
Cyber Security Awareness Month

Chloe Payne Blog

October is Cyber Security Awareness Month, a time to promote mindfulness and safe practices around users’ activities online. October also serves as the anniversary of the University of Toronto’s information security awareness and education initiative, dubbed “Security Matters”. This time last year, our team was rolling out its first initiative, the celebration of Cyber Security Awareness Month. We created bright, attractive banners and displayed them across the tri-campus. We wrote and shared articles about info security, providing our population with useful tips and tricks on how to protect their personal information. From there the initiative grew. We created the Security Matters website, set up an active social media presence, and hosted monthly info sessions at all three campuses. We created a brand with friendly mascots and created a web game, “Patch vs. the Nefarious Code”, featuring those characters. We participated in outreach activities, setting up pop-up booths where we would chat with students about their privacy and safe password practices. It’s been a whirlwind of a year, and we are proud to present this year’s Cyber Security Awareness Month main events: a workshop and a presentation by information security expert James Arlen. James Arlen is a world-renowned information security expert. …


Welcome to the Internet of Things. For Better or for Worse…

Chloe Payne Blog

Did you know that technology is currently in the midst of a paradigm shift? That shift is the rise of the “Internet of Things”. Just as the 80’s brought the era of the personal computer and the late 90’s brought the dot com boom, we are entering a new era in information technology with the Internet of Things (also known as IoT). So, what is the Internet of Things? In the most basic sense, IoT is the idea that everyday objects can connect to the internet. This opens the door to some pretty exciting functionality: fitness bands that track calories burned, refrigerators that know when you need to get groceries… Sounds pretty exciting, right? But with every leap forward there come various risks. In the case of IoT, your security and privacy can be at risk. Unfortunately, it seems that manufacturers are building IoT devices too quickly for security agencies to ensure they are secure. The market is competitive and securing devices is expensive, so device security often falls by the wayside. This isn’t science fiction – we’ve already seen instances where IoT devices have been used to launch devastating DDoS attacks. Also, although your data …

Tutorial: KeePassXC

Alex Dean Cybulski Blog

Today we’re going to provide you with a short tutorial on how to get started using KeePassXC as your password manager. First, download the latest version of KeePassXC from https://keepassxc.org/. Make sure to download the version appropriate for your operating system (Windows, Mac or Linux) and processor (most likely the non-32-bit version). Once you’ve downloaded and installed KeePassXC, open the program and click the “database” menu. The first thing that you will be asked is where you’d like to save your master password file. Keep it on your computer somewhere that you can easily find it! Because the file is password protected and encrypted, you can keep it on your desktop without worrying that other users might steal your passwords. Once you’re finished setting the master password, it’s time to add new entries to your password database. It’s a good idea to create a new entry for every account you’re already using, but also get in the habit of creating entries when you need to create a new account online. Click the “add new entry” button indicated below. Next, click the icon of the black dice/die on the right hand side of the new entry window, under the eye icon. Finally, once …

Petya: What the UofT Community Should Know About the Ongoing Malware Epidemic

Alex Dean Cybulski Blog, Good to know alerts from U of T

A massive malware outbreak known as Petya is currently infecting computer systems in numerous countries across the world. Petya targets unpatched Microsoft Windows computers and then locks (encrypts) the machine’s contents from the user – pending the payment of a ransom. At present, the e-mail address used to pay the ransom is disabled, making it impossible to pay the criminals running this software in exchange for encrypted data. While it is never recommended that users pay a criminal to recover their files, this means that files encrypted by this malware are permanently irretrievable. Recent evidence even suggests that the malware was never designed to allow users to recover their files. Petya propagates by identifying and infecting other machines on a network, including those which are patched against the SMB vulnerability, making it critical that all systems be patched and up to date. What U of T is doing: Defenses are in place at multiple network locations/gateways to block incoming attacks. The information security team is constantly scanning the university networks to identify unpatched equipment, primarily machines using outdated and unsupported operating systems such as Windows XP, and to notify appropriate administrators about the need to patch the devices. What you should do: …

Featured image: “frtknx” is a derivative of “050/365 | Fort Knox” by keepingtime_ca, used under CC BY. “050/365 | Fort Knox” is licensed under CC BY by Alex Dean Cybulski.

Security Professional Pro-Tip: Password Managers

Alex Dean Cybulski Blog

Last week we talked about why using the same password for all of your online accounts, password re-use, was fatal in the era of the daily data breach. This week we’re going to show you some ways to create strong, unique passwords and how to organize them. Making strong, unique passwords is tough. You’ve probably heard tons of unhelpful or contradictory rules and policies for creating strong passwords, including “change your password every 2 months”, “use sentences, not single words, to create passphrases”, “make sure they are totally random with letters, numbers and special characters!” or “use dice to make a random password every time!” It’s difficult to say what the best method is for making passwords, and it’s much harder to say how you’re supposed to remember the dozens of different passwords you need. Especially if you’re using a different password to log into your e-mail address, order pizza online, connect on social media and book your next meet-cute on a dating website. If you can’t write them down, it seems like you’re going to forget them. Having to reset your passwords constantly isn’t …

Featured image: “badpassword” is a derivative of “Key 66/365” by massmatt, used under CC BY. “Key 66/365” is licensed under CC BY by Alex Dean Cybulski.

Having One Password Makes you Easy Prey in the Era of the Data Breach

Alex Dean Cybulski Blog

On May 5th, 2017 a massive trove of 457,962,538 stolen usernames and passwords from various data breaches, known as the “Anti-Public” list, was uploaded onto the Internet for any criminal to use. It might surprise you to find out that online crooks freely share and trade these password caches, or that data breaches are practically a daily occurrence. What is troubling about the Anti-Public list specifically is that it combines password information from multiple data breaches. Combo lists give any criminal with access to these lists the ability to see which users have the same password for all of their accounts. Even if you use two or three different passwords, it makes breaching your accounts mere guesswork. Armed with this knowledge, any jerk can compromise the account of someone who re-uses passwords; they don’t even have to be a talented hacker. Combo lists are compelling evidence that you should never re-use the same password for different websites. Should your password get stolen by a phishing attack, or should one website you use get breached, that password will be known to just about anyone, forever! …


Send.utoronto.ca: Helping you ‘Detach from E-mail Attachments’

Alex Dean Cybulski Blog

Ever get a computer virus from an e-mail? Know someone who has? The answer to both of these questions is usually a resounding “yes.” Despite the fact that e-mail has been around for a few decades, there are a ton of glaring security flaws in one of the web’s most common mediums for communication. E-mail users are susceptible to malicious e-mails known as phishing, fraudulent e-mails from individuals posing as others using a technique known as ‘spoofing’, and infections with malicious computer programs, known as viruses or malware. Last Friday at least 45,000 computers in more than 74 countries, including hospitals and other medical care providers, were hit with malware, a malicious computer program known as WannaCry/Wcry. True to its name, the WannaCry malware forces infected users to pay its creators $600 in bitcoin within three days of becoming infected or their files are destroyed permanently. Malware infections like WannaCry can spread in a number of ways, often by attacking computers with vulnerable connections to the Internet, or through e-mail …

Tales from the Phishbowl: How a Million Gmail Users got Hacked on Thursday.

Alex Dean Cybulski Blog

It’s four o’clock in the afternoon on a Thursday. You’re over the work week hump, vacation day tomorrow, maybe. The phone buzzes. It’s Gmail, letting you know that your friend Joe has invited you to edit a Google Doc. You open the invite and click on the big blue “Open in Docs” button like you’ve done a thousand times before. A window pops up telling you that ‘Google Docs’ would like permission to “read, send, delete and manage your e-mail” and “manage your contacts.” Annoying. Did you clear your cache recently or something? You click “allow” because it’s already 4:30 and you just want to see what’s going on in this doc before you go home; tomorrow you’ll attack whatever this document is. Weird. Instead of taking you to a doc, the last box you clicked on took you back to your Gmail inbox. Now twenty of your friends are texting you wondering why you’re inviting them to edit a Google Doc. This is bad.


Phish Bowl – A new resource

Tamara Adizes Jacobs Blog

We are pleased to announce a new resource available to our community, the Phish Bowl. It is as simple as it sounds! As we spot phishing emails circulating in inboxes at U of T, we will post the message contents and a screenshot of the message to our collection of phishing emails, the Phish Bowl. By providing a collection of verified phishing messages, we give the community a resource to cross-check messages they receive when they are not sure whether an email message is a phishing attempt or not. In addition, by accessing this resource on a regular basis, we hope that faculty, staff and students can become skilled at instantly spotting phishing messages by recognizing common indicators. If you would like to contribute a screenshot of a phishing message, please email us with your submission.

Security in the News

Tamara Bahr Blog

Spotlight on Travel Security

While you may think you don’t have anything to hide, your personal privacy and protecting institutional data are important considerations when planning to travel for leisure or work. In this climate of heightened border security, where device searches at the border are prominent in the news, we thought this would be a good opportunity to visit some of the ways in which you can travel more securely. Our smartphones and other electronic devices store detailed accounts of our conversations, professional lives, whereabouts, and web-browsing habits. They paint a far more detailed picture of our private lives than, say, a piece of luggage.

Tips for maintaining privacy and securing your devices at border crossings and while you are away

Do border agents have the right to search or seize your device? Can they require you to provide passwords to your various social media accounts or apps? You betcha! The laws are fairly grey and yes, you can say “no” to any request to search your devices at the border, but of course, border security can always turn you away for non-compliance. There is no dearth of information on how to protect your privacy and data while travelling …