or what’s in your shopping cart, or filtered lists and presentation preferences and short-term things like that. They expire when your browser closes.
  • Persistent cookies. These cookies store details for a longer time, perhaps when you have chosen ‘remember me’ logging into Facebook and other sites, set preferences at a news or blogging site, what ads you’ve clicked on, what terms you’ve searched for, and so on. Because these cookies stick around for long periods of time and theoretically can store information across multiple websites, they can present a bigger privacy risk.
  • First-party cookies. These are cookies set by the site you are currently visiting and might include things like logged-in status and any preferences you may have set for the site, shopping cart contents, and so on.
  • Third-party cookies. These are cookies set by domains other than the domain you are currently visiting. These might be tracking what sorts of ads and links you have clicked on, what sorts of searches you have done, what sorts of things you have added to a shopping cart. Although a necessary part of the modern web, these can also pose a real risk to privacy and raise other security concerns. You’ve probably already noticed how you can search for something at your favourite search engine, and then ads for those things seem to start showing up on every other non-related site you visit. That’s because of 3rd-party cookies.
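As an added example (not from the original newsletter), here is a small Python classifier that applies the distinctions above to Set-Cookie headers: session vs. persistent is decided by whether an Expires or positive Max-Age attribute is present, and first- vs. third-party by comparing the cookie’s domain with the site being visited. The hosts and header values are constructed for illustration, and the two-label “site” shortcut stands in for the Public Suffix List that real browsers use.

```python
from dataclasses import dataclass

# Constructed first-party site for the worked example (not a real host).
PAGE_HOST = "www.example-news.test"


@dataclass
class CookieInfo:
    name: str
    domain: str
    persistent: bool   # survives browser close (Expires or positive Max-Age present)
    third_party: bool  # set for a site other than the one being visited
    secure: bool       # only sent over HTTPS
    http_only: bool    # not readable by page scripts
    same_site: str     # Strict / Lax / None, or "" if the attribute is absent


def registrable_site(host: str) -> str:
    """Reduce a host to its 'site' (simplified: last two labels).

    Browsers consult the Public Suffix List, so e.g. shop.example.co.uk would
    need three labels; the shortcut is enough for the constructed hosts here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str, response_host: str, page_host: str = PAGE_HOST) -> CookieInfo:
    """Classify one Set-Cookie header value sent by response_host while page_host is viewed."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # RFC 6265: Max-Age takes precedence over Expires; Max-Age <= 0 deletes the cookie,
    # so only a positive Max-Age (or an Expires date) makes the cookie persistent.
    if "max-age" in attrs:
        try:
            persistent = int(attrs["max-age"]) > 0
        except ValueError:
            persistent = "expires" in attrs
    else:
        persistent = "expires" in attrs

    # Without a Domain attribute the cookie belongs to the host that set it.
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    third_party = registrable_site(domain) != registrable_site(page_host)

    return CookieInfo(
        name=name.strip(),
        domain=domain,
        persistent=persistent,
        third_party=third_party,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite", "").capitalize(),
    )


def classify(cookie: CookieInfo) -> str:
    """Label matching the four categories described in the newsletter."""
    party = "third-party" if cookie.third_party else "first-party"
    lifetime = "persistent" if cookie.persistent else "session"
    return f"{party} {lifetime}"


# Constructed sample headers as a browser might receive them while loading PAGE_HOST.
SAMPLE_RESPONSES = [
    ("www.example-news.test", "sessionid=9f3a1c; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example-news.test", "theme=dark; Max-Age=31536000; Path=/; SameSite=Lax"),
    ("ads.tracker-network.test",
     "uid=7b21e0; Domain=.tracker-network.test; Expires=Wed, 01 Jan 2031 00:00:00 GMT; "
     "Secure; SameSite=None"),
]


def audit(responses=SAMPLE_RESPONSES):
    """Return {cookie name: label} for a batch of (response host, Set-Cookie value) pairs."""
    return {c.name: classify(c) for c in (parse_set_cookie(h, host) for host, h in responses)}


if __name__ == "__main__":
    for cookie_name, label in audit().items():
        print(f"{cookie_name:10s} {label}")
```

The long-lived, cross-site `uid` cookie is the kind the article warns about; the Secure, HttpOnly and SameSite flags reported alongside it are what a site operator tunes to limit the exposure.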

Cookies and the law

The landscape is changing around this regularly, but it is currently law in the EU that websites need to get informed consent from you about their use of cookies before sending them to you. Similar regulations are in the works in the US, and Canada will likely not be far behind. That’s why you are beginning to see more and more websites that pop up a banner or alert of some sort, requiring you to click ‘yes’ to cookies before proceeding, or at least to acknowledge that you understand they are there. There is often a link to a page with more details about what cookies and trackers are being used and why.

Privacy, security, and tools for managing cookies
Although it’s beyond the scope of this article, there are several tools and strategies for managing cookie use in all modern browsers.

  • At the simplest, all modern browsers offer a private or incognito mode. Using your browser this way ensures that in addition to your browser history being purged when the session is over, any session cookies will be deleted, and no long-term cookies will be stored.
  • All modern browsers also have built-in tools that allow you to specify what types of cookies will be accepted, let you see what cookies you have stored, and let you delete them selectively or en masse.
  • Some AV/Malware tools will recognize some forms of potentially dangerous cookies and warn you.
  • Most ad-blocking browser extensions also give you control over what 3rd-party cookies/trackers to allow and what to block. It’s very illuminating to install something like Ghostery, and then see what sorts of cookies/trackers are following your browsing footsteps.

There’s a lot of information to be found on this topic on the internet. Here are a few good articles on the subject, but there are many more if you are interested.

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

PII, what it is and how to protect it

The Tip

What is PII? PII, or personally identifiable information, is sensitive data that could be used to identify, contact, or locate an individual. In the wrong hands, PII leads to identity theft and other forms of fraud.

The Detail

Living in a society that’s so immersed in connectivity and technology has, unfortunately, led to a sacrifice of privacy. Scammers and social engineers violate privacy by gaining your trust and convincing you to release info or to click on something or to install something. Stay alert, follow policy at work, and prioritize security at home!

How to Avoid Identity Theft in 5 Easy Steps

  1. Reduce information. Limit the amount of personal info you make public. Set your social media profiles to fully private and thoroughly vet all friend requests.
  2. Remain skeptical. Government and tax entities will never email you requests for payments. Treat all requests for sensitive info or money with a high degree of skepticism.
  3. Respond responsibly. If you receive a notification that an account has been compromised, call the number on your card or visit the legit website. Never click on unsolicited links that come via emails or text messages.
  4. Record activity. Log into your financial accounts weekly to confirm that no unauthorized purchases have been made and consider placing fraud alerts on your credit reports.
  5. Restore defaults. When recycling old smart devices, be sure to delete all data and restore to factory default. Shred all sensitive documents before discarding.

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.


Mobile Device Security, Are You Doing Enough?

This week’s topic is Mobile Device Security, Are You Doing Enough?

The Tip
Most of us don’t think about it, but chances are your smartphone is more precious than your wallet or your keys, and in many cases, your actual computer. Although we all might think about it occasionally, most of us don’t do more than a 4-digit passcode and hope for the best.


The Detail

With that in mind, here are some basic but important tips that will help keep your sensitive information secure, even in the event of a theft of your phone.

Always lock your phone with a password
One of the most basic but often overlooked tips is to secure your phone with a password. Swipe patterns are ok, but finger-trails easily reveal these. A 4-digit passcode is an improvement, but using a strong passphrase is the ideal protection. Even if your phone is stolen, this basic protection will stop most thieves from getting your data. Most phones can also be set to auto-erase after too many failed login attempts, if you need additional security.

Ensure your device locks itself automatically
If you set up password protection but leave your phone unlocked on your desk for long periods of time, you’re not secure. Most phones can readily be set up to lock automatically after a period of inactivity. Choose the shortest amount of time you are comfortable with. A couple of minutes is appropriate, even if it seems a tiny bit inconvenient.

Keep your phone up-to-date
Update your OS and apps regularly. These updates often include important security and vulnerability updates. If you’re nervous about teething problems on the bleeding edge of updates, at least get the reminders, but don’t forget to eventually update. Minor version updates are almost always security related.

Only download apps from approved sources
Apple’s App Store and the Google Play Store take security seriously and do the best they can to watch for vulnerable apps. Don’t jailbreak your devices to get access to other apps, and read user reviews before downloading new apps. There is often good information there.

Install anti-virus software
Although not as widespread as on desktop computers, viruses and other malicious software still exist on mobile devices. Most major antivirus companies have apps for your mobile device.

Use discretion when downloading apps
It’s easy to get excited about the wealth of low-cost or free apps available. Most of us add apps of all sorts without too much research. Don’t download apps you don’t really need, and clean up your apps from time to time. Also, it’s important to see what permissions your apps are asking for. You can expect a mapping app will want to know your GPS location, but if an alarm clock wants access to your contacts database, you might want to treat that with extreme caution.

Stick to window-shopping on public WiFi
Public WiFi networks have popped up all over the place and are very handy, but security on these networks is scarce at best and typically non-existent. Be very careful what you do on public WiFi, as the chances are pretty good that others may be watching network activity. In particular, avoid activities that convey a password, account or credit card number, unless you are absolutely sure you are using a secured connection.

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

Important: Phishing Alert

We’ve had several reports of an ongoing phishing campaign targeted at members of the university today. Some of you have received emails from someone impersonating Mike DeGagné.

This particular scam is pretty easy to spot. If you inspect the email below, you’ll see that Mike’s name is correct, but that’s not his email address.

We have technology that blocks a lot of this type of email, but some still gets through, so please remain diligent in verifying requests that come over email. As always, if you receive an email that doesn’t feel quite right, pass it along to techsrv@nipissingu.ca for further inspection.

Stay safe, and have a great week!

-The UTS Team

[Image: example of the phishing email]
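The tell-tale sign described above (a familiar display name paired with an address that isn’t the person’s) can be checked mechanically. As an added example, not part of the original alert, here is a Python check run over a constructed message; the organisation domain, the directory entry and every address in it are made up for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed organisation domain and staff directory (not real addresses).
ORG_DOMAIN = "example-university.test"
DIRECTORY = {
    "jane doe": "jane.doe@example-university.test",  # constructed senior staff entry
}

# Constructed message modelled on the pattern in the alert: the display name is
# a real colleague's, but the address behind it is not theirs.
SUSPECT_MESSAGE = """\
From: "Jane Doe" <jdoe.president.office@freemail.test>
Reply-To: jdoe.office@other-mail.test
To: staff@example-university.test
Subject: Quick favour

Are you available? I need you to take care of something for me.
"""


def normalise(name: str) -> str:
    """Case- and whitespace-insensitive key for directory lookups."""
    return " ".join(name.lower().split())


def sender_findings(raw_message: str) -> list[str]:
    """Return the reasons the From header deserves scrutiny (empty list = nothing flagged)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    address = address.lower()
    domain = address.rpartition("@")[2]
    findings = []

    expected = DIRECTORY.get(normalise(display_name))
    if expected and address != expected:
        # The name matches someone we know, but the mailbox does not.
        findings.append(f"display name matches a known colleague but {address} is not {expected}")
    if expected and domain != ORG_DOMAIN:
        # An internal name sent from outside the organisation's domain.
        findings.append(f"external domain {domain} used with an internal display name")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to != address:
        # Replies would go somewhere other than the apparent sender.
        findings.append(f"Reply-To {reply_to} differs from From address {address}")
    return findings


if __name__ == "__main__":
    for finding in sender_findings(SUSPECT_MESSAGE):
        print("-", finding)
```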

Safety Online At Tax Time

The Tip

Now that we are entering the full swing of tax time, it’s important to remind ourselves that this is the season for online scams, phishing emails and fraudulent phone calls. This is the cybercriminals’ favourite time of the year.

The Detail

In 2018, the CRA reported that over 60,000 Canadians complained of phone scams alone. In the USA, the IRS reported an astonishing 60% increase in bogus email schemes looking to steal tax money or data. The Canada Revenue Agency tells us that CRA scams may come in many forms – over the phone, by e-mail, or by text message – in all cases the caller or sender poses as an agent in an attempt to gain personal information that can be used later, or attempts to intimidate a victim into providing real financial payments.

Phone Scams

Scammers posing as CRA agents may claim:

  • that you owe money and are facing arrest
  • that a lawsuit has been filed against you
  • that an arrest warrant is outstanding against you
  • that you are facing deportation

In all cases, the threats are an attempt to get you to share personal information and/or pay money. Hang up.

Email / Text Message Scams

You will receive a convincing message from a fake CRA agent claiming:

  • your tax calculations are complete and by filling in a form, you will receive an immediate refund
  • that you are being accused of tax evasion
  • that your filed form has misinformation and needs to be revised
  • that you are under investigation
  • that you have received an e-transfer for your refund

Rejecting the scam and protecting yourself

  • Hang up immediately if you are suspicious, or delete the email. The CRA will never threaten immediate arrest or use abusive language
  • The CRA will never request payment by means such as e-transfer, bitcoin, pre-paid credit or gift cards
  • Do not click on any link in an email pretending to be from the CRA. The CRA will never ask you to click on a link for refunds or for information collection
  • The CRA never sends text messages
  • Make sure your younger family members and friends are aware of this

How to respond

  • If you’re just not sure, confirm your tax status online through a CRA secure portal such as My Account or by calling 1-800-959-8281
  • File a report with the Canadian Anti-Fraud Centre (CAFC) toll-free at 1-888-495-8501 or online, whether you paid money or not
  • Report the scam to your local police if you paid money in any form
  • If you sent money or shared financial information, report it to the financial institution used
  • If your social insurance number has been stolen, contact Service Canada at 1-800-206-7218

Additional information can be found at

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.


The Risk in Reusing Passwords

The Tip

We’ve mentioned in several weekly tips that it is a bad habit to use the same passwords on multiple sites. With more and more large breaches coming into the news recently, it’s more important than ever to stop this bad habit that we all so easily fall into.

The Detail

The risk we take when we reuse a password is that when one of these breaches of user information does happen, the criminals will immediately start trying these username:password combinations at major banking sites, Amazon, Google, your workplace, and so on and so on. It doesn’t take long to do this with automated hacking programs. If you’ve used the same password at any of these places you can be in trouble quickly.

Fortunately, protecting yourself from these threats is easy:

  • Never use the same password on more than one site
  • Use a service like https://haveibeenpwned.com to monitor known breaches for your email address
  • If your address does come up, change your password immediately and if you have used that password in more than one place, go change all of them to unique passwords
  • If you have too many passwords to keep track of, start using a password wallet

The website Have I Been Pwned tracks known breaches and can be set up to notify you if your address shows up in one. It can also be used to monitor an entire domain. We use it here to keep an eye on @nipissingu.ca addresses in known breaches. These events happen all too often, even at major sites where you might feel the security would be the tightest. Not necessarily so. For instance:

  • Verifications.io was breached in Feb of 2019. 763,117,241 accounts were exposed. 538 of these were @nipissingu.ca addresses
  • MyFitnessPal was breached in Feb of 2018. 143,606,147 accounts were exposed. 65 of these were @nipissingu.ca addresses
  • ShareThis was breached in Jul 2018. 40,960,499 accounts were exposed. 66 of these were @nipissingu.ca addresses
  • MyHeritage was breached in Oct 2017. 91,991,358 accounts were exposed. 25 of these were @nipissingu.ca addresses

Other major breaches have included places like Adobe, Dropbox, Equifax and more.

If you think that you may have been in one of those, it’s a good reason to refresh your passwords now and be sure you are using good quality and unique passwords/passphrases everywhere.

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.


Email And Personal Information Breaches In The News

Recently there have been several privacy/security breaches in the news. People that subscribe to the terrific service at https://haveibeenpwned.com will already be aware of these. These breaches have been happening at major sites, and by now, if you use the internet and have registered accounts on various websites, chances are pretty good your privacy and details have been compromised.

A new discovery was announced on the weekend by https://haveibeenpwned.com/. This one affected over 500 people with @nipissingu.ca email addresses.

Fortunately, this one did not include passwords, but it does include a lot of personal information. This personal information could be used in the future by criminals in targeted phishing campaigns (spear phishing). In a spear-phishing attack, criminals will use personal information in a phishing attempt against you, in order to make it look less suspicious and more legitimate.

We should take two things away from this:

  • be extra careful moving ahead, when reacting to emails. Phishing attacks are getting more and more convincing, and just because an email may have your name and other personal information in it, doesn’t mean you can trust it.
  • this is a good time to improve our password habits:
    • do not use the same password at multiple sites
    • use strong passphrases
    • change your passwords/passphrases from time to time
    • consider using a password wallet to make these good habits easier to manage

These topics have been discussed in depth on our blog. Please visit https://cybersecurity.nipissingu.ca/ for further information on these and other related topics.

Here are some recent major breaches:

  • Verifications.io was breached in Feb of 2019. 763,117,241 accounts were exposed. 538 of these were @nipissingu.ca addresses
  • MyFitnessPal was breached in Feb of 2018. 143,606,147 accounts were exposed. 65 of these were @nipissingu.ca addresses
  • MyHeritage was breached in Oct 2017. 91,991,358 accounts were exposed. 25 of these were @nipissingu.ca addresses
  • ShareThis was breached in Jul 2018. 40,960,499 accounts were exposed. 66 of these were @nipissingu.ca addresses

Other major breaches have included places like Adobe, Dropbox, Equifax and more.

If you think that you may have been in one of those, it’s a good reason to refresh your passwords now and be sure you are using good quality and unique passwords/passphrases everywhere.

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

The Return of the Norton Scanner Scam

The Tip

What’s old is new again. If you’re surfing and you get a pop-up that says something along the lines of “Norton Security: Your PC is infected with 5 viruses”… DO NOT click on proceed or install.

The Detail

This is a social engineering attack that displays a fake alert stating that your computer is infected and that you need to download a program to fix it. However, if you click on the “Install Now” button, rather than downloading a trustworthy program, you will be installing a potential piece of malware or adware.

This scam has been around a while and keeps resurfacing in minor variations. Much like the fake Facebook login we talked about two weeks ago, it is very convincing. There are a few tell-tale signs though, and things you need to know:

  • Your system cannot be scanned for viruses using a website that runs through your browser
  • You will not get virus scans from apps not installed on your computer, only locally installed apps can do this

If you do see this, do not just close the pop-up window as that can actually install the virus. Here is what to do:

At Home

  • Close the browser window
  • Open your antivirus application
  • Run a scan

At work

  • Don’t click on anything and leave your machine on
  • Disconnect from the network if you can (unplug the network cable)
  • Call UTS support

For more information about this, here is Norton’s page on tech support scams and a detailed post in the Norton blog. There is also a thorough article with instructions for removal using several different tools in this post on malwaretips.com.

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

Passwords and Passphrases, again

The Tip

In this issue, I’d like to revisit our first Cybersecurity post from November of 2017, “Passwords vs Passphrases”. It is as important and relevant today as it was then.

The Detail

I won’t repeat the entire first post here. The condensed version is “passwords are bad, passphrases are better”. An uncredited quote on the topic of passwords is that “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess”.

So why is a passphrase better than a password?

  • Passphrases are easier to remember than a random string of symbols and letters. It would be easier to remember a phrase from your favorite song or your favorite quotation than to remember a short but complicated password.
  • Passwords are relatively easy to guess or crack by both humans and bots. The online criminals have also leveled up and developed state of the art hacking tools that are designed to crack even the most complicated passwords easily.
  • Passphrases satisfy complexity rules easily. The use of punctuation and upper and lower case in passphrases also meets the complexity requirements for passwords.
  • Major OSs and applications support passphrases. All major OSs including Windows, Linux and Mac allow passphrases of up to 127 characters long. Hence, you can opt for longer passphrases for maximum security.
  • Passphrases are next to impossible to crack because most of the highly-efficient password cracking tools break down at around 10 characters. Hence, even the most advanced cracking tool won’t be able to guess, brute-force or pre-compute these passphrases.

See the original post here as well as a great infographic on why “correct horse battery staple” is MUCH better than “Tr0ub4dor&3”.
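As an added worked example (not from the original post or the infographic it links to), here is the arithmetic behind that comparison in Python: the entropy of a passphrase built from randomly chosen words, the component estimates the xkcd infographic gives for the “Tr0ub4dor&3” pattern, and the time to exhaust each search space at an assumed guess rate. The 2048-word list and 1,000 guesses per second follow the infographic; they are assumptions, and offline cracking rigs are far faster.

```python
import math

# Bit-strength components the xkcd "Password Strength" infographic assigns to the
# Tr0ub4dor&3 pattern: a dictionary word with predictable decorations.
TROUBADOR_PATTERN_BITS = {
    "uncommon dictionary base word": 16,
    "capitalisation of one letter": 1,
    "common letter/number substitutions": 3,
    "appended numeral": 3,
    "appended punctuation": 4,
    "order of numeral and punctuation": 1,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of word_count words drawn uniformly at random from a list of wordlist_size.

    The formula only holds for randomly chosen words; a well-known lyric or quotation
    is itself a dictionary entry for cracking tools and carries far fewer bits.
    """
    return word_count * math.log2(wordlist_size)


def random_chars_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a truly random character string (95 = printable ASCII)."""
    return length * math.log2(alphabet_size)


def pattern_bits(components=TROUBADOR_PATTERN_BITS) -> int:
    """Effective entropy of a human-pattern password, summed from its parts."""
    return sum(components.values())


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate of a 'bits'-strong space at the given rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words from the list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def compare(guesses_per_second: float = 1000.0) -> dict:
    """Summary of the two examples from the infographic at one assumed guess rate."""
    troubador = pattern_bits()
    horse = passphrase_bits(4, 2048)  # "correct horse battery staple": 4 of 2048 words
    return {
        "Tr0ub4dor&3 bits": troubador,
        "Tr0ub4dor&3 years": years_to_exhaust(troubador, guesses_per_second),
        "correct horse battery staple bits": horse,
        "correct horse battery staple years": years_to_exhaust(horse, guesses_per_second),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label:38s} {value:,.2f}")
    # How many Diceware-style words (7776-word list) reach 80 bits?
    print("words for 80 bits from a 7776-word list:", words_needed(80, 7776))
```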

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

Nipissing University
100 College Drive, Box 5002
North Bay, ON, Canada
P1B 8L7
Tel: 705.474.3450
Fax: 705.474.1947
TTY: 877.688.5507