The risk is real: Expect ransomware

There has been a significant increase in successful ransomware attacks after Colonial Pipeline paid $4.4M USD and the meat producer JBS paid $11M USD. Following these events, there are reports that the U.S. now suffers seven ransomware attacks an hour. As members of a large institution, it is important for the University of Toronto (U of T) community to understand the risk of ransomware attacks and how to protect ourselves.

What is ransomware?

Ransomware events lock users and organizations out of data and infrastructure, and the attackers demand a payment to return access and not expose affected data. These events can have a significant impact – in the worst cases, shutting down operations entirely and risking loss of critical information.

How can you protect yourself, your data and your devices?

Here are three key steps and additional reading to keep you informed and protected:

1. Back up information

2. Patch systems for security vulnerabilities

3. Secure login credentials

Bonus tip: Remember to protect your personal data by blocking known malicious sites, identifying and reporting phishing attempts and effectively managing your personal devices.

A detailed description and in-depth guidance for Information Technology staff and units can be found on the Information Security website.

For more information on cyber security best practices, visit the Remote Security Matters web page.

Cyber security news roundup: Ransomware is on the rise

Though most of the world is beginning to feel an end to the harsh effects of the COVID-19 pandemic, the cyber security world is still seeing an increase in vulnerabilities because of the shift in remote network dependencies. As a result, cyber security attacks continue to be a hot topic in local, national and international news coverage. Here is a brief roundup of some of the most interesting recent news items from the past few months.

1. Ransomware attack shuts down Colonial Pipeline

The United States’ largest gasoline pipeline was shut down on May 7 due to a ransomware attack by suspected Eastern European-based criminal gang DarkSide. As a result of some of its business network systems being affected, Colonial Pipeline said it notified law enforcement and temporarily shut down its operations to contain the threat. In response to this attack and a series of intrusions by other overseas hackers, the U.S. federal government is issuing new cyber security regulations.

Insight: Although DarkSide claims they do not attack schools or non-profit organizations — only big organizations that can afford to pay large ransoms — the University of Toronto (U of T) is taking steps to ensure its community and their data are protected.

2. Ransomware attack disrupts global meat-packing producer’s production

On May 30, global meat packing giant JBS was forced to shut down some of the world’s largest slaughterhouses due to a ransomware attack affecting its servers. JBS suspects a criminal organization in Russia was the source of the attack. According to White House Deputy Press Secretary Karine Jean-Pierre, the White House is assisting JBS in its efforts to mitigate the threat.

Insight: Ransomware attempts targeting the food and commodities industries have become a trend since May 2020. Following the Colonial Pipeline attack, the attack on JBS also occurred “as the meat industry battles lingering COVID-19 absenteeism” because of plants being shut down last year.

3. Ransomware attack at Humber River Hospital triggers Code Grey (loss of essential services)

On June 14, Humber River Hospital officials shut down the information technology systems after discovering a ransomware attack which was attempting to corrupt patient health records. While no confidential information was released due to a quick response, the shutdown impacted patient care, including prolonged wait times.

Insight: Christopher Parsons, Senior Research Associate at Citizen Lab, said, “Humber River Hospital appears to have had appropriate safeguards in place and enacted a quick and accurate response to the ransomware attack.”

4. Peloton’s security flaw grants hackers access to user data

In January 2021, a security researcher discovered and privately disclosed that there was a privacy flaw in Peloton’s Application Programming Interface (API). This flaw allowed anyone to view Peloton users’ personal details including age, gender, city, weight and workout statistics. Though Peloton was slow to respond, the vulnerability was fixed months later in May 2021.

Insight: In response to this specific leaky API, Setu Kulkarni, the Vice President of Strategy at WhiteHat Security, said: “while APIs promise agility, personalization and connectivity between services, they are also becoming the most vulnerable point of attack.” For developers, Kulkarni recommends taking the following two steps:

  1. Test your APIs in production for application security vulnerabilities and mitigate those vulnerabilities using API management solutions in production.
  2. Start adding security-based exit criteria for APIs in development.

5. More details uncovered in Pulse Connect Secure attacks

In April 2021, it was revealed that a cyber espionage campaign was targeting organizations that use Pulse Connect Secure networking devices. However, newly uncovered details confirm that many high-value and well-protected entities, including Verizon and the New York subway system, were among those targeted. It is unclear if any sensitive information was compromised, but the hackers’ access to these systems is still worrisome.

Insight: Although the Chinese government has not been officially blamed for these attacks, U.S. President Joe Biden has put priority on monitoring China’s rising influence, as it is speculated that these attacks may be a tactic in China’s race to advance its economy.

What is the University of Toronto (U of T) doing to help protect its community from such threats?

For more tips on staying safe online, visit the Remote Security Matters webpage.

Updated Student Resources web page hosts cyber security education and information

It is important for all University of Toronto (U of T) community members to remain informed on cyber security best practices in order to help protect ourselves and our data. For the University’s student population, whether looking to improve daily cyber security practices or interested in opportunities for further learning, the Student Resources web page is a one-stop-shop.

The Information Security team has revamped this web page and will be regularly updating it with relevant content. The page offers a variety of cyber security-related resources, including:

  • Educational pieces explaining how to protect yourself, your data and your devices
  • U of T and external events
  • Professional development opportunities

Review this page often as new information will be posted regularly.

Protect your privacy — Data Privacy Day tip sheet

In today’s remote landscape, we can all benefit from incorporating small cyber security practices into our daily lives. Understanding how to keep your work and personal information safe from malicious hackers is crucial to keeping ourselves and our devices secure.

Take the Data Privacy Day challenge — review and take these three steps to protect your privacy as we work and learn from home:

Data Privacy Day 2021 - Take the Data Privacy Day Challenge

Download the Tip Sheet as a PDF.

For more tips on online safety, visit the Remote Security Matters webpage.

2020’s biggest data breaches and lessons learned

This Jan. 28, 2021 marks 30 years since the signing of Convention 108, the first legally-binding treaty to address data privacy and protection for individuals. Since then, there has been exponential development in information security and how we protect ourselves.

The treaty and this ongoing growth are the reasons we celebrate Data Privacy Day internationally each year — to highlight the value and trends in data privacy.

Here are five big data breaches that made the news in 2020 and lessons learned:

Estée Lauder database exposed

In January 2020, more than 440 million database records belonging to Estée Lauder were exposed. The database reportedly housed internal documents, sales data, IP addresses and email addresses. Read this article to learn more about the Estée Lauder breach.

Takeaway: Though this case was not consumer-facing, it’s important to know that large companies get hacked too. Once hackers gain access to your information, you are more susceptible to cyber threats in the future. Review these University of Toronto (U of T) information security tips to learn how to protect yourself against personal attacks.

Nintendo user accounts compromised

In April 2020, 300,000 Nintendo user accounts were compromised due to a cyber attack. Hackers used the stolen account information, including passwords, birthdates and email addresses, to purchase digital items. As a response to the attack, Nintendo altered its Network ID (NNID) login method and advised users to enable multi-factor authentication (MFA). Read this article to learn more about the NNID breach.

Takeaway: Enabling MFA offers an extra layer of protection to accounts and data. It is good practice to enable MFA where possible to avoid these types of attempts. Read this article about U of T’s MFA service called UTORMFA.

Thousands of Zoom accounts stolen

In April 2020, criminals gained access to more than 530,000 Zoom user accounts and listed them for sale on the dark web. They accessed details such as passwords, email addresses, host keys and personal meeting URLs. Read this article to learn more about the Zoom breach.

Takeaway: Cyber criminals take advantage of trends. Since most of the world switched to online learning and working in March, Zoom accounts were strategic targets. Cases like this are a reminder to use different passwords for different accounts so that if one of your accounts is hacked others may still be protected. Read this article for U of T’s tips on password best practices.

Hackers access EasyJet customer personal information

In May 2020, a “highly-sophisticated” malicious actor gained access to the personal data of nine million EasyJet customers. This included email addresses, names and travel records. An additional 2,200 customer files were accessed, which included customers’ credit card information. Read this article to learn more about the EasyJet data breach.

Takeaway: These customers are likely to face phishing attempts in the future based on the information the hackers now have. Educate yourself on what phishing attempts look like and how to deal with them, here.

SolarWinds Orion breach triggers White House security meetings

Throughout 2020, there were ongoing threats and reactions to the SolarWinds cyber-espionage campaign, which began in September 2019. The breach targeted numerous government agencies and private organizations including the world’s leading cyber security firm, FireEye. Read this article to see a timeline of the SolarWinds hack.

Takeaway: Anyone, even cyber security firms and the State, can get hacked. Review U of T’s Information Security-approved tips for working securely online, here.

Cyber security news roundup: A widespread malware threat, ransomware attacks and phishing scams

In an increasingly digital world, cyber security issues are an inevitable (and ever-growing) part of the landscape. As a result of COVID-19’s increased effect on security breaches, this continues to be a hot topic in local, national and international news coverage. Here is a brief roundup of some of the most interesting recent news items from the past month.

Cyber security attack targets Saskatchewan Polytechnic

Saskatchewan Polytechnic fell victim to a cyber attack on Nov. 1. Though the specific type of attack has not been disclosed to the public, the school is reported to be making progress on safely restoring systems, after all online and in-person classes were cancelled until Nov. 4.

Takeaway: Cyber attacks are common and can happen to anyone. A simple tip to help protect yourself is to update your passwords often and use different passwords for all your accounts. By doing this, if one of your passwords gets compromised, your other accounts will still be safe. Learn more about password best practices.

Phishing scam reported at Waterloo University

The University of Waterloo reported a phishing scam on Oct. 26, which took the form of a convincing email, targeting university faculty, staff and students. Recipients were told they could receive $2,000 for COVID-19 support by filling out a form.

Takeaway: Educate yourself on phishing red flags. Some tips include hovering over links to view the link address, looking for typos or bad grammar and reaching out to the contact directly to confirm the details in the email.

Cybercrime threat to U.S. hospitals and healthcare providers

KrebsOnSecurity received a tip that a well-known Russian cybercriminal gang, Ryuk, was preparing to disrupt information technology systems at hospitals, clinics and medical care facilities across the United States. There have only been a handful of attacks so far. The malware seems to be targeted against Windows systems, but there are some indications that it may also impact other platforms like Linux.

Takeaway: University staff and faculty are urged to be on alert and continue efforts around applying regular patches as needed. Managing vulnerabilities in your environment is one of the best practices against the ever-evolving threat landscape. Review this tip sheet from the Canadian Centre for Cyber Security.

Cyber attack hits Jewish General’s IT network

The Jewish General Hospital and other institutions in Montreal’s west end fell victim to a computer virus that attacked their information technology systems on Oct. 28. In response, access to networks was quickly suspended, which limited access to patient records and data. Since the intrusion was spotted early, no data was accessed and no ransom demand was made.

Takeaway: Ransomware is typically spread via spam or phishing emails, exploitation of software vulnerabilities or remote admin (e.g., remote desktop protocol) connections that are accessible from the internet. Learn more about ransomware and how to protect yourself.

Montreal public transport agency refuses to pay ransomware hackers

A ransomware attack targeted Société de transport de Montréal’s (STM) servers and asked for $2.8 million as ransom, which the agency is refusing to pay. The attack impacted 624 operationally sensitive servers and stopped STM from providing adapted transit for almost one week.

Takeaway: While there is no way to fully prevent ransomware, there are a number of steps you can take to minimize your risk, including providing security awareness training for employees, patching operating systems and third-party apps, performing frequent back-ups and more.

 

For more tips on staying safe online, visit the Remote Security Matters webpage.

Shop securely this holiday season

As technology advances and the current pandemic forces a virtual approach to everyday tasks, online shopping is becoming a more accessible and common method of purchasing gifts and everyday items. This societal shift has caused an uptick in social engineering attacks as hackers take advantage of this reliance on our devices. In addition, hackers historically anticipate the influx of online shoppers during the holiday season, which puts our personal and financial information at an even greater risk.

Before loading up your virtual shopping cart, read through this list to ensure you are protecting your information by following cyber security best practices:

Do your research

Shop with reputable vendors and/or ones that you are familiar with. If you come across special holiday deals that seem too good to be true – and if the website isn’t familiar to you – do your research before moving forward with your purchase. The Better Business Bureau helps identify trustworthy businesses and provides direct links to their online retail sites.

Look for the lock

Don’t input any sensitive (personal or financial) information unless the webpage URL begins with https and shows the lock icon. These will indicate that you are working within a secure network and that it is safe to input your data. When possible, default to giving up as little personal data as possible. Even large companies’ websites get breached all the time.

Be skeptical

Phishing attacks are becoming more advanced and more common as a result of the pandemic. Be skeptical of any email that asks you to confirm personal or financial information, even if it references a specific recent purchase. If you suspect a phishing attempt, review these steps and report it.

Wi-Fi or VPN

Public Wi-Fi connections make it easier for hackers to intercept insecure transactions as they are being transmitted. Play it safe by connecting to a password-protected Wi-Fi that you trust before inputting any personal information.

If you need to use public Wi-Fi to make a purchase, connect to a virtual private network (VPN), which creates an encrypted tunnel between your computer and the server, so hackers won’t be able to intercept your personal information.

Create strong passwords

When an online retailer requires you to create an account to make a purchase, make sure to create a strong password. This includes making it unique from any of your other passwords. Click here for more password tips.

Opt for credit

Once you make it to the payment page, best practice is to use a credit card instead of debit. Most credit card companies have protections in place to save you from fraudulent charges, plus the money is not automatically drawn from your account. In either case, it is also best to check your bank statement to ensure there are no discrepancies.

Safe shopping!

Tips for identifying and reporting a phishing attempt

Phishing attempts and attacks are incredibly common forms of social engineering, used to target people in the form of malicious emails or messages. These attempts are becoming more sophisticated and polished and are on the rise as more people work remotely. Here are steps to identify and report phishing attacks.

What can I do if I suspect a phishing attempt?

  • Report phishing messages either by using the “report message” function in your Office 365/UTMail+ inbox or by reporting them to report.phishing@utoronto.ca.
  • When in doubt, call or ask the sender in person to confirm that the email was really from them.
  • If you already clicked on the link or attachment, contact security.response@utoronto.ca and your local IT service desk immediately for assistance.
  • If you suspect your password may have been compromised due to an attack, immediately change it.

What are common red flags of phishing attempts?

A strong sense of urgency and/or odd requests

These emails will often request that you complete a task quickly so that you don’t have time to consider or think about the request. A common example is when attackers pose as the victim’s boss and ask them to quickly purchase a gift card and send the code via email. See an example here.

Requesting personal information

Legitimate organizations are unlikely to request sensitive or personal information through email, so a request for this information is often a sign of a phishing attempt. University of Toronto (U of T) staff, faculty and students will never be asked to share their UTORid password.

Spelling and/or grammar mistakes

Check for spelling mistakes and/or grammatically incorrect sentences. If you are already suspicious, these mistakes can be an indication of a phishing email. See an example here.

Brief signatures and generic greetings

The email signature may be missing crucial information like an address or phone number, while the greeting may use phrasing such as “good afternoon,” “dear customer” or no greeting at all rather than your name. See an example here.

Intriguing attachments or links

Phishing emails aim to trick you into clicking malicious links or opening malicious attachments. The attachments might even include fake images or icons to make it look like the sender is sharing or sending a document you are expecting. Fake links might be hyperlinked so that the display text seems legitimate, but the hyperlinked address is malicious. See an example here.

What can I do to help identify/confirm a phishing attempt?

  • Tap or click the display name to see if the email address matches/is valid
  • Hover over (or long-press on mobile) links to check if the URL address matches the display text
  • Check the Phish Bowl to see if the email you received has already been reported

What can I do to prevent future phishing attempts?

  • Enrol in UTORMFA, U of T’s multi-factor authentication solution to add an extra layer of security to your login. Learn more and self-enrol in UTORMFA.
  • Pay attention to the email notification banners that help staff, faculty and students identify emails originating outside the University.
  • Connect to the appropriate Virtual Private Networks (VPN) to help secure your access to sensitive systems and protect yourself when connecting from remote locations.

CSAM 2020 recap: U of T community engages in virtual events and activities

Throughout the month of October, hundreds of University of Toronto (U of T) staff, students and faculty sharpened their knowledge of remote security by participating in U of T’s virtual Cyber Security Awareness Month (CSAM) events and activities.

CSAM, an internationally recognized initiative, is hosted annually at U of T by ITS’ Information Security (IS) team in partnership with Education, Awareness & Culture.

One hundred and four tri-campus community members attended U of T CSAM events, including two Coffee with the CISO sessions and a “Get to know your Information Security team” webinar panel. Additionally, U of T’s Mississauga and Scarborough Information and Instructional Technology Services (IITS) teams hosted U of T’s first virtual information security conference called Secure Together, featuring 49 presenters, each speaking on an aspect of privacy and security. If you missed it, you can watch the conference here.

The CSAM 2020 events and programs highlighted the many Information Security programs available to the U of T community. On Oct. 28, a launch event was held for the Data Asset Inventory and Information Risk Self-Assessment (DAI-IRSA) program, which featured presentations from Information Security and Data Governance staff who provided an overview of the program and offered information on how and why to enrol.

“CSAM is a great opportunity to enhance awareness and educate our community on the daily routines and precautions we can perform to protect ourselves and our data,” says Deyves Fonseca, associate director, Information Security Operations, ITS. “I was happy to take part in this year’s campaign to help relay these important messages and remind our tri-campus community about the available programs that help keep us safe.”

Throughout the month-long campaign, 12 educational blog posts were published and viewed by 890 readers and 34 Twitter posts received 647 engagements. These communications ranged from highlighting secure remote teaching resources to outlining U of T’s new multi-factor authentication service, UTORMFA.

The U of T community was also encouraged to test their security and privacy knowledge in activities, including weekly CSAM Trivia and a new UTORMFA BINGO game. The participants of both games were entered into raffles to win Amazon gift cards.

  • The CSAM Trivia 2020 winners are Seth Akira Feldman, Mahnoor Mukhtar and Tara Wells
  • The UTORMFA BINGO winner will be announced shortly.

Though the campaign has come to an end, we should not let down our guard when it comes to remote security. Continue to visit the Security Matters website regularly for resources. Plus, review links to all the CSAM 2020 materials here:

Coffee with the CISO — student session

University of Toronto (U of T) students are invited to meet and have a conversation with U of T’s Chief Information Security Officer (CISO), Isaac Straley, at a virtual Coffee with the CISO event.

Straley joined U of T in 2018 and he holds the inaugural appointment of CISO at the University. As the CISO, he is responsible for providing strategic leadership and oversight of U of T’s information security and privacy programs. He leads senior technology managers and staff on securing University systems and data assets and implementing practices that meet U of T’s policies and standards for information security. In addition, the CISO identifies, evaluates and reports information security risks to the chief information officer.

Attendees will join Isaac Straley for an engaging conversation — discussing his role as CISO, careers in Information Security and how data privacy and security relates to our higher education environment. Come prepared with topics or questions that interest you, as these sessions are open conversations between Isaac and the attendees.

Date: Nov. 12, 2020
Time: 10:30 – 11:30 a.m.
Register*: https://its.eve.utoronto.ca/home/events/1025

*Spaces are limited