Microsoft has made changes in Windows 10 version 1903 that allows users an option to run an offline scan of their system using Windows Defender.  Periodically running this scan is a good security precaution to check for the presence of any rootkits that may be on your system, as a normal scan would be unable to detect the presence of a rootkit. 

If you are still using Windows 7 Operating System on any of your computers, you should seriously consider upgrading, as Windows will no longer be providing any support or updates.  Below is a link to Microsoft where you can find out more information.

support.microsoft.com/en-ca/help/4057281/windows-7-support-will-end-on-january-14-2020

Ransomware is becoming the number one threat in Cybersecurity.  It can be very profitable for criminal organizations or individuals to carry out ransomware attacks.  A large number of municipal government organizations have been targeted with ransomware attacks in 2019. Universities, public schools and Hospitals have also been targeted.  Below is a link to a very good explanation of ransomware by the University of California - Berkeley. 

security.berkeley.edu/faq/ransomware

The German Federal Office for Information Security (Bundesamt Fur Sicherheit in Der Informationschnik) tested four of the major web browsing applications to determine which one they considered the most secure.  The tests were conducted in September 2019 and the following browsers were tested:
Chrome vs 76, Microsoft Internet Explorer vs  11, Microsoft Edge vs 44, and Firefox vs 68.
Their test had a 21 point list of various security requirements and options.  Of the four browsers, Firefox received top marks and was the only one that passed all 21 points in their criteria. 

Hardly a day goes by without another news story being released on yet another “security breach” occurring, or a “new scam” being discovered, or a number of people finding their “bank accounts being drained” by sophisticated schemes of criminal individuals and organizations.  Below are three recent stories from the CBC website on some of the ugly things that are happening out in Cyber land.  The first story shows how your life can be turned around by being subjected to identity theft.   The second and third story relates to off shore organized crime organizations targeting Canadians in an attempt to defraud them of their money.  Most people will recognize a con job in the making, when they receive a phone call from someone claiming to be from the Canada Revenue Agency, or some other government department. Unfortunately, these organizations are very sophisticated and convincing, and there are always a number of people that fall victim to their schemes.   


cbc.ca/news/canada/toronto/meet-deborah-oguntoyinbo-accused-of-being-a-professional-and-prolific-identity-thief-1.5348438

cbc.ca/news/politics/fraud-spoofing-canada-government-1.5348659

cbc.ca/news/world/national-cra-india-rcmp-scam-1.4883796

Below are a couple of recent newsworthy stories posted on the CBC website regarding our banking institutions in Canada. 

www.cbc.ca/news/business/banks-deny-compensation-online-fraud-security-1.5322982

My take on this story...

Online banking can be risky if you don't take security precautions into consideration:
#1 Don't ever share your PIN number with anyone.  (See related story below.  It's shocking that a financial institution would be asking a potential customer for their account and associated PIN number!)
#2  Don't reuse passwords for any online accounts, especially banking and eCommerce sites.
#3  Use strong passwords.  Use a password manager (add-on to most browsers) to create and keep track of your passwords.  Lastpass is a good password manager in my opinion.  Don't allow your browser program to save all your passwords.  Use a password manager instead.
#4  If your financial institution offers Two-Factor Authentication in their login process, use it.  It may be a more cumbersome process to login, but it should provide a higher level of security for your online presence.  A warning though, criminals have figured out how to get around two-factor authentication as well, so the process is not bullet proof.  Even though your bank doesn't offer two- factor authentication, they may provide a second level of security in a different flavor.  RBC online banking offers a "Sign-in-protection" option where they ask you  a personal verification question. You have to set this up as an option in your online banking.  There is also a tick box asking that at least one PVQ is asked at sign in.  This should always be selected. As of this writing, only one of the five major banks in Canada provides two-factor authentication, which is TD Bank.
#5  Security is your responsibility, not only the bank's responsibility.  If you are lax on security precautions, you shouldn't expect the bank to cover all your loses if you're the victim of an online related fraud.

At the bottom of the first article, there are some good tips on how to prevent online banking fraud by Limor Kessem, an IBM X-Force, executive security adviser. 

www.cbc.ca/news/canada/nova-scotia/national-bank-canada-customer-banking-privacy-1.5334059

Not only should you be concerned with protecting yourself from security vulnerabilities, you should also be vigilant at protecting your privacy as well.  Most people use some form of Google Services, whether the applications are on your smartphone, or home/office computer, you potentially could be tracked extensively by Google, and other third party companies.  Google does provide you with the tools to adjust your privacy settings.  Below is a good article on how to set some of those privacy settings.   
www.itworldcanada.com/article/how-to-control-your-privacy-for-google-services/

A recently discovered critical vulnerability has been discovered on WINRAR, a compression/decompression utility program that is installed on more that 500 million PC's.  A new release V5.70 has been released as of Feb 28, 2019.  All older versions have the vulnerability and should be upgraded. 

The updated version is available here:  https://www.win-rar.com/

Con Artists have been around since the beginning of time.  They're constantly figuring out new techniques to scam you out of your hard earned money or possessions.  With the advent of the internet and personal computers, in many cases the profession of the con artist has evolved into the modern day hacker.  Creative Social Engineering is allowing hackers the ability to con unsuspected computer users into providing their personal or account related information, allowing their online accounts to be compromised.

Below are three YouTube links of excerpts of a UK TV program showing various ways that con artists can scam their potential victims.  The videos are a bit old, but still show how creative con artists can be. 

The Real Hustle:  Laptop stolen at airport scam
https://www.youtube.com/watch?v=H7N6WoaASDQ

The Real Hustle:  Stolen Bag at airport scam
https://www.youtube.com/watch?v=IwcTiuxzqv0

The Real Hustle:  The Give And Take
https://www.youtube.com/watch?v=KwFWJKMZ8uQ

In a previous blog post, a reference was made indicating Multi-Factor Authentication (MFA) was often referred to as Two-Factor Authentication (2FA).  There’s actually a difference between the two authentication methods, 2FA being a subset of MFA.  A website that only requires a userID/password combination is referred to as having Single-Factor Authentication.   2FA uses two pieces of evidence to provide authentication, whereas MFA uses more than two.  Most common 2FA implementations use a userID/Password combination, plus one other variable:  SMS message, phone call, email note, and software or hardware token.  MFA adds a more complex process for authentication, usually using some form of Biometrics, i.e. voice or facial recognition, retina or iris scan, or fingerprint recognition.  The current location where you attempt a website login can be also used as an additional factor in MFA.  MFA is a more robust form of authentication where a user is only granted access only after successfully presenting evidence in at least three categories:  Knowledge (something you know  [i.e. your userID/password] ), Possession (something you have [a software or hardware token] ) and Inherence (something you are [fingerprint recognition] ).

2FA (and eventually MFA) is a technology that will become a mainstream login process on user’s accounts in the future.  Currently, very few websites that require user login have implemented this technology.  Partially because of the amount of work that is required for companies to add this to their websites, and partially because of user resistance in using the technology, even if it’s offered.  2FA is an evolving technology that potentially could be prone to failure, partially because of the result of successful Social Engineering attacks by utilizing newly discovered vulnerabilities.    
   
Below is an article from a CBC News website on how a cryptocurrency executive lost money in an online account that she thought had a secure login process using 2FA. Her cell phone account was compromised and SMS 2FA failed as result of successful Social Engineering.
https://www.cbc.ca/news/technology/marketplace-social-engineering-sim-swap-hack-1.5009279

If you reside in Canada, you can watch the Marketplace episode that was originally broadcasted on Feb 8, 2019 at this address:  https://watch.cbc.ca/media/marketplace/season-46/episode-14/

Refer also to a previous post referring to the “Human Factor in Network Security”.
https://www.runetworksafe.com/blog/the-human-factor-in-network-security
 

Two-Factor Authentication (or Multifactor Authentication) has been mentioned in some previous blog postings.  What is it, you ask?  It’s an added layer of security in the login process, that’s implemented by a website owner (i.e. your bank for online account access or your favorite online retailer).  Why use it, it just makes logging in that much more difficult!  Having an extra layer of security also makes it much more difficult for the criminal element, preventing unauthorized access to your accounts. Data breaches on companies that have an online presence are becoming a common occurrence; there are more breaches that occur than the news media care to cover.  If you have an account with a company that has experienced a data breach, there's a high probability that your userID and password could eventually become exposed on the internet as a result of that data breach.  This is especially dangerous if you happen to reuse passwords for multiple accounts.

Here is an excellent article by a Time Magazine writer on staying safe online by using two-factor authentication.  http://time.com/5510195/two-factor-authentication In this article, another website is mentioned  https://twofactorauth.org/ that gives you the ability to check to see if your bank or retail website provides the option for two-factor authentication.  If you find that they don’t provide that service, they can and should be shamed on social media, encouraging them to provide that extra layer of security for their customer's.  An alternative would be to send a quick email note to the company that you deal with online, requesting that they add that service to their website.  Chances are, most companies will be scrambling to have their website developers implement this type of added security.  It protects their customer's and could also prevent them from potential liability.

Of the five major banks in Canada, notice that TD Canada Trust is the only Canadian bank that currently offers two-factor authentication for their online customers. The other banks have some website development to do!

Reusing passwords for numerous internet sites is dangerously insecure.   A typical computer user when warned about this practice might respond as “what’s the big deal, I do it all the time”.  The problem is, most typical computer users don’t really understand the inherent dangers associated with reusing passwords. This is especially troublesome if passwords are reused for sites that contain personal and/or financial information, i.e. credit card info.  Below is an example of why you shouldn’t reuse your passwords. 
                                                                                                                                                   
Joe Blow is a typical computer user who has a number of web site logins that are linked to his email account joeblow@email.com, and he uses the same password for all those sites.  He uses Facebook, Instagram, Google, online banking, Steam for his gaming, Expedia for his travel, and numerous online shopping accounts including Amazon.  Joe plays some online computer games and he had an account to play Town of Salem   that was produced by BlankMediaGames.  A recent discovery was made at the end of Dec, 2018 revealing that this site had been hacked.  A serious data breach had occurred resulting in the exposure of over 8 million individual user’s email accounts, web site usernames and passwords, IP addresses, past purchases, and website activity.  More information on this hack can be found here:  https://blog.dehashed.com/town-of-salem-blankmediagames-hacked/   

Since Joe uses the same password for all of his website accounts, the Town of Salem breach created exposure to most of Joe’s online activity including his email account, banking, social media and online shopping.  A question most people would ask, “Once a breach has occurred, what do hackers do with all that data”?  Partial or complete databases of this kind of information are sold on the Dark Web, either outright or through an auction process to the highest bidder.  Data of this kind can make its way into criminal organizations where they can handsomely profit by exploiting user’s accounts and personal information. 
  
A data breach can occur on a targeted organization and not be discovered for several months.  In Joe’s case, he was unaware of the data breach that had occurred with his Town of Salem account.  One day, Joe tried to log into his online banking account, and kept getting an error, saying his userID or password was incorrect.  After several login attempts, he decided to reset his password, but when asked to complete an email verification, he was unable to log into his email account.  Joe was under a time constraint to make a rent payment to his landlord, so he made a trip to his local banking branch to make the payment and resolve his online login problem.  When he reached the bank, to his horror, the banking representative informed him that he only had a balance of $5 dollar remaining in his account.  

At this point, Joe realized something serious had occurred and his various online accounts had been compromised, but he couldn’t understand why this had happened?  He used what he thought was a very strong password. The problem was, he had reused his password on various accounts, including the Town of Salem account.  That security breach had exposed his email and password information for the criminal world to exploit.  His banking account was compromised because he reused his common password and didn’t use multifactor authentication (can also be referred as two-factor authentication), a service that his bank had offered, but something that he never got around to setting up.  Hackers were now able to log into his various internet accounts and not only drain his bank account, but gather and dissect all kinds of personal information on Joe.  Once the perpetrators had control of Joe’s email account, they were able to change his password on all of his other accounts, thus locking Joe out.  
         
By following more secure practices in Password Management, Joe could have avoided this situation from happening.  Joe wonders how one could possibly set up and remember countless user names and passwords for all his accounts. By utilizing a password management program like Lastpass, where only one master password has to be remembered, and a different password can be generated and used for all his accounts, Joe’s problem could have been alleviated.  Use multifactor authentication wherever possible, especially on your most important and sensitive web sites, or on sites where financial transactions are taking place.  Don’t allow web sites to remember your credit card information if possible (click the box “do not remember credit card” if that option exists).  Don’t allow your browser to remember your passwords.

Now Joe has the unwanted burden of resetting all his online accounts; not a simple process like setting up an online account in the first place.  He also has to set up credit monitoring, so he can hopefully avoid or minimize the affect of identity theft, since most of his online accounts had been compromised. Joe will never make the mistake of reusing passwords again, and will implement better password management habits from now on.   
 
 You can also refer to a previous blog posting on password management for more information.   https://www.runetworksafe.com/blog/password-management

Yesterdays blog post mentioned a web site that allows you the ability to verify if your email address has been compromised by a data breach in the past. Another web site that offers a similar service is provided by Mozilla.  The web site address is https://monitor.firefox.com/

You can also sign up for Firefox Monitor alerts, which will send you an email alert if you have an account with a company that experiences a new data breach, that has been discovered and details released to the public. 

Hardly a week goes by where another news story hits the airwaves.  Another company has fallen victim to some type of data breach where hundreds of thousands, sometimes millions of the company's customers or clients have had their personal data compromised. You ask yourself the question, why does this happen?  Many times, it’s because of a company being complacent with their security policies and practices.  Take the Equifax data breach for an example.  (Review a previous blog post for more information https://www.runetworksafe.com/blog/equifax-security-breach)  Criminal activity in cyberspace can be a very profitable venture.  Security vulnerabilities are constantly surfacing, exposing companies that house your personal data.  Newly discovered exploits many times are sold to criminal organizations, allowing them to hack into compromised systems, even before companies are aware of those exploits.  There is a varying degree of personal information that can be extracted from a data breach.  It depends on the sophistication of the breach, and how and what information a company retains on their databases for each customer or client.  Names, Date of Birth, email addresses, physical home or business addresses, phone numbers, social security numbers, and credit card information can be extracted from a company’s database, when they fall victim to a data breach.  What can you do to help prevent the damage caused by having your personal data exposed to a criminal organization as the result of a data breach?  The first thing that you should do as an ongoing precaution is utilize a good form of Password Management.  (Refer to another past blog post for more information https://www.runetworksafe.com/blog/password-management)

A very handy web site is available that allows you to check to see if your email account has been compromised by a data breach in the past. The web site is https://haveibeenpwned.com/  By entering your email address, you can determine if you are a victim of a data breach.  You can even be proactive by signing up to be notified if your email address happens to be contained in a future data breach.
 

If you find yourself the victim of a recent data breach, what precautions should you take to prevent your identity and personal information and/or credit card information from falling into a criminal cesspool?   Changing your password on the compromised web site is the first thing you should do.  If you've used the same password on any other web sites that you log into, you need to change those passwords as well.  If your credit card information has been compromised, you need to cancel  your credit card and request a new card to be reissued by your financial institution.  You should also take an added precaution by signing up for credit report monitoring. Identity Theft is another issue that will be covered in a future blog posting, since there is too much information that is required for that topic.   

Below is a news story from the CBC Website, telling the experience of a Saskatoon homeowner, who discovered that a complete stranger had access to her home video cameras.  A misconfiguration on the equipment by the technician of the home security company allowed this problem to occur.  This is another prime example of human error causing a security vulnerability and blatant invasion of privacy.  It's possible that this vulnerability could have gone on for an indefinite length of time, without the homeowner ever knowing about it.  Follow the link below for the complete story.
vivint-security-privacy-stranger-access

Below is a link to an interesting article on a CBC Website describing how Google tracks and records your location, even if you change your privacy settings to prevent location tracking from occurring.  Pretty well the only thing that you can do to prevent location tracking, is by turning data off or completely powering off your phone.
cbc.ca/news/technology/google-movements-tracking

I've been receiving phone calls from international numbers over the last few days (6 calls so far). The calls I've received originate from Somalia, the phone rings only once and then disconnects.   I haven't picked up the calls as I can see on the call display that they are international calls.  I found some information on a cell phone scam that pretty well fits into the same category as what I'm experiencing. http://windsorstar.com/news/local-news/new-phone-scam-involves-overseas-calls Don't pick up these calls and don't call back.  Call blocking probably won't work as the number is always a little different.

When you are browsing on the internet, the site’s domain address that you are visiting should show up in the browser’s address bar.  This will look slightly different, depending on the particular browser that you are using. 

 Mozilla Firefox Unified Search/Address Bar

Google Chrome Address Bar

Http (HyperText Transfer Protocol) was originally designed for the web browsing in the earlier days of the internet.   Unfortunately, no security was built into this protocol and it was considered an insecure form of communication.   Https (HyperText Transfer Protocol Secure) was developed to provide a secure method of transmission, by encrypting the data between the user’s web browser and a web server that they were connected to.  Financial institutions and online purchasing sites were originally the common sites using the https protocol. 

As the internet has evolved over the years, security has become more of an issue.  Now, most sites (mine included) are switching from http to https.  This provides better protection from the standpoint of security, and the http protocol will eventually be phased out. 
       
If you are using Firefox, Chrome or Opera browsers, an extension called HTTPS Everywhere should be installed to provide an added level of security. 

If you've downloaded a file from the internet, or have received one in an email note, and you aren't completely certain on it's trustworthiness, there are a few things that you should do before opening or executing it.  The first thing you should do is scan the file with your antivirus program that is installed on your computer.  The second thing that you could do is open this website virustotal.com and upload and scan the file.  The same can be done for checking the validity of a website that you are not sure of.  Bookmark this site and keep it handy for these purposes.  

It should be an absolute crime for corporations “entrusted in keeping our personal data”, from conducting lackadaisical security practices, and putting our security and privacy in jeopardy.  The Equifax security breach in 2017 is a prime example.

Equifax is a credit bureau that provides credit information to many financial institutions and data brokers.  It holds vast amounts of personal data on individuals, so banking institutions can determine credit worthiness for loan and mortgage applications.

Equifax was breached in May 2017 on a server utilizing an Apache Struts 1 open-source web application.  Equifax was notified in March 2017 by Apache, as well as the Department of Homeland Security, of a critical security patch that was required to be installed to correct a security vulnerability with the Struts 1 application.  Equifax didn’t get around to installing the patch until the end of July, 2017.  At that point, a discovery was made that a breach had occurred on their system back in May 2017, 2 months after they should have installed the patch.  Attackers were able to use a known vulnerability to gather vast amounts of personal data on over 145 million US, 15 million UK, and over 100,000 Canadian citizens.  This attack was not even considered very sophisticated by security experts, and Equifax was said to be solely at fault.  
 
To add salt to the wound, after the security breach had been discovered, Equifax’s Incident response was less than stellar.  It took Equifax nearly 6 weeks to divulge to their customers that they had been breached, putting them at more risk of Identity theft. 

It is unfortunate that corporations and our financial markets are more interested in “the bottom line” of profits, rather than funding a small cybersecurity budget to prevent situations like this from happening.  Equifax is one of many corporations that have been hit by cyber criminals.  Who will be the next target?

Below is a link to Wikipedia on a list of data breaches that have occurred over the years.
https://en.wikipedia.org/wiki/List_of_data_breaches

Researchers have just recently released information on two security flaws that they have discovered that create security vulnerabilities on most smartphone and computer CPU hardware. They have called these two flaws Meltdown and Spectre.  Software companies are scrambling to get software patches written to correct these flaws from affecting most smartphones and  computer equipment.  This is just another example of why it is so important to keep your computers and smartphones updated with the latest security patches and system updates. Below are links to several articles for further information on these security flaws. 

https://meltdownattack.com/

http://www.cbc.ca/news/technology/security-flaws-cpus-intel-arm-amd-spectre-meltdown-memory-1.4472675

Below are some timely articles on purchasing tech toys, just in time for your last minute Christmas shopping.  If you are buying your children/Grand children tech toys for Christmas, you should be aware of the potential security threat imposed by connecting those toys to your wireless internet connection, or your smartphone bluetooth.

Tech toys could put kids' privacy at risk. Here's how to stay safe
www.cbc.ca/news/technology/connected-toys-safety
Dec 22, 2017

FBI Tech Tuesday: Building a Digital Defense Against Internet-Connected Toys
www.fbi.gov/contact-us/field-offices/portland/news/press-releases/fbi-tech-tuesday-building-a-digital-defense-against-internet-connected-toys
Dec 22, 2017

Inside the FBI: Internet-Connected Toys Pose Security Risks
www.fbi.gov/audio-repository/inside-podcast-internet-connected-toys-081017.mp3/view
Dec 22, 2017

A research company called 4iQ, a provider of Identity Threat Intelligence, has recently discovered a very disturbing database on the Dark Web which contains in excess of 1.4 Billion searchable stolen credentials.  This list is an aggregation of information from numerous data breaches, which have taken place in the past.  Analysis of this database shows that users still use common and simple passwords, and re-use the same passwords for multiple accounts.  4iQ used the database to discover 40 of the most common passwords used by individuals.   Don’t fall victim to Cyber Crime, by using weak passwords or re-using passwords for a number of different sites.  Periodically change your passwords, especially if you’re a customer or client of a corporation that has been subject to a data breach.  Use a password manager like Lastpass, to help generate and keep track of strong passwords, as well as sync passwords between different devices that you use.  ie. between your PC, Tablet or Smartphone.

 https://4iq.com/     Dec 19, 2017