identity theft

A Nightmare on Shred Street 2: Data’s Revenge

Like any Hollywood nightmare, a sequel is always in the offing, and identity theft just isn’t going away. With that in mind, the second annual “A Nightmare on Shred Street” event was held on Monday, October 23. In support of Cybersecurity Awareness Month, Information Technology Services teamed up with Lethbridge Mobile Shredding to offer free shredding of personal documents, hard drive degaussing, and e-waste recycling at the University of Lethbridge.

In just four hours, this public event helped more than 100 people protect themselves from identity fraud by shredding over 2000 gallons of paper documents, as well as several hundred magnetic and other non-paper items (credit cards, cell phones, CDs, floppy disks, etc.) containing personal information. Over 3.5 cubic metres of electronic waste was collected and sent for recycling. A degausser was on site to demagnetize and erase 49 hard drives before recycling.

Donations for the University of Lethbridge campus food bank were gratefully accepted. The event raised $375 and collected 120 food items, which is enough for about seven hampers, to help University of Lethbridge students through the end of the fall term. Seven functioning laptops were also salvaged from recycling, with permission from the donors, and will be wiped clean and donated to the Operation Underground Railroad organization, which helps children escape from trafficking and slavery.

All of this more than doubles the numbers from last year’s event! Information Technology Services acknowledges the generous support of Lethbridge Mobile Shredding, DBS Environmental, Campus Safety, Facilities, and the many individual people who came together to make it happen.

Tis the season….to get scammed!

Once again the holiday season is upon us. This is a time where we celebrate family and friends, reach out to those in need and try to make the world a better place one little act of kindness at a time. Unfortunately, it’s also a time where those who don’t share our vision of “Peace on Earth” abuse the generosity and trust of people around the world by lying, stealing and destroying the financial lives of innocent victims. Cyberattacks are on the rise and the Christmas holiday season provides online fraudsters with ample ammunition to target online shoppers and those expecting various communications from mail and parcel delivery services.

In an effort to protect you during the holidays, the Information Management and Security Office would like to remind you of the following guidelines to help you keep your information and your computing devices safe and scam free.

Passwords

You certainly wouldn’t hang your house keys or car keys on your mailbox outside your house. Anyone could walk by, grab the keys and help themselves to your assets. Unfortunately, we don’t treat our passwords with the same kind of respect it seems. Passwords are the key to your online identity and improper usage or storage of them makes it easy for attackers to abuse your credentials and do things that would certainly land them on the naughty list. Some guidelines to remember for keeping passwords safe include:

1. DON’T REUSE PASSWORDS ACROSS WEBSITES. Although it’s tempting since passwords are hard to remember, it is a very poor practice to only have one password for your online identity. Not all sites are created equal so there may be some wiggle room in that directive but generally you need to have distinctly separate passwords on the following sites:

a. Banking
b. Email
c. Ecommerce sites that store your credit card or banking info (PayPal, Amazon, etc).

A password management tool like KeePass or LastPass can help manage your passwords and keep them safe. Many of them are free and will create a vault for you to store these precious assets in.

2. DO NOT ENTER PASSWORDS INTO WEBSITES THAT ASK YOU TO CONFIRM YOUR IDENTITY THROUGH EMAIL. Those emails that promise more space or a deactivation of your account are fraudulent. We refer to them as phishing attacks. These websites are often hosted in questionable locations that don’t have anything to do with the organization that supposedly sent you the email. Always check the address bar of your browser or hover over a link with your mouse to make sure you are where you think you are. For example, a uleth.ca login page will never be hosted on a site that doesn’t end in .uleth.ca (https://login.uleth.ca/cas/login or https://adfs.uleth.ca).
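The "ends in .uleth.ca" check from item 2, written out as an added example (not the University's own code). The helper names and sample links are constructed for illustration, example.net stands in for an unrelated host, and the HTTPS requirement is an assumption based on the two login URLs shown above.

```javascript
// Added example (hypothetical helper, not University code).
const TRUSTED_DOMAIN = "uleth.ca"; // the domain named in the guideline

// True only when the link's *hostname* is uleth.ca or ends in .uleth.ca.
function isUlethLink(link) {
  let url;
  try {
    url = new URL(link); // parse first; never match against the raw string
  } catch {
    return false; // relative or malformed link: cannot be verified
  }
  // Assumption: genuine login pages use HTTPS, as both URLs in the text do.
  if (url.protocol !== "https:") return false;
  // Text before "@" is userinfo, not the site, so "login.uleth.ca@other" fails.
  if (url.username !== "" || url.password !== "") return false;
  // The parser lowercases the hostname; drop a trailing root dot if present.
  const host = url.hostname.replace(/\.$/, "");
  return host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN);
}

// Constructed sample links: two genuine forms, then lookalikes that only
// contain the trusted name somewhere other than the end of the hostname.
const SAMPLE_LINKS = [
  "https://login.uleth.ca/cas/login",
  "https://adfs.uleth.ca",
  "https://login.uleth.ca.example.net/cas/login", // trusted name is a subdomain label
  "https://login.uleth.ca@example.net/cas/login", // trusted name is userinfo
  "https://example.net/login.uleth.ca/cas/login", // trusted name is in the path
  "https://notuleth.ca/cas/login",                // different registered domain
  "http://login.uleth.ca/cas/login",              // not HTTPS
];

// Pair every link with its verdict so callers can act on the result.
function checkLinks(links) {
  return links.map((link) => ({ link, trusted: isUlethLink(link) }));
}

for (const { link, trusted } of checkLinks(SAMPLE_LINKS)) {
  console.log((trusted ? "OK      " : "SUSPECT ") + link);
}
```

Only the first two links pass; every lookalike fails because the comparison is made against the parsed hostname rather than the text of the link.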

For a complete training course on phishing, we encourage you to enroll in our online training materials available for all students, staff and faculty. Visit the Information Security webpage for more information. Enrollment in these courses is easy.

Email Attachments

Part of our overall security strategy at the University is to restrict certain files from coming into your inbox. Certain attachments can be used to spread viruses, malware or ransomware. For example, you cannot receive .zip, .docm, .exe or .com files. All of these could contain potential risks and so we remove them before they ever have a chance to arrive in your email. However, we cannot control your personal email accounts or websites you may visit, which may host these types of files. We encourage you to never open a suspicious file from someone you don’t know or to click on links from non-trusted webpages that encourage you to download these types of files. When downloaded and running, these types of files can silently download malicious software onto your computer which could result in the complete loss of data or usage of your machine.

During the holidays there are some common scams that occur including emails which are attempts to trick users into thinking they are receiving a package or delivery. Because of the time of year we aren’t always thinking about whether or not we are actually expecting something and sometimes click on places we shouldn’t. A few years ago we had a huge spike in these kinds of emails and so we created a webpage that describes the attack in detail and how you can avoid it. Please review that summary here.

Ransomware
A new and very effective attack that is becoming increasingly popular is ransomware. This type of attack will hold your data ransom and demand payment (usually $200 – $400 per machine) in order to restore access. There is no technical solution that can fix ransomware once it has infected your computer, and unless you have backups in place, you will be forced to pay or lose your data. Paying ransom can be complicated and doesn’t actually guarantee that you will be able to recover your data, so the preference is to never get infected in the first place. Ransomware is typically delivered through malicious email attachments or files downloaded from the internet. Most infections can be easily avoided if you pay attention to what you click on and never allow untrusted applications or websites to run programs on your system. Ransomware affects a variety of institutions and organizations. Recently, the University of Calgary and Carleton University in Ottawa had ransomware unleashed in their environments, which caused huge interruptions to their research and teaching activities. These types of attacks could have serious implications for the University of Lethbridge, and we urge all users to be vigilant in their computing activities to prevent similar incidents from happening here.

What can you do?
The Information Security program at the University of Lethbridge has created a variety of training and education opportunities to help you understand how best to protect your information. All University staff, faculty and students should engage in these online and in-person training opportunities. Any questions or concerns should be sent to ITS, who will be happy to assist you.

Current training courses include:

1. Security Awareness (A general overview of good IT Security practices)
2. Phishing Awareness (A focused review of Phishing attacks and how to avoid them)
3. Data Encryption (How to encrypt and protect sensitive data in the event of loss or theft)
4. Data Storage Standard (All staff and faculty should take this every 2 years to determine where and how to store various types of data)

To schedule some in person training for your department, please reach out to Kevin Vadnais, 403-332-4056 or kevin.vadnais@uleth.ca, who will arrange a time to address the topics that affect your teams the most.


The coffee’s on Leslie – just in time for ‘phishing season’

The next time you see Leslie Gatner, Financial Analyst in Financial Services, the coffee’s on her. Gatner’s name was drawn to win the $25 Starbucks gift card for completing the online Phishing and Identity Theft course last month.

“We had a good response to the online course, but in my world, 100% completion would be ideal,” says Kevin Vadnais, IT Services Information Security Manager. He says he realizes it may not be realistic but it’s his goal nonetheless, especially with the holiday season looming.

“We’re coming into one of the busiest ‘phishing’ seasons with the upcoming holidays, so I would like to advise the University community to be vigilant.” Vadnais says the Christmas season logically lends itself to shipping scams by the bad guys. “Typically you will see emails from which you’re invited to download a .zip or .exe file that claims to have tracking information on a shipment. The email uses high-quality logos from companies like Canada Post, FedEx and UPS and, in addition, the grammar is far better than the usual phishing emails we see. Once the user clicks on the attachment, what it actually does is download malware on the user’s machine. The malware can contain a variety of threats: for example, Crypto locker is one that holds a computer hostage until a significant ‘ransom’ is paid, and there’s the threat of data theft. The bad guys can capture passwords when doing online banking, find personal data like social insurance numbers in tax returns, and both can lead to identity theft.”

As in all cases, Vadnais advises users to stop and ask themselves if it makes sense to simply click on an attachment, or go to the sender’s website instead to find tracking information. “Use common sense, if you’re not expecting a package, don’t click on a link that says you have one. One of the easiest clues is to hover your cursor over the link provided and compare it to what url shows next to it, or in the bottom of your browser. If it’s phishing or a malicious file, the destination in the link or image which pops up in the hover will not match what the browser text or image is showing. When that happens think twice about proceeding.”


Vadnais says the Information Security website is a good resource to check out if you’re wondering about an email. It contains some of the most current and common threats. He strongly encourages people to take the Security Awareness and Phishing and Identity Theft courses online, and more than once if required – just to refresh the memory. “They are excellent sources of information for everyone.”

Also contained on the site is a form users can complete to report a phishing attack. “The phishing messages we’re concerned about are those that appear in our inboxes, or slip by filters without the ***PHISHING MESSAGE*** alert in the subject line. We can take a lot of those sites down if we report them to the company whose image is being falsely used and alert organizations when we see one of their accounts being abused. This provides us an opportunity to take preventative measures to stop our accounts from being compromised.”

For more information, or to arrange a security session for your unit or department, please contact Kevin Vadnais at kevin.vadnais@uleth.ca.

Cyber Security Awareness Month wrap-up – it’s not too late to get your gift!

The IT Services Information Security Office and University Privacy Office extend a huge thank-you to the U of L community for its support of the recent events held in support of Cyber Security Awareness Month.

About 150 students, faculty and staff stopped by the information booths set up in the UHall Atrium and Students’ Union building during the weeks of Oct. 14 and 20th, says Kevin Vadnais, Information Security Manager. “Everyone who took the 10-question quiz was awarded with a light-up yo-yo or pocket flashlight, and we still have more for those who didn’t get the chance at the booths.”

Vadnais is encouraging everyone to take the online quiz, and they simply need to send him the answer to the bonus question via email at kevin.vadnais@uleth.ca to request one of the gifts. He adds that test-takers need to enter their name in the title of the screen to be eligible.

Earlier in the month, consultants for PricewaterhouseCoopers presented on Security Trends in Today’s Market at CASA which piqued great discussion among University and Lethbridge community members.

“We had a good response from the community both in the public and private sector. I think most were engaged in the topic and took away valuable information. This kind of event sets the stage for more related sessions in the future and promotes collaboration within the Lethbridge community. It’s everyone’s problem and everyone’s responsibility to educate and protect themselves, and those they may serve,” Vadnais adds.

Everyone is reminded to take the 10-minute phishing and identity theft course in order to be entered into a draw for a $25 Starbucks gift card. Completion of the course must occur by 11:59 PM on Oct. 31 to be eligible for the draw.

Faculty, staff and students are also strongly encouraged to take the security awareness course that is now a permanent feature on the Information Security website.

For more information, contact Kevin Vadnais at (403) 332-4056 or kevin.vadnais@uleth.ca.

Community Shredding Event

In an effort to promote the secure destruction of personal information and the prevention of identity theft, the AMA is sponsoring a free event where community members can bring their sensitive documents and electronic storage items (not including hard drives) to be destroyed by a professional shredding service. The event will be held on Saturday, March 23, 2013 from 10am – 2pm at the AMA Lethbridge Centre located at 120 Scenic Dr. South. For more information on how to participate, please visit the event website.

Cyber Security – A community effort

Kevin Vadnais, Information Security Analyst, was asked to present on cyber safety to two community groups in November and early December. A parent preschool group in Coaldale and the Lethbridge Breakfast Club were brought up to speed on cyber safety and identity protection.


“They asked me to explain some of the things that would help them become more savvy about internet threats, and to protect their own personal information online.”

Vadnais demonstrated how easily someone can become a victim of identity theft. Within minutes of conducting internet queries and piecing together seemingly unrelated bits of information about one of the audience members, Vadnais had the full name, birthdate, parents’ names, parents’ address, parents’ phone number, along with their children’s information. This eye-opening video shows a similar example.

For more details about Vadnais’ presentations, see the article published by the Lethbridge Herald.

If you have questions about the University’s cyber security program, or would like advice on how to be cyber safe, contact the Solutions Centre at help@uleth.ca or 403-329-2490.