Special Advisory on phishing messages

Recently, the University of Toronto (U of T) has seen an increase in targeted phishing attempts and attacks, and these attempts are becoming more sophisticated and polished. Some of these emails are crafted to look like urgent appeals for action from U of T leadership, including high-level University executives and leaders and managers within academic and administrative departments. This includes fraudulent emails that appear to be sent from President Meric Gertler. Cyber criminals are copying U of T leaders’ signatures from legitimate emails and mirroring their sign-off phrases and writing styles.

Recent targeted phishing attempts/attacks include:

  • Urgent emails with memos attached from leadership
  • Warnings that appear to come from leaders/managers that your email, library or other U of T account is about to expire
  • Requests for immediate help (“Are you available?”), followed up by discussion (“Can you go get me some gift cards?”)
  • Requests for changes to financial arrangements, especially banking or payment to creditor

Look out for incorrect sender email addresses and a sense of urgency.

What can you do if you suspect a phishing attempt/attack?

  • If you suspect your password may have been compromised, immediately change it
  • Please report phishing messages to report.phishing@utoronto.ca
  • When in doubt, call or ask the sender in person to confirm the email was really from them
  • If you opened an attachment that was provided in a phishing email, reach out to your local IT service desk immediately

Thank you for your support as we work together to keep all of us and our information safe and secure online.

Sincerely,

Isaac Straley
Chief Information Security Officer (CISO)

[Phish] Part-Time Personal Assistant Needed

Since May 25, the University has received several reports of a phishing scam that targets University of Toronto (U of T) students by encouraging them to “apply” for part-time work opportunities. The attack attempts to manipulate students into divulging personal information to a potential employer.

You can see two examples of these malicious emails below. For information on what to do if you receive one of these emails, please read the Security Matters blog post here: https://securitymatters.utoronto.ca/phishing-scams-target-job-seeking-students/.


Example 1

Details:

From: [Redacted]

To: [Recipient], <[redacted]@mail.utoronto.ca>

Subject: Part-Time Personal Assistant Needed

Text:

Position: Assistant

Type: Part-time

Hours: 10-12 weekly average

If you are interested, Kinfly send a copy of your CV / Resume for consideration to [redacted]@gmail.com

  • You will be contacted as soon as your CV / Resume is received and more details about the job will be sent to you.
  • Arrangement can then be made for an interview.

DO NOT SEND A REPLY MESSAGE TO MY EMAIL (Send your CV / Resume directly to the email above)


Example 2

Details:

From: [Redacted]

To: [Recipient], <[redacted]@mail.utoronto.ca>

Subject:  Application for Part-Time Personal Assistant job

Text:

Hello [Redacted],

I am [Redacted].The name of my company is zomik inc.The company is into the Design, Development and Production of Quality Plastic Injection Moldings for the Manufacturing Industries.

I would have liked to have a one on one interview with you before you start working for me but i am currently in Quebec.

My business in based in Quebec and i also have an office in USA. I am making plans to relocate my Quebec office to Toronto ,the office will be very close to University of Toronto.

I will be in Toronto on the 6th of June to make final preparation of moving my office, so within that time frame i can meet you and have a formal interview.

Duties:

  • Helping me to run some errands
  • Sorting out my delivers and packages.
  • One or two tasks may be included non of which will interfere with your current activities like studies or job.

Hours: 8-10 weekly average

  • Your weekly salary is $500.
  • I have a task for you now, to test how well you can handle the job

When are you available to carry out the task?

Regards

[Redacted]

Phishing scams target job-seeking students

Since May 25, Information Security and Enterprise Architecture (ISEA) has received several reports of a phishing scam that targets University of Toronto (U of T) students by offering various summer work opportunities. The phishing emails approach students with a job vacancy and prompt the recipient to divulge personal information in order to be considered for the position. Examples of these job phishing emails can be viewed on the Security Matters PhishBowl here: https://securitymatters.utoronto.ca/phish-part-time-personal-assistant-needed/.

If you’ve received an unsolicited email about a job opportunity through your University email address, ISEA recommends that you take the following measures:

  1. Do not respond to any unsolicited emails. If you do reply and have received an email response from the sender, you should refrain from further action: many of these scams engage the victim in divulging personal information over the course of an email exchange.
  2. Report the email to: report.phishing@utoronto.ca.
  3. Contact your local IT help desk if you clicked on a link you think may be malicious.
  4. If you provided sufficient information that you think your identity is at risk, contact your bank and follow their recommended procedures.
  5. If you provided your login and password to any account, change the password immediately; if this was your UTORid and password, please change it at utorid.utoronto.ca.

Meanwhile, the U of T community is advised to remain on alert for phishing emails. Be aware of classic signs of a phishing attempt and ask yourself:

  • Is the email unexpected or odd?
  • Does the email come with a sense of urgency?
  • Does the email ask for secrecy?

Keep in mind that phishing emails are becoming increasingly sophisticated: many scams look like authentic communications and do not contain spelling mistakes or grammatical errors. For more tips on how to spot phishing emails and stay safe online, visit the Security Matters resource section.

Protect your Windows devices against the Remote Desktop Protocol vulnerability

On May 14, Microsoft announced a vulnerability in its Remote Desktop Protocol (RDP). The event caused quite a stir in the global information security community: the vulnerability made it possible for unauthenticated attackers to connect to an organization’s computer systems that use RDP. Once connected, the attacker could then execute code, install programs, create new accounts and view, change or delete data.

What does this mean for members of the University of Toronto (U of T) community? If you are a staff or faculty member who uses a managed Windows device in your workspace, you have likely used a Remote Desktop service. The service makes it possible for staff and faculty to log into their work computers from devices such as home computers or laptops.

The University has already taken action against the vulnerability by restricting RDP service from the internet, protecting potentially thousands of devices. Information Technology Services (ITS) staff ask you to take the following measures if you use Remote Desktop. If you don’t use Remote Desktop, following these measures on a regular basis is an excellent way to maintain the security of your workplace and personal information.

“Our security program is about partnership. We recognize that there is a shared responsibility and it is not always about technology—we can all do something to help.” says the University’s Chief Information Security Officer Isaac Straley. “In this case, we want to make sure community members know to update their personal Windows computers because the risk can impact not only institutional data but them directly.”


  1. Update your devices. If your workplace device is managed by IT staff, they will ensure that patching/updating is completed. If you manage your own device, you must ensure it is updated.

    For Windows devices:

    In the bottom left hand corner of your computer click on the Windows icon. Then enter ‘Windows Update’ in the search bar and run. If your device is up-to-date, you will be informed. If not, please follow the instructions, re-booting if necessary.

  2. If you use RDP to connect to University services remotely there are two use cases to address:

    If your device is managed by IT staff and you are connecting to an RDP ‘gateway’ service, then your remote access should continue to work.

    If you are using your own personal device for work and you RDP into it directly, your service may be blocked soon. To work around this block, please refer to: https://isea.utoronto.ca/advisory-remote-desktop-protocol-vulnerability/ or seek assistance from your local IT support staff.

For additional answers to frequently asked questions about the RDP vulnerability, please access this announcement from ITS: http://main.its.utoronto.ca/news/remote-desktop-protocol-blocked-due-to-vulnerability/.

[Phish] Re: Quick Respond

On May 21, members of the University of Toronto (U of T) community received a malicious email that impersonated a well-known division head. The attack attempted to manipulate recipients into purchasing a large quantity of iTunes gift cards.

Fortunately, the attack was thwarted by a sharp-eyed staff member who recognized the classic signs of a phishing email, including a suspicious email address domain and classic elements of social engineering. Can you spot more signs in the exchange that took place?

Email Exchange:


From: [Phisher], <[redacted].utoronto.ca@my.com> 

To: [Recipient], <[redacted]@utoronto.ca> 

Subject: Re: Quick Respond 

 

Available? 


From: [Recipient], <[redacted]@utoronto.ca> 

To: [Phisher], <[redacted].utoronto.ca@my.com> 

Subject: Re: Quick Respond 

 

[The recipient says they are available and offers to meet the sender in their office.] 


From: [Phisher], <[redacted].utoronto.ca@my.com> 

To: [Recipient], <[redacted]@utoronto.ca> 

Subject: Re: Quick Respond 

 

Okay good, I’m in a meeting right now and that’s why i’m contacting you through here. I should have called you, but phone is not allowed to be use during the meeting and I don’t have the idea of when the meeting will be rounding up. So I need you to get a task done for me real quick, is there any store close to you? 


From: [Recipient], <[redacted]@utoronto.ca> 

To: [Phisher], <[redacted].utoronto.ca@my.com> 

Subject: Re: Quick Respond 

 

[The recipient asks the sender to email them the instructions.] 


From: [Phisher], <[redacted].utoronto.ca@my.com> 

To: [Recipient], <[redacted]@utoronto.ca> 

Subject: Re: Quick Respond 

 

Okay good, Here is what you need to do for me real quick. I need iTunes gift cards, can you get some at the store right now? I will reimburse as soon as I’m out with any inconveniences. 
Let me know to advise denomination to purchase. Thanks! 


From: [Recipient], <[redacted]@utoronto.ca> 

To: [Phisher], <[redacted].utoronto.ca@my.com> 

Subject: Re: Quick Respond 

 

[The recipient asks the sender how many cards they would like them to order.] 


From: [Phisher], <[redacted].utoronto.ca@my.com> 

To: [Recipient], <[redacted]@utoronto.ca> 

Subject: Re: Quick Respond 

 

Okay, I need you to get 10 cards for each worth of $100 physical iTunes gift card.Scratch-off the back code and Attach me a clear pictures of all the cards showing the codes to me here, Hope this is clear ? 

Does your UTORid spark joy? Tidy up your password in three easy steps

For many of us the start of spring is synonymous with cleaning out spaces, both physical and virtual: you’ve finally vacuumed under your couch, emptied out your spam folder and submitted three years of overdue taxes. But have you taken a moment to check up on your University of Toronto (U of T) UTORid account? Don’t worry if you haven’t, because it can be done in three easy steps.

  1. Make sure your password recovery details are still valid.

    You can use the University’s UTORid account recovery service to manage your password reset and account management options (instead of paying a visit to the help desk). If you haven’t opted in yet, you can register here. Just enter your phone number and/or an alternate email address and then select a personalized method for recovering your password.

  2. Choose a new unique password for your U of T account.

    Your UTORid password should be as unique as you are: it’s the gateway to all your services at the University. This could include your email, your University records and your financial information. If someone gains access to your University email account, they could use it to gain access to other accounts or services that are linked to that email address. Using the same passwords across multiple accounts also makes you more vulnerable to credential stuffing (when hackers take a set of login credentials and ‘stuff’ them into different digital service login pages to see what they can compromise).

  3. Choose a really strong password.

    Fortunately, the University makes it easy to create a strong password: all newly created passwords must be between 10 and 32 characters and follow these rules. If your password was created before these guidelines were implemented, now is a great time to make updates. Your new strong and unique U of T password can be used for a long time – your account is safe unless you suspect it has been compromised. If you suspect your password has been compromised in any way, change it immediately using the password recovery tool or contact the help desk.

Does your password spark joy? If you have a strong, unique and recoverable password you’re good to go. If you want to track all your passwords but are worried about the clutter, consider using a password manager as your assistant.

Register for UnITe 2019: a partnership between Ryerson University and the University of Toronto

From May 1 – 3 the University of Toronto (U of T) will host UnITe 2019, a three-day conference for higher education information technology (IT) professionals dedicated to technology, higher learning and the collaborative exchange of ideas. UnITe features a partnership of the Ontario Higher Education Information Technology (OHEIT) conference, the University of Toronto’s TechKnowFile (TKF) conference and Ryerson University’s Cybersecurity Day (RUCD).

U of T is pleased to partner with Ryerson University to help bring cyber security to the forefront of IT discourse. For the past two years, Ryerson has dedicated a full day of their annual IT conference to cyber security. To learn more about UnITe 2019 and RUCD and to register, visit: https://oheit2019.ca/.

“We started a number of major security initiatives at Ryerson and the conference seemed like a great way to help increase awareness and to report back to the community on how we were doing,” says Ryerson’s Chief Information Officer (CIO) Brian Lesser. “At the same time, many university CIOs were wrestling with the same issues I was. So we invited to the conference fellow Ontario public sector chief information officers and chief information security officers who might be interested. To my surprise, people from outside Ryerson started registering and the event took on a life of its own.”

This year’s RUCD keynote will be delivered by the Privacy by Design Centre of Excellence’s Dr. Ann Cavoukian, who is recognized as one of the world’s leading privacy experts. Other speakers include Aruba’s Mike Hyson, Dan Ward of SecOps at Palo Alto Networks and Ryerson University’s CIO Brian Lesser. RUCD will also feature a panel with Chief Information Security Officers Isaac Straley, Colin Couchman and Kashif Parvaiz of the University of Toronto, Western University and Ryerson University respectively.

RUCD at UnITe will also give attendees the opportunity to network with over 1,000 higher education IT professionals from across the country. Social events include a welcome cocktail reception on May 1 and a celebratory gathering at Toronto’s famous Steam Whistle Brewery on May 2.

Can you spot the phish?

This week, a department at the University of Toronto (U of T) received an especially sneaky phishing email. The email used many of the hallmarks of social engineering in an attempt to manipulate recipients into clicking on a malicious link that appeared to be from the department’s manager.

Luckily, members of the department recognized that something wasn’t right, and reported the email to Information Security staff. Can you spot the signs and characteristics of a phishing email? We spotted at least seven.

  1. The email was sent from someone who shares the first name of a department member. While this detail is small, it uses social engineering techniques to generate a sense of familiarity for the recipients.
  2. The sender’s domain does not belong to U of T. Never open emails from suspicious domains. Even if you do recognize the domain, it doesn’t mean the email is safe: hackers regularly spoof email addresses to make it seem like they are coming from legitimate sources.
  3. The recipients are all current members of the same department, yet there was no reason for all of them to receive this email from an unrecognized source. Addressing a message to a related set of legitimate institutional email addresses is another common social engineering technique: the recipient list contained only legitimate and related U of T addresses.
  4. The body of the email uses the department manager’s name and says that they have shared a file with the recipient list. This is another trick intended to make the email seem more legitimate.
  5. There is a typo in a strange place. Typos are a hallmark of phishing emails.
  6. The document link is to OneDrive, but it is not U of T’s SharePoint. If you hover over the link you can see that it leads to a non-University SharePoint domain.
  7. The email adds a Microsoft OneDrive footer with a privacy statement link to add legitimacy to the email, but the link is suspicious. If you hover your mouse over the text you will see that it leads to a strange URL.
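As an added defender-side example (not code from the University or from this post), the following Python heuristics encode the checks described in the seven signs above and in the gift-card exchange: a sender whose real domain is not institutional, or that plants the institution’s name in the display name or local part the way the `[redacted].utoronto.ca@my.com` address does; links whose host lies outside the University’s domains (the “hover over the link” check); and the urgency phrases the scams rely on. The trusted-domain list, the phrase list and the sample message are constructed assumptions for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: mail and links from these domains are institutional.
TRUSTED_DOMAINS = ("utoronto.ca", "mail.utoronto.ca")
INSTITUTION_TOKEN = "utoronto"
# Phrases drawn from the scams quoted in the posts above.
SOCIAL_ENGINEERING_PHRASES = ("available?", "real quick", "gift card", "right now",
                              "do not send a reply", "cv / resume", "urgent")

def is_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def sender_signals(from_header: str) -> list:
    """Address-level tricks: a foreign domain, and the institution's name planted in
    the display name or local part (e.g. name.utoronto.ca@my.com) to look familiar."""
    signals = []
    display, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    if not is_trusted(domain):
        signals.append(f"sender domain '{domain}' is not institutional")
        if INSTITUTION_TOKEN in (display + local).lower():
            signals.append("institution name used to disguise a non-institutional sender")
    return signals

def link_signals(body: str) -> list:
    """The 'hover over the link' check: where does each URL really lead?"""
    signals = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if not is_trusted(host):
            signals.append(f"link leads to non-institutional host '{host}'")
    return signals

def content_signals(body: str) -> list:
    text = body.lower()
    return [f"social-engineering phrase: '{p}'" for p in SOCIAL_ENGINEERING_PHRASES if p in text]

def assess(raw_message: str) -> list:
    """Returns every signal found; an empty list means nothing stood out."""
    msg = message_from_string(raw_message)
    if msg.is_multipart():
        body = "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    return sender_signals(msg.get("From", "")) + link_signals(body) + content_signals(body)

# Constructed sample modelled on the gift-card exchange and the OneDrive lure above.
PHISH = """From: Division Head <division.head.utoronto.ca@my.com>
To: staff@utoronto.ca
Subject: Re: Quick Respond

Available? I need you to get 10 iTunes gift cards real quick.
The file is here: https://onedrive-share.example.net/Doc010
"""

if __name__ == "__main__":
    print(assess(PHISH))
```

A message from an institutional address with institutional links and none of the phrases yields an empty list; these heuristics are a triage aid for reporting, not a substitute for confirming with the sender in person.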

To report a suspicious email or phishing attack, contact report.phishing@utoronto.ca.

For more tips on how to stay safe online at work visit our Security Matters blog and check out our tip sheets.

[Phish] [Redacted] shared “Doc010” with you.

This phishing email was sent to a department at the University of Toronto. The message is purportedly from someone who shares a first name with a department member, but the email address does not use a University domain. The email invites the user to access a OneDrive document that appears to be from the department’s manager, but the link is malicious.

Details:

From: [Redacted] <[Redacted]@tvcc.cc>
To: [30 current department member email addresses]
Subject: [Redacted] shared “Doc010” with you.

Text:

FW: [Department manager name] as shared a file with you using one drive

Can machine learning make us more cyber aware?

Machine learning has gone from rags to riches over the last decade: once dismissed as a computer scientist’s pipe dream, we now live in the time of the ‘Great A.I. Awakening’ where Google Brain, neural networks and the University of Toronto’s own Vector Institute are no longer niche references for computer scientists. Machine learning has become part of the mainstream cultural lexicon.

If you have access to a computer, machine learning has probably sparked your imagination. While we certainly aren’t living in an age of advanced artificial lifeforms and dystopic friendships with computers, machine learning’s potential applications excitingly include improved medical diagnoses and self-driving cars.

But what does machine learning mean for information security? It can mean a lot. Cyber security experts continue to identify new ways of using machine learning to better detect and prevent potential risks and threats to your information. Here are three:

  1. Machine learning can be used to detect phishing attempts. The social engineering element of phishing emails makes it tricky for computers to detect phishing emails: the most dangerous phishing attempts succeed because the content sounds like a real person. Machine learning-based algorithms can work around the familiar tone to spot unusual semantic patterns and formulaic scams.
  2. Machine learning can be used to detect malicious Twitter accounts that distribute spam, scams and misinformation. Researchers from the University of Iowa have developed a machine learning approach that can identify more abusive Twitter accounts faster and with a higher rate of accuracy.
  3. Finally, machine learning can be used to create cyber security baselines and identify situations that don’t match the anticipated patterns. People who work in cyber security are still the most critical part of securing organizations, but machine learning can help to herald when something might be wrong.

Machine learning to prevent cyber security breaches is exciting, but humans (you!) remain the best frontline defence. To learn more about how you can spot phishing emails, malicious scams and cyber security warning signs, visit the Security Matters blog and check out our resources for staff, students and faculty.