Security firm Kaspersky recently released a report indicating that approximately 45% of US and Canadian employees wouldn’t know how to respond if they were targeted in a Ransomware attach.  An alarming 37% didn’t even know what a Ransomware attach was.  
The Canadian Centre for Cyber Security (CCCS) has prepared a “Best Practices” document with information for companies to follow to prevent or recover from a Ransomware attach.  See link below.
https://cyber.gc.ca/en/guidance/ransomware-how-prevent-and-recover-itsap00099

One key aspect for companies to follow in preventing a Ransomware attach from occurring is educating their employees on what and what not to do, when dealing with potential Ransomware threats. 

The Canadian Anti-Fraud Centre has reported an increase in the number of computer related scams that are taking place as a result of the COVID-19 pandemic.  Crafty fraudsters take advantage of people and organizations in vulnerable times, many times because their guard has been taken down because of the situation.   Below is a link to a story that was posted on the CBC news website. 
https://www.cbc.ca/news/politics/covid-scams-fraud-crime-1.5551294

The Canadian Internet Registration Authority (CIRA) is a body that regulates the .ca domain on the Internet.  CIRA has developed and is providing a free service to all Canadian non-business residents for heightened Internet security.  They call this service the “Canadian Shield”.  What this service actually provides is added protection to your devices when DNS queries are made when you are connecting to sites on the Internet.  There are three levels of service that are available.  Below is a link to their website for instructions on making changes to your home router or devices.
  https://www.cira.ca/cybersecurity-services/canadian-shield/configure

IP addresses for resolving DNS queries are required to be changed on you home router, and/or computing device.  If changes are made to you home router, there is not a requirement to change IP address settings on all your individual devices while you’re on a wired or Wi-Fi connection within your house.  For portable devices like a tablet or cell phone, that may be connected to your data provider when you are away from your home, you should consider changing the IP settings on those devices for the full protection of this service.  
If you use Firefox or Chrome browsers, another setting that you should change on all your devices is a setting for DNS Encryption over HTTPS (DOH).  Instructions on how to make these changes are also contained in the link above.

Below is a link to a particularly good resource that was posted from the Canadian Centre for Cyber Security.  If you or your employees are teleworking from home, precautions should be made to prevent security issues from occurring. 
https://cyber.gc.ca/en/guidance/telework-security-issues-itsap10016

Below is a link to a German Web researcher and developer that has discovered that Avast and AVG online security extensions, that you would typically install on your web browser, in addition to you running their antivirus software, is spying on you.  Mozilla has already pulled the extentions from their Addon Repository.  If you are using these extensions, you should remove them from your browser addons.  If you are running Windows 10 OS, there's no need to be running 3rd party antivirus software, as Windows defender is doing a very good job.  Avast also provides their own web browser called Avast Secure Browser which is also spying on you. You should be using a browser that you can trust, like Firefox or Chrome.
palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/

Phishing is a technique used by criminals to gather personal and account login information from you, so they can exploit you or your organization. There are many various forms of phishing that exist.  Below is a link to a very good article describing the various types of phishing attacks that you should avoid. 
 6-common-phishing-attacks-and-how-to-protect-against-them/
It's important to remember that if you receive an offer either through email, SMS text or a phone call, and the offer sounds too good to be true, it's most likely a scam.  Phishing techniques are becoming so advanced that users find it difficult discerning a fake from a legitimate request.  

I might be dating myself, but I recall a TV series that played for seven seasons, starting in 1981 called "Hill Street Blues".  If you're not familiar with this program, it was based on the life and times of New York City police officers and the work they did on a daily basis.  At the beginning of every show was a segment where all the police officers had their morning briefing, conducted by their precinct sergeant.  At the conclusion on his briefing, he would always have a saying, "Let's Be Careful Out There" as he was concerned for the safety and well being  of all his officers.  I am reminded of this saying and think it would be a good slogan for this Website.  Every one of us that has an online presence to the Internet with either our computers or smart phones,  are subject to countless security threats.  Precautions are paramount in order to protect your privacy and data, from getting into the wrong hands of the criminal element.  Below is a short video of the sergeant finishing his briefing.

Microsoft has made changes in Windows 10 version 1903 that allows users an option to run an offline scan of their system using Windows Defender.  Periodically running this scan is a good security precaution to check for the presence of any rootkits that may be on your system, as a normal scan would be unable to detect the presence of a rootkit. 

If you are still using Windows 7 Operating System on any of your computers, you should seriously consider upgrading, as Windows will no longer be providing any support or updates.  Below is a link to Microsoft where you can find out more information.

support.microsoft.com/en-ca/help/4057281/windows-7-support-will-end-on-january-14-2020

Ransomware is becoming the number one threat in Cybersecurity.  It can be very profitable for criminal organizations or individuals to carry out ransomware attacks.  A large number of municipal government organizations have been targeted with ransomware attacks in 2019. Universities, public schools and Hospitals have also been targeted.  Below is a link to a very good explanation of ransomware by the University of California - Berkeley. 

security.berkeley.edu/faq/ransomware

The German Federal Office for Information Security (Bundesamt Fur Sicherheit in Der Informationschnik) tested four of the major web browsing applications to determine which one they considered the most secure.  The tests were conducted in September 2019 and the following browsers were tested:
Chrome vs 76, Microsoft Internet Explorer vs  11, Microsoft Edge vs 44, and Firefox vs 68.
Their test had a 21 point list of various security requirements and options.  Of the four browsers, Firefox received top marks and was the only one that passed all 21 points in their criteria. 

Hardly a day goes by without another news story being released on yet another “security breach” occurring, or a “new scam” being discovered, or a number of people finding their “bank accounts being drained” by sophisticated schemes of criminal individuals and organizations.  Below are three recent stories from the CBC website on some of the ugly things that are happening out in Cyber land.  The first story shows how your life can be turned around by being subjected to identity theft.   The second and third story relates to off shore organized crime organizations targeting Canadians in an attempt to defraud them of their money.  Most people will recognize a con job in the making, when they receive a phone call from someone claiming to be from the Canada Revenue Agency, or some other government department. Unfortunately, these organizations are very sophisticated and convincing, and there are always a number of people that fall victim to their schemes.   


cbc.ca/news/canada/toronto/meet-deborah-oguntoyinbo-accused-of-being-a-professional-and-prolific-identity-thief-1.5348438

cbc.ca/news/politics/fraud-spoofing-canada-government-1.5348659

cbc.ca/news/world/national-cra-india-rcmp-scam-1.4883796

Below are a couple of recent newsworthy stories posted on the CBC website regarding our banking institutions in Canada. 

www.cbc.ca/news/business/banks-deny-compensation-online-fraud-security-1.5322982

My take on this story...

Online banking can be risky if you don't take security precautions into consideration:
#1 Don't ever share your PIN number with anyone.  (See related story below.  It's shocking that a financial institution would be asking a potential customer for their account and associated PIN number!)
#2  Don't reuse passwords for any online accounts, especially banking and eCommerce sites.
#3  Use strong passwords.  Use a password manager (add-on to most browsers) to create and keep track of your passwords.  Lastpass is a good password manager in my opinion.  Don't allow your browser program to save all your passwords.  Use a password manager instead.
#4  If your financial institution offers Two-Factor Authentication in their login process, use it.  It may be a more cumbersome process to login, but it should provide a higher level of security for your online presence.  A warning though, criminals have figured out how to get around two-factor authentication as well, so the process is not bullet proof.  Even though your bank doesn't offer two- factor authentication, they may provide a second level of security in a different flavor.  RBC online banking offers a "Sign-in-protection" option where they ask you  a personal verification question. You have to set this up as an option in your online banking.  There is also a tick box asking that at least one PVQ is asked at sign in.  This should always be selected. As of this writing, only one of the five major banks in Canada provides two-factor authentication, which is TD Bank.
#5  Security is your responsibility, not only the bank's responsibility.  If you are lax on security precautions, you shouldn't expect the bank to cover all your loses if you're the victim of an online related fraud.

At the bottom of the first article, there are some good tips on how to prevent online banking fraud by Limor Kessem, an IBM X-Force, executive security adviser. 

www.cbc.ca/news/canada/nova-scotia/national-bank-canada-customer-banking-privacy-1.5334059

Not only should you be concerned with protecting yourself from security vulnerabilities, you should also be vigilant at protecting your privacy as well.  Most people use some form of Google Services, whether the applications are on your smartphone, or home/office computer, you potentially could be tracked extensively by Google, and other third party companies.  Google does provide you with the tools to adjust your privacy settings.  Below is a good article on how to set some of those privacy settings.   
www.itworldcanada.com/article/how-to-control-your-privacy-for-google-services/

A recently discovered critical vulnerability has been discovered on WINRAR, a compression/decompression utility program that is installed on more that 500 million PC's.  A new release V5.70 has been released as of Feb 28, 2019.  All older versions have the vulnerability and should be upgraded. 

The updated version is available here:  https://www.win-rar.com/

Con Artists have been around since the beginning of time.  They're constantly figuring out new techniques to scam you out of your hard earned money or possessions.  With the advent of the internet and personal computers, in many cases the profession of the con artist has evolved into the modern day hacker.  Creative Social Engineering is allowing hackers the ability to con unsuspected computer users into providing their personal or account related information, allowing their online accounts to be compromised.

Below are three YouTube links of excerpts of a UK TV program showing various ways that con artists can scam their potential victims.  The videos are a bit old, but still show how creative con artists can be. 

The Real Hustle:  Laptop stolen at airport scam
https://www.youtube.com/watch?v=H7N6WoaASDQ

The Real Hustle:  Stolen Bag at airport scam
https://www.youtube.com/watch?v=IwcTiuxzqv0

The Real Hustle:  The Give And Take
https://www.youtube.com/watch?v=KwFWJKMZ8uQ

In a previous blog post, a reference was made indicating Multi-Factor Authentication (MFA) was often referred to as Two-Factor Authentication (2FA).  There’s actually a difference between the two authentication methods, 2FA being a subset of MFA.  A website that only requires a userID/password combination is referred to as having Single-Factor Authentication.   2FA uses two pieces of evidence to provide authentication, whereas MFA uses more than two.  Most common 2FA implementations use a userID/Password combination, plus one other variable:  SMS message, phone call, email note, and software or hardware token.  MFA adds a more complex process for authentication, usually using some form of Biometrics, i.e. voice or facial recognition, retina or iris scan, or fingerprint recognition.  The current location where you attempt a website login can be also used as an additional factor in MFA.  MFA is a more robust form of authentication where a user is only granted access only after successfully presenting evidence in at least three categories:  Knowledge (something you know  [i.e. your userID/password] ), Possession (something you have [a software or hardware token] ) and Inherence (something you are [fingerprint recognition] ).

2FA (and eventually MFA) is a technology that will become a mainstream login process on user’s accounts in the future.  Currently, very few websites that require user login have implemented this technology.  Partially because of the amount of work that is required for companies to add this to their websites, and partially because of user resistance in using the technology, even if it’s offered.  2FA is an evolving technology that potentially could be prone to failure, partially because of the result of successful Social Engineering attacks by utilizing newly discovered vulnerabilities.    
   
Below is an article from a CBC News website on how a cryptocurrency executive lost money in an online account that she thought had a secure login process using 2FA. Her cell phone account was compromised and SMS 2FA failed as result of successful Social Engineering.
https://www.cbc.ca/news/technology/marketplace-social-engineering-sim-swap-hack-1.5009279

If you reside in Canada, you can watch the Marketplace episode that was originally broadcasted on Feb 8, 2019 at this address:  https://watch.cbc.ca/media/marketplace/season-46/episode-14/

Refer also to a previous post referring to the “Human Factor in Network Security”.
https://www.runetworksafe.com/blog/the-human-factor-in-network-security
 

Two-Factor Authentication (or Multifactor Authentication) has been mentioned in some previous blog postings.  What is it, you ask?  It’s an added layer of security in the login process, that’s implemented by a website owner (i.e. your bank for online account access or your favorite online retailer).  Why use it, it just makes logging in that much more difficult!  Having an extra layer of security also makes it much more difficult for the criminal element, preventing unauthorized access to your accounts. Data breaches on companies that have an online presence are becoming a common occurrence; there are more breaches that occur than the news media care to cover.  If you have an account with a company that has experienced a data breach, there's a high probability that your userID and password could eventually become exposed on the internet as a result of that data breach.  This is especially dangerous if you happen to reuse passwords for multiple accounts.

Here is an excellent article by a Time Magazine writer on staying safe online by using two-factor authentication.  http://time.com/5510195/two-factor-authentication In this article, another website is mentioned  https://twofactorauth.org/ that gives you the ability to check to see if your bank or retail website provides the option for two-factor authentication.  If you find that they don’t provide that service, they can and should be shamed on social media, encouraging them to provide that extra layer of security for their customer's.  An alternative would be to send a quick email note to the company that you deal with online, requesting that they add that service to their website.  Chances are, most companies will be scrambling to have their website developers implement this type of added security.  It protects their customer's and could also prevent them from potential liability.

Of the five major banks in Canada, notice that TD Canada Trust is the only Canadian bank that currently offers two-factor authentication for their online customers. The other banks have some website development to do!

Reusing passwords for numerous internet sites is dangerously insecure.   A typical computer user when warned about this practice might respond as “what’s the big deal, I do it all the time”.  The problem is, most typical computer users don’t really understand the inherent dangers associated with reusing passwords. This is especially troublesome if passwords are reused for sites that contain personal and/or financial information, i.e. credit card info.  Below is an example of why you shouldn’t reuse your passwords. 
                                                                                                                                                   
Joe Blow is a typical computer user who has a number of web site logins that are linked to his email account joeblow@email.com, and he uses the same password for all those sites.  He uses Facebook, Instagram, Google, online banking, Steam for his gaming, Expedia for his travel, and numerous online shopping accounts including Amazon.  Joe plays some online computer games and he had an account to play Town of Salem   that was produced by BlankMediaGames.  A recent discovery was made at the end of Dec, 2018 revealing that this site had been hacked.  A serious data breach had occurred resulting in the exposure of over 8 million individual user’s email accounts, web site usernames and passwords, IP addresses, past purchases, and website activity.  More information on this hack can be found here:  https://blog.dehashed.com/town-of-salem-blankmediagames-hacked/   

Since Joe uses the same password for all of his website accounts, the Town of Salem breach created exposure to most of Joe’s online activity including his email account, banking, social media and online shopping.  A question most people would ask, “Once a breach has occurred, what do hackers do with all that data”?  Partial or complete databases of this kind of information are sold on the Dark Web, either outright or through an auction process to the highest bidder.  Data of this kind can make its way into criminal organizations where they can handsomely profit by exploiting user’s accounts and personal information. 
  
A data breach can occur on a targeted organization and not be discovered for several months.  In Joe’s case, he was unaware of the data breach that had occurred with his Town of Salem account.  One day, Joe tried to log into his online banking account, and kept getting an error, saying his userID or password was incorrect.  After several login attempts, he decided to reset his password, but when asked to complete an email verification, he was unable to log into his email account.  Joe was under a time constraint to make a rent payment to his landlord, so he made a trip to his local banking branch to make the payment and resolve his online login problem.  When he reached the bank, to his horror, the banking representative informed him that he only had a balance of $5 dollar remaining in his account.  

At this point, Joe realized something serious had occurred and his various online accounts had been compromised, but he couldn’t understand why this had happened?  He used what he thought was a very strong password. The problem was, he had reused his password on various accounts, including the Town of Salem account.  That security breach had exposed his email and password information for the criminal world to exploit.  His banking account was compromised because he reused his common password and didn’t use multifactor authentication (can also be referred as two-factor authentication), a service that his bank had offered, but something that he never got around to setting up.  Hackers were now able to log into his various internet accounts and not only drain his bank account, but gather and dissect all kinds of personal information on Joe.  Once the perpetrators had control of Joe’s email account, they were able to change his password on all of his other accounts, thus locking Joe out.  
         
By following more secure practices in Password Management, Joe could have avoided this situation from happening.  Joe wonders how one could possibly set up and remember countless user names and passwords for all his accounts. By utilizing a password management program like Lastpass, where only one master password has to be remembered, and a different password can be generated and used for all his accounts, Joe’s problem could have been alleviated.  Use multifactor authentication wherever possible, especially on your most important and sensitive web sites, or on sites where financial transactions are taking place.  Don’t allow web sites to remember your credit card information if possible (click the box “do not remember credit card” if that option exists).  Don’t allow your browser to remember your passwords.

Now Joe has the unwanted burden of resetting all his online accounts; not a simple process like setting up an online account in the first place.  He also has to set up credit monitoring, so he can hopefully avoid or minimize the affect of identity theft, since most of his online accounts had been compromised. Joe will never make the mistake of reusing passwords again, and will implement better password management habits from now on.   
 
 You can also refer to a previous blog posting on password management for more information.   https://www.runetworksafe.com/blog/password-management

Yesterdays blog post mentioned a web site that allows you the ability to verify if your email address has been compromised by a data breach in the past. Another web site that offers a similar service is provided by Mozilla.  The web site address is https://monitor.firefox.com/

You can also sign up for Firefox Monitor alerts, which will send you an email alert if you have an account with a company that experiences a new data breach, that has been discovered and details released to the public. 

Hardly a week goes by where another news story hits the airwaves.  Another company has fallen victim to some type of data breach where hundreds of thousands, sometimes millions of the company's customers or clients have had their personal data compromised. You ask yourself the question, why does this happen?  Many times, it’s because of a company being complacent with their security policies and practices.  Take the Equifax data breach for an example.  (Review a previous blog post for more information https://www.runetworksafe.com/blog/equifax-security-breach)  Criminal activity in cyberspace can be a very profitable venture.  Security vulnerabilities are constantly surfacing, exposing companies that house your personal data.  Newly discovered exploits many times are sold to criminal organizations, allowing them to hack into compromised systems, even before companies are aware of those exploits.  There is a varying degree of personal information that can be extracted from a data breach.  It depends on the sophistication of the breach, and how and what information a company retains on their databases for each customer or client.  Names, Date of Birth, email addresses, physical home or business addresses, phone numbers, social security numbers, and credit card information can be extracted from a company’s database, when they fall victim to a data breach.  What can you do to help prevent the damage caused by having your personal data exposed to a criminal organization as the result of a data breach?  The first thing that you should do as an ongoing precaution is utilize a good form of Password Management.  (Refer to another past blog post for more information https://www.runetworksafe.com/blog/password-management)

A very handy web site is available that allows you to check to see if your email account has been compromised by a data breach in the past. The web site is https://haveibeenpwned.com/  By entering your email address, you can determine if you are a victim of a data breach.  You can even be proactive by signing up to be notified if your email address happens to be contained in a future data breach.
 

If you find yourself the victim of a recent data breach, what precautions should you take to prevent your identity and personal information and/or credit card information from falling into a criminal cesspool?   Changing your password on the compromised web site is the first thing you should do.  If you've used the same password on any other web sites that you log into, you need to change those passwords as well.  If your credit card information has been compromised, you need to cancel  your credit card and request a new card to be reissued by your financial institution.  You should also take an added precaution by signing up for credit report monitoring. Identity Theft is another issue that will be covered in a future blog posting, since there is too much information that is required for that topic.   

Below is a news story from the CBC Website, telling the experience of a Saskatoon homeowner, who discovered that a complete stranger had access to her home video cameras.  A misconfiguration on the equipment by the technician of the home security company allowed this problem to occur.  This is another prime example of human error causing a security vulnerability and blatant invasion of privacy.  It's possible that this vulnerability could have gone on for an indefinite length of time, without the homeowner ever knowing about it.  Follow the link below for the complete story.
vivint-security-privacy-stranger-access

Below is a link to an interesting article on a CBC Website describing how Google tracks and records your location, even if you change your privacy settings to prevent location tracking from occurring.  Pretty well the only thing that you can do to prevent location tracking, is by turning data off or completely powering off your phone.
cbc.ca/news/technology/google-movements-tracking