Information Security News Alert August 2016
QUESTIONS? PLEASE CONTACT: Dawn Thistle 508-767-7095 dthistle@assumption.edu
Bob Lavner 508-767-7006 blavner@assumption.edu
DISCLAIMER: The advice within was collected and created by the Security Awareness Company and is intended to be used as general safe practices. You should always follow College policy.
What’s the WiFi Password?
(OR WHAT MOBILE MEANS TODAY)

There was a time when using a GPS meant pulling out one of those giant maps that never folded up the same way twice. When getting from Point A to Point B meant flagging down a cab driver. When recommendations for food and entertainment meant collecting flyers from the hotel lobby or asking the concierge. Back then, being mobile meant being disconnected. Now, it’s the opposite. We’ve replaced all that analog interaction and inconvenience with smart devices and applications. We live in a world of constant access. Thanks to the Internet of Things, we are connected almost everywhere we go, all the time. Before leaving the house, our phones give us traffic updates. While on the go, we stream music playlists and podcasts through our car’s interface. Even at 30,000 feet, we can watch a live soccer match via the airline’s entertainment system. As soon as we reach our destination, the first question asked is almost always, “What’s the WiFi password?”

Today, mobility refers to connectivity. The Internet of Things plugs us in; the cloud syncs us up. But all that awesome tech and wireless convenience increases the bandwidth of security risks. Our mobile devices have become a huge target for cybercriminals. More personal information than ever is uploaded and stored in the cloud. The mobile, cyber and human domains are under constant attack. So, how do we protect ourselves? It starts with awareness and ends with skepticism. If you have a company-issued device or are part of a BYOD (Bring Your Own Device) program, do you know which apps you’re allowed to install and use? Do you protect all of your devices with strong, unique passwords? Do you know what to do if you lose a device? Are your family’s personal devices all backed up? Most of this is non-technical security and general common sense. If we plan ahead, remain constantly aware of our surroundings, and implement strict security routines, we can be safer on the go, regardless of whether it’s for work or play.

NO REST FOR THE WICKED
Security lines and crowded airplanes aside, getting around once you have reached your destination is easier than ever before. It’s hard to imagine visiting a new city without the power of Google Maps directing us where to go and Yelp providing reviews of what to eat. With a quick search, we can investigate local hotspots for food and entertainment while waiting for a rideshare outside of the house we rented through AirBNB, VRBO or Home Exchange. Thanks to our mobile devices, everything we need to know is a click away. Of course, where there is convenience there are security risks. It’s important to remember that we might take vacations, but criminals do not.
Did You Know?
VISHING is when a scammer contacts you via phone. SMISHING is when a scammer contacts you via text message.
Smishing: Phishing Gone Mobile
By now, we’ve all had our share of phishing scams show up in our inbox. They’re typically easy to spot due to poor grammar or absurd, urgent requests. But scammers aren’t just targeting your computers; they’re after your mobile devices, too.

Smishing is phishing via text messages, or SMS (hence the term “smishing”). Often, scammers send a text to your phone disguised to look like it came from your bank or other financial institution. It might warn that your account has been suspended and immediate action is required, accompanied by a (malicious!) link. In more sophisticated scenarios, the text message may ask you to call a phone number, which will connect you to a live person who pretends to be someone from your bank and requires your personal information to “verify” your account.

Regardless of the scenario, the core of the scam is based on the same principle as phishing: social engineering. Smishing works because the fraudster attempts to hack the human and not the device. Remember, being security aware isn’t a technical skill. YOU are the best defense against scammers.
A REAL WORLD SMISHING EXAMPLE Earlier this year, a man in Sheffield, England was conned out of nearly £23,000/$33,730 when he received a text message that appeared to come from his bank. The message warned him of potentially fraudulent activity on his account and advised him to call the listed phone number. The man obliged, called the number, talked to the fraudsters and ultimately was robbed of his life savings after they were able to extract his banking information from him. Read the entire story here: http://bit.ly/1nVNfGT.
2015 STATS
Around 1/3 of all SMS spam includes smishing attempts.
5 out of 6 large companies were targeted with spear phishing campaigns.
33.61% of global phishing scams caused infection.
Source: http://www.business2community.com/infographics/protectingcompany-spear-phishing-infographic-01543662#79kuWWsLUxvwykkU.97
How to avoid becoming a victim of Smishing
You might think this could never happen to you. There’s no way you’d fall victim to a text message scam! But we urge you to not be overly confident. These scams are becoming more and more sophisticated, to the point of impersonating major banks to near perfection. Here are 5 ways to avoid becoming a victim:

1. If you get a text from your bank, delete it. Banks don’t send text messages unless you personally set up Text Banking, and even then you generally have to initiate the texting conversation with specific commands to receive specific information, and they won’t include any links.
2. Never call an unknown phone number, regardless of the message. If you receive a request to call a certain business, look up the customer service contact information of said business and call that number to verify.
3. Look out for urgency. Like with phishing emails, smishing attempts will often include words like “urgent” or “immediate” or “verify.” These are clear signs that a con is at play.
4. Never click on miscellaneous links. Unlike a computer, where you can easily hover over a link to determine its legitimacy, it’s much more difficult to do so on a mobile device. A quick click is a quick way to get infected with malware!
5. When in doubt, delete. Don’t respond to random messages containing unknown phone numbers or URLs. If you’re not sure, just delete the message!
Traits of Security Savvy Travelers

They only take what they need. Do you need ALL of those mobile devices when traveling? We have a lot of personal items to keep track of. Consider bringing only what you need, and leave the rest at home.

They make photocopies of identification. Make photocopies of passports and other things that prove identity, then print them out or keep a digital version stored on a mobile device or flash drive (password protected and encrypted, of course). This way, if your bag or wallet containing your ID is stolen, you still have proof of identity.

They plan ahead. Research and download the apps you need before you travel. Then you won’t have to worry about extra data charges or accessing personal information on public WiFi. You can also download Google Maps of places you are visiting so that you can still have access without using data. For more tips and tricks on traveling with apps, check out this blog: http://bit.ly/29i7LyQ.

They use protection. Personal VPNs encrypt your data when you’re connected to public WiFi, preventing cybercriminals from snooping on your traffic for sensitive information like passwords and account credentials.

They don’t advertise. Don’t broadcast on social media to everyone that you’ll be gone for days or weeks, and wait until you return to post the thousands of photos you took.

IN CASE OF EMERGENCY
It’s a tough scenario to think about and something we hope never happens, but let’s imagine that an accident or sudden health issue leaves you incapacitated and unable to communicate with emergency personnel. How are they going to know whom to contact? How will they know if you have an ongoing medical condition? In addition to the medical alert bracelets and necklaces many people wear, our smartphones now give us the option to allow quick access to our own personal emergency contact info without the device needing to be unlocked. By selecting “medical ID” on an iPhone, or “emergency call” on an Android, authorities will have access to emergency contacts, medical information such as current medications or allergies, blood type, plus any other information you decide to share. (To set this up on an Apple device, go to your Health app and follow the instructions. For Android, go to contacts, select “My Profile” and edit your information.)

Remember: Check with company policy before accessing our data remotely, or implementing emergency contact info and device management software—such as Find My iPhone—on company-issued devices.

So you lost your smartphone. Now what?
There may be nothing more panic-inducing than losing your smartphone or having it stolen, especially while traveling. Thankfully, there are a few safeguards in place to protect our sensitive data (which, of course, include using strong passcodes to lock our devices). Apple devices have a feature called Find My iPhone. When enabled, Find My iPhone gives you the ability to track your device, ping it to ring and/or erase the phone as necessary. One of the strongest features is Lost Mode. You can find everything you need to know about these features on Apple’s website. Newer Androids with an updated OS give users the ability to locate their phones and lock them (or erase them completely) via the Android Device Manager. Simply log in using the Google credentials associated with your phone and you will have complete control. For more details on what to do when you’ve lost your phone, read this: http://bit.ly/297ZcX7.

Airport Security
Once airport security has done its part, it’s our turn to think about security. Here are five ways to stay safe between flights:

1. Use a VPN, or virtual private network, when accessing public WiFi.
2. Avoid logging into banks or anything with financial information.
3. Keep all devices on your person when not in use.
4. Consider buying a Bluetooth-based luggage tracker.
5. Never ask strangers to watch your stuff.
“The cloud is only rocket science if you’re NASA and using the cloud for rocket science. Else, for the rest of us, it’s an awesome platform upon which we leverage various opportunities to improve the way in which we think about and implement the practices and technology needed to secure the things that matter most to us.” —Chris Hoff, Security Strategist & founding member of Cloud Security Alliance
The Cloud
In the last few years alone, external hard drives have gotten ever smaller in size and bigger in bytes while also dropping in price. This is great for backing up personal data. But the problem with physical hard drives is that they fill up and, eventually, fail. Furthermore, if your backups are all stored in the same location, they are susceptible to unpredictable destruction from fires, floods, young children, ‘helpful’ pets, etc.

The natural solution to this problem is the cloud. Online backups offer everything hard drives can’t: unlimited storage, off-site redundancy, and little-to-no threat of mechanical failure. But does that mean the data is safe and secure? Of course not. At least with hard drives, you are still in possession of your data, and if you encrypt that data it will be very difficult for a bad guy to steal your information. So difficult, in fact, they probably won’t even try.

Clouds are a different story. They are a huge target for cybercriminals simply because of how much valuable data is stored. As a result, when choosing a cloud backup service, it’s important to compare and contrast security measures. Find out what kind of encryption is used. Find out who has access to your data and how that access is protected. Finally, determine how much data storage you need before getting out your checkbook. At work, know and always follow our policy for cloud backups. If you’re not sure, ask!

EVER WONDER WHAT THE INTERNET LOOKS LIKE?
This interactive map, courtesy of TeleGeography.com, shows the backbone of the internet via the global infrastructure of underwater cables. http://bit.ly/1YDup4a

Google Knows
Ever thought about how much the tech giant really knows about you? The short answer is: Google knows what you’ve searched for, where you’ve been and what you’ve watched. To learn more about how much of your personal data is stored in the Google cloud, read this: http://bit.ly/297Ssss. Research anonymizers, browser plug-ins and VPN options if you want to ‘hide’ your surfing.

Case Study:
The Internet of Things Meets Physical Security
Wireless cameras are inexpensive and easy to set up. Most of them offer software that will alert you via email or SMS when motion is detected. All you have to do is sign in to your online account (the cloud!) and you can watch your house or business with 24-hour access to surveillance via your computer or mobile device.

This might also be known as a false sense of security. Or even worse, a major security risk. One Reddit user claims to have bought and returned a set of wireless cameras only to later receive notifications of motion, even though the cameras were no longer in his possession. He logged into his account and came to a startling revelation: he could see the new owners in their house and watch everything they were doing.

This is a valuable reminder that the Internet of Things and the cloud are inherently insecure. It’s vitally important we stay aware of the security risks at all times, and do our best to mitigate those risks whenever possible.
HEADLINE NEWS

10 Million Android Devices Infected with Chinese Ad Agency’s Malware
According to Check Point, a leading cyber security company, malware known as “HummingBad” has infected more than 10 million Android devices globally. HummingBad generates false advertisement revenue through forced downloading of apps and clicking of ads. It is estimated the malware is generating close to $300,000/€270,600 a month for its distributors, Chinese ad agency Yingmob. HummingBad infects devices by using drive-by downloading, in which it is maliciously installed when users visit certain websites. In addition to generating false advertising revenue, the malware also installs fraudulent apps, further increasing the revenue stream for the attackers. The majority of victims are in China and India, but it has spread globally, with the US, UK and Australia contributing to the growing number of infected devices.

It’s important for us to remember that our mobile devices are at just as much risk from cyber security threats as our desktop computers. As always, think before clicking on any links or downloading any attachments, and remain skeptical at all times! Learn more about the malware here: http://bit.ly/20euvyy.

Latest CryptXXX Ransomware has Generated $60K+ for Bad Guys
Since June 4th, the latest update of the CryptXXX ransomware has generated $60,478 in ransom payments for the authors of the code. This particular variant had received updates that corrected a flaw that allowed decryption tools from security firms like Kaspersky to restore ransomed files without the need for the victim to pay the bad guys. It also allows the victim to decrypt a single file of their choice (less than 512 KB), a great psychological tactic to prove to the user that if they do pay, their files will be restored. Learn more here: http://bit.ly/29ygRWh, and again, don’t forget to think before you click!

Infosecurity @InfosecurityMag • July 6 UK cops responsible for 2000+ data breaches from insiders abusing positions bit.ly/29k93Fk
BBC News US @BBCNewsUS • July 5 FBI recommends no criminal charges against Clinton over private emails bbc.in/29nda5l
Cheetah Mobile @CheetahMobile • June 29 Chinese mobile trojan “Hummer” infected 1.4M devices daily in 2016 bit.ly/29oKjxQ
Motherboard @motherboard • June 29 “Muslim Match” dating site hacked; 150K creds & 500K private msgs posted online bit.ly/29hTHAQ
Tripwire @TripwireInc • June 29 Hard Rock notified customers of data breach compromising payment cards bit.ly/29mQYci
KyivPost @KyivPost • June 25 Hackers stole $10M from Ukrainian bank via SWIFT network vulnerability bit.ly/2961gvp
Dark Reading @darkreading • June 24 NASCAR crew chief hit with ransomware, pays to save $2M worth of race car specs ubm.io/29hrN7Q
Ars Technica @arstechnica • June 23 “Godless” malware apps can gain root access to 90% of Android phones bit.ly/28U6azy