Meme Contest Winner

Chloe Payne Blog

Congratulations to our meme contest winner, Emma Hastie, whose Kermit the Frog meme made the whole Security Matters team giggle. Stay up to date on new Security Matters contests by following us on Instagram (@uoftcyberaware), Twitter (@uoftcyberaware), and Facebook (https://www.facebook.com/uoftcyberaware/)

Tips on Website Validation

Chloe Payne Blog

Everyone knows about the ‘lock’ icon on a browser. You select a shortcut or type in a URL in your browser, the page content is displayed, and the lock symbol indicates that the connection between you and the service is encrypted. You can enter a password or bank account information or Amazon purchase and be confident the information is hidden from prying eyes somewhere on the Internet. That’s valuable protection to have.

There’s another feature besides encryption the lock can indicate you have. This is ‘authentication’ of the website – the confidence you have the site you’re connected to is where you want to go and not a fake or phishing site. That is also valuable – you don’t want to be entering your account information to a site that is pretending to be, for example, your bank website or the University’s UTORid login site.

To provide good website authentication, services use an ‘Extended Validation’ or EV digital certificate. When you connect to such a site, you’ll notice the browser will show a green shading where the URL is – the green shading, and the lock, is your indication that the site you’re connected to is where you want to be. Why? Because the organization that runs the service that obtained the Extended Validation certificate has to go through a number of procedures to validate their identity and their existence as a valid business entity to the certificate issuer called the Certificate Authority or CA. These procedures include providing:

  1. Names of officials, mailing addresses, telephone numbers of the business entity that runs the service.
  2. A business identifier such as a Dunn and Bradstreet number, which is another indication the business has endeavored to prove its validity.
  3. A legal letter from the business lawyer to vouch for the business.

The CA checks all this information before issuing the digital certificate for the website. So the next time you access your bank website or log in to the University service using your UTORid, look for the ‘green bar’:

Image of a green "validated" address bar

It’s one more item to help you be safe on the Internet.

You might ask: why doesn’t every website use an Extended Validation certificate? Let’s step back and look at digital certificate validation a little closer. There are three categories of validation for digital certificates. They are:

  • Extended Validation (EV)
  • Organization Validation (OV)
  • Domain Validation (DV)

We’ve talked about EV. An Organization Validation certificate undergoes a less stringent process before being issued by the CA. A Domain Validation certificate undergoes a very basic check consisting of the CA finding the registrant of the website’s domain name and sending an email request to the specified address. The response authenticates the order of the certificate by the owner. Some points about these categories:

  • The higher the level of validation, the higher the cost to purchase the certificate from the CA. DV certs can be very inexpensive or free. The ‘Let’s Encrypt’ CA issues DV certificates at no charge. There is evidence[1] to show that DV certificates are being used for malicious purposes because of the minimal cost and the very weak validation procedure. The evidence also shows that OV and EV certificates are not used with malicious sites.
  • The EV certificate is easy to identify by a user – they see the ‘green bar’. However, there is no visual identifier on a browser available to distinguish an OV certificate from a DV certificate. So there’s not much difference from a user perspective between an OV or DV certificate. OV certificates have value over the DV certificate from an organization’s perspective though. Each OV certificate will contain common organization information. The organization can use its IT infrastructure management capability to check site certificates – verifying that they came from the organization. That, in itself, provides a strong measure of validation at a reduced cost compared to the EV certificate.

To conclude, here are some points for users and service providers to keep in mind when using certificates:

  1. When you’re shopping or banking online, and you’re prompted to enter sensitive information such as passwords, credit card or banking information, look for the ‘green bar’ on your browser. Not every browser shows the green indication in the same way (or at all!) – most do.
  2. If you’re a service provider, use EV certificates to protect websites that handle the most sensitive information. Use OV certificates for everything else.
  3. Use DV certificates for test or personal sites.

 

[1] https://casecurity.org/identity/

Image if various device screens

Cyber Monday: The Do’s and Don’ts of Online Shopping

Chloe Payne Blog

To die-hard shopping fans Black Friday is a fun and challenging experience: the thrill of beating the crowds to find the best deals, and then the satisfaction of coming home with a haul of discounted gadgets, clothing, jewellery and much more.

To others, especially those who hate crowds, Black Friday is an utter nightmare!

Cyber Monday is for shopaholics who would rather stay home than brave the crowds. Cyber Monday was created just over ten years ago as the online alternative to Black Friday. With Cyber Monday, you can stay home and shop to your heart’s content.

But when shopping online, consumers must be careful because there are scammers who are looking to take advantage of unscrupulous shoppers. On Cyber Monday, protect yourself from credit card fraud and identity theft using these simple tips:

Watch Out for Fake Online Stores

Scammers have been known to create fake online stores that advertise too-good-to-be-true deals in order to draw in potential victims. To protect yourself:

  • Shop from sites you know and trust and have purchased form before.
  • Check the domain name. Sometime fraudsters create exact replicas of well-known sites. Is the domain name spelled correctly? Is it a slight variation in the correct name?
  • If this store is unknown to you, search for reviews of the website. Keep an eye out for words like fraud or scam.

Monitor Your Credit Card Statement

If you do make a purchase from a new site, check your credit card statement in case there has been any suspicious activity. The sooner you report credit card fraud, the better.

Use a Secure Network

Don’t make purchases online when you using public Wi-Fi. Your information could be tracked and logged.

Update Your Device

When you are prompted to update your device, do it. They contain critical security updates that can protect you from the latest threats.

By staying vigilant and mindful as you shop online you can get your hands on those exciting deals without giving up your privacy or personal information.

Happy shopping!

Image of a handshake

Information Security Awareness: It’s All About Outreach

Chloe Payne Blog

Another successful Cyber Security Awareness Month has come and gone, and we had the pleasure of facilitating various outreach activities.

We ran five unique initiatives, reaching three unique audiences: faculty, staff and students. Our two most successful events were our cloud security course and our pop up booth.

The course, run by well-known information security expert, James Arlen, provided a valuable overview of ITS’ responsibilities when it comes to securing a cloud-based service. Nowadays, the procurement and deployment of cloud services (more descriptively known as Infrastructure as a Service, Platform as a Service, and Software as a Service) is becoming increasingly attractive given the complexities of operating and maintaining hardware, middleware and applications. While the responsibility for some of these aspects can be transferred to the cloud service provider, there are many other aspects that remain the responsibility of the business and technical contacts of the local service provider. Many of U of T’s technical staff attended this course and were grateful for the opportunity to learn more about this important subject.

Since we began this outreach program one year ago we have hosted pop up booths at locations across the tri campus. When we run these booths, we hand out educational materials, lead games and conduct surveys. But the most important moments are when we take the time to chat with students.

When we speak with students at our booth we have the unique opportunity to connect with them one on one. It’s amazing how, when you offer students the opportunity to express themselves about info security, the flood gates open. We hear personal stories of hacked accounts, identity theft and expressions of fear about life in the digital age, for example: we heard from a young woman who lost access to her twitter account and offensive comments and photos were posted from her account, tarnishing her reputation and we even had a young man who opened up his lap top to show us a phishing email he had just received.

In these cases, having a person physically in front of them provided the empathetic ear they craved. Often students can feel like they are just a number, by making ourselves available, they begin to feel like we care about them personally. For a young person who is confused or frightened, this makes all the difference.

Image says "October is Cyber Security Awareness Month"

Cyber Security Awareness Month

Chloe Payne Blog

October is Cyber Security Awareness Month, a time to promote mindfulness and safe practices around users’ activities online. October also serves as the anniversary of the University of Toronto’s information security awareness and education initiative, dubbed “Security Matters”. This time last year, our team was rolling out its first initiative, the celebration of Cyber Security Awareness Month. We created bright, attractive banners and displayed them across the tri-campus. We wrote and shared articles about info security, providing our population with useful tips and tricks on how to protect their personal information.

From there the initiative grew. We created the security matters website, set up an active social media presence, and hosted monthly info sessions at all three campuses. We created a brand with friendly mascots and created a web game, “Patch vs. the Nefarious Code” featuring those characters. We participated in outreach activities setting up pop up booths where we would chat with students about their privacy and safe password practices.

It’s been a whirlwind of a year, and we are proud to present this year’s Cyber Security Awareness Month main events: a workshop and a presentation by information security expert, James Arlen.

James Arlen is a world-renowned information security expert. He is Leviathan’s director of risk and advisory services and a contributing analyst at Securosis. He has delivered security solutions to many Fortune 500, TSE 100 and major public-sector organizations. James frequently speaks at industry conference and his commentary can be found in various trade publications.

For only $1000 you can take James Arlen’s two-day workshop on Cloud Security for business and IT professionals. This course provides a solid foundation in cloud security and the opportunity to apply that foundation in practice. You could become certified; the course content is sufficient to take the Certificate of Cloud Security Knowledge certification test offered by the Cloud Security Alliance. Register through ODLC here: http://www.odlc.utoronto.ca/index.php?option=com_jevents&task=icalrepeat.detail&evid=4259&Itemid=65&year=2017&month=10&day=17&title=cyber-security-awareness-month-workshop-cloud-security-with-james-arlen&uid=4960e9c29ad4729bfee89bacd21c51a1&catids=46.

You can also join us for a special speaking engagement, “Information Security Risk – from a Business, Administrative and Technical Perspective”, with Mr. Arlen on October 26th from noon-2pm.  In this talk, attendees will learn about information security risk handling and the vital role it plays in any information security program. Information security risk handling provides a process for budget managers and administrators to use for making decisions regarding reducing or accepting the risk that accompanies the operation of online services. This talk is directed at staff in administrative and business roles as well as IT professionals. This session is totally free of charge and all are welcome. Register for free here: http://securitymatters.utoronto.ca/event/information-security-risk/

During Cyber Security Awareness Month keep an eye out for our banners and follow us on social media to keep up with all of our activities.

 

To learn more visit securitymatters.utoronto.ca

Follow us: @uoftcyberaware

Like us: www.facebook.com/uoftcyberaware/

Wifi Symbol

Welcome to the Internet of Things. For Better or for Worse…

Chloe Payne Blog

Did you know that technology is currently in the midst of a paradigm shift? That shift is the rise of the “Internet of Things”. Just as in the 80’s there was the era of the personal computer and in the late 90’s there was the dot com boom, we are entering of a new era in information technology with the Internet of Things (also known as IoT).

So, what is the Internet of Things? In the most basic sense, IoT is the idea that everyday objects can connect to the internet. This opens the door to some pretty exciting functionality: fitness bands that track calories burned, refrigerators that know when you need to get groceries…

Sounds pretty exciting, right? But with every leap forward there come various risks. In the case of IoT your security and privacy can be at risk. Unfortunately, it seems that manufacturers are building IoT too quickly for security agencies to ensure they are secure. The market is competitive and securing devices is expensive, so device security often falls to the wayside. This isn’t science fiction – we’ve already seen instances where IoT devices have been used to launch devastating DDoS attacks.

Also, although your data is being collected to improve your quality of life, that data is also being given away. As a consumer, you have to consider whether you are comfortable with your data being shared to the corporation that owns your device. And keep in mind that your personal information can be stolen from these devices too.

IoT devices have some very exciting capabilities and they really can improve your quality of life, but take some time to research your device’s security features to ensure you are safe and secure as you enter this new technological era. Here’s a few pointers:

  • If confidentiality, integrity or availability are important characteristics of the IoT, then you should verify that the device is maintained by the vendor. Check to see if patches are released for the device, change and record the password for the device and be prepared to log into it occasionally to check or update it. Look into the reputation of the vendor, if you’re not comfortable with it, then choose another product. Don’t always buy the least expensive product.
  • Be prepared to disconnect the device from the network if necessary – best way to do that is power it down – yes – be prepared to lose the function of the device.
  • Put a firewall in front of the network that connects the IoTs.

Wireless router vendors are starting to include features to detect and manage IoT devices in residential networks, here’s an example of one:

https://us.norton.com/core

Tutorial: KeePassXC

Alex Dean Cybulski Blog

Today we’re going to prove you with a short tutorial on how to get started using KeePassXC as your password manager.

First, download the latest version of KeePassXC from https://keepassxc.org/

Make sure to download the version appropriate for your operating system (Windows, Mac or Linux) and processor (most likely the non-32-bit version).

Once you’re downloaded and installed KeePassXC open the program and click the “database” menu 

In the database menu select “New Database” to create a file that will store your passwords. These files are “encrypted” which means that the data inside it is locked and can only be read by someone if they have your password.

The first thing that you will be asked is where you’d like to save your master password file. Keep on your computer somewhere that you can easily find it! Because the file is password protected and encrypted you can keep it on your desktop without worrying that other users might steal your passwords.

Next, you’ll be asked to create a master password – this is the password you’ll use whenever you want to access your password database. Use the best system you know to create the strongest password you can remember.

Once you’re finished setting the master password it’s time to add new entries to your password database. It’s a good idea to create a new entry for every account you’re already using, but also get in the habit of creating entries when you need to create a new account online. Click the “add new entry” button indicated below.

Once you’ve selected “Add New Entry” you’ll be asked for some information, the name of the website, your username on the site and a URL that you would access the login page from. Don’t enter a password just yet.

Pro tip: for an added layer of security, don’t add card numbers to your database for online bank accounts. That way your username and account will always be separate for high-priority accounts.

Finally, click the icon of the black dice/die on the right hand side of the new entry window, under the eye icon.

Use the slider or the box at the end to specify the length of the password. Make sure that your password isn’t too short or too long for the website you’re using. Then make sure all of the boxes under “character types” are selected in blue. If you run into issues with password characters uncheck the “/*…” type box. When you’re done generating a password you can click on the eye to preview the password or, simply “Apply” on right side of the box to set the password you generated. Once you’re finished the entry should look something like this:

Finally, once you’re finished click “OK” to save the entry.

Now that we’ve set up an entry, it’s time to figure out how to use that entry to log into your accounts. When you need the password you created, right click on the saved entry and select “copy password” this will put the password into your clipboard and you simply right click the password box on your website of choice and select the “paste” put it into the password field.

 

Petya: What the UofT Community Should Know About the Ongoing Malware Epidemic

Alex Dean Cybulski Blog, Good to know alerts from U of T

A massive malware outbreak known as Petya is currently infecting computer systems in numerous countries across the world.

Petya targets un-patched Microsoft Windows computers and then locks (encrypts) the machine’s contents from the user – pending the payment of a ransom. At present, the e-mail address used to pay the ransom is disabled making it impossible to pay the criminals running this software in exchange for encrypted data. While it is never recommended that users pay a criminal to recover their files, this means that files encrypted by this malware are permanently irretrievable. Recent evidence even suggests that the malware was never designed to allow users to recover their files.

Petya propagates by identifying and infecting other machines on a network, including those which are patched against the SMB vulnerability, making it critical that all systems be patched and up to date.

What U of T is doing:

Defenses are in place at multiple network locations/gateways to block incoming attacks.

The information security team is constantly scanning the university networks to identify unpatched equipment, primarily using outdated and unsupported operating systems such as Windows XP, and to notify appropriate administrators about the need to patch the devices.

What you should do:

  • Keep your devices up-to-date. Install security updates and patches, particularly those identified as being “critical.” Consider ALL your devices, not just machines used at work.
  • Maintain backups. The existence and integrity of data and system backups is critical to protecting your data and maintaining availability in case of a compromised device. If you are unsure as to whether your devices are backed up, check with your local IT team.

For additional information and support, please contact your local IT team. Additional resources are available from the information security department and at the security awareness site.

Featured image: “Petya Hungers”, is a derivative of “City-eating Kaiju” by Unosombrero, used under CC BY. “City-eating Kaiju” is licensed under CC BY by Alex Dean Cybulski.

Feature Image: "frtknx", is a derivative of 050/365 | Fort Knox by keepingtime_ca, used under CC BY. "050/365 | Fort Knox" is licensed under CC BY by Alex Dean Cybulski

Security Professional Pro-Tip: Password Managers

Alex Dean Cybulski Blog

Last week we talked about why using the same password for all of your online accounts, password re-use, was fatal in the era of the daily data breach. This week we’re going to show you some ways to create strong, unique passwords and how to organize them.

Making strong, unique passwords is tough. You’ve probably heard tons of unhelpful or contradictory rules and policies for creating strong passwords, including “change your password every 2 months”, “use sentences, not single words to create passphrases”, “make sure they are totally random with letters, numbers and special characters!” or “use dice to make a random password every time!”

You’ve probably heard tons of unhelpful or contradictory rules or policies for creating strong passwords…

It’s difficult to say what the best method is for making passwords and it’s much harder to say how you’re supposed to remember the dozens of different passwords you need. Especially if you’re using a different password to log into your e-mail address, order pizza online, connect on social media and book your next meet-cute on a dating website. If you can’t write them down it seems like you’re going to forget them. Having to reset your passwords constantly isn’t great for your account security and it gets tedious.

Considering using a password manager instead…

Consider using a password manager instead. A password manager can make your life a lot easier and more secure. Password managers are programs that help you create strong passwords and store them in a secure database. Instead of memorizing dozens of unique passwords you only have to remember the one needed to open your password file.

When it comes to managing your online accounts securely, password managers are a blessing. There are password managers available for Windows, Mac, Linux and mobile devices including both Android and Apple phones. There are even online services that will store your passwords securely in the cloud for a subscription fee (but don’t run out and get one of these just yet, more in a minute).

Password managers come highly recommended by many digital security professionals, they make managing dozens, even hundreds unique passwords easy. With that being said, there are some limitations you need to be aware of before you dive in.

1) Password managers kept on your computer use encrypted key files. Which means that when you create a password file, you are the only person who knows the password to open that file. If you forget your master password, you’ll have to manually reset all your passwords and start over. Still, not a bad trade-off compared to having your account breached because of password re-use.

2) Cloud password managers work on almost every platform and synchronize your passwords automatically. The problem? They are also a popular target of online criminals. So before you run out and pay for a subscription, do your research. Has the cloud password manager you’re looking at had a data breach before? That might be a good warning sign to steer clear.

3) You still need to make sure your computer and browser are free of malware that might steal your passwords. If someone is shoulder surfing, or digitally shoulder surfing your password manager they might know your master key.

Here are a few password managers the Security Matters team uses themselves:

PC/Windows:

KeePassXC: https://keepassxc.org/

KeePass Professional: http://keepass.info/

Mac:

KeePassXC: https://keepassxc.org/

1Password: https://1password.com/ (cloud based)

Cloud/Mobile:

1Password: https://1password.com/ (cloud based)

KeePassXC: https://keepassxc.org/

Over the next few weeks the Security Matters team will provide some tutorials for how to use this software.

Feature Image: “frtknx”, is a derivative of “050/365 | Fort Knox” by keepingtime_ca, used under CC BY. “050/365 | Fort Knox” is licensed under CC BY by Alex Dean Cybulski

 

 

 

Featured image: "badpassword", is a derivative of "Key 66/365" by massmatt, used under CC BY. "Key 66/36" is licensed under CC BY by Alex Dean Cybulski.

Having One Password Makes you Easy Prey in the Era of the Data Breach

Alex Dean Cybulski Blog

On May 5th, 2017 a massive trove of 457,962,538 stolen usernames and passwords from various data breaches known as the “Anti-Public” list was uploaded onto the Internet for any criminal to use.

It might surprise you to find out that online crooks freely share and trade these password caches, or that data breaches are practically a daily occurrence.

What is troubling about the Anti-Public list specifically, is that it combines password information from multiple data breaches. Combo lists give any criminal with access to these lists the ability to see which users have the same password for all of their accounts. Even if you use a two or three different passwords, it makes breaching your accounts mere guesswork. Armed with this knowledge, any jerk can compromise the account of someone who re-uses passwords, they don’t even have to be a talented hacker.

Combo lists are compelling evidence that you should never re-use the same password for different websites.

Combo lists are compelling evidence that you should never re-use the same password for different websites. Should your password get stolen by a phishing attack, or should one website you use get breached, that password will be known to just about anyone, forever! Even if you change passwords after a data breach you might forget about another, leaving yourself open to further compromise. That’s assuming you ever find out that your password has been compromised in the first place!

Instead, try to use a unique password for every site you access. Unique passwords make it impossible for criminals to simply guess their way into your online accounts. Online crime is all about opportunity, so if your accounts present a challenge they’ll move on to the next person who re-uses their passwords.

Using one password paints a huge target on your back, the digital equivalent of advertising that you keep your house keys under the doormat.

Using one password paints a huge target on your back, the digital equivalent of advertising that you keep your house keys under the doormat.

So, if there’s one thing you need to take away from reading it’s this: Always make a unique password for every online account. Never re-use the same password.

In our next post, we talk about the advantages of using a password manager to help you create strong, unique passwords and keep track of them.

Featured image: “badpassword”, is a derivative of “Key 66/365” by massmatt, used under CC BY. “Key 66/36” is licensed under CC BY by Alex Dean Cybulski.