Mobile Device Security, Are You Doing Enough?

This week’s topic is Mobile Device Security, Are You Doing Enough?

The Tip
Most of us don’t think about it, but chances are your smart phone is more precious than your wallet or your keys, and in many cases, your actual computer. Although we all might think about it occasionally, most of us don’t do more than a 4-digit passcode and hope for the best.


The Detail

With that in mind, here are some basic but important tips that will help keep your sensitive information secure, even in the event of a theft of your phone.

Always lock your phone with a password
One of the most basic but often overlooked tips is to secure your phone with a password. Swipe patterns are ok, but finger-trails easily reveal these. A 4-digit passcode is an improvement, but using a strong passphrase is the ideal protection. Even if your phone is stolen, this basic protection will stop most thieves from getting your data. Most phones can also be set to auto-erase with too many failed login attempts, if you need additional security.

Ensure your device locks itself automatically
If you set up password protection but leave your phone unlocked on your desk for long periods of time, you’re not secure. Most phones can easily be set up to lock automatically after a period of inactivity. Choose the shortest amount of time you are comfortable with. A couple of minutes is appropriate, even if it seems a tiny bit inconvenient.

Keep your phone up-to-date
Update your OS and apps regularly. These updates often include important security and vulnerability updates. If you’re nervous about teething problems on the bleeding edge of updates, at least get the reminders, but don’t forget to eventually update. Minor version updates are almost always security related.

Only download apps from approved sources
Apple’s App Store and the Google Play Store take security seriously and do the best they can to watch for vulnerable apps. Don’t jailbreak your devices to get access to other apps, and read user reviews before downloading new apps. There is often good information there.

Install anti-virus software
Although not as widespread as on desktop computers, viruses and other problem software still exist on mobile devices. Most major antivirus companies have apps for your mobile device.

Use discretion when downloading apps
It’s easy to get excited about the wealth of low-cost or free apps available. Most of us add apps of all sorts without too much research. Don’t download apps you don’t really need, and clean up your apps from time to time. Also, it’s important to see what permissions your apps are asking for. You can expect a mapping app to want to know your GPS location, but if an alarm clock wants access to your contacts database, you might want to treat that with extreme caution.

Stick to window-shopping on public WiFi
Public WiFi networks have popped up all over the place, and are very handy, but security on these networks is typically non-existent, and scarce at best. Be very careful what you do on public WiFi, as the chances are pretty good that others may be watching network activity. In particular, avoid activities that convey a password, account number or credit card number, unless you are absolutely sure you are using a secured connection.

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.

Email Privacy, is it really?

This week’s topic is Email Privacy, is it really?

The Tip

There’s an old saying that email is about as secure as a postcard. Is that still true? The answer is yes and no. For most of us most of the time, it’s private enough. For some uses, we should be cautious.

The Detail

This should come as no surprise anymore, but your email isn’t private. In fact, it’s one of the least secure methods of communication you can use. Emails are stored at multiple locations: on the sender’s computer, your Internet Service Provider’s (ISP) server, and on the receiver’s computer. Deleting an email from your inbox doesn’t mean there aren’t multiple other copies still out there. Finally, due to their digital nature, they can be stored for very long periods of time, so think twice before writing something down in an email you don’t want others to see.

Much of this is mitigated for us, due to the way we use and deliver email at Nipissing via Google Apps. Gmail does encrypt data over its internal network, so if you are corresponding between Nipissing email accounts using the Gmail client, your communication should be encrypted and remain fairly secure. This is one of the advantages of using the Gmail suite.

However, while Gmail encrypts email over its network, that encryption only protects data while it is on Google’s servers, not while it is bouncing around on other servers on the Internet. Your data is therefore still vulnerable when corresponding outside the network, unless you adopt a solution that provides client-side encryption. This is not necessary for most users doing day-to-day correspondence. Just like a postcard going through the postal mail, most people stumbling across it couldn’t be bothered or interested to look at it. If, however, you are emailing sensitive documents and data around, outside of our network, you might want to consider a few other strategies. Client-side encryption takes some setup, and most users can’t be bothered or find it confusing. That said, it is effective and essential for some types of communication, once you jump through the initial hoops. Using services like Dropbox or Google Docs/Drive is a safer method for sharing sensitive documents than sending them as attachments.

If you have more questions about these topics, please contact UTS and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.


Patch, Patch, Patch – You need to stay up-to-date

This week’s topic is Patch, Patch, Patch – You need to stay up-to-date

The Tip

There are going to be a lot of updates released in the weeks to come for your phone, your tablet, your computers… it is more important than ever to keep your devices fully up to date.

The Detail

If you follow much news at all, you’ve likely heard a lot about the Meltdown and Spectre security threats, which became public news around the holiday break. In a nutshell, security vulnerabilities at the base chip level, affecting Intel, AMD, ARM, and possibly other processors, have been discovered. This impacts pretty much every device with a computer in existence. Industry insiders learned of this vulnerability under nondisclosure agreements several months ago and immediately began developing engineering mitigations and updating cloud infrastructures.

In the days ahead, there will be a lot of patches released by all vendors to help protect against these very real concerns. Some have already been released, and likely applied. Many servers and cloud services have been updated. Apple and Microsoft have both released updates in the last few days to deal with this. More will follow. Some older devices may be left behind, and if you’re hanging on to that ancient iPhone or a desktop running Windows XP, it may be time to retire them. Older systems that are patched can expect noticeable slowdowns in performance. Newer systems (2016+) running modern operating systems (Windows 10 or Apple High Sierra) should see considerably less of a performance impact.

If you have questions or concerns about applying an update, please contact UTS Support.


USB Flash Drive Security – It’s Important

USB drives are so pervasive in today’s world of technology that it’s all too easy to become blasé about the many risks of using this very useful and ubiquitous technology.

Risks inherent with USB flash drives fall into two broad categories: 1) virus/malware and 2) data theft.

1) What Can a “Bad” USB Stick Do?

A malicious device can install malware such as backdoor Trojans, information stealers and much more. They can install browser hijackers that will redirect you to the hacker’s website of choice, which could host more malware, or inject adware, spyware or greyware onto your computer. While the ramifications of these threats can range from annoying to devastating, you can stay protected from these threats by keeping anti-virus software installed and up-to-date, and by using it at all times. Finally, do not plug unknown flash drives into your computer.

2) What can a “Lost” USB Stick Do?

So, you’ve taken all the steps to keep your desktop secure, your internet usage safe, your passwords robust… and then, bringing some data home from work on a USB drive, you misplace the drive. If there was anything sensitive on there, the consequences could be significant. Fortunately, it is easy to protect yourself from this risk by keeping your flash drives encrypted. Although some higher-end drives actually have hardware encryption built in, there are several inexpensive software solutions for USB disk encryption. In fact, all modern versions of Windows and MacOS come with encryption tools built in.

For more information, try googling ‘USB safety’ or ‘USB security’. There is a large selection of articles out there on these topics. UTS would also be happy to talk with you about this, and will be sending more information in the weeks and months ahead.


Password Managers – You should be using one

This week’s topic is Password Managers – You should be using one

The Tip

The majority of us use not-so-strong passwords, and reuse them on different sites. After all, how are you supposed to use and remember strong and unique passwords on all the websites that you use? The answer is a password manager.

The Detail

Using a password manager is one of the top safety practices recommended by security experts. Password managers are easy to use. They store your login information for all the websites that you use, and will help you log in automatically. They encrypt your password database with a master password, and that is the only one you will need to remember. They will also generate strong passwords for you, for new accounts and for updating old, weak passwords, and can be used with 2-factor authentication.

Password databases can be shared across multiple devices, and are always in sync, so you have the right information with you on your phone, or tablet, or home or work desktop computers.

Password managers solve the problem of having to remember multiple complex passwords, removing the temptation to reuse passwords on multiple sites. They are easy to use. You do not need to sit down and spend hours getting one set up. You just start to use it, and as you visit sites and log in, it will capture your info for future use. They can also be used for storing PINs and credit card info, should you wish, as well as secure notes. The more sophisticated managers out there will also let you share some password details with a spouse’s account, or in other team settings.

Password managers come in several free and commercial versions, from several reputable vendors. Spend a few minutes and read a few reviews to find the product that is right for you. Most have free versions available with commercial licensed upgrades available for more features.

Some of the popular ones include LastPass, Dashlane, 1Password and KeePass, but that is by no means an exhaustive list. There is a good side-by-side review here, with further information on why password managers are so important.

https://www.pcmag.com/article2/0,2817,2407168,00.asp


Phishing – Don’t get Hooked!

A good bit of information and infographic from Digital Guardian.

Phishing attacks are by no means a new issue, but rather one that has plagued individuals and businesses for many years. In fact, the 2016 Verizon Data Breach Investigations Report found that 58% of incidents involving compromised user credentials utilized phishing attacks. As these attacks continue to increase in frequency and sophistication, it is of critical importance that end users and businesses learn some of the telltale signs of phishing and how to react when they are being targeted. To do our part in spreading cybersecurity awareness, we’ve created an infographic covering phishing attacks in their many forms and what users can do to protect themselves against this highly common online threat.


How to Recognize and Avoid Phishing Attacks Infographic

Infographic by Digital Guardian

2-Step Verification

This week’s topic is 2-Step Verification.

The Tip

It’s easier than you think for someone to steal your password.

Any of these common actions could put you at risk of having your password stolen:

  • Using the same password on more than one site
  • Downloading software from the Internet
  • Clicking on links in email messages

2-Step Verification can help keep bad guys out, even if they have your password.

As an added bonus, get a free coffee on UTS when you enable 2-Step Verification. Be fast, supplies of UTS Tim Cards are limited.

The Detail

If you don’t have it set up, take the next few minutes to add one of the best defences against unauthorized email access. It’s easier than you think:

Note: This feature requires you to use your mobile phone in order to receive codes via text, voice or app.


Cyber Security Awareness Month

Cyber Security Awareness Month (CSAM) is built upon the fact that the internet is a shared resource and securing it is our shared responsibility.

Cyber Security Awareness Month is an internationally recognized campaign held each October to inform the public of the importance of cyber security. This campaign is focused on helping all Canadians be more secure online, by being informed and knowing the simple steps to take to protect themselves, their families, their workplace and their devices. The month is divided by themes which highlight different aspects of cyber security.

https://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/csm-en.aspx


Passwords vs Passphrases

Welcome to the first in what we hope to make a weekly series of CyberSecurity tips. This week’s topic is Passwords and Passphrases.

The condensed version is, “passwords are bad, passphrases are better”. This is a ‘b@dPas3Word!’. ‘This is a mediocre passphrase’. ‘Good Passphr@se th1s is’.

The longer version below is taken directly from https://www.passworddragon.com/password-vs-passphrase. In a nutshell, don’t use movie titles or famous quotes for passphrases. Random groupings of words are better. To craft the best passphrase, make sure it:

  • contains at least 3 of the following: number, special character, uppercase letter, lowercase letter
  • is at least 9 characters long (the longer the better)
  • includes spaces
  • is changed bi-annually
  • is not recycled: use a unique passphrase on each site
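As an added illustration (not part of the original post or of the linked article), the checker below applies the three rules that can be tested on a single string (character classes, length, spaces) to the three example strings given above, and also estimates the brute-force search space of each so that the effect of length is visible. The function names are my own.

```python
import math
import re
from typing import List

# Rules from the tips above that can be checked on a single string.
# The bi-annual change and no-reuse rules are process rules, not string rules.
MIN_LENGTH = 9
MIN_CLASSES = 3

# Character classes named in the tips, with the size of each class on a
# US keyboard (used only for the search-space estimate).
CLASSES = {
    "number":    (re.compile(r"[0-9]"),           10),
    "special":   (re.compile(r"[^A-Za-z0-9\s]"),  33),
    "uppercase": (re.compile(r"[A-Z]"),           26),
    "lowercase": (re.compile(r"[a-z]"),           26),
}

def character_classes(text: str) -> List[str]:
    """Names of the character classes present in text (space is not a class)."""
    return [name for name, (rx, _) in CLASSES.items() if rx.search(text)]

def check_passphrase(text: str) -> List[str]:
    """Return the tips the text fails; an empty list means it meets all of them."""
    failures = []
    if len(text) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(text)) < MIN_CLASSES:
        failures.append(f"fewer than {MIN_CLASSES} character classes")
    if " " not in text:
        failures.append("no spaces")
    return failures

def search_space_bits(text: str) -> float:
    """log2 of the number of strings an attacker must try in a blind brute-force
    search over the classes the text uses, at the text's length. Length dominates:
    a long all-letter phrase outscores a short four-class password."""
    alphabet = sum(CLASSES[name][1] for name in character_classes(text))
    if " " in text:
        alphabet += 1
    return len(text) * math.log2(alphabet)

if __name__ == "__main__":
    # The three example strings from the post, in plain quotes.
    for sample in ("b@dPas3Word!", "This is a mediocre passphrase", "Good Passphr@se th1s is"):
        print(f"{sample!r}: fails {check_passphrase(sample) or 'nothing'}, "
              f"~{search_space_bits(sample):.0f} bits of search space")
```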


CyberSecurity Site in Development

We’re working on it. Watch for big things to come!

DDE Attack

You may or may not be aware of a new type of attack potential called a DDE attack – a way of launching malware from a web download, an email attachment, or even directly from the body of an Outlook email message or calendar invite.

Just say no

Attachments, emails and calendar invites pop up two giveaway warning dialogs before triggering a DDEAUTO attack; if you say “No” at either dialog then you prevent the attack.

First, you’ll see a warning like this when DDE is used:

[Screenshot: first Outlook DDE warning dialog]

Clicking “No” will stop a DDE attack from running.

If you click “Yes” at the first dialog, you will see a second dialog warning that a command is about to be run (the text in parenthesis and the program names referenced at the end will vary):

[Screenshot: second Outlook dialog warning that a command is about to be run]

Again, clicking “No” will stop the attack.

For more information, please refer to the following page and video:

Office DDE attack works in Outlook too – here’s what to do


Phishing Scam Alert: OneClass Chrome Extension

Be on alert for the OneClass Chrome Extension. It is a phishing scam: once the extension is installed, it will attempt to send an email on behalf of the user and collect Campus-Wide Login (CWL) credentials.

How the phishing works:

Students will receive an email that includes a link to install the OneClass Chrome Extension. During the installation, the user will be prompted to accept its permission to “Read and change all your data on the websites you visit.” If the user accepts, a button will be created within Connect pages to “Invite your Classmates to OneClass.”

The plugin in the extension will also attempt to send an email to everyone in the user’s class to promote the OneClass plugin. The plugin contains code that will attempt to collect user credentials (CWL username and password).

A copy of the phishing email is below:

“Hey guys, I just found some really helpful notes for the upcoming exams for <University Name> courses at <URL removed by UBC Information Security>.  I highly recommend signing up for an account now that way your first download is free!”

If you receive this phishing email, do not install the extension or click on any links in the email. Please delete the email.

If you already installed the extension, below are the instructions to remove the extension:

  1. Open up your Chrome Browser
  2. Select the 3 vertical dots in the top right-hand corner
  3. Select Settings
  4. Select Extensions in the top left-hand corner
  5. Click the Trashcan beside the “OneClass Easy Invite” extension
  6. Select Remove on the Confirm Removal Popup
  7. Close all Chrome windows and go back to the Extensions page to verify the extension has been removed (Steps 1-4)

Once you have removed this extension, please go to webadvisor.nipissingu.ca to reset your Nipissing CWL password.

If you have any questions, please contact techserv@nipissingu.ca


Nipissing University
100 College Drive, Box 5002
North Bay, ON, Canada
P1B 8L7
Tel: 705.474.3450
Fax: 705.474.1947
TTY: 877.688.5507
Brantford Campus
50 Wellington St.
Brantford, ON, Canada
N3T 2L6
Tel: 519.752.1524
Fax: 519.752.8372