Tutorial: KeePassXC

Alex Dean Cybulski Blog

Today we’re going to prove you with a short tutorial on how to get started using KeePassXC as your password manager.

First, download the latest version of KeePassXC from https://keepassxc.org/

Make sure to download the version appropriate for your operating system (Windows, Mac or Linux) and processor (most likely the non-32-bit version).

Once you’re downloaded and installed KeePassXC open the program and click the “database” menu 

In the database menu select “New Database” to create a file that will store your passwords. These files are “encrypted” which means that the data inside it is locked and can only be read by someone if they have your password.

The first thing that you will be asked is where you’d like to save your master password file. Keep on your computer somewhere that you can easily find it! Because the file is password protected and encrypted you can keep it on your desktop without worrying that other users might steal your passwords.

Next, you’ll be asked to create a master password – this is the password you’ll use whenever you want to access your password database. Use the best system you know to create the strongest password you can remember.

Once you’re finished setting the master password it’s time to add new entries to your password database. It’s a good idea to create a new entry for every account you’re already using, but also get in the habit of creating entries when you need to create a new account online. Click the “add new entry” button indicated below.

Once you’ve selected “Add New Entry” you’ll be asked for some information, the name of the website, your username on the site and a URL that you would access the login page from. Don’t enter a password just yet.

Pro tip: for an added layer of security, don’t add card numbers to your database for online bank accounts. That way your username and account will always be separate for high-priority accounts.

Finally, click the icon of the black dice/die on the right hand side of the new entry window, under the eye icon.

Use the slider or the box at the end to specify the length of the password. Make sure that your password isn’t too short or too long for the website you’re using. Then make sure all of the boxes under “character types” are selected in blue. If you run into issues with password characters uncheck the “/*…” type box. When you’re done generating a password you can click on the eye to preview the password or, simply “Apply” on right side of the box to set the password you generated. Once you’re finished the entry should look something like this:

Finally, once you’re finished click “OK” to save the entry.

Now that we’ve set up an entry, it’s time to figure out how to use that entry to log into your accounts. When you need the password you created, right click on the saved entry and select “copy password” this will put the password into your clipboard and you simply right click the password box on your website of choice and select the “paste” put it into the password field.

 

Petya: What the UofT Community Should Know About the Ongoing Malware Epidemic

Alex Dean Cybulski Blog, Good to know alerts from U of T

A massive malware outbreak known as Petya is currently infecting computer systems in numerous countries across the world.

Petya targets un-patched Microsoft Windows computers and then locks (encrypts) the machine’s contents from the user – pending the payment of a ransom. At present, the e-mail address used to pay the ransom is disabled making it impossible to pay the criminals running this software in exchange for encrypted data. While it is never recommended that users pay a criminal to recover their files, this means that files encrypted by this malware are permanently irretrievable. Recent evidence even suggests that the malware was never designed to allow users to recover their files.

Petya propagates by identifying and infecting other machines on a network, including those which are patched against the SMB vulnerability, making it critical that all systems be patched and up to date.

What U of T is doing:

Defenses are in place at multiple network locations/gateways to block incoming attacks.

The information security team is constantly scanning the university networks to identify unpatched equipment, primarily using outdated and unsupported operating systems such as Windows XP, and to notify appropriate administrators about the need to patch the devices.

What you should do:

  • Keep your devices up-to-date. Install security updates and patches, particularly those identified as being “critical.” Consider ALL your devices, not just machines used at work.
  • Maintain backups. The existence and integrity of data and system backups is critical to protecting your data and maintaining availability in case of a compromised device. If you are unsure as to whether your devices are backed up, check with your local IT team.

For additional information and support, please contact your local IT team. Additional resources are available from the information security department and at the security awareness site.

Featured image: “Petya Hungers”, is a derivative of “City-eating Kaiju” by Unosombrero, used under CC BY. “City-eating Kaiju” is licensed under CC BY by Alex Dean Cybulski.

Feature Image: "frtknx", is a derivative of 050/365 | Fort Knox by keepingtime_ca, used under CC BY. "050/365 | Fort Knox" is licensed under CC BY by Alex Dean Cybulski

Security Professional Pro-Tip: Password Managers

Alex Dean Cybulski Blog

Last week we talked about why using the same password for all of your online accounts, password re-use, was fatal in the era of the daily data breach. This week we’re going to show you some ways to create strong, unique passwords and how to organize them.

Making strong, unique passwords is tough. You’ve probably heard tons of unhelpful or contradictory rules and policies for creating strong passwords, including “change your password every 2 months”, “use sentences, not single words to create passphrases”, “make sure they are totally random with letters, numbers and special characters!” or “use dice to make a random password every time!”

You’ve probably heard tons of unhelpful or contradictory rules or policies for creating strong passwords…

It’s difficult to say what the best method is for making passwords and it’s much harder to say how you’re supposed to remember the dozens of different passwords you need. Especially if you’re using a different password to log into your e-mail address, order pizza online, connect on social media and book your next meet-cute on a dating website. If you can’t write them down it seems like you’re going to forget them. Having to reset your passwords constantly isn’t great for your account security and it gets tedious.

Considering using a password manager instead…

Consider using a password manager instead. A password manager can make your life a lot easier and more secure. Password managers are programs that help you create strong passwords and store them in a secure database. Instead of memorizing dozens of unique passwords you only have to remember the one needed to open your password file.

When it comes to managing your online accounts securely, password managers are a blessing. There are password managers available for Windows, Mac, Linux and mobile devices including both Android and Apple phones. There are even online services that will store your passwords securely in the cloud for a subscription fee (but don’t run out and get one of these just yet, more in a minute).

Password managers come highly recommended by many digital security professionals, they make managing dozens, even hundreds unique passwords easy. With that being said, there are some limitations you need to be aware of before you dive in.

1) Password managers kept on your computer use encrypted key files. Which means that when you create a password file, you are the only person who knows the password to open that file. If you forget your master password, you’ll have to manually reset all your passwords and start over. Still, not a bad trade-off compared to having your account breached because of password re-use.

2) Cloud password managers work on almost every platform and synchronize your passwords automatically. The problem? They are also a popular target of online criminals. So before you run out and pay for a subscription, do your research. Has the cloud password manager you’re looking at had a data breach before? That might be a good warning sign to steer clear.

3) You still need to make sure your computer and browser are free of malware that might steal your passwords. If someone is shoulder surfing, or digitally shoulder surfing your password manager they might know your master key.

Here are a few password managers the Security Matters team uses themselves:

PC/Windows:

KeePassXC: https://keepassxc.org/

KeePass Professional: http://keepass.info/

Mac:

KeePassXC: https://keepassxc.org/

1Password: https://1password.com/ (cloud based)

Cloud/Mobile:

1Password: https://1password.com/ (cloud based)

KeePassXC: https://keepassxc.org/

Over the next few weeks the Security Matters team will provide some tutorials for how to use this software.

Feature Image: “frtknx”, is a derivative of “050/365 | Fort Knox” by keepingtime_ca, used under CC BY. “050/365 | Fort Knox” is licensed under CC BY by Alex Dean Cybulski

 

 

 

Featured image: "badpassword", is a derivative of "Key 66/365" by massmatt, used under CC BY. "Key 66/36" is licensed under CC BY by Alex Dean Cybulski.

Having One Password Makes you Easy Prey in the Era of the Data Breach

Alex Dean Cybulski Blog

On May 5th, 2017 a massive trove of 457,962,538 stolen usernames and passwords from various data breaches known as the “Anti-Public” list was uploaded onto the Internet for any criminal to use.

It might surprise you to find out that online crooks freely share and trade these password caches, or that data breaches are practically a daily occurrence.

What is troubling about the Anti-Public list specifically, is that it combines password information from multiple data breaches. Combo lists give any criminal with access to these lists the ability to see which users have the same password for all of their accounts. Even if you use a two or three different passwords, it makes breaching your accounts mere guesswork. Armed with this knowledge, any jerk can compromise the account of someone who re-uses passwords, they don’t even have to be a talented hacker.

Combo lists are compelling evidence that you should never re-use the same password for different websites.

Combo lists are compelling evidence that you should never re-use the same password for different websites. Should your password get stolen by a phishing attack, or should one website you use get breached, that password will be known to just about anyone, forever! Even if you change passwords after a data breach you might forget about another, leaving yourself open to further compromise. That’s assuming you ever find out that your password has been compromised in the first place!

Instead, try to use a unique password for every site you access. Unique passwords make it impossible for criminals to simply guess their way into your online accounts. Online crime is all about opportunity, so if your accounts present a challenge they’ll move on to the next person who re-uses their passwords.

Using one password paints a huge target on your back, the digital equivalent of advertising that you keep your house keys under the doormat.

Using one password paints a huge target on your back, the digital equivalent of advertising that you keep your house keys under the doormat.

So, if there’s one thing you need to take away from reading it’s this: Always make a unique password for every online account. Never re-use the same password.

In our next post, we talk about the advantages of using a password manager to help you create strong, unique passwords and keep track of them.

Featured image: “badpassword”, is a derivative of “Key 66/365” by massmatt, used under CC BY. “Key 66/36” is licensed under CC BY by Alex Dean Cybulski.

WannaCry Malware Advisory

WannaCry: What U of T community should know about the malware attack

Tamara Adizes Jacobs Good to know alerts from U of T

Originally published via U of T News:

Currently, no incidents of malware have been reported to U of T’s information security team since the WannaCry attack began on Friday.

WannaCry targets unpatched Microsoft Windows computers and then locks the machine’s contents from the user – pending the payment of a ransom amount. WannaCry propagates by identifying and infecting other unpatched machines on a network.

What U of T is doing:

Defences are in place at multiple network locations/gateways to block incoming attacks.

The information security team is constantly scanning the university networks to identify unpatched equipment, primarily using outdated and unsupported operating systems such as Windows XP, and to notify appropriate administrators about the need to patch the devices.

What you should do:

  • Be careful with e-mail messages. Do not open any messages with offers that are too good to be true. Beware of messages from the CRA about your income tax refund for example, or banks asking for your credentials, or to have you open an attachment.
  • Keep your devices up-to-date. Install security updates and patches, particularly those identified as being “critical.” Consider ALL your devices, not just machines used at work.
  • Maintain backups. The existence and integrity of data and system backups is critical to protecting your data and maintaining availability in case of a compromised device. If you are unsure as to whether your devices are backed up, check with your local IT team.

For additional information and support, please contact your local IT team. Additional resources are available from the information security department and at the security awareness site.

UTSend Screenshot

Send.utoronto.ca: Helping you ‘Detach from E-mail Attachments’

Alex Dean Cybulski Blog

Ever get a computer virus from an e-mail? Know someone who has? The answer to both of these questions is usually a resounding “yes.”

Despite the fact that e-mail has been around for a few decades there are a ton of glaring security flaws in one of the web’s most common mediums for communication. E-mail users are susceptible to malicious e-mails known as phishing, fraudulent e-mails from individuals posing as others using a technique known as ‘spoofing’ and infections with malicious computer programs, known as viruses or malware.

Despite the fact that e-mail has been around for a few decades there are a ton of glaring security flaws in one of the web’s most common mediums for communication.

Last Friday at least 45,000 computers in more that 74 countries, including hospitals and other medical care providers were hit with malware, a malicious computer program known as  WannaCry/Wcry. True to it’s name the WannaCry malware forces infected users to pay its creators $600 dollars in bitcoin after three days of becoming infected or their files are destroyed permanently.

Malware infections like WannaCry can spread in a number of ways, often by attacking computers with vulnerable connections to the Internet, or though e-mail attachments.

The timely demands of our academic and/or professional lives, not to mention the limited security of e-mail contribute heavily to the possibility of becoming infected with ransomware through malicious e-mail attachments.

Like last week, we always recommend that you treat all file attachments like strangers at your door. Ask yourself: “Was I expecting a file from the person sending me this?” Instead of blindly opening the attachment call or text the sender to confirm that they sent you a file. Remember: taking 30 seconds could save you hours trying to fix your PC, or in this case $600 dollars.

The other approach you might want to consider is ‘detaching from attachments’, the slogan of the Tibetan Action Institute, which encourages individuals to avoid sharing files over e-mail and instead use a storage service.

Detach From Attachments! English subtitles from Tibet Action Institute on Vimeo.

If you are a student, staff or faculty member at the University of Toronto you have access to send.utoronto.ca, a utility that allows you to share files with others at the University.

If you are a student, staff or faculty member at the University of Toronto you have access to send.utoronto.ca, a utility that allows you to share files with others at the University. Send is incredibly useful because it allows you to share files with other UofT users over the University’s network, making it ideal for transmitting academic or professional data, even sensitive information including intellectual property and research data can be shared using this service provided you use an additional layer of encryption to protect it.

Drop-off allows you to upload a file that you want to share with another user.

Pick-up allows you to retrieve a file someone has sent you using send.utoronto.ca.

Request a Drop-off allows you to send a notice to another person that you’d like them to send you a specific file.

send.utoronto.ca is useful for numerous reasons:

  1. It provides you with an additional layer of security by keeping potentially malicious e-mail attachments out of your inbox.
  2. It can be used to store files up to 500 megabytes, helpful for sending large files that won’t fit in an e-mail attachment.
  3. It stores the files on the University of Toronto’s network
  4. It allows you to share the files with anyone once they have the ‘Claim ID’ and ‘Claim Passcode’.
  5. It allows you to exchange sensitive, personal or private information involving University research or business provided it is encrypted.

Keep in mind: 

Send only hosts files for 14 days before they are deleted, so it is not suitable for long-term storage. Additionally, send cannot be used to exchange copyrighted material that you do not have permission to exchange including books, music or any other kind of copyrighted media.

Tales from the Phishbowl: How a Million Gmail Users got Hacked on Thursday.

Alex Dean Cybulski Blog

It’s four o’clock in the afternoon on a Thursday. You’re over the work week hump, vacation day tomorrow, maybe. The phone buzzes. It’s Gmail, letting you know that your friend Joe has invited you to edit a Google Doc. You open the invite and click on the big blue “Open in Docs” button like you’ve done a thousand times before. A window pops up telling you that ‘Google Docs’ would like permission to “read, send, delete and manage your e-mail” and “manage your contacts.” Annoying. Did you clear your cache recently or something? You click “allow” because it’s already 4:30 and you just want to see what’s going on in this doc before you go home; tomorrow you’ll attack whatever this document is. Weird. Instead of taking you to a  doc the last box you clicked on took you back to your Gmail inbox. Now twenty of your friends are texting you wondering why you’re inviting them to edit a Google Doc. This is bad.Read More

Phish Bowl

Phish Bowl – A new resource

Tamara Adizes Jacobs Blog

Phishing BowlWe are pleased to announce a new resource available to our community, the Phish BowlIt is as simple as it sounds! As we spot phishing emails circulating inboxes at U of T, we will post the message contents and a screenshot of the message to our collection of phishing emails into the Phish Bowl. 

By providing a collection of verified phishing messages, the community can use this resource to cross check messages they receive when they are not sure if the email message is a phishing attempt or not. In addition, by accessing this resource on regular basis, we hope that faculty, staff and students can become skilled at instantly spotting phishing messages by recognizing common indicators.

If you would like to contribute a screenshot of a phishing message, please email us with your submission.

Security in the News

Tamara Bahr Blog

Spotlight on Travel Security

While you may think you don’t have anything to hide, your personal privacy and protecting institutional data are important considerations when planning to travel for leisure or work. In this climate of heightened border security, where device searches at the border are prominent in the news, we thought this would be a good opportunity to visit some of the ways in which you can travel more securely.

Our smartphones and other electronic devices store detailed accounts of our conversations, professional lives, whereabouts, and web-browsing habits. They paint a far more detailed picture of our private lives than, say, a piece of luggage.

Tips for maintaining privacy and securing your devices at border crossings and while you are away

Do border agents have the right to search or seize your device? Can they require you to provide passwords to your various social media accounts or apps? You betcha! The laws are fairly grey and yes, you can say “no” to any request to search your devices at the border, but of course, border security can always turn you away for non-compliance.

• Bring a clean device
Is it possible to take a loaner device? If so, this is an opportunity to bring only data that you require for work while travelling and the device can be wiped upon return.
• Travel with reduced information
Keep phone numbers, email addresses, and contacts to a minimum. An example of contacts you may not want to be easily searched: Research study participants…
• Enable security features on your device Two factor authentication. Strong passwords. Encrypted storage. Save your data, reset to factory defaults, and restore your backup when you return.
• Review your email or network connected file storage
When you login to your mobile device, your email is generally viewable to a border agent. Consider what information is available in your inbox, sent mail, or other folders. If you have files available (via Sharepoint for example), review access to that content.
• Use a VPN to access sensitive information
Web-based VPN services can be used to access sensitive information while travelling (assuming the country doesn’t block such service). Using a web-based VPN rather than a standard client-based VPN may reduce the risk of a border agent asking you to activate it.

There is no dearth of information on how to protect your privacy and data while travelling and the points above are not exhaustive. But,they do offer a few handy suggestions to consider while preparing to travel. For more in depth articles and advice view the articles listed below:

Travel to High risk countries
https://uit.stanford.edu/security/travel/high-risk-countries-recommendations

Travel to China or Russia
http://security.uri.edu/travel/travel-to-china-or-russia/

This Tax Season: Protect Yourself Against Fraud

Tamara Adizes Jacobs Good to know alerts from U of T

This Tax Season: Protect Yourself Against FraudA message from U of T’s Central Payroll Services

It is tax time again and with that we see an increase in the number of fraudulent communications claiming to be from the Canada Revenue Agency (CRA). These include phishing emails, calls, texts or mail.

Please be aware that the Canada Revenue Agency (CRA) does not:

  • Send email with a link and ask you to divulge personal or financial information
  • Ask for personal information of any kind by email or text message
  • Request payments by prepaid credit cards
  • Give taxpayer information to another person, unless formal authorization is provided by the taxpayer
  • Leave personal information on an answering machine

When in doubt, ask yourself the following:

  • Did I sign up to receive online mail through My Account, My Business Account, or Represent a Client?
  • Did I provide my email address on my income tax and benefit return to receive mail online?
  • Am I expecting more money from the CRA?
  • Does this sound too good to be true?
  • Is the requester asking for information I would not provide in my tax return?
  • Is the requester asking for information I know the CRA already has on file for me?

You should never respond to these fraudulent communications, including emails or telephone messages, or click on any of the links provided.

Learn more about how to recognize a scam.

Watch this video: Beware of scammers posting as CRA employees.