Cyber Security / en Citizen Lab unearths spyware attacks against Catalan politicians, U.K. government: The New Yorker /news/citizen-lab-unearths-spyware-attacks-against-catalan-politicians-uk-government-new-yorker <span class="field field--name-title field--type-string field--label-hidden">Citizen Lab unearths spyware attacks against Catalan politicians, U.K. government: The New Yorker</span> <div class="field field--name-field-featured-picture field--type-image field--label-hidden field__item"> <img loading="eager" srcset="/sites/default/files/styles/news_banner_370/public/GettyImages-1250273320-crop.jpg?h=afdc3185&amp;itok=Uezz3MRJ 370w, /sites/default/files/styles/news_banner_740/public/GettyImages-1250273320-crop.jpg?h=afdc3185&amp;itok=AAO79EyH 740w, /sites/default/files/styles/news_banner_1110/public/GettyImages-1250273320-crop.jpg?h=afdc3185&amp;itok=87i0uRIJ 1110w" sizes="(min-width:1200px) 1110px, (max-width: 1199px) 80vw, (max-width: 767px) 90vw, (max-width: 575px) 95vw" width="740" height="494" src="/sites/default/files/styles/news_banner_370/public/GettyImages-1250273320-crop.jpg?h=afdc3185&amp;itok=Uezz3MRJ" alt="hand uses a smartphone in the dark"> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>rahul.kalvapalle</span></span> <span class="field field--name-created field--type-created field--label-hidden"><time datetime="2022-04-21T14:58:35-04:00" title="Thursday, April 21, 2022 - 14:58" class="datetime">Thu, 04/21/2022 - 14:58</time> </span> <div class="clearfix text-formatted field field--name-field-cutline-long field--type-text-long field--label-above"> <div class="field__label">Cutline</div> <div class="field__item">(Photo by time99lek/iStockPhoto/Getty Images)</div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Topic</div> <div class="field__item"><a href="/news/topics/global-lens" hreflang="en">Global Lens</a></div> </div> <div class="field field--name-field-story-tags field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/tags/citizen-lab" hreflang="en">Citizen Lab</a></div> <div class="field__item"><a href="/news/tags/cyber-espionage-0" hreflang="en">Cyber Espionage</a></div> <div class="field__item"><a href="/news/tags/cyber-security-0" hreflang="en">Cyber Security</a></div> <div class="field__item"><a href="/news/tags/faculty-arts-science" hreflang="en">Faculty of Arts &amp; Science</a></div> <div class="field__item"><a href="/news/tags/munk-school-global-affairs-public-policy" hreflang="en">Munk School of Global Affairs &amp; Public Policy</a></div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p style="margin-bottom:11px"><span style="background:white">The University of Toronto’s Citizen Lab, based at the Munk School of Global Affairs &amp; Public Policy,&nbsp;<a href="https://www.newyorker.com/magazine/2022/04/25/how-democracies-spy-on-their-citizens">is&nbsp;highlighted in a <i>New Yorker </i>feature</a> by journalist and author Ronan Farrow that explored the use of Pegasus spyware, built by Israeli firm NSO Group, by governments and global actors&nbsp;– as well as&nbsp;efforts by big tech companies like Facebook and Apple to counter it.</span></p> <p style="margin-bottom:11px"><span style="background:white">The<i> New Yorker </i>piece, titled “How Democracies Spy on Their Citizens,” reports that just last month, Catalan politician Jordi Sole approached Citizen Lab researcher and fellow&nbsp;<b>Elies Campo </b>to ask for help analyzing his iPhone, which had been receiving suspicious text messages – breaches traced to 2020. “In those days, your device was infected—they took control of it and were on it probably for some hours. Downloading, listening, recording,” Campo told Sole, <i>the</i> <i>New Yorker </i>reported.</span></p> <p style="margin-bottom:11px"><span style="background:white">More recently, in February 2021, the Citizen Lab uncovered an infection on the laptop of the Catalan activist Joan Matamala – though this attack was traced to another Israeli spyware firm, Candiru. <i>The</i> <i>New Yorker </i>reports that Campo instructed Matamala to wrap the laptop in aluminum foil to prevent the spyware from communicating with Candiru’s servers. In a recent&nbsp;post on its website, the Citizen Lab&nbsp;<a href="https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/">outlined detailed findings from its investigations</a> on the use of Pegasus and other spyware programs to target Catalan pro-independence figures. </span></p> <p style="margin-bottom:11px"><i><span style="background:white">The</span></i><span style="background:white"> <i>New Yorker</i>&nbsp;also notes the Citizen Lab found at least five instances of hacking of U.K. Foreign Office phones between July 2020 and June 2021, as well as infection of a device connected to the network at 10 Downing Street, office and residence of the prime minister. “When we found the No. 10 case, my jaw dropped,” <b>John Scott-Railton</b>, a senior researcher at the Citizen Lab, told<i>&nbsp;</i>the<i>&nbsp;</i>magazine.&nbsp;</span><span style="background:white"><a href="https://citizenlab.ca/2022/04/uk-government-officials-targeted-pegasus/">On Monday, the Citizen Lab confirmed</a> that it “</span><span style="background:white">observed and notified the government of the United Kingdom of multiple suspected instances of Pegasus spyware infections within official U.K. networks.</span>”</p> <h3 style="margin-bottom: 11px;"><span style="background:white"><a href="https://www.newyorker.com/magazine/2022/04/25/how-democracies-spy-on-their-citizens">Read the <i>New Yorker </i>feature</a></span></h3> <h3 style="margin-bottom: 11px;"><span style="background:white"><a href="https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/">Read the Citizen Lab report on spyware operations targeting Catalans</a></span></h3> <h3 style="margin-bottom: 11px;"><span style="background:white"><a href="https://citizenlab.ca/2022/04/uk-government-officials-targeted-pegasus/">Read the Citizen Lab post about spyware operations targeting the U.K. government</a></span></h3> </div> <div class="field field--name-field-news-home-page-banner field--type-boolean field--label-above"> <div class="field__label">News home page banner</div> <div class="field__item">Off</div> </div> Thu, 21 Apr 2022 18:58:35 +0000 rahul.kalvapalle 174198 at Spyware investigations involving Թϱ’s Citizen Lab reveal targets in El Salvador, Poland: Reports /news/spyware-investigations-involving-u-t-s-citizen-lab-reveal-targets-el-salvador-poland-reports <span class="field field--name-title field--type-string field--label-hidden">Spyware investigations involving Թϱ’s Citizen Lab reveal targets in El Salvador, Poland: Reports</span> <div class="field field--name-field-featured-picture field--type-image field--label-hidden field__item"> <img loading="eager" srcset="/sites/default/files/styles/news_banner_370/public/2023-04/GettyImages-495514569-crop.jpeg?h=afdc3185&amp;itok=9OpxdX6_ 370w, /sites/default/files/styles/news_banner_740/public/2023-04/GettyImages-495514569-crop.jpeg?h=afdc3185&amp;itok=vyQUvuH4 740w, /sites/default/files/styles/news_banner_1110/public/2023-04/GettyImages-495514569-crop.jpeg?h=afdc3185&amp;itok=cHJBvCPa 1110w" sizes="(min-width:1200px) 1110px, (max-width: 1199px) 80vw, (max-width: 767px) 90vw, (max-width: 575px) 95vw" width="740" height="494" src="/sites/default/files/styles/news_banner_370/public/2023-04/GettyImages-495514569-crop.jpeg?h=afdc3185&amp;itok=9OpxdX6_" alt="a woman checks her cellphone"> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>mattimar</span></span> <span class="field field--name-created field--type-created field--label-hidden"><time datetime="2022-01-17T14:33:43-05:00" title="Monday, January 17, 2022 - 14:33" class="datetime">Mon, 01/17/2022 - 14:33</time> </span> <div class="clearfix text-formatted field field--name-field-cutline-long field--type-text-long field--label-above"> <div class="field__label">Cutline</div> <div class="field__item"><p>(Photo by Marco Piunti/Getty Images)</p> </div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Topic</div> <div class="field__item"><a href="/news/topics/our-community" hreflang="en">Our Community</a></div> </div> <div class="field field--name-field-story-tags field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/tags/munk-school-global-affairs-public-policy-0" hreflang="en">Munk School of Global Affairs &amp; Public Policy</a></div> <div class="field__item"><a href="/news/tags/citizen-lab" hreflang="en">Citizen Lab</a></div> <div class="field__item"><a href="/news/tags/cyber-espionage-0" hreflang="en">Cyber Espionage</a></div> <div class="field__item"><a href="/news/tags/cyber-security-0" hreflang="en">Cyber Security</a></div> <div class="field__item"><a href="/news/tags/faculty-arts-science" hreflang="en">Faculty of Arts &amp; Science</a></div> <div class="field__item"><a href="/news/tags/global" hreflang="en">Global</a></div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>A joint investigation by the University of Toronto’s Citizen Lab and Access Now reveals that dozens of journalists and activists in El Salvador had their cellphones allegedly hacked by Israeli firm NSO Group’s Pegasus spyware.&nbsp;</p> <div class="image-with-caption left"> <div><span id="cke_bm_695S" style="display: none;">&nbsp;</span> <div class="align-center"> <div class="field field--name-field-media-image field--type-image field--label-hidden field__item"> <img loading="lazy" src="/sites/default/files/styles/scale_image_750_width_/public/2023-04/JSR-headshot-2-crop.jpeg?itok=4CmFUt9_" width="750" height="1125" alt="JSR" class="image-style-scale-image-750-width-"> </div> </div> <em><span style="font-size:12px;">John Scott-Railton</span></em></div> </div> <p>The investigation, <a href="https://citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/">which identified 35 individuals whose phones were successfully infected</a> with the sophisticated spyware normally used to target criminals, was reported on by the <a href="https://apnews.com/article/technology-caribbean-toronto-software-journalists-5f0ebcace3bc8c0f2d21f66cd6278ae1"><i>Associated Press</i>,</a> <a href="https://www.reuters.com/technology/salvadoran-journalists-phones-hacked-with-spyware-report-finds-2022-01-13/"><i>Reuters</i></a><span class="MsoHyperlink" style="text-decoration-line:underline"><i>, </i></span><a href="https://www.theguardian.com/news/2022/jan/13/pegasus-spyware-target-journalists-activists-el-salvador"><i>the Guardian</i></a><i> </i>and other media outlets.</p> <p>A sample of cases in the report were reviewed by Amnesty International’s Security Lab, which investigates cyberattacks against civil society.&nbsp;</p> <p>The alleged hacks took place between July 2020 and November 2021, a time of ongoing censorship of journalists who investigated the government of President Nayib Bukele.</p> <p>“The aggressiveness and persistence of the hacking was jaw-dropping,” <b>John Scott-Railton</b>, senior researcher at the Citizen Lab and an author of the report, told the <i>Associated Press</i>.</p> <p>“I’ve seen a lot of Pegasus cases but what was especially disturbing in this case was its juxtaposition with the physical threats and violent language against the media in El Salvador.”</p> <p>In a statement to <i>Reuters, </i>Bukele’s office said it is not a client of NGO Group and that some of the government’s top officials might have also had their phones hacked.&nbsp;</p> <p>The Citizen Lab, part of the Munk School of Global Affairs &amp; Public Policy in Թϱ’s Faculty of Arts &amp; Science, has been tracking victims of Pegasus spyware since 2016, helping to identify dozens of cases of inappropriate use. The technology has been used to eavesdrop on journalists, diplomats, lawyers, activists and politicians from the Middle East to Mexico.</p> <p>Earlier this month, <a href="https://apnews.com/article/technology-business-canada-elections-europe-908b0dea290ca6be1894b89f784eac60">the <i>Associated Press</i> reported</a> that Polish senator Krzysztof Brejza and two other Polish government critics were allegedly hacked by with the Pegasus spyware. The Citizen Lab and Amnesty International say the senator was allegedly hacked multiple times during the 2019 parliamentary elections.</p> <p>There are also concerns closer to home.</p> <p><b>Noura Aljizawi</b> and <b>Siena Anstis</b>, researchers at the Citizen Lab, have interviewed 18 Canadian human rights activists about being the target of cyber attacks and misinformation campaigns, <a href="https://www.thestar.com/news/canada/2022/01/10/human-rights-advocates-say-theyre-being-hit-by-foreign-cyber-attacks-and-that-canada-is-doing-little-to-stop-it.html?rf">the <i>Toronto Star</i> reports</a>. Some worry that authorities aren’t doing enough to protect them.</p> <p>“The silence of Canada is giving the attackers more space to launch an attack,” Aljizawi told the <i>Toronto Star</i>.</p> <p>The researchers say finding ways to stop the export of Canadian-developed technology to countries using it for cyber attacks and providing mental health resources for refugees are just a few of the ways to deal with this complex issue. To bring increased exposure to the dangers faced by newcomers and activists, the Citizen Lab is set to release a report investigating digital transnational repression in the coming months.</p> <h3><a href="https://apnews.com/article/technology-caribbean-toronto-software-journalists-5f0ebcace3bc8c0f2d21f66cd6278ae1">Read about the Citizen Lab investigation in El Salvador in the <i>Associated Press</i></a></h3> <h3><a href="https://www.thestar.com/news/canada/2022/01/10/human-rights-advocates-say-theyre-being-hit-by-foreign-cyber-attacks-and-that-canada-is-doing-little-to-stop-it.html?rf">Read the <i>Toronto Star’s</i> article about cyber attacks</a></h3> <div class="image-with-caption left"> <div>&nbsp;</div> </div> </div> <div class="field field--name-field-news-home-page-banner field--type-boolean field--label-above"> <div class="field__label">News home page banner</div> <div class="field__item">Off</div> </div> Mon, 17 Jan 2022 19:33:43 +0000 mattimar 301119 at With cyber scams on the rise, Թϱ expert offers tips on how to protect yourself    /news/cyber-scams-rise-u-t-expert-offers-tips-how-protect-yourself <span class="field field--name-title field--type-string field--label-hidden">With cyber scams on the rise, Թϱ expert offers tips on how to protect yourself &nbsp;&nbsp;</span> <div class="field field--name-field-featured-picture field--type-image field--label-hidden field__item"> <img loading="eager" srcset="/sites/default/files/styles/news_banner_370/public/GettyImages-1134624698-crop.jpg?h=afdc3185&amp;itok=pJOLQPcx 370w, /sites/default/files/styles/news_banner_740/public/GettyImages-1134624698-crop.jpg?h=afdc3185&amp;itok=pfsfRzei 740w, /sites/default/files/styles/news_banner_1110/public/GettyImages-1134624698-crop.jpg?h=afdc3185&amp;itok=nCFFynPL 1110w" sizes="(min-width:1200px) 1110px, (max-width: 1199px) 80vw, (max-width: 767px) 90vw, (max-width: 575px) 95vw" width="740" height="494" src="/sites/default/files/styles/news_banner_370/public/GettyImages-1134624698-crop.jpg?h=afdc3185&amp;itok=pJOLQPcx" alt="&quot;&quot;"> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>Christopher.Sorensen</span></span> <span class="field field--name-created field--type-created field--label-hidden"><time datetime="2021-12-09T12:28:17-05:00" title="Thursday, December 9, 2021 - 12:28" class="datetime">Thu, 12/09/2021 - 12:28</time> </span> <div class="clearfix text-formatted field field--name-field-cutline-long field--type-text-long field--label-above"> <div class="field__label">Cutline</div> <div class="field__item">(Photo by Issouf Sanago/AFP via Getty Images)</div> </div> <div class="field field--name-field-author-reporters field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/authors-reporters/geoffrey-vendeville" hreflang="en">Geoffrey Vendeville</a></div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Topic</div> <div class="field__item"><a href="/news/topics/our-community" hreflang="en">Our Community</a></div> </div> <div class="field field--name-field-story-tags field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/tags/campus-safety" hreflang="en">Campus Safety</a></div> <div class="field__item"><a href="/news/tags/cyber-security-0" hreflang="en">Cyber Security</a></div> <div class="field__item"><a href="/news/tags/st-george" hreflang="en">St. George</a></div> <div class="field__item"><a href="/news/tags/u-t-mississauga" hreflang="en">Թϱ Mississauga</a></div> <div class="field__item"><a href="/news/tags/u-t-scarborough" hreflang="en">Թϱ Scarborough</a></div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>An email lands in a student’s inbox pretending to be from an unnamed recruiter at the University of Toronto. It claims to have received an application for an easy-sounding, part-time and remote job that pays $700 every two weeks – no experience required. Just follow the link to apply.</p> <div class="image-with-caption left"> <div><img alt src="/sites/default/files/IMG_2151-crop.jpg" style="width: 200px; height: 300px;"><em>Shannon Howes</em></div> </div> <p>The fake job offer is one of many real phishing attempts recounted on the university’s <a href="https://securitymatters.utoronto.ca/">Security Matters page</a> in an effort to warn the Թϱ community about recent cyber scams.</p> <p><b>Shannon Howes</b>, Թϱ’s director, high risk, community safety and crisis and emergency preparedness, says such cyber frauds are not only becoming more common – they are also becoming sneakier.</p> <p>“Even rudimentary phishing attempts, there’s an estimate that one in 10 people will fall victim to them,” she says. “If you think about some of the more sophisticated attempts being made, the statistic jumps up to more like three in 10. So, it is a pervasive problem right now and we have had a lot of people who have been targeted at the university.”</p> <p>Howes recently spoke to <i>Թϱ </i>about how people can protect themselves from cyber fraud and what they should do if they are duped.</p> <div align="center" style="text-align:center"> <hr align="center" size="0" width="100%"></div> <p><b>What do these cyber scams look like?</b></p> <p>There are a number of different types of frauds and scams that we’re seeing right now. One kind that is really prevalent –&nbsp;and members of the community will have seen examples in their inboxes –&nbsp;are phishing attempts.</p> <p>These attempts are perpetrated by people who are trying to mine user information so that they can compromise personal accounts such as bank or credit cards, or engage in identity theft. There are very sophisticated ways of masking an email address so that an email appears to be from someone who might be an actual official at the university, a bank employee or someone from the Canada Revenue Agency, for example. When recipients click on the embedded link they are redirected to an online form, where the scammer requests a number of different pieces of personal information. That could include a date of birth, social insurance number, credit card numbers and photos of personal IDs such as a driver’s license. There are many different types of information that can be requested and then used against you.</p> <p>Some of the scams we are seeing reported at Թϱ are admission frauds, where individuals are posing as faculty members and are advertising supposed “pathways” for gaining admission to Թϱ in exchange for a hefty application fee, or, in some cases, full tuition fees paid up front. There’s quite a wide range of types of scams, but for the most part they're monetarily driven.</p> <p>We have also seen a lot of frauds targeting our international students. Incoming international students can be particularly vulnerable because they’re new to Canada. They don't necessarily have local supports that can help them do things like open a bank account or seek trusted advice when confronted with something like apparent criminal charges or threats of deportation. They may also be less familiar with how things work in another country (the consumer protections, privacy rules, etc.) and may not realize how suspect some of these demands are.</p> <p><b>How big is this problem?</b></p> <p>The scams we are seeing are actually growing in prevalence and in sophistication. There is some research that indicates that scams, and especially email scams, go up in frequency during times of crisis. The COVID-19 pandemic has provided a ripe environment for fraudsters to try to take advantage of people, particularly while people have been facing a lot of change, isolation, instability and uncertainty. Email scams are socially engineered to prey on the emotions of readers and to instill a sense of urgency to respond, and these emotions are already heightened during a time of crisis.</p> <p>I think most people will be familiar with seeing an email come into their inbox that doesn’t look quite right. The sender could be posing as your bank, asking you to log in through a link or an email could come in looking like it’s from the Canada Revenue Agency, saying there’s a problem with your Social Insurance Number. There may be spelling mistakes or generic greetings used in these emails, whereas you would expect to be contacted by your name if the email was legitimate.</p> <p>Unfortunately, these types of attempts, while they've been around for a long time, are increasing in sophistication and the credibility of how they present themselves. So, it’s actually becoming much more commonplace right now – and people are falling victim.</p> <p>Even with rudimentary phishing attempts, there’s an estimate that one in 10 people will fall victim to the ruses. If you think about some of the more sophisticated attempts being made, the statistic jumps up to more like three in 10. So, it is a pervasive problem right now and we have had a lot of people who have been targeted at the university.</p> <p>Some of the frauds that have been reported at the university this fall involve relatively small amounts of money and some involve very large amounts. It’s important to note that falling victim to fraud is not just a student issue – this is affecting faculty and staff as well.</p> <p><b>What are the red flags to spot in a phishing attempt?</b></p> <p>There are a lot of good recommendations <u>on the </u><a href="https://securitymatters.utoronto.ca/tips-for-identifying-and-reporting-a-phishing-attempt/">Security Matters Website</a> and there’s <a href="https://citizenlab.ca/docs/recommendations.html">another good list of </a><a href="https://citizenlab.ca/docs/recommendations.html">tips</a> for protecting yourself against cyber fraud by Թϱ’s Citizen Lab.&nbsp;</p> <p>The Office of the Chief Information Security Officer is currently piloting an online training session that they are hoping to roll out broadly to members of the university community about different types of cyber fraud – not only specific to phishing, but also ransomware and other cyber threats and fraud attempts.</p> <p>One of the top recommendations to identify a phishing attempt is for people to pause and assess an email. Often, these fraudulent emails try to prey on our emotions. If it’s a phishing attempt, it could say you’ve won this fantastic cruise in a lottery – even though you never entered a sweepstakes. Your sense of curiosity, your excitement triggers this emotional response leading you to think, “Oh my gosh, did I actually win something?”</p> <p>Likewise, a lot of phishing attempts manufacture a sense of urgency. They might say your system has been compromised, or your SIN number has been compromised – act now by clicking this link. This triggers a fear response.</p> <p>One of the best things you can do is “practise the pause” – stop what you’re doing, take a breath, and actually evaluate what you’re being told to do, and whether it makes sense. Is this an organization that you normally deal with and is known to you? Is this a person who you actually know in real life? Does what they’re asking you to do make sense?</p> <p><b><img alt="Things to look for in a phishing email include impersonating you boss, incorrect utoronto email address, urgency, no greeting, spelling/grammar errors and no signature" src="/sites/default/files/phish22_0.jpg" style="width: 750px; height: 423px;"></b></p> <p>&nbsp;</p> <p><b>What happens if the person contacting you says that they are from an official agency – law enforcement for example?</b></p> <p>The same recommendations apply here. Pause, take a breath and assess what you are being told and what you are being asked to do. Does it make sense? Did they use your proper name when they addressed you? Were you contacted by a recorded message?</p> <p>It is important to note that no legitimate agency will ever hold it against you for hanging up the call and taking the time to follow up with them on the phone through a legitimate number – that you might find on the back of your credit card, for example, or on their website. Tell the person that you are speaking with that you would like to verify who they are and will call them back. No legitimate government agent or member of law enforcement personnel will fault you for double checking that they are who they say they are. If they get upset or start to escalate on the phone they are more likely a fraudster trying to use a sense of urgency and fear to prey upon you.</p> <p>Another very important point: Bitcoin and gift cards are not a legitimate currency for official purposes in Canada. The university won’t accept them and neither will the Canadian government or law enforcement authorities.&nbsp;</p> <p>Also, you should never have to pay to avoid criminal charges. That’s not something law enforcement does. If you’re being asked to pay someone claiming to be a police officer to avoid being charged with criminal activity, that’s a big red flag.</p> <p><b>Would you recommend adjusting your email filter to prevent being targeted by scams?</b></p> <p>Definitely look into your security settings, including your email filters, on your personal accounts.</p> <p>Through our UTmail+ accounts, we’re really lucky to have a good filter feature already built in and a reporting structure in place for when phishing emails find their way through. You can click on “Report Email” and send it through to <a href="mailto:report.phishing@utoronto.ca" target="_blank"><span style="background:white">report.phishing@utoronto.ca</span></a> for IT Security’s awareness and action. There’s also something at the university called <a href="https://securitymatters.utoronto.ca/category/phish-bowl/">the Phish Bowl</a>, where real-life examples of fraudulent emails that have been reported are posted. It's a good idea to review the Phish Bowl from time to time to stay current on the types of scams that are actively going around.</p> <p>The IT Security team also has excellent resources about getting “cyber safe” on their <a href="https://securitymatters.utoronto.ca/">Security Matters Website</a>. They also address how to maintain your UTORid safety and share a lot of information about how to identify phishing or ransomware attacks.</p> <p><span style="background:white">Additional steps that can be taken include: paying attention to the&nbsp;<a href="https://easi.its.utoronto.ca/initiatives/external-email-banner-project/" target="_blank">external email notification banners</a>&nbsp;that have been activated on UTmail+ accounts; connecting to Virtual Private Networks (VPNs) when accessing the university’s system from remote locations; and ensuring that multi-factor authentication (MFA) is set up for your Microsoft account – Թϱ recently introduced a new MFA program to the tri-campus community called UTORMFA.</span></p> <p><span style="background:white"><b>What about safety on social media platforms?</b></span></p> <p>In terms of social media safety, one of the things we recommend is conducting an annual refresh on the privacy policies on your different platforms and reviewing who your online friends are. Do you actually know everyone on your friends list personally? If you are engaged in some work online around influencing and you need to have a platform with followers who are unknown to you, make sure you keep a distinct platform for your personal pages and be cautious about what information you share on your public-facing accounts.</p> <p>Additionally, consider whether moments need to be shared live or if they can be shared at a later date/location. Geo-tagging can unwittingly let scammers know where you are physically and when, especially if you are active with your posting. Consider turning off geo-location tags all together. Also, know how to actually delete your accounts when you close them. Inactive accounts that are still accessible to other users can often be a source of a lot of information about you.</p> <p>Finally, be wary of who you connect with online, especially if you do not know them in real life. Online dating sites and chat rooms can be a dangerous breeding ground for different types of romance scams and catfishing. These can sometimes lead to sextortion attempts. Sextortion is a form of extortion where scammers create fake profiles on social media and dating websites. They use these profiles to lure victims into a relationship and coerce them into performing sexual acts on camera with the intent to record the session. Once the images are in the scammer’s possession they threaten to distribute if the victim doesn’t pay them, or sometimes provide additional sexual images.</p> <p><b>What should you do if you’ve been duped, clicked on a malicious link or, worse, transferred money to a stranger?</b></p> <p>If you believe you’ve become a victim of a fraud you should contact <a href="https://www.campussafety.utoronto.ca/">Campus Safety</a>, Special Constable Service to file a formal report. They are a tri-campus service and work directly with local law enforcement – Toronto Police for Թϱ Scarborough and St. George and Peel Police for Թϱ Mississauga – on criminal matters. Campus Safety officers work closely with the fraud divisions within municipal police services on incidents of fraud.</p> <p>If the fraud occurred via your UTmail+ accounts or if your UTORid may be compromised, you should also report the incident to <a href="mailto:report.phishing@utoronto.ca">report.phishing@utoronto.ca</a></p> <p>In terms of university resources and support services, if you think that you’re in a situation where you’ve mis-stepped or divulged too much personal information – perhaps shared photos of yourself or your personal identification cards – we advise you to contact the <a href="mailto:community.safety@utoronto.ca">Community Safety Office</a> (CSO), even if you’re not being scammed yet. This team has case managers available that can meet with you to try and do some proactive work to help prevent you from falling victim to fraud, to help you consider what may be compromised and whether there are organizations you need to proactively reach out to, and how to set up a monitoring plan.</p> <p>In the event that a critical piece of information has been compromised, such as your Social Insurance Number, a member of the CSO team can help you manage the reporting pathway. &nbsp;They can also provide personal support and assist you in navigating any accommodations that may be needed as a result.</p> <p>&nbsp;</p> <div class="media_embed" height="422px" width="750px"><iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen frameborder="0" height="422px" src="https://www.youtube.com/embed/FZp4mBtJBNQ" title="YouTube video player" width="750px"></iframe></div> <p>&nbsp;</p> <p><b>What is the university doing to protect its community from cyber fraud?</b></p> <p>The university is taking a very proactive stance on fraud. University offices are engaged with local law enforcement and cyber security to stay on the cutting edge of data security and protection software, as well as practices and areas of concern for law enforcement. Additionally, the university has established a Fraud Prevention Working Group that will be rolling out a number of education and awareness initiatives across the three campuses.</p> <p>One of the most effective ways to prevent fraud is to educate members of our community about what fraud looks like. We have been working on a central <a href="https://www.communitysafety.utoronto.ca/fraud-prevention/">Fraud Prevention Website</a> that will offer members of the university community a one-stop location to learn about different types of scams with real life scam examples, tips on how to protect yourself from fraud attempts, as well as resources – both at the university and in the community – that can assist individuals who find themselves targeted.&nbsp;&nbsp;</p> <p>Knowing that a significant number of the frauds that have been reported to Campus Safety are by international and first-year students, a lot of the initial education efforts will be focused around residences, commuter students and international students – with additional focus around issues such as income tax season, application scams and personal data hygiene to come.&nbsp;</p> <p><b>How else can you protect yourself?</b></p> <p>Again, one of the best ways you can take steps to protect yourself is to “practise the pause.” That pause is something that helps us in a number of ways in our daily lives. Stop, take a breath, and think about the situation. If we know that scams are socially engineered to prey on our emotional responses – be it fear, excitement, curiosity, etc. – then a great way to combat fraud is to give ourselves the time to evaluate the request objectively.</p> <p>Another way of protecting yourself is by protecting your personal information. This includes good password hygiene (using different passwords for your different accounts). It sounds like a lot to remember, but you can download some very secure apps that can help you with password management.</p> <p>Protecting your privacy also means being careful about your social media presence, including making sure that your geo-locators are off when you’re posting things so your location isn’t being tracked and being wary about how much information you share. One thing scammers do to appear more legitimate is mine your social media, so they know your parents’ names, your birth date and even your dog’s name when they make contact with you.</p> <p>Finally, identify who you are dealing with. Verify the identity of the email sender or the person on the other end of the line. Make sure there are no spelling mistakes in URLs and email addresses. Remember – no legitimate authority figure will question you hanging up and calling them back to verify their identity through a trusted source. The same principle is true for social media. Know who you are speaking with. Be wary of requests from people you only know via online chat rooms and social media platforms.</p> <p>Being careful about what you share, how you share it, and who you are sharing it with, is a key way to protect yourself.</p> <hr> <h4>More information can be found at the following websites:</h4> <ul> <li><a href="https://www.communitysafety.utoronto.ca/international-students/international-students-and-safety/">Community Safety Office</a></li> <li><a href="https://www.utm.utoronto.ca/international/fraud-alert">International Education Centre at Թϱ Mississauga</a></li> <li><a href="https://www.utsc.utoronto.ca/utscinternational/article/scams-targeting-international-students">International Student Centre at Թϱ Scarborough</a></li> </ul> <p>&nbsp;</p> <p>&nbsp;</p> </div> <div class="field field--name-field-news-home-page-banner field--type-boolean field--label-above"> <div class="field__label">News home page banner</div> <div class="field__item">Off</div> </div> Thu, 09 Dec 2021 17:28:17 +0000 Christopher.Sorensen 171634 at 'In this together': Թϱ’s Isaac Straley named to Ontario's cybersecurity expert panel /news/together-u-t-s-isaac-straley-named-ontario-s-cybersecurity-expert-panel <span class="field field--name-title field--type-string field--label-hidden">'In this together': Թϱ’s Isaac Straley named to Ontario's cybersecurity expert panel</span> <div class="field field--name-field-featured-picture field--type-image field--label-hidden field__item"> <img loading="eager" srcset="/sites/default/files/styles/news_banner_370/public/DZ6_7396.jpg?h=afdc3185&amp;itok=ntm-EGKD 370w, /sites/default/files/styles/news_banner_740/public/DZ6_7396.jpg?h=afdc3185&amp;itok=1J-O8Ljw 740w, /sites/default/files/styles/news_banner_1110/public/DZ6_7396.jpg?h=afdc3185&amp;itok=9gUGgfFO 1110w" sizes="(min-width:1200px) 1110px, (max-width: 1199px) 80vw, (max-width: 767px) 90vw, (max-width: 575px) 95vw" width="740" height="494" src="/sites/default/files/styles/news_banner_370/public/DZ6_7396.jpg?h=afdc3185&amp;itok=ntm-EGKD" alt="Isaac Straley"> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>rahul.kalvapalle</span></span> <span class="field field--name-created field--type-created field--label-hidden"><time datetime="2020-10-28T17:05:47-04:00" title="Wednesday, October 28, 2020 - 17:05" class="datetime">Wed, 10/28/2020 - 17:05</time> </span> <div class="clearfix text-formatted field field--name-field-cutline-long field--type-text-long field--label-above"> <div class="field__label">Cutline</div> <div class="field__item">Isaac Straley, Թϱ's chief information security officer, says the scope of the cybersecurity threat faced by universities is unique because they operate in so many different areas, from research labs to bookstores (photo by Lisa Sakulensky)</div> </div> <div class="field field--name-field-author-reporters field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/authors-reporters/rahul-kalvapalle" hreflang="en">Rahul Kalvapalle</a></div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Topic</div> <div class="field__item"><a href="/news/topics/our-community" hreflang="en">Our Community</a></div> </div> <div class="field field--name-field-story-tags field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/tags/cyber-security-0" hreflang="en">Cyber Security</a></div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><strong>Isaac Straley</strong>, a cybersecurity expert and the University of Toronto's chief information security officer,&nbsp;<a href="https://news.ontario.ca/en/release/58828/ontario-appoints-new-expert-panel-on-cyber-security">was recently appointed to a new expert panel</a> established by the Ontario government to improve cybersecurity and digital resilience among broader&nbsp;public sector organizations.</p> <p>The Broader Public Sector Cyber Security Expert Panel will see experts and leaders in information technology, cybersecurity and public sector service delivery come together to address pressing challenges in cybersecurity, provide feedback on the provincial government’s existing efforts in that realm and create a comprehensive cybersecurity strategy.</p> <p>Created by the Ministry of Government and Consumer Services as part of Ontario’s Cyber Security Strategy, the 10-person panel will examine broad and sector-specific cybersecurity risks faced by organizations such as universities, colleges, hospitals and&nbsp;school boards.&nbsp;The panel will be chaired by <strong>Robert Wong</strong>, executive vice-president and chief information officer at Toronto Hydro and a Թϱ alumnus.</p> <p>Several broader public sector agencies and their service delivery partners have been targeted by cyberattacks in recent years, according to the ministry, resulting in the loss of sensitive personal and health data, sabotaging of organizations’ operations and forced payment of ransom to regain data access.</p> <p>In a conversation with <em>Թϱ</em>, Straley – who was appointed Թϱ’s first ever chief information security officer in 2018 – discussed the panel’s mandate, the range of cybersecurity threats faced by universities and other broader public sector organizations, and the importance of working collaboratively to boost information security across the province.</p> <div align="center"> <hr align="center" size="0" width="100%"></div> <p><strong>How vulnerable are broader public sector organizations to cyberattacks, and how has the threat evolved in recent years?</strong></p> <p>What’s challenging for the broader public sector is we are very visible organisations, and the attacks we’re seeing are often motivated by opportunity. While there are attacks that are designed to steal specific data and target big companies, the reality is that a lot of the activity we see is opportunistic, and they try to get whoever they can.</p> <p>A lot of what what’s out there is criminal activity with attacks like ransomware – software that encrypts your data and asks you to pay money to get it back. This has become, especially during the pandemic, even more acute because criminal organizations can make a lot of money. When you look at the organizations in the broader public sector – hospitals, utilities, universities, etc. – they are ripe for targeting because they provide critical services.</p> <p><strong>What are the specific cybersecurity and information security threats faced by universities?</strong></p> <p>The attacks we face are themselves not unique, but the scope of attacks that we face is.&nbsp;We have administrative cores with institutional information; we have our teaching component which, especially during a pandemic, has a global reach and impact; we have physical infrastructure – we run power plants and building systems; we have athletic facilities and sports camps; we run food service and bookstores and we take credit cards.</p> <p>We’ve got researchers who are working on the most innovative research, which are intellectual property that somebody – like another country – want to access. We also have research we’re working on that someone might want to disrupt, for economic or even geopolitical reasons.</p> <p><strong>How do you see this panel helping to solve these issues?</strong></p> <p>For me, it’s about having a common framework and vision to work on resolving these problems. The broader public sector is in this together. It might also be able to help us garner resources that we might not individually have to tackle these problems.</p> <p>One of the angles of security is economic – if it’s more expensive for the attacker to attack you, then they’re not going to. Maybe they’ll go somewhere else or maybe they just won’t be incentivized to do it. My hope is the latter – that we can de-incentivize attacking in the first place.</p> <p>Information security is a big problem that costs money. We have to work together or else there will continue to be an economic advantage for the attackers.</p> <p><strong>What is Թϱ’s role to help boost information security?</strong></p> <p>My approach to this is to bring Թϱ’s expertise to the table and solve these problems collectively. And that’s not just me as an individual. What I can represent is the expertise we have across the university, whether that’s operational professionals like myself or consulting with experts in our faculty.</p> <p>One of the things that I am doing in Թϱ’s security program is helping tackle problems at the community level, provincial level, national level and even, in some ways, the international level. Թϱ can – and needs to – play a role moving us forward.</p> <p><strong>Is there anything else you’d like to tell the Թϱ community, or the public for that matter, about this panel and its work?</strong></p> <p>I’m really excited about the opportunity and humbled to be appointed to a panel like this.</p> <p>For me, collaboration is critical. I applaud our government for bringing together a panel like this, and we need more such platforms and conversations to solve problems together on cybersecurity because this is a collective problem.</p> <p>Security done in isolation is generally building barriers. I think security done in collaboration is enabling what we’re trying to do. At the end of the day, the university is trying to teach, it’s trying to do research, it’s trying to improve the world and better its community.</p> <p>Hospitals and all of the other broader public sector organizations each have similar mandates with critical services. We have a shared fate. We’re in this together and we have to work on this together. When we do security right, especially in this inter-connected age, we can enable so much more. When you do it by yourself, you just build walls. We’re not trying to build walls – we’re trying to move forward securely.</p> <p>&nbsp;</p> </div> <div class="field field--name-field-news-home-page-banner field--type-boolean field--label-above"> <div class="field__label">News home page banner</div> <div class="field__item">Off</div> </div> Wed, 28 Oct 2020 21:05:47 +0000 rahul.kalvapalle 166188 at 'A password you can't change': Թϱ alumnus Karl Martin on how to keep biometric data safe /news/password-you-can-t-change-u-t-alumnus-karl-martin-how-keep-biometric-data-safe <span class="field field--name-title field--type-string field--label-hidden">'A password you can't change': Թϱ alumnus Karl Martin on how to keep biometric data safe</span> <div class="field field--name-field-featured-picture field--type-image field--label-hidden field__item"> <img loading="eager" srcset="/sites/default/files/styles/news_banner_370/public/lukenn-sabellano-RDufjtg6JpQ-unsplash.jpg?h=afdc3185&amp;itok=RYKjnNOd 370w, /sites/default/files/styles/news_banner_740/public/lukenn-sabellano-RDufjtg6JpQ-unsplash.jpg?h=afdc3185&amp;itok=q1ZLp1la 740w, /sites/default/files/styles/news_banner_1110/public/lukenn-sabellano-RDufjtg6JpQ-unsplash.jpg?h=afdc3185&amp;itok=q9YcAehO 1110w" sizes="(min-width:1200px) 1110px, (max-width: 1199px) 80vw, (max-width: 767px) 90vw, (max-width: 575px) 95vw" width="740" height="494" src="/sites/default/files/styles/news_banner_370/public/lukenn-sabellano-RDufjtg6JpQ-unsplash.jpg?h=afdc3185&amp;itok=RYKjnNOd" alt="Image of a fingerprint scan icon on a smartphone"> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>Christopher.Sorensen</span></span> <span class="field field--name-created field--type-created field--label-hidden"><time datetime="2020-02-24T08:47:53-05:00" title="Monday, February 24, 2020 - 08:47" class="datetime">Mon, 02/24/2020 - 08:47</time> </span> <div class="clearfix text-formatted field field--name-field-cutline-long field--type-text-long field--label-above"> <div class="field__label">Cutline</div> <div class="field__item"><p>Karl Martin, a biometrics expert and alumnus of Թϱ's Faculty of Applied Science and Engineering, says biometric data is increasingly used as an added layer of security to authenticate users on handheld devices (photo by Lukenn Sabellano via Unsplash)</p> </div> </div> <div class="field field--name-field-author-reporters field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/authors-reporters/amanda-hacio" hreflang="en">Amanda Hacio</a></div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Topic</div> <div class="field__item"><a href="/news/topics/our-community" hreflang="en">Our Community</a></div> </div> <div class="field field--name-field-story-tags field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/tags/alumni" hreflang="en">Alumni</a></div> <div class="field__item"><a href="/news/tags/cyber-security-0" hreflang="en">Cyber Security</a></div> <div class="field__item"><a href="/news/tags/electrical-computer-engineering" hreflang="en">Electrical &amp; Computer Engineering</a></div> <div class="field__item"><a href="/news/tags/faculty-applied-science-engineering" hreflang="en">Faculty of Applied Science &amp; Engineering</a></div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>If you unlock your smartphone with facial recognition or your fingerprint, you’re using biometrics.</p> <p>In the past few years, biometric data – positioned as an added layer of security to verify a person’s identity using unique physical traits –&nbsp;has become a reliable method of authentication for access to handheld devices.</p> <div class="align-left"> <div class="field field--name-field-media-image field--type-image field--label-hidden field__item"> <img loading="lazy" src="/sites/default/files/2023-05/karl_martin.png" width="300" height="300" alt="Karl Martin"> </div> </div> <p>But there are strings attached to this convenience: there’s a risk of identity theft, data gathering without consent&nbsp;as well as physical and online surveillance.</p> <p>“If our biometric data is stolen, it’s equivalent to stealing a password that you can’t change,” says&nbsp;<strong>Karl Martin </strong>(left), an alumnus of the University of Toronto’s Faculty of Applied Science &amp; Engineering who is also a biometrics expert and entrepreneur.</p> <p>Writer <strong>Amanda Hacio</strong>&nbsp;recently spoke with Martin to learn more about the security implications of giving out our most personal and unique data.</p> <hr> <p><strong>What is your experience with biometric data?</strong></p> <p>I co-founded – and led for many years – the company&nbsp;Nymi, <a href="/news/changing-tack-how-u-t-startup-nymi-found-unexpected-lucrative-niche">which developed a biometric authentication wristband</a> that simplifies authentication and compliance for workers in regulated industrial settings. The&nbsp;Nymi Band&nbsp;uses fingerprints and the electrocardiogram (ECG) to ensure high trust while maintaining privacy and usability. Prior to this, during both my PhD studies and while running a boutique consulting firm, I was involved in developing systems that used facial, ECG and handwritten-signature recognition.</p> <p><strong>What were some of the security concerns and challenges you ran up against when creating Nymi?</strong></p> <p>From the beginning, we recognized the importance of handling biometric data with a high degree of care. We took a stance that the biometric data must only be stored in the local device controlled by the user. We had to ensure that users could trust that no one could access the data.</p> <p>Additionally, the communication between the wristband and other systems, such as mobile devices and computers,&nbsp;was based on Bluetooth, which is generally considered an unsecure means to communicate information. We had to develop a proprietary protocol that assumed that third parties would be snooping.</p> <p><strong>What are the security concerns related to biometric data more broadly?</strong></p> <p>We’re increasingly relying on biometrics to enable easy and reliable authentication to devices and systems. If our biometric data is stolen, it’s equivalent to stealing a password that you can’t change. Our accounts and data become vulnerable to being accessed without our authorization by people impersonating us using our biometric data.</p> <p>Another danger is unauthorized surveillance. If biometric data is being gathered without our permission, it may be used to monitor and track us through a variety of sensors such as surveillance cameras or our online presence.</p> <p>If stored locally within a device, it’s less likely to be targeted by attackers since there’s less of an opportunity for a mass, scalable data breach. It’s worth noting, however, that not all device-based storage is created equal. At the secure end, some devices such as Apple’s Touch ID and the Nymi Band use cryptographic hardware for secure storage. On the vulnerable end, a typical app on your phone is not secure and may itself be the source of a breach.</p> <p><strong>What can companies and users do to make sure the biometric technology they’re using isn’t stealing personal data or information?</strong></p> <p>I believe that people should not accept applications that move their biometric data into the cloud. Users should demand a “privacy-by-design approach,” which ensures that system design puts user privacy at the forefront. However, individual users are often at a disadvantage with a lack of transparency on how their data is being handled. I believe this is where regulations have a role in ensuring transparency and adoption of best practices when it comes to the design of systems.</p> <p><strong>What do you do if your data is already in the cloud?</strong></p> <p>The now classic adage is unfortunately true: Once something is on the internet, it’s there forever. But all is not lost, depending on the situation. If you’re enrolled in a system that stores your biometric data in the cloud, it’s worth un-enrolling yourself and attempting to have your data deleted. Unfortunately, there’s no guarantee that the service provider will comply or execute a secure deletion.</p> <p>More generally, it’s likely for most of us that our face-image data is already online and associated with our identity through various social media sites. Given that this data is already out there and even&nbsp;being exploited, this is where regulations come into play. We should all consider advocating for regulations that prevent corporations from exploiting our data without our permission. And at least in the short term, we should give preferential treatment to companies and products that follow the Privacy by Design framework.</p> <p><strong>What unconventional forms of biometrics are being collected that the average person might not be aware of?</strong></p> <p>Two modalities that are now actively commercialized, but not well known, are electrocardiogram (ECG) and gait –&nbsp;our individually distinct manner of walking. At Nymi, we were the first to fully commercialize ECG recognition into a market-ready product. Gait, while not a strong identifier, can be used in video surveillance along with other factors to identify individuals, often without their knowledge.</p> <p><strong>As artificial intelligence (AI) becomes more sophisticated, what security concerns do you think will arise with biometric technology?</strong></p> <p>One of the applications of biometrics is emotion recognition, which can use a variety of signals such as facial expression and heart rate. While this technology is still in its infancy, there are both positive and negative potential implications.</p> <p>On the positive side, it creates the opportunity to build applications that are adaptive to a user’s state of mind, delivering more customized and relevant experiences. On the negative side, with the proliferation of AI technologies, there is a risk of mass population manipulation&nbsp;such as what we saw with the&nbsp;Cambridge Analytica scandal&nbsp;–&nbsp;should biometric data not be protected and controlled by individuals.</p> </div> <div class="field field--name-field-news-home-page-banner field--type-boolean field--label-above"> <div class="field__label">News home page banner</div> <div class="field__item">Off</div> </div> Mon, 24 Feb 2020 13:47:53 +0000 Christopher.Sorensen 162869 at From phishing scams to compromised passwords: Թϱ cyber security expert on how to stay safe online /news/phishing-scams-compromised-passwords-u-t-cyber-security-expert-how-stay-safe-online <span class="field field--name-title field--type-string field--label-hidden">From phishing scams to compromised passwords: Թϱ cyber security expert on how to stay safe online</span> <div class="field field--name-field-featured-picture field--type-image field--label-hidden field__item"> <img loading="eager" srcset="/sites/default/files/styles/news_banner_370/public/unsplash-data-privacy.jpg?h=afdc3185&amp;itok=sV5L8QR7 370w, /sites/default/files/styles/news_banner_740/public/unsplash-data-privacy.jpg?h=afdc3185&amp;itok=BGx6HXro 740w, /sites/default/files/styles/news_banner_1110/public/unsplash-data-privacy.jpg?h=afdc3185&amp;itok=uhjmDDaH 1110w" sizes="(min-width:1200px) 1110px, (max-width: 1199px) 80vw, (max-width: 767px) 90vw, (max-width: 575px) 95vw" width="740" height="494" src="/sites/default/files/styles/news_banner_370/public/unsplash-data-privacy.jpg?h=afdc3185&amp;itok=sV5L8QR7" alt="Photo of someone using smartphone"> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>Romi Levine</span></span> <span class="field field--name-created field--type-created field--label-hidden"><time datetime="2019-01-28T16:53:56-05:00" title="Monday, January 28, 2019 - 16:53" class="datetime">Mon, 01/28/2019 - 16:53</time> </span> <div class="clearfix text-formatted field field--name-field-cutline-long field--type-text-long field--label-above"> <div class="field__label">Cutline</div> <div class="field__item">Whether you're browsing social media sites or checking your work email, there are ways to protect your data online (photo by rawpixel via Unsplash)</div> </div> <div class="field field--name-field-author-reporters field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/authors-reporters/romi-levine" hreflang="en">Romi Levine</a></div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Topic</div> <div class="field__item"><a href="/news/topics/our-community" hreflang="en">Our Community</a></div> </div> <div class="field field--name-field-story-tags field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/tags/cyber-security-0" hreflang="en">Cyber Security</a></div> <div class="field__item"><a href="/news/tags/privacy" hreflang="en">Privacy</a></div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>The internet is everywhere – from smartphones to cars and fridges. While that means our apps and appliances are more sophisticated than ever before, so too are the hackers, scammers and phishers who&nbsp;are trying to access your personal information. &nbsp;</p> <p>Today, the University of Toronto is raising awareness about managing the risks&nbsp;of the digital world and providing resources to help the university community stay safe online with <a href="https://securitymatters.utoronto.ca/january-28th-is-data-privacy-day/">Data Privacy Day</a> events taking place on the downtown Toronto campus. There is also a wealth of information available at <a href="https://securitymatters.utoronto.ca/">securitymatters.utoronto.ca</a>, including tools like <a href="https://securityplanner.org/#/">Citizen Lab’s security planner</a>, which gives you a personalized online safety recommendation, and a series of video tutorials with online safety tips. &nbsp;</p> <p><strong>Isaac Straley,&nbsp;</strong>Թϱ’s first-ever chief information security officer, shared his tips with <em>Թϱ</em> on how to put your online privacy first.</p> <h3>Protect your passwords</h3> <p>“Password management is one of the most important things for everybody to be paying attention to right now,” says Straley.</p> <p>Compromised accounts are one of the primary ways that data breaches happen, but there are a number of ways to keep yours safe and secure. &nbsp;</p> <p>The first is using websites or applications with two-factor or multifactor authentication – where you are required to provide more than just a password when logging in.</p> <p>“When you're using banking or other online tools, they might send you a code in addition to putting in your password or might have you push a button on your phone,” says Straley. “What this does is make it harder for an attacker to just know your password because you have to have the other information to be able to log in.”</p> <p>The university is starting to roll out two-factor authentication for Office 365 for faculty and staff, he says.</p> <p><strong><a href="https://twofactorauth.org/">Protip: Check out twofactorauth.org to find out if a website uses two-factor authentication.</a></strong></p> <p>Straley also says to avoid reusing passwords, but recognizes that remembering them all can be a challenge.</p> <p>“Using a password manager is a really good tool,” says Straley. Apps like Password Safe and KeePass allow you to generate and store multiple passwords in one safe place – and not in your head.</p> <p>But don’t put everything in your password manager, Straley warns. “Take the logins that are the most sacred or most important – protect the highest risk information – and remember those. But put everything else in the password manager so you don't have to waste your valuable brain space on remembering half a dozen passwords.”</p> <h3>Don’t be bait for phishing scams</h3> <p>It’s getting harder to distinguish&nbsp;an email scam from a legitimate message, but there are a few red flags you should be aware of, says Straley.</p> <p>“Number one is almost always urgency,” he says. “When someone is asking you to do something fast.”</p> <p>Emails warning you your account is about to be locked, or that you’ve gone over a quota are likely coming from illegitimate sources.</p> <p>“Another one we’re starting to see more of are emails that look like they come from a supervisor or a manager or a colleague that say, ‘Hey, I'm really busy right now, can you help me out?’”</p> <p>Don’t be fooled by these seemingly personal messages, says Straley. As soon as you agree to help, the scammer will ask you to do something for them, like buy a gift card.</p> <p>“When you do, you end up spending your money and giving the gift cards to the attackers,” he says.</p> <h3>Personalize your privacy settings</h3> <p>It doesn’t matter if you’re a technophobe or a social media addict, you need to decide what level of privacy you’re comfortable with online, says Straley.</p> <p>“I'm surprised how often folks don't stop and think about what they expect from their online life. Most of the services are pretty open on their privacy settings,” he says.</p> <p>With social media platforms like Twitter, Instagram and Facebook, Straley says to make sure that the sharing settings are restricted to the communities you are specifically looking to engage online.</p> <p>“Especially if you install a lot of social media and tools that have applications on the phone or multiple devices, those tools will ask for a lot of permissions like ‘give us access to all your photos or your mic, camera, or your location settings,’” he says.</p> <p>Depending on the operating system you use, Straley says, you can choose to share your information with an application only when you're using it.</p> <h3>Cyber crime fighting at Թϱ</h3> <p>“A big portion of what we do is identifying different resources that would be attacked and making sure they are protected,” says Straley of his information security team.</p> <p>“We’ve got tools that allow us to detect attacks – in our jargon they're called intrusion prevention or detection systems – and we have other ways to look for bad activity,” he says.</p> <p>Թϱ also co-ordinates with fellow higher education institutions, governments and other organizations so it knows what to look out for. &nbsp;</p> <p>“One of our biggest challenges is just keeping up with the attackers,” Straley says.</p> </div> <div class="field field--name-field-news-home-page-banner field--type-boolean field--label-above"> <div class="field__label">News home page banner</div> <div class="field__item">Off</div> </div> Mon, 28 Jan 2019 21:53:56 +0000 Romi Levine 151952 at Թϱ staff (ethically) hack CERN, world’s largest particle physics lab /news/u-t-staff-ethically-hack-cern-world-s-largest-particle-physics-lab <span class="field field--name-title field--type-string field--label-hidden">Թϱ staff (ethically) hack CERN, world’s largest particle physics lab</span> <div class="field field--name-field-featured-picture field--type-image field--label-hidden field__item"> <img loading="eager" srcset="/sites/default/files/styles/news_banner_370/public/2018-04-04-cern-main.jpg?h=afdc3185&amp;itok=xdpDJkvs 370w, /sites/default/files/styles/news_banner_740/public/2018-04-04-cern-main.jpg?h=afdc3185&amp;itok=TB-ogLde 740w, /sites/default/files/styles/news_banner_1110/public/2018-04-04-cern-main.jpg?h=afdc3185&amp;itok=N53Ai2Jc 1110w" sizes="(min-width:1200px) 1110px, (max-width: 1199px) 80vw, (max-width: 767px) 90vw, (max-width: 575px) 95vw" width="740" height="494" src="/sites/default/files/styles/news_banner_370/public/2018-04-04-cern-main.jpg?h=afdc3185&amp;itok=xdpDJkvs" alt="Photo of inside CERN"> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>noreen.rasbach</span></span> <span class="field field--name-created field--type-created field--label-hidden"><time datetime="2018-04-04T12:27:39-04:00" title="Wednesday, April 4, 2018 - 12:27" class="datetime">Wed, 04/04/2018 - 12:27</time> </span> <div class="clearfix text-formatted field field--name-field-cutline-long field--type-text-long field--label-above"> <div class="field__label">Cutline</div> <div class="field__item">CERN, the international lab near Geneva, is home to the Large Hadron Collider, the world’s largest particle accelerator (photo by Claudia Marcelloni/CERN)</div> </div> <div class="field field--name-field-author-reporters field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/authors-reporters/chloe-payne" hreflang="en">Chloe Payne</a></div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Topic</div> <div class="field__item"><a href="/news/topics/global-lens" hreflang="en">Global Lens</a></div> </div> <div class="field field--name-field-story-tags field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/tags/cyber-security-0" hreflang="en">Cyber Security</a></div> <div class="field__item"><a href="/news/tags/global" hreflang="en">Global</a></div> <div class="field__item"><a href="/news/tags/information-technology" hreflang="en">Information Technology</a></div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>It takes 22 member states, more than 10,000 scientists and state-of-the-art technology for CERN&nbsp;to investigate the mysteries of the universe. But no matter how cutting-edge a system is, it can have vulnerabilities&nbsp;– and last year University of Toronto employees helped CERN find theirs.</p> <p>CERN, the European Organization for Nuclear Research,&nbsp;asked for help to hack its digital infrastructure last year, organizing&nbsp;<a href="https://security.web.cern.ch/security/services/en/whitehats.shtml">the White Hat Challenge</a>.<strong>&nbsp;Allan Stojanovic</strong> and <strong>David Auclair</strong> from Թϱ’s ITS Information Security Enterprise and Architecture department, along with a group of security professionals, were more than willing to answer the call.</p> <p>Passionate advocates for information security, Stojanovic and Auclair say&nbsp;regular testing is essential for any organization.</p> <p>“Vulnerabilities are not created, they are discovered,” says Stojanovic. “Just because something has been working, doesn’t mean there wasn’t a flaw in it all along.”</p> <p>Their director, <strong>Mike Wiseman</strong>, supported their participation in the challenge. “This competition was an opportunity to bring experts together to exercise their skill as well as give CERN a&nbsp;valuable&nbsp;test of their infrastructure.”</p> <p>Stojanovic first heard about the challenge during a presentation at a Black Hat digital security conference. He&nbsp;jumped at the opportunity,&nbsp; immediately approaching the presenter, Stefan Lüders, CERN’s security manager.</p> <p>Stojanovic put together a group of eight industry professionals (pen testers, consultants, Computer Information Systems&nbsp;administrators&nbsp;and programmers), set goals for the test and created a ten-day timeline.&nbsp;</p> <p>Any penetration test involves three main stages: scoping, reconnaissance and scanning. Before the scanning stage begins, testers are not allowed to interact with the system directly, but&nbsp;try to learn everything they can about it.</p> <p>During the “scoping” stage, testers define what is “in scope” and specify what IP spaces and domains they can and cannot probe during the testing. The “recon” stage is exactly what it sounds like: reconnaissance. The testers try to find out everything they can about the domains that are in scope, helping guide them towards potential weaknesses.</p> <p>With scoping and recon complete, the team was able to officially begin the scanning stage. Scanning is like a huge treasure hunt, beginning with a broad search and gradually narrowing it down,&nbsp; burrowing deeper and deeper into the most interesting areas and letting go of the others.</p> <p>This went on for nine days. It was a gruelling process – the team&nbsp;would find a tiny foothold, investigate it, but nothing significant would emerge. This happened again and again.</p> <h3><a href="/news/geneva-where-u-t-scientists-are-frontier-physics-world-s-largest-particle-accelerator">Read&nbsp;about Թϱ scientists at CERN</a></h3> <p>Finally, Stojanovic was woken up one day by a short message, “I got it!” One of his team members,<strong> Jamie Baxter</strong>, had solved the puzzle – a breakthrough generated by multiple late nights of patient analysis.</p> <p>Details of the breakthrough are kept secret due to a confidentiality agreement with CERN. But after more than&nbsp;two weeks of work, <a href="https://security.web.cern.ch/security/home/en/kudos.shtml">the team revealed&nbsp;weaknesses in CERN’s security infrastructure </a>and provided important recommendations on how to improve it.</p> <p>CERN's security group was then able to roll out fixes and address the identified vulnerabilities before Թϱ's formal report even hit their desks.</p> <p>Stojanovic hopes that his team’s success will encourage educators to use penetration testing as a pedagogical tool.</p> <p>“It’s a lot of really fantastic experience,” he says, adding that these are the hands-on skills that new security professionals are going to need in the fast-growing information security industry.</p> <p>Stojanovic also hopes that other institutions, including Թϱ, will follow CERN’s lead in opening themselves up to testing of this nature.</p> <p>And this won’t be the last CERN will see of Թϱ&nbsp;– Lüders has already asked for round two.</p> <p>&nbsp;</p> </div> <div class="field field--name-field-news-home-page-banner field--type-boolean field--label-above"> <div class="field__label">News home page banner</div> <div class="field__item">Off</div> </div> Wed, 04 Apr 2018 16:27:39 +0000 noreen.rasbach 132766 at How to protect online data: Թϱ Citizen Lab's Security Planner tool offers safety tips from the experts /news/how-protect-online-data-u-t-citizen-lab-s-security-planner-tool-offers-safety-tips-experts <span class="field field--name-title field--type-string field--label-hidden">How to protect online data: Թϱ Citizen Lab's Security Planner tool offers safety tips from the experts</span> <div class="field field--name-field-featured-picture field--type-image field--label-hidden field__item"> <img loading="eager" srcset="/sites/default/files/styles/news_banner_370/public/2018-03-22-citizenlab-resized.jpg?h=afdc3185&amp;itok=-eetiWm6 370w, /sites/default/files/styles/news_banner_740/public/2018-03-22-citizenlab-resized.jpg?h=afdc3185&amp;itok=fZv4J45O 740w, /sites/default/files/styles/news_banner_1110/public/2018-03-22-citizenlab-resized.jpg?h=afdc3185&amp;itok=z3dkTiQq 1110w" sizes="(min-width:1200px) 1110px, (max-width: 1199px) 80vw, (max-width: 767px) 90vw, (max-width: 575px) 95vw" width="740" height="494" src="/sites/default/files/styles/news_banner_370/public/2018-03-22-citizenlab-resized.jpg?h=afdc3185&amp;itok=-eetiWm6" alt="Image from Security Planner tool"> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>noreen.rasbach</span></span> <span class="field field--name-created field--type-created field--label-hidden"><time datetime="2018-03-22T13:55:22-04:00" title="Thursday, March 22, 2018 - 13:55" class="datetime">Thu, 03/22/2018 - 13:55</time> </span> <div class="clearfix text-formatted field field--name-field-cutline-long field--type-text-long field--label-above"> <div class="field__label">Cutline</div> <div class="field__item">The Security Planner tool, launched by Citizen Lab at Թϱ’s Munk School of Global Affairs, aims to make online safety easier to navigate (illustration courtesy of Citizen Lab)</div> </div> <div class="field field--name-field-author-reporters field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/authors-reporters/adrienne-harry" hreflang="en">Adrienne Harry</a></div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Topic</div> <div class="field__item"><a href="/news/topics/city-culture" hreflang="en">City &amp; Culture</a></div> </div> <div class="field field--name-field-story-tags field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/tags/citizen-lab" hreflang="en">Citizen Lab</a></div> <div class="field__item"><a href="/news/tags/cyber-security-0" hreflang="en">Cyber Security</a></div> <div class="field__item"><a href="/news/tags/munk-school-global-affairs-public-policy" hreflang="en">Munk School of Global Affairs &amp; Public Policy</a></div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Our online accounts, from email to banking to social media, contain some of our most important, private information –&nbsp;and there’s a lot of it, with&nbsp;<a href="https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/">the average internet user maintaining roughly 92 accounts</a>.&nbsp;&nbsp;</p> <p>Amid a growing number of data breaches and the recent scandal involving Facebook and Cambridge Analytica, people may understandably be looking for more and better ways to protect themselves on the Web.</p> <p>Fortunately, researchers at Citizen Lab, at the University of Toronto's Munk School of Global Affairs, have some recommendations.</p> <p><span style="font-family:&quot;Arial&quot;,sans-serif;color:#485667"><o:p></o:p></span></p> <p>“Password managers can really help improve your online security by helping you to use unique and strong passwords across a variety of different accounts without having to remember them,” says Christine Schoellhorn, <a href="https://securityplanner.org/#/">project manager for Security Planner</a>, the Citizen Lab’s online safety tool. “If you use email, the most common threats you face are phishing and password theft. A password manager helps reduce some of the burden of using different passwords by automatically inputting your username and password into the websites that you use.”</p> <p>Schoellhorn also recommends enabling two-factor authentication (2FA) for an additional layer of protection for your online accounts. The 2FA method requires a small extra step, like entering a verification code sent to your phone, in addition to entering your password on certain websites. “It’s a small lifestyle change, but the impact is really tremendous,” she says. “We are increasingly putting a larger amount of our private lives online and that can be a risk. Keeping yourself safe can also protect other people within your network.”</p> <p>Safety tips like these and more are available through the <a href="https://securityplanner.org/#/">Citizen Lab’s Security Planner tool.</a> Users are prompted to take a brief survey to assess their personal security needs and, based on their survey results, are given a tailored action plan to address their most pressing safety concerns. Users can get instructions on everything from how <a href="https://securityplanner.org/#/tool/https-everywhere">to secure their web browser</a> to <a href="https://securityplanner.org/#/tool/security-checkups">how to run a security checkup on their Facebook account.</a> &nbsp;All of the site’s recommendations are based on peer-reviewed research by a cross-section of digital security experts.</p> <p>“People want to be more secure online but they’re not sure which actions are a good use of their time and what might be overkill. There’s a lot of contradictory advice out there,” says John Scott-Railton, a senior researcher at Citizen Lab and editor of Security Planner’s recommendations. “So, we thought, ‘Why don’t we get a bunch of experts together, gather the best ideas and then provide those to users in a way that’s accessible?’ The goal of Security Planner is to make those first security steps as easy as possible.”</p> <p>Most of Security Planner’s tips are quick and easy to implement. Although the tool is designed to help the average Internet user, it also provides links to outside resources for people who may be at a higher risk of cybersecurity threats because of who they are or what they do. (Certain groups – like journalists, legislators or dissidents – may be at a higher risk of cyber-attacks. Citizen Lab has <a href="https://citizenlab.ca/category/research/targeted-threats/">released several reports outlining the details of targeted threats</a> they’ve uncovered.) Designed to be simple and straightforward, the tool provides each user with the safety tips they need most, and strips away information that may not be as useful.</p> <p>“So many guides that are available online just provide a wall of text. And for someone who is already feeling anxious about taking steps toward better security, they don’t want to have to read a 20-page document on how to be safer,” says Schoellhorn. “They want targeted advice with as little extraneous information as possible.”</p> <p>The tool is also built to evolve. There is a section on the website for users to provide feedback and the recommendations on the site are updated as security threats change.</p> <p>“It’s important to keep information updated and current, because security problems change and advice needs to change with it,” says Scott-Railton. “As soon as you take one of those security steps, you’re better off than before you did. We did market research and really tried to find ways to make these recommendations accessible. Because just as free and open communications should be a right, security should be a right too.”</p> <p>Looking for more online safety tips? <a href="https://securityplanner.org/#/">Visit securityplanner.org for your personalized safety action plan</a>.&nbsp;</p> </div> <div class="field field--name-field-news-home-page-banner field--type-boolean field--label-above"> <div class="field__label">News home page banner</div> <div class="field__item">Off</div> </div> Thu, 22 Mar 2018 17:55:22 +0000 noreen.rasbach 131878 at Citizen Lab survey finds many journalism schools lacking in cybersecurity training /news/citizen-lab-survey-finds-many-journalism-schools-lacking-cybersecurity-training <span class="field field--name-title field--type-string field--label-hidden">Citizen Lab survey finds many journalism schools lacking in cybersecurity training </span> <div class="field field--name-field-featured-picture field--type-image field--label-hidden field__item"> <img loading="eager" srcset="/sites/default/files/styles/news_banner_370/public/Fingers.jpg?h=5fd8c37b&amp;itok=3Jb4D548 370w, /sites/default/files/styles/news_banner_740/public/Fingers.jpg?h=5fd8c37b&amp;itok=4gXIiPsE 740w, /sites/default/files/styles/news_banner_1110/public/Fingers.jpg?h=5fd8c37b&amp;itok=d54kgEsx 1110w" sizes="(min-width:1200px) 1110px, (max-width: 1199px) 80vw, (max-width: 767px) 90vw, (max-width: 575px) 95vw" width="740" height="494" src="/sites/default/files/styles/news_banner_370/public/Fingers.jpg?h=5fd8c37b&amp;itok=3Jb4D548" alt="Photo of hands on phone"> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>Romi Levine</span></span> <span class="field field--name-created field--type-created field--label-hidden"><time datetime="2018-01-10T12:16:19-05:00" title="Wednesday, January 10, 2018 - 12:16" class="datetime">Wed, 01/10/2018 - 12:16</time> </span> <div class="clearfix text-formatted field field--name-field-cutline-long field--type-text-long field--label-above"> <div class="field__label">Cutline</div> <div class="field__item">While cybersecurity poses a serious threat to journalists, Թϱ's Citizen Lab says journalism schools are not doing enough to teach their students how to protect themselves (photo by Japanexperterna.se via Flickr)</div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Topic</div> <div class="field__item"><a href="/news/topics/global-lens" hreflang="en">Global Lens</a></div> </div> <div class="field field--name-field-story-tags field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/tags/alumni" hreflang="en">Alumni</a></div> <div class="field__item"><a href="/news/tags/citizen-lab" hreflang="en">Citizen Lab</a></div> <div class="field__item"><a href="/news/tags/cyber-security-0" hreflang="en">Cyber Security</a></div> <div class="field__item"><a href="/news/tags/faculty-arts-science" hreflang="en">Faculty of Arts &amp; Science</a></div> <div class="field__item"><a href="/news/tags/global" hreflang="en">Global</a></div> <div class="field__item"><a href="/news/tags/munk-school-global-affairs-public-policy" hreflang="en">Munk School of Global Affairs &amp; Public Policy</a></div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>It’s easy to be fooled by a misleading link in your inbox, but for journalists, a seemingly innocent click could put their work and sources at risk.</p> <p>Journalists all over the world have been targeted by organizations and governments who are using techniques like email deception to spy on them by gaining access to their phones and computers, according to research by University of Toronto’s Citizen Lab and reporting by&nbsp;the <em>New York Times</em>.</p> <p>Citizen Lab is based at Թϱ's Munk School of Global Affairs and focuses on research on cybersecurity, including&nbsp;digital espionage and privacy breaches.</p> <p>Cybersecurity breaches pose a serious threat to journalists, but a recent survey of journalism schools across the U.S. and Canada by Citizen Lab found that schools are not doing enough to train their students on how to recognize and protect themselves against online threats.&nbsp;</p> <p><strong>Joshua Oliver</strong>, a Թϱ alumnus and research assistant at Citizen Lab,&nbsp;<a href="https://www.cjr.org/innovations/journalism-schools-behind-cybersecurity.php">wrote about the survey results in the <em>Columbia Journalism Review</em></a>.</p> <p>“Only half of the 32 schools across the US and Canada that responded to the survey offer digital security training, and less than a quarter make that training mandatory,” writes Oliver.</p> <p>And of the schools that do provide training, most devote around two hours to the subject, which Oliver says is not enough.</p> <p>While Oliver recognizes it’s a hefty requirement for journalism schools to have this kind of full-time expertise, the digital threats to journalists are worsening, adding a layer of urgency, he says.</p> <p>"Once considered the exclusive concern of national security reporters, basic digital security competence is now essential for all journalists," says Oliver.&nbsp;</p> <p>He writes that the best way to introduce the topic of cybersecurity into the syllabus is to bring up the issue in existing courses. &nbsp;</p> <p>"For example: a basic reporting class might touch on the need to store notes and contacts securely in case&nbsp;your&nbsp;devices are&nbsp;searched; a photojournalism class would mention that metadata in photo files&nbsp;can reveal the location where they were taken."</p> <p>The survey was funded by the&nbsp;John D. and Catherine T. MacArthur Foundation and <strong>Ronald Deibert</strong>, professor of political science in the Faculty of Arts &amp; Science&nbsp;and director of Citizen Lab, was the principal investigator.&nbsp;</p> <h3><a href="https://www.cjr.org/innovations/journalism-schools-behind-cybersecurity.php">Read about the survey results in the <em>Columbia Journalism Review</em></a></h3> <p>&nbsp;</p> </div> <div class="field field--name-field-news-home-page-banner field--type-boolean field--label-above"> <div class="field__label">News home page banner</div> <div class="field__item">Off</div> </div> Wed, 10 Jan 2018 17:16:19 +0000 Romi Levine 126984 at Experts take on the latest hacks and leaks at Թϱ's upcoming McLuhan Salon /news/experts-take-latest-hacks-and-leaks-u-t-s-upcoming-mcluhan-salon <span class="field field--name-title field--type-string field--label-hidden">Experts take on the latest hacks and leaks at Թϱ's upcoming McLuhan Salon</span> <div class="field field--name-field-featured-picture field--type-image field--label-hidden field__item"> <img loading="eager" srcset="/sites/default/files/styles/news_banner_370/public/surman%20main.jpg?h=afdc3185&amp;itok=z4e9AZVU 370w, /sites/default/files/styles/news_banner_740/public/surman%20main.jpg?h=afdc3185&amp;itok=kFS_2DCC 740w, /sites/default/files/styles/news_banner_1110/public/surman%20main.jpg?h=afdc3185&amp;itok=FD7s2P_K 1110w" sizes="(min-width:1200px) 1110px, (max-width: 1199px) 80vw, (max-width: 767px) 90vw, (max-width: 575px) 95vw" width="740" height="494" src="/sites/default/files/styles/news_banner_370/public/surman%20main.jpg?h=afdc3185&amp;itok=z4e9AZVU" alt="Photo of Mark Surman"> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>Romi Levine</span></span> <span class="field field--name-created field--type-created field--label-hidden"><time datetime="2017-01-19T15:30:26-05:00" title="Thursday, January 19, 2017 - 15:30" class="datetime">Thu, 01/19/2017 - 15:30</time> </span> <div class="clearfix text-formatted field field--name-field-cutline-long field--type-text-long field--label-above"> <div class="field__label">Cutline</div> <div class="field__item">Թϱ alumnus and Mozilla Foundation Executive Director Mark Surman will be participating in Thursday's McLuhan Salon (photo by Joi Ito via Flickr)</div> </div> <div class="field field--name-field-author-reporters field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/authors-reporters/romi-levine" hreflang="en">Romi Levine</a></div> </div> <div class="field field--name-field-author-legacy field--type-string field--label-above"> <div class="field__label">Author legacy</div> <div class="field__item">Romi Levine</div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Topic</div> <div class="field__item"><a href="/news/topics/city-culture" hreflang="en">City &amp; Culture</a></div> </div> <div class="field field--name-field-story-tags field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/tags/cyber-security-0" hreflang="en">Cyber Security</a></div> <div class="field__item"><a href="/news/tags/us-politics-0" hreflang="en">U.S. politics</a></div> <div class="field__item"><a href="/news/tags/mcluhan-centre-culture-technology" hreflang="en">McLuhan Centre for Culture &amp; Technology</a></div> <div class="field__item"><a href="/news/tags/cities" hreflang="en">Cities</a></div> <div class="field__item"><a href="/news/tags/information-technology" hreflang="en">Information Technology</a></div> <div class="field__item"><a href="/news/tags/alumni" hreflang="en">Alumni</a></div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>The leak of an alleged intelligence memo about U.S. president-elect&nbsp;Donald Trump&nbsp;divided the media on whether or not to publish its details or acknowledge its legitimacy. &nbsp;</p> <p>On Tuesday, President Barack Obama commuted the prison sentence of Chelsea Manning, the former U.S. army intelligence analyst who leaked classified documents to WikiLeaks – a move that was praised by many but received harsh criticism from Republicans.</p> <p>Tonight, the McLuhan Salon is taking on its most timely and contested topic yet. Ripped straight from the headlines,&nbsp;“<a href="https://www.eventbrite.ca/e/mcluhan-salon-hacks-leaks-and-breaches-tickets-29828476777?aff=es2">Hacks, Leaks, and Breaches: Chronicles from the Cybervillage</a>” will dissect the latest news and address hotly debated issues around cyber security.</p> <p>Participants include <strong>Mark Surman</strong>, a Թϱ alumnus and executive director of the Mozilla Foundation, McGill University's Gabriella Coleman, an expert on Anonymous, and Mathew Ingram, a senior writer at <em>Fortune Magazine</em>.</p> <p>The salons, inspired by the late Թϱ professor and influential media theorist <strong>Marshall McLuhan</strong>, are hosted by Թϱ’s <a href="http://www.chi.utoronto.ca/about-us/">McLuhan Centre for Culture and Technology</a>&nbsp;and are <a href="/news/u-t-mcluhan-salons-take-classroom-city">held at different Toronto venues</a> every month.&nbsp;Tonight's salon&nbsp;takes place at the Toronto Reference Library.</p> <p>“The role played by WikiLeaks, Anonymous or trolling in recent years is no longer a niche cultural phenomena,” says <strong>Paolo Granata</strong>, visiting professor, McLuhan Centenary fellow and salon organizer.</p> <p>These organizations, often called “hacktivists,” have been a game changer in their ability to influence global politics, says Granata.</p> <p>“For this reason, we need to understand what is at stake in a networked society in terms of security and privacy, rights and freedom,” he says.</p> <p>High profile government operatives-turned-leakers such as&nbsp;Manning and Edward Snowden have been central to shedding light on these issues, making them a hero to some and an enemy to others.</p> <p>“We certainly benefited from people having the courage to leak information,” says Surman. “It helps us understand what's really going on, on the Internet. I personally think of Snowden as a hero as many do.”</p> <p>Ingram is interested in discussing the thorny ethics surrounding hacks and leaks.</p> <p>“When is it okay to report on and when is it not? It's a difficult question – and the goalposts keep moving,” he says.</p> <p>Coleman will explore the ways digital leaks came into being.</p> <p>“What's really interesting is that its history is remarkably recent even though the technical possibilities to engage in this form of hacking to leak has existed for 25 years,” she says.</p> <p>The spate of hacks and leaks has&nbsp;forced companies and governments to learn hard lessons, but they still aren’t going far enough to protect themselves, says Coleman.</p> <p>“This is a perennial issue, and you'd think with each new hack and leak and breach, that organizations would get their security act together. So far, there have been small steps in that direction, but it's very slow going.”</p> <p>The salon provides a unique opportunity to have a public discussion outside of the Internet echo chambers – something Ingram and Coleman are looking forward to.</p> <p>“I've never seen so many shows about hacking and so much news media, but it's hard to understand what the public thinks,” says Coleman. “[The salon] will provide an interesting barometer for how people are receiving this news, what they think about security, and whether they find value in some of these leaks – some of them are very, very controversial.”</p> <p>Ingram wants salon participants to weigh in.</p> <p>“I would like to hear their thoughts about whether they feel less secure, and whether they think the media should be publishing things like people's personal emails just because they can,” he says.</p> </div> <div class="field field--name-field-news-home-page-banner field--type-boolean field--label-above"> <div class="field__label">News home page banner</div> <div class="field__item">Off</div> </div> Thu, 19 Jan 2017 20:30:26 +0000 Romi Levine 103388 at