Cyber Security

Citizen Lab unearths spyware attacks against Catalan politicians, U.K. government: The New Yorker

rahul.kalvapalle — Thu, 21 Apr 2022 18:58:35 +0000

Citizen Lab unearths spyware attacks against Catalan politicians, U.K. government: The New Yorker

rahul.kalvapalle Thu, 04/21/2022 - 14:58

Cutline

(Photo by time99lek/iStockPhoto/Getty Images)

Topic

Global Lens

Citizen Lab

Cyber Espionage

Cyber Security

Faculty of Arts & Science

Munk School of Global Affairs & Public Policy

The ��Ƶ’s Citizen Lab, based at the Munk School of Global Affairs & Public Policy, is highlighted in a New Yorker feature by journalist and author Ronan Farrow that explored the use of Pegasus spyware, built by Israeli firm NSO Group, by governments and global actors – as well as efforts by big tech companies like Facebook and Apple to counter it.

The New Yorker piece, titled “How Democracies Spy on Their Citizens,” reports that just last month, Catalan politician Jordi Sole approached Citizen Lab researcher and fellow Elies Campo to ask for help analyzing his iPhone, which had been receiving suspicious text messages – breaches traced to 2020. “In those days, your device was infected—they took control of it and were on it probably for some hours. Downloading, listening, recording,” Campo told Sole, the New Yorker reported.

More recently, in February 2021, the Citizen Lab uncovered an infection on the laptop of the Catalan activist Joan Matamala – though this attack was traced to another Israeli spyware firm, Candiru. The New Yorker reports that Campo instructed Matamala to wrap the laptop in aluminum foil to prevent the spyware from communicating with Candiru’s servers. In a recent post on its website, the Citizen Lab outlined detailed findings from its investigations on the use of Pegasus and other spyware programs to target Catalan pro-independence figures.

The New Yorker also notes the Citizen Lab found at least five instances of hacking of U.K. Foreign Office phones between July 2020 and June 2021, as well as infection of a device connected to the network at 10 Downing Street, office and residence of the prime minister. “When we found the No. 10 case, my jaw dropped,” John Scott-Railton, a senior researcher at the Citizen Lab, told the magazine. On Monday, the Citizen Lab confirmed that it “observed and notified the government of the United Kingdom of multiple suspected instances of Pegasus spyware infections within official U.K. networks.”

Read the New Yorker feature

Read the Citizen Lab report on spyware operations targeting Catalans

Read the Citizen Lab post about spyware operations targeting the U.K. government

Spyware investigations involving U of T’s Citizen Lab reveal targets in El Salvador, Poland: Reports

mattimar — Mon, 17 Jan 2022 19:33:43 +0000

Spyware investigations involving U of T’s Citizen Lab reveal targets in El Salvador, Poland: Reports

mattimar Mon, 01/17/2022 - 14:33

Cutline

(Photo by Marco Piunti/Getty Images)

Topic

Our Community

Munk School of Global Affairs & Public Policy

Citizen Lab

Cyber Espionage

Cyber Security

Faculty of Arts & Science

Global

A joint investigation by the ��Ƶ’s Citizen Lab and Access Now reveals that dozens of journalists and activists in El Salvador had their cellphones allegedly hacked by Israeli firm NSO Group’s Pegasus spyware.

John Scott-Railton

The investigation, which identified 35 individuals whose phones were successfully infected with the sophisticated spyware normally used to target criminals, was reported on by the Associated Press, Reuters, the Guardian and other media outlets.

A sample of cases in the report were reviewed by Amnesty International’s Security Lab, which investigates cyberattacks against civil society.

The alleged hacks took place between July 2020 and November 2021, a time of ongoing censorship of journalists who investigated the government of President Nayib Bukele.

“The aggressiveness and persistence of the hacking was jaw-dropping,” John Scott-Railton, senior researcher at the Citizen Lab and an author of the report, told the Associated Press.

“I’ve seen a lot of Pegasus cases but what was especially disturbing in this case was its juxtaposition with the physical threats and violent language against the media in El Salvador.”

In a statement to Reuters, Bukele’s office said it is not a client of NGO Group and that some of the government’s top officials might have also had their phones hacked.

The Citizen Lab, part of the Munk School of Global Affairs & Public Policy in U of T’s Faculty of Arts & Science, has been tracking victims of Pegasus spyware since 2016, helping to identify dozens of cases of inappropriate use. The technology has been used to eavesdrop on journalists, diplomats, lawyers, activists and politicians from the Middle East to Mexico.

Earlier this month, the Associated Press reported that Polish senator Krzysztof Brejza and two other Polish government critics were allegedly hacked by with the Pegasus spyware. The Citizen Lab and Amnesty International say the senator was allegedly hacked multiple times during the 2019 parliamentary elections.

There are also concerns closer to home.

Noura Aljizawi and Siena Anstis, researchers at the Citizen Lab, have interviewed 18 Canadian human rights activists about being the target of cyber attacks and misinformation campaigns, the Toronto Star reports. Some worry that authorities aren’t doing enough to protect them.

“The silence of Canada is giving the attackers more space to launch an attack,” Aljizawi told the Toronto Star.

The researchers say finding ways to stop the export of Canadian-developed technology to countries using it for cyber attacks and providing mental health resources for refugees are just a few of the ways to deal with this complex issue. To bring increased exposure to the dangers faced by newcomers and activists, the Citizen Lab is set to release a report investigating digital transnational repression in the coming months.

Read about the Citizen Lab investigation in El Salvador in the Associated Press

Read the Toronto Star’s article about cyber attacks

With cyber scams on the rise, U of T expert offers tips on how to protect yourself

Christopher.Sorensen — Thu, 09 Dec 2021 17:28:17 +0000

With cyber scams on the rise, U of T expert offers tips on how to protect yourself

Christopher.Sorensen Thu, 12/09/2021 - 12:28

Cutline

(Photo by Issouf Sanago/AFP via Getty Images)

Topic

An email lands in a student’s inbox pretending to be from an unnamed recruiter at the ��Ƶ. It claims to have received an application for an easy-sounding, part-time and remote job that pays $700 every two weeks – no experience required. Just follow the link to apply.

Shannon Howes

The fake job offer is one of many real phishing attempts recounted on the university’s Security Matters page in an effort to warn the U of T community about recent cyber scams.

Shannon Howes, U of T’s director, high risk, community safety and crisis and emergency preparedness, says such cyber frauds are not only becoming more common – they are also becoming sneakier.

“Even rudimentary phishing attempts, there’s an estimate that one in 10 people will fall victim to them,” she says. “If you think about some of the more sophisticated attempts being made, the statistic jumps up to more like three in 10. So, it is a pervasive problem right now and we have had a lot of people who have been targeted at the university.”

Howes recently spoke to U of T News about how people can protect themselves from cyber fraud and what they should do if they are duped.

What do these cyber scams look like?

There are a number of different types of frauds and scams that we’re seeing right now. One kind that is really prevalent – and members of the community will have seen examples in their inboxes – are phishing attempts.

These attempts are perpetrated by people who are trying to mine user information so that they can compromise personal accounts such as bank or credit cards, or engage in identity theft. There are very sophisticated ways of masking an email address so that an email appears to be from someone who might be an actual official at the university, a bank employee or someone from the Canada Revenue Agency, for example. When recipients click on the embedded link they are redirected to an online form, where the scammer requests a number of different pieces of personal information. That could include a date of birth, social insurance number, credit card numbers and photos of personal IDs such as a driver’s license. There are many different types of information that can be requested and then used against you.

Some of the scams we are seeing reported at U of T are admission frauds, where individuals are posing as faculty members and are advertising supposed “pathways” for gaining admission to U of T in exchange for a hefty application fee, or, in some cases, full tuition fees paid up front. There’s quite a wide range of types of scams, but for the most part they're monetarily driven.

We have also seen a lot of frauds targeting our international students. Incoming international students can be particularly vulnerable because they’re new to Canada. They don't necessarily have local supports that can help them do things like open a bank account or seek trusted advice when confronted with something like apparent criminal charges or threats of deportation. They may also be less familiar with how things work in another country (the consumer protections, privacy rules, etc.) and may not realize how suspect some of these demands are.

How big is this problem?

The scams we are seeing are actually growing in prevalence and in sophistication. There is some research that indicates that scams, and especially email scams, go up in frequency during times of crisis. The COVID-19 pandemic has provided a ripe environment for fraudsters to try to take advantage of people, particularly while people have been facing a lot of change, isolation, instability and uncertainty. Email scams are socially engineered to prey on the emotions of readers and to instill a sense of urgency to respond, and these emotions are already heightened during a time of crisis.

I think most people will be familiar with seeing an email come into their inbox that doesn’t look quite right. The sender could be posing as your bank, asking you to log in through a link or an email could come in looking like it’s from the Canada Revenue Agency, saying there’s a problem with your Social Insurance Number. There may be spelling mistakes or generic greetings used in these emails, whereas you would expect to be contacted by your name if the email was legitimate.

Unfortunately, these types of attempts, while they've been around for a long time, are increasing in sophistication and the credibility of how they present themselves. So, it’s actually becoming much more commonplace right now – and people are falling victim.

Even with rudimentary phishing attempts, there’s an estimate that one in 10 people will fall victim to the ruses. If you think about some of the more sophisticated attempts being made, the statistic jumps up to more like three in 10. So, it is a pervasive problem right now and we have had a lot of people who have been targeted at the university.

Some of the frauds that have been reported at the university this fall involve relatively small amounts of money and some involve very large amounts. It’s important to note that falling victim to fraud is not just a student issue – this is affecting faculty and staff as well.

What are the red flags to spot in a phishing attempt?

There are a lot of good recommendations on the Security Matters Website and there’s another good list of tips for protecting yourself against cyber fraud by U of T’s Citizen Lab.

The Office of the Chief Information Security Officer is currently piloting an online training session that they are hoping to roll out broadly to members of the university community about different types of cyber fraud – not only specific to phishing, but also ransomware and other cyber threats and fraud attempts.

One of the top recommendations to identify a phishing attempt is for people to pause and assess an email. Often, these fraudulent emails try to prey on our emotions. If it’s a phishing attempt, it could say you’ve won this fantastic cruise in a lottery – even though you never entered a sweepstakes. Your sense of curiosity, your excitement triggers this emotional response leading you to think, “Oh my gosh, did I actually win something?”

Likewise, a lot of phishing attempts manufacture a sense of urgency. They might say your system has been compromised, or your SIN number has been compromised – act now by clicking this link. This triggers a fear response.

One of the best things you can do is “practise the pause” – stop what you’re doing, take a breath, and actually evaluate what you’re being told to do, and whether it makes sense. Is this an organization that you normally deal with and is known to you? Is this a person who you actually know in real life? Does what they’re asking you to do make sense?

What happens if the person contacting you says that they are from an official agency – law enforcement for example?

The same recommendations apply here. Pause, take a breath and assess what you are being told and what you are being asked to do. Does it make sense? Did they use your proper name when they addressed you? Were you contacted by a recorded message?

It is important to note that no legitimate agency will ever hold it against you for hanging up the call and taking the time to follow up with them on the phone through a legitimate number – that you might find on the back of your credit card, for example, or on their website. Tell the person that you are speaking with that you would like to verify who they are and will call them back. No legitimate government agent or member of law enforcement personnel will fault you for double checking that they are who they say they are. If they get upset or start to escalate on the phone they are more likely a fraudster trying to use a sense of urgency and fear to prey upon you.

Another very important point: Bitcoin and gift cards are not a legitimate currency for official purposes in Canada. The university won’t accept them and neither will the Canadian government or law enforcement authorities.

Also, you should never have to pay to avoid criminal charges. That’s not something law enforcement does. If you’re being asked to pay someone claiming to be a police officer to avoid being charged with criminal activity, that’s a big red flag.

Would you recommend adjusting your email filter to prevent being targeted by scams?

Definitely look into your security settings, including your email filters, on your personal accounts.

Through our UTmail+ accounts, we’re really lucky to have a good filter feature already built in and a reporting structure in place for when phishing emails find their way through. You can click on “Report Email” and send it through to report.phishing@utoronto.ca for IT Security’s awareness and action. There’s also something at the university called the Phish Bowl, where real-life examples of fraudulent emails that have been reported are posted. It's a good idea to review the Phish Bowl from time to time to stay current on the types of scams that are actively going around.

The IT Security team also has excellent resources about getting “cyber safe” on their Security Matters Website. They also address how to maintain your UTORid safety and share a lot of information about how to identify phishing or ransomware attacks.

Additional steps that can be taken include: paying attention to the external email notification banners that have been activated on UTmail+ accounts; connecting to Virtual Private Networks (VPNs) when accessing the university’s system from remote locations; and ensuring that multi-factor authentication (MFA) is set up for your Microsoft account – U of T recently introduced a new MFA program to the tri-campus community called UTORMFA.

What about safety on social media platforms?

In terms of social media safety, one of the things we recommend is conducting an annual refresh on the privacy policies on your different platforms and reviewing who your online friends are. Do you actually know everyone on your friends list personally? If you are engaged in some work online around influencing and you need to have a platform with followers who are unknown to you, make sure you keep a distinct platform for your personal pages and be cautious about what information you share on your public-facing accounts.

Additionally, consider whether moments need to be shared live or if they can be shared at a later date/location. Geo-tagging can unwittingly let scammers know where you are physically and when, especially if you are active with your posting. Consider turning off geo-location tags all together. Also, know how to actually delete your accounts when you close them. Inactive accounts that are still accessible to other users can often be a source of a lot of information about you.

Finally, be wary of who you connect with online, especially if you do not know them in real life. Online dating sites and chat rooms can be a dangerous breeding ground for different types of romance scams and catfishing. These can sometimes lead to sextortion attempts. Sextortion is a form of extortion where scammers create fake profiles on social media and dating websites. They use these profiles to lure victims into a relationship and coerce them into performing sexual acts on camera with the intent to record the session. Once the images are in the scammer’s possession they threaten to distribute if the victim doesn’t pay them, or sometimes provide additional sexual images.

What should you do if you’ve been duped, clicked on a malicious link or, worse, transferred money to a stranger?

If you believe you’ve become a victim of a fraud you should contact Campus Safety, Special Constable Service to file a formal report. They are a tri-campus service and work directly with local law enforcement – Toronto Police for U of T Scarborough and St. George and Peel Police for U of T Mississauga – on criminal matters. Campus Safety officers work closely with the fraud divisions within municipal police services on incidents of fraud.

If the fraud occurred via your UTmail+ accounts or if your UTORid may be compromised, you should also report the incident to report.phishing@utoronto.ca

In terms of university resources and support services, if you think that you’re in a situation where you’ve mis-stepped or divulged too much personal information – perhaps shared photos of yourself or your personal identification cards – we advise you to contact the Community Safety Office (CSO), even if you’re not being scammed yet. This team has case managers available that can meet with you to try and do some proactive work to help prevent you from falling victim to fraud, to help you consider what may be compromised and whether there are organizations you need to proactively reach out to, and how to set up a monitoring plan.

In the event that a critical piece of information has been compromised, such as your Social Insurance Number, a member of the CSO team can help you manage the reporting pathway. They can also provide personal support and assist you in navigating any accommodations that may be needed as a result.

What is the university doing to protect its community from cyber fraud?

The university is taking a very proactive stance on fraud. University offices are engaged with local law enforcement and cyber security to stay on the cutting edge of data security and protection software, as well as practices and areas of concern for law enforcement. Additionally, the university has established a Fraud Prevention Working Group that will be rolling out a number of education and awareness initiatives across the three campuses.

One of the most effective ways to prevent fraud is to educate members of our community about what fraud looks like. We have been working on a central Fraud Prevention Website that will offer members of the university community a one-stop location to learn about different types of scams with real life scam examples, tips on how to protect yourself from fraud attempts, as well as resources – both at the university and in the community – that can assist individuals who find themselves targeted.

Knowing that a significant number of the frauds that have been reported to Campus Safety are by international and first-year students, a lot of the initial education efforts will be focused around residences, commuter students and international students – with additional focus around issues such as income tax season, application scams and personal data hygiene to come.

How else can you protect yourself?

Again, one of the best ways you can take steps to protect yourself is to “practise the pause.” That pause is something that helps us in a number of ways in our daily lives. Stop, take a breath, and think about the situation. If we know that scams are socially engineered to prey on our emotional responses – be it fear, excitement, curiosity, etc. – then a great way to combat fraud is to give ourselves the time to evaluate the request objectively.

Another way of protecting yourself is by protecting your personal information. This includes good password hygiene (using different passwords for your different accounts). It sounds like a lot to remember, but you can download some very secure apps that can help you with password management.

Protecting your privacy also means being careful about your social media presence, including making sure that your geo-locators are off when you’re posting things so your location isn’t being tracked and being wary about how much information you share. One thing scammers do to appear more legitimate is mine your social media, so they know your parents’ names, your birth date and even your dog’s name when they make contact with you.

Finally, identify who you are dealing with. Verify the identity of the email sender or the person on the other end of the line. Make sure there are no spelling mistakes in URLs and email addresses. Remember – no legitimate authority figure will question you hanging up and calling them back to verify their identity through a trusted source. The same principle is true for social media. Know who you are speaking with. Be wary of requests from people you only know via online chat rooms and social media platforms.

Being careful about what you share, how you share it, and who you are sharing it with, is a key way to protect yourself.

More information can be found at the following websites:

'In this together': U of T’s Isaac Straley named to Ontario's cybersecurity expert panel

rahul.kalvapalle — Wed, 28 Oct 2020 21:05:47 +0000

'In this together': U of T’s Isaac Straley named to Ontario's cybersecurity expert panel

rahul.kalvapalle Wed, 10/28/2020 - 17:05

Cutline

Isaac Straley, U of T's chief information security officer, says the scope of the cybersecurity threat faced by universities is unique because they operate in so many different areas, from research labs to bookstores (photo by Lisa Sakulensky)

Rahul Kalvapalle

Topic

Our Community

Cyber Security

Isaac Straley, a cybersecurity expert and the ��Ƶ's chief information security officer, was recently appointed to a new expert panel established by the Ontario government to improve cybersecurity and digital resilience among broader public sector organizations.

The Broader Public Sector Cyber Security Expert Panel will see experts and leaders in information technology, cybersecurity and public sector service delivery come together to address pressing challenges in cybersecurity, provide feedback on the provincial government’s existing efforts in that realm and create a comprehensive cybersecurity strategy.

Created by the Ministry of Government and Consumer Services as part of Ontario’s Cyber Security Strategy, the 10-person panel will examine broad and sector-specific cybersecurity risks faced by organizations such as universities, colleges, hospitals and school boards. The panel will be chaired by Robert Wong, executive vice-president and chief information officer at Toronto Hydro and a U of T alumnus.

Several broader public sector agencies and their service delivery partners have been targeted by cyberattacks in recent years, according to the ministry, resulting in the loss of sensitive personal and health data, sabotaging of organizations’ operations and forced payment of ransom to regain data access.

In a conversation with U of T News, Straley – who was appointed U of T’s first ever chief information security officer in 2018 – discussed the panel’s mandate, the range of cybersecurity threats faced by universities and other broader public sector organizations, and the importance of working collaboratively to boost information security across the province.

How vulnerable are broader public sector organizations to cyberattacks, and how has the threat evolved in recent years?

What’s challenging for the broader public sector is we are very visible organisations, and the attacks we’re seeing are often motivated by opportunity. While there are attacks that are designed to steal specific data and target big companies, the reality is that a lot of the activity we see is opportunistic, and they try to get whoever they can.

A lot of what what’s out there is criminal activity with attacks like ransomware – software that encrypts your data and asks you to pay money to get it back. This has become, especially during the pandemic, even more acute because criminal organizations can make a lot of money. When you look at the organizations in the broader public sector – hospitals, utilities, universities, etc. – they are ripe for targeting because they provide critical services.

What are the specific cybersecurity and information security threats faced by universities?

The attacks we face are themselves not unique, but the scope of attacks that we face is. We have administrative cores with institutional information; we have our teaching component which, especially during a pandemic, has a global reach and impact; we have physical infrastructure – we run power plants and building systems; we have athletic facilities and sports camps; we run food service and bookstores and we take credit cards.

We’ve got researchers who are working on the most innovative research, which are intellectual property that somebody – like another country – want to access. We also have research we’re working on that someone might want to disrupt, for economic or even geopolitical reasons.

How do you see this panel helping to solve these issues?

For me, it’s about having a common framework and vision to work on resolving these problems. The broader public sector is in this together. It might also be able to help us garner resources that we might not individually have to tackle these problems.

One of the angles of security is economic – if it’s more expensive for the attacker to attack you, then they’re not going to. Maybe they’ll go somewhere else or maybe they just won’t be incentivized to do it. My hope is the latter – that we can de-incentivize attacking in the first place.

Information security is a big problem that costs money. We have to work together or else there will continue to be an economic advantage for the attackers.

What is U of T’s role to help boost information security?

My approach to this is to bring U of T’s expertise to the table and solve these problems collectively. And that’s not just me as an individual. What I can represent is the expertise we have across the university, whether that’s operational professionals like myself or consulting with experts in our faculty.

One of the things that I am doing in U of T’s security program is helping tackle problems at the community level, provincial level, national level and even, in some ways, the international level. U of T can – and needs to – play a role moving us forward.

Is there anything else you’d like to tell the U of T community, or the public for that matter, about this panel and its work?

I’m really excited about the opportunity and humbled to be appointed to a panel like this.

For me, collaboration is critical. I applaud our government for bringing together a panel like this, and we need more such platforms and conversations to solve problems together on cybersecurity because this is a collective problem.

Security done in isolation is generally building barriers. I think security done in collaboration is enabling what we’re trying to do. At the end of the day, the university is trying to teach, it’s trying to do research, it’s trying to improve the world and better its community.

Hospitals and all of the other broader public sector organizations each have similar mandates with critical services. We have a shared fate. We’re in this together and we have to work on this together. When we do security right, especially in this inter-connected age, we can enable so much more. When you do it by yourself, you just build walls. We’re not trying to build walls – we’re trying to move forward securely.

'A password you can't change': U of T alumnus Karl Martin on how to keep biometric data safe

Christopher.Sorensen — Mon, 24 Feb 2020 13:47:53 +0000

'A password you can't change': U of T alumnus Karl Martin on how to keep biometric data safe

Christopher.Sorensen Mon, 02/24/2020 - 08:47

Cutline

Karl Martin, a biometrics expert and alumnus of U of T's Faculty of Applied Science and Engineering, says biometric data is increasingly used as an added layer of security to authenticate users on handheld devices (photo by Lukenn Sabellano via Unsplash)

Topic

Electrical & Computer Engineering

Faculty of Applied Science & Engineering

If you unlock your smartphone with facial recognition or your fingerprint, you’re using biometrics.

In the past few years, biometric data – positioned as an added layer of security to verify a person’s identity using unique physical traits – has become a reliable method of authentication for access to handheld devices.

But there are strings attached to this convenience: there’s a risk of identity theft, data gathering without consent as well as physical and online surveillance.

“If our biometric data is stolen, it’s equivalent to stealing a password that you can’t change,” says Karl Martin (left), an alumnus of the ��Ƶ’s Faculty of Applied Science & Engineering who is also a biometrics expert and entrepreneur.

Writer Amanda Hacio recently spoke with Martin to learn more about the security implications of giving out our most personal and unique data.

What is your experience with biometric data?

I co-founded – and led for many years – the company Nymi, which developed a biometric authentication wristband that simplifies authentication and compliance for workers in regulated industrial settings. The Nymi Band uses fingerprints and the electrocardiogram (ECG) to ensure high trust while maintaining privacy and usability. Prior to this, during both my PhD studies and while running a boutique consulting firm, I was involved in developing systems that used facial, ECG and handwritten-signature recognition.

What were some of the security concerns and challenges you ran up against when creating Nymi?

From the beginning, we recognized the importance of handling biometric data with a high degree of care. We took a stance that the biometric data must only be stored in the local device controlled by the user. We had to ensure that users could trust that no one could access the data.

Additionally, the communication between the wristband and other systems, such as mobile devices and computers, was based on Bluetooth, which is generally considered an unsecure means to communicate information. We had to develop a proprietary protocol that assumed that third parties would be snooping.

What are the security concerns related to biometric data more broadly?

We’re increasingly relying on biometrics to enable easy and reliable authentication to devices and systems. If our biometric data is stolen, it’s equivalent to stealing a password that you can’t change. Our accounts and data become vulnerable to being accessed without our authorization by people impersonating us using our biometric data.

Another danger is unauthorized surveillance. If biometric data is being gathered without our permission, it may be used to monitor and track us through a variety of sensors such as surveillance cameras or our online presence.

If stored locally within a device, it’s less likely to be targeted by attackers since there’s less of an opportunity for a mass, scalable data breach. It’s worth noting, however, that not all device-based storage is created equal. At the secure end, some devices such as Apple’s Touch ID and the Nymi Band use cryptographic hardware for secure storage. On the vulnerable end, a typical app on your phone is not secure and may itself be the source of a breach.

What can companies and users do to make sure the biometric technology they’re using isn’t stealing personal data or information?

I believe that people should not accept applications that move their biometric data into the cloud. Users should demand a “privacy-by-design approach,” which ensures that system design puts user privacy at the forefront. However, individual users are often at a disadvantage with a lack of transparency on how their data is being handled. I believe this is where regulations have a role in ensuring transparency and adoption of best practices when it comes to the design of systems.

What do you do if your data is already in the cloud?

The now classic adage is unfortunately true: Once something is on the internet, it’s there forever. But all is not lost, depending on the situation. If you’re enrolled in a system that stores your biometric data in the cloud, it’s worth un-enrolling yourself and attempting to have your data deleted. Unfortunately, there’s no guarantee that the service provider will comply or execute a secure deletion.

More generally, it’s likely for most of us that our face-image data is already online and associated with our identity through various social media sites. Given that this data is already out there and even being exploited, this is where regulations come into play. We should all consider advocating for regulations that prevent corporations from exploiting our data without our permission. And at least in the short term, we should give preferential treatment to companies and products that follow the Privacy by Design framework.

What unconventional forms of biometrics are being collected that the average person might not be aware of?

Two modalities that are now actively commercialized, but not well known, are electrocardiogram (ECG) and gait – our individually distinct manner of walking. At Nymi, we were the first to fully commercialize ECG recognition into a market-ready product. Gait, while not a strong identifier, can be used in video surveillance along with other factors to identify individuals, often without their knowledge.

As artificial intelligence (AI) becomes more sophisticated, what security concerns do you think will arise with biometric technology?

One of the applications of biometrics is emotion recognition, which can use a variety of signals such as facial expression and heart rate. While this technology is still in its infancy, there are both positive and negative potential implications.

On the positive side, it creates the opportunity to build applications that are adaptive to a user’s state of mind, delivering more customized and relevant experiences. On the negative side, with the proliferation of AI technologies, there is a risk of mass population manipulation such as what we saw with the Cambridge Analytica scandal – should biometric data not be protected and controlled by individuals.

From phishing scams to compromised passwords: U of T cyber security expert on how to stay safe online

Romi Levine — Mon, 28 Jan 2019 21:53:56 +0000

From phishing scams to compromised passwords: U of T cyber security expert on how to stay safe online

Romi Levine Mon, 01/28/2019 - 16:53

Cutline

Whether you're browsing social media sites or checking your work email, there are ways to protect your data online (photo by rawpixel via Unsplash)

Topic

The internet is everywhere – from smartphones to cars and fridges. While that means our apps and appliances are more sophisticated than ever before, so too are the hackers, scammers and phishers who are trying to access your personal information.

Today, the ��Ƶ is raising awareness about managing the risks of the digital world and providing resources to help the university community stay safe online with Data Privacy Day events taking place on the downtown Toronto campus. There is also a wealth of information available at securitymatters.utoronto.ca, including tools like Citizen Lab’s security planner, which gives you a personalized online safety recommendation, and a series of video tutorials with online safety tips.

Isaac Straley, U of T’s first-ever chief information security officer, shared his tips with U of T News on how to put your online privacy first.

Protect your passwords

“Password management is one of the most important things for everybody to be paying attention to right now,” says Straley.

Compromised accounts are one of the primary ways that data breaches happen, but there are a number of ways to keep yours safe and secure.

The first is using websites or applications with two-factor or multifactor authentication – where you are required to provide more than just a password when logging in.

“When you're using banking or other online tools, they might send you a code in addition to putting in your password or might have you push a button on your phone,” says Straley. “What this does is make it harder for an attacker to just know your password because you have to have the other information to be able to log in.”

The university is starting to roll out two-factor authentication for Office 365 for faculty and staff, he says.

Protip: Check out twofactorauth.org to find out if a website uses two-factor authentication.

Straley also says to avoid reusing passwords, but recognizes that remembering them all can be a challenge.

“Using a password manager is a really good tool,” says Straley. Apps like Password Safe and KeePass allow you to generate and store multiple passwords in one safe place – and not in your head.

But don’t put everything in your password manager, Straley warns. “Take the logins that are the most sacred or most important – protect the highest risk information – and remember those. But put everything else in the password manager so you don't have to waste your valuable brain space on remembering half a dozen passwords.”

Don’t be bait for phishing scams

It’s getting harder to distinguish an email scam from a legitimate message, but there are a few red flags you should be aware of, says Straley.

“Number one is almost always urgency,” he says. “When someone is asking you to do something fast.”

Emails warning you your account is about to be locked, or that you’ve gone over a quota are likely coming from illegitimate sources.

“Another one we’re starting to see more of are emails that look like they come from a supervisor or a manager or a colleague that say, ‘Hey, I'm really busy right now, can you help me out?’”

Don’t be fooled by these seemingly personal messages, says Straley. As soon as you agree to help, the scammer will ask you to do something for them, like buy a gift card.

“When you do, you end up spending your money and giving the gift cards to the attackers,” he says.

Personalize your privacy settings

It doesn’t matter if you’re a technophobe or a social media addict, you need to decide what level of privacy you’re comfortable with online, says Straley.

“I'm surprised how often folks don't stop and think about what they expect from their online life. Most of the services are pretty open on their privacy settings,” he says.

With social media platforms like Twitter, Instagram and Facebook, Straley says to make sure that the sharing settings are restricted to the communities you are specifically looking to engage online.

“Especially if you install a lot of social media and tools that have applications on the phone or multiple devices, those tools will ask for a lot of permissions like ‘give us access to all your photos or your mic, camera, or your location settings,’” he says.

Depending on the operating system you use, Straley says, you can choose to share your information with an application only when you're using it.

Cyber crime fighting at U of T

“A big portion of what we do is identifying different resources that would be attacked and making sure they are protected,” says Straley of his information security team.

“We’ve got tools that allow us to detect attacks – in our jargon they're called intrusion prevention or detection systems – and we have other ways to look for bad activity,” he says.

U of T also co-ordinates with fellow higher education institutions, governments and other organizations so it knows what to look out for.

“One of our biggest challenges is just keeping up with the attackers,” Straley says.

U of T staff (ethically) hack CERN, world’s largest particle physics lab

noreen.rasbach — Wed, 04 Apr 2018 16:27:39 +0000

U of T staff (ethically) hack CERN, world’s largest particle physics lab

noreen.rasbach Wed, 04/04/2018 - 12:27

Cutline

CERN, the international lab near Geneva, is home to the Large Hadron Collider, the world’s largest particle accelerator (photo by Claudia Marcelloni/CERN)

Topic

Information Technology

It takes 22 member states, more than 10,000 scientists and state-of-the-art technology for CERN to investigate the mysteries of the universe. But no matter how cutting-edge a system is, it can have vulnerabilities – and last year ��Ƶ employees helped CERN find theirs.

CERN, the European Organization for Nuclear Research, asked for help to hack its digital infrastructure last year, organizing the White Hat Challenge. Allan Stojanovic and David Auclair from U of T’s ITS Information Security Enterprise and Architecture department, along with a group of security professionals, were more than willing to answer the call.

Passionate advocates for information security, Stojanovic and Auclair say regular testing is essential for any organization.

“Vulnerabilities are not created, they are discovered,” says Stojanovic. “Just because something has been working, doesn’t mean there wasn’t a flaw in it all along.”

Their director, Mike Wiseman, supported their participation in the challenge. “This competition was an opportunity to bring experts together to exercise their skill as well as give CERN a valuable test of their infrastructure.”

Stojanovic first heard about the challenge during a presentation at a Black Hat digital security conference. He jumped at the opportunity, immediately approaching the presenter, Stefan Lüders, CERN’s security manager.

Stojanovic put together a group of eight industry professionals (pen testers, consultants, Computer Information Systems administrators and programmers), set goals for the test and created a ten-day timeline.

Any penetration test involves three main stages: scoping, reconnaissance and scanning. Before the scanning stage begins, testers are not allowed to interact with the system directly, but try to learn everything they can about it.

During the “scoping” stage, testers define what is “in scope” and specify what IP spaces and domains they can and cannot probe during the testing. The “recon” stage is exactly what it sounds like: reconnaissance. The testers try to find out everything they can about the domains that are in scope, helping guide them towards potential weaknesses.

With scoping and recon complete, the team was able to officially begin the scanning stage. Scanning is like a huge treasure hunt, beginning with a broad search and gradually narrowing it down, burrowing deeper and deeper into the most interesting areas and letting go of the others.

This went on for nine days. It was a gruelling process – the team would find a tiny foothold, investigate it, but nothing significant would emerge. This happened again and again.

Read about U of T scientists at CERN

Finally, Stojanovic was woken up one day by a short message, “I got it!” One of his team members, Jamie Baxter, had solved the puzzle – a breakthrough generated by multiple late nights of patient analysis.

Details of the breakthrough are kept secret due to a confidentiality agreement with CERN. But after more than two weeks of work, the team revealed weaknesses in CERN’s security infrastructure and provided important recommendations on how to improve it.

CERN's security group was then able to roll out fixes and address the identified vulnerabilities before U of T's formal report even hit their desks.

Stojanovic hopes that his team’s success will encourage educators to use penetration testing as a pedagogical tool.

“It’s a lot of really fantastic experience,” he says, adding that these are the hands-on skills that new security professionals are going to need in the fast-growing information security industry.

Stojanovic also hopes that other institutions, including U of T, will follow CERN’s lead in opening themselves up to testing of this nature.

And this won’t be the last CERN will see of U of T – Lüders has already asked for round two.

How to protect online data: U of T Citizen Lab's Security Planner tool offers safety tips from the experts

noreen.rasbach — Thu, 22 Mar 2018 17:55:22 +0000

How to protect online data: U of T Citizen Lab's Security Planner tool offers safety tips from the experts

noreen.rasbach Thu, 03/22/2018 - 13:55

Cutline

The Security Planner tool, launched by Citizen Lab at U of T’s Munk School of Global Affairs, aims to make online safety easier to navigate (illustration courtesy of Citizen Lab)

Topic

Munk School of Global Affairs & Public Policy

Our online accounts, from email to banking to social media, contain some of our most important, private information – and there’s a lot of it, with the average internet user maintaining roughly 92 accounts.

Amid a growing number of data breaches and the recent scandal involving Facebook and Cambridge Analytica, people may understandably be looking for more and better ways to protect themselves on the Web.

Fortunately, researchers at Citizen Lab, at the ��Ƶ's Munk School of Global Affairs, have some recommendations.

“Password managers can really help improve your online security by helping you to use unique and strong passwords across a variety of different accounts without having to remember them,” says Christine Schoellhorn, project manager for Security Planner, the Citizen Lab’s online safety tool. “If you use email, the most common threats you face are phishing and password theft. A password manager helps reduce some of the burden of using different passwords by automatically inputting your username and password into the websites that you use.”

Schoellhorn also recommends enabling two-factor authentication (2FA) for an additional layer of protection for your online accounts. The 2FA method requires a small extra step, like entering a verification code sent to your phone, in addition to entering your password on certain websites. “It’s a small lifestyle change, but the impact is really tremendous,” she says. “We are increasingly putting a larger amount of our private lives online and that can be a risk. Keeping yourself safe can also protect other people within your network.”

Safety tips like these and more are available through the Citizen Lab’s Security Planner tool. Users are prompted to take a brief survey to assess their personal security needs and, based on their survey results, are given a tailored action plan to address their most pressing safety concerns. Users can get instructions on everything from how to secure their web browser to how to run a security checkup on their Facebook account. All of the site’s recommendations are based on peer-reviewed research by a cross-section of digital security experts.

“People want to be more secure online but they’re not sure which actions are a good use of their time and what might be overkill. There’s a lot of contradictory advice out there,” says John Scott-Railton, a senior researcher at Citizen Lab and editor of Security Planner’s recommendations. “So, we thought, ‘Why don’t we get a bunch of experts together, gather the best ideas and then provide those to users in a way that’s accessible?’ The goal of Security Planner is to make those first security steps as easy as possible.”

Most of Security Planner’s tips are quick and easy to implement. Although the tool is designed to help the average Internet user, it also provides links to outside resources for people who may be at a higher risk of cybersecurity threats because of who they are or what they do. (Certain groups – like journalists, legislators or dissidents – may be at a higher risk of cyber-attacks. Citizen Lab has released several reports outlining the details of targeted threats they’ve uncovered.) Designed to be simple and straightforward, the tool provides each user with the safety tips they need most, and strips away information that may not be as useful.

“So many guides that are available online just provide a wall of text. And for someone who is already feeling anxious about taking steps toward better security, they don’t want to have to read a 20-page document on how to be safer,” says Schoellhorn. “They want targeted advice with as little extraneous information as possible.”

The tool is also built to evolve. There is a section on the website for users to provide feedback and the recommendations on the site are updated as security threats change.

“It’s important to keep information updated and current, because security problems change and advice needs to change with it,” says Scott-Railton. “As soon as you take one of those security steps, you’re better off than before you did. We did market research and really tried to find ways to make these recommendations accessible. Because just as free and open communications should be a right, security should be a right too.”

Looking for more online safety tips? Visit securityplanner.org for your personalized safety action plan.

Citizen Lab survey finds many journalism schools lacking in cybersecurity training

Romi Levine — Wed, 10 Jan 2018 17:16:19 +0000

Citizen Lab survey finds many journalism schools lacking in cybersecurity training

Romi Levine Wed, 01/10/2018 - 12:16

Cutline

While cybersecurity poses a serious threat to journalists, U of T's Citizen Lab says journalism schools are not doing enough to teach their students how to protect themselves (photo by Japanexperterna.se via Flickr)

Topic

Faculty of Arts & Science

Global

Munk School of Global Affairs & Public Policy

It’s easy to be fooled by a misleading link in your inbox, but for journalists, a seemingly innocent click could put their work and sources at risk.

Journalists all over the world have been targeted by organizations and governments who are using techniques like email deception to spy on them by gaining access to their phones and computers, according to research by ��Ƶ’s Citizen Lab and reporting by the New York Times.

Citizen Lab is based at U of T's Munk School of Global Affairs and focuses on research on cybersecurity, including digital espionage and privacy breaches.

Cybersecurity breaches pose a serious threat to journalists, but a recent survey of journalism schools across the U.S. and Canada by Citizen Lab found that schools are not doing enough to train their students on how to recognize and protect themselves against online threats.

Joshua Oliver, a U of T alumnus and research assistant at Citizen Lab, wrote about the survey results in the Columbia Journalism Review.

“Only half of the 32 schools across the US and Canada that responded to the survey offer digital security training, and less than a quarter make that training mandatory,” writes Oliver.

And of the schools that do provide training, most devote around two hours to the subject, which Oliver says is not enough.

While Oliver recognizes it’s a hefty requirement for journalism schools to have this kind of full-time expertise, the digital threats to journalists are worsening, adding a layer of urgency, he says.

"Once considered the exclusive concern of national security reporters, basic digital security competence is now essential for all journalists," says Oliver.

He writes that the best way to introduce the topic of cybersecurity into the syllabus is to bring up the issue in existing courses.

"For example: a basic reporting class might touch on the need to store notes and contacts securely in case your devices are searched; a photojournalism class would mention that metadata in photo files can reveal the location where they were taken."

The survey was funded by the John D. and Catherine T. MacArthur Foundation and Ronald Deibert, professor of political science in the Faculty of Arts & Science and director of Citizen Lab, was the principal investigator.

Read about the survey results in the Columbia Journalism Review

Experts take on the latest hacks and leaks at U of T's upcoming McLuhan Salon

Romi Levine — Thu, 19 Jan 2017 20:30:26 +0000

Experts take on the latest hacks and leaks at U of T's upcoming McLuhan Salon

Romi Levine Thu, 01/19/2017 - 15:30

Cutline

U of T alumnus and Mozilla Foundation Executive Director Mark Surman will be participating in Thursday's McLuhan Salon (photo by Joi Ito via Flickr)

Romi Levine

Author legacy

Romi Levine

Topic

City & Culture

Cyber Security

U.S. politics

McLuhan Centre for Culture & Technology

Cities

Information Technology

Alumni

The leak of an alleged intelligence memo about U.S. president-elect Donald Trump divided the media on whether or not to publish its details or acknowledge its legitimacy.

On Tuesday, President Barack Obama commuted the prison sentence of Chelsea Manning, the former U.S. army intelligence analyst who leaked classified documents to WikiLeaks – a move that was praised by many but received harsh criticism from Republicans.

Tonight, the McLuhan Salon is taking on its most timely and contested topic yet. Ripped straight from the headlines, “Hacks, Leaks, and Breaches: Chronicles from the Cybervillage” will dissect the latest news and address hotly debated issues around cyber security.

Participants include Mark Surman, a U of T alumnus and executive director of the Mozilla Foundation, McGill University's Gabriella Coleman, an expert on Anonymous, and Mathew Ingram, a senior writer at Fortune Magazine.

The salons, inspired by the late U of T professor and influential media theorist Marshall McLuhan, are hosted by U of T’s McLuhan Centre for Culture and Technology and are held at different Toronto venues every month. Tonight's salon takes place at the Toronto Reference Library.

“The role played by WikiLeaks, Anonymous or trolling in recent years is no longer a niche cultural phenomena,” says Paolo Granata, visiting professor, McLuhan Centenary fellow and salon organizer.

These organizations, often called “hacktivists,” have been a game changer in their ability to influence global politics, says Granata.

“For this reason, we need to understand what is at stake in a networked society in terms of security and privacy, rights and freedom,” he says.

High profile government operatives-turned-leakers such as Manning and Edward Snowden have been central to shedding light on these issues, making them a hero to some and an enemy to others.

“We certainly benefited from people having the courage to leak information,” says Surman. “It helps us understand what's really going on, on the Internet. I personally think of Snowden as a hero as many do.”

Ingram is interested in discussing the thorny ethics surrounding hacks and leaks.

“When is it okay to report on and when is it not? It's a difficult question – and the goalposts keep moving,” he says.

Coleman will explore the ways digital leaks came into being.

“What's really interesting is that its history is remarkably recent even though the technical possibilities to engage in this form of hacking to leak has existed for 25 years,” she says.

The spate of hacks and leaks has forced companies and governments to learn hard lessons, but they still aren’t going far enough to protect themselves, says Coleman.

“This is a perennial issue, and you'd think with each new hack and leak and breach, that organizations would get their security act together. So far, there have been small steps in that direction, but it's very slow going.”

The salon provides a unique opportunity to have a public discussion outside of the Internet echo chambers – something Ingram and Coleman are looking forward to.

“I've never seen so many shows about hacking and so much news media, but it's hard to understand what the public thinks,” says Coleman. “[The salon] will provide an interesting barometer for how people are receiving this news, what they think about security, and whether they find value in some of these leaks – some of them are very, very controversial.”

Ingram wants salon participants to weigh in.

“I would like to hear their thoughts about whether they feel less secure, and whether they think the media should be publishing things like people's personal emails just because they can,” he says.