Information Security News Alert, October 2016

Surf’s Up: Using Common Sense to Ride the Internet’s Riptide
Longer is Stronger: Building Better Passwords
Real Life Spear Phishing Attack
Public WiFi is Public & More!
QUESTIONS? PLEASE CONTACT: Dawn Thistle 508-767-7095 dthistle@assumption.edu
Bob Lavner 508-767-7006 blavner@assumption.edu
DISCLAIMER: The advice within was collected and created by the Security Awareness Company and is intended to be used as general safe practices. You should always follow College policy.
Surf’s Up, Dude!

You’re probably not familiar with the name Jean Armour Polly, but you are familiar with the common catchphrase she coined. The phrase “surfing the internet” came from her paper written back in 1992, before internet connections were mainstream. According to Polly, she wanted something that metaphorically expressed the fun of using the internet – the way we go from website to website, link to link – but that also evoked a sense of randomness, chaos, and even danger. Her paper, “Surfing the Internet,” is still available for free via Project Gutenberg, for those of you who want a little light reading.

We still use her now famous phrase, but the phrase “safely surfing the internet” is the one we’re most interested in, especially here at work. The randomness, chaos and danger Polly spoke of is greater than she could have imagined in the early ’90s. We now have the added complication of accessibility. From our homes to our mobile devices to our computers at work, we are connected, we are surfing. If we’re not doing it safely, we can easily drown in a sea of malware, spyware, viruses and even identity theft.

But what does it mean to be a safe surfer? It begins and ends with common sense. We can install and run all the anti-virus and anti-malware services in the world. We can spend top-dollar on hiring security experts to set up our networks with all the latest and greatest firewalls, but none of it will matter if we don’t use old-fashioned logic. Meaning? Don’t click on any suspicious links. Verify sources before downloading apps on mobile devices. Follow policy at work. Keep devices up to date at all times. These are all simple, non-technical steps to take that promote good cyber hygiene and keep us away from the many dangers our beloved internet presents.
Social Media: Where Sharing Isn’t Caring

There are 7.3 billion humans on our planet, and over 2.3 billion of them use social media. Data scientists expect that number to rise above 2.5 billion by 2018, which means a third of Earth’s population will be on social media in the very near future. It also means that everything you share, depending on your privacy settings, is shared with a whole lot of people. The keywords here are “depending on your privacy settings.” Social media platforms update their security policies all the time; how often do you review them? When was the last time you checked who can view your profile and who has access to the information you post? The average person has five social media accounts. That’s five completely different methods of sharing and five completely different sets of privacy settings. While it’s important to know everything you can about privacy settings, you should also consider just sharing less.
A Real Life Spear Phishing Attack

Are you familiar with spear phishing? You should be, because the spear phisher is familiar with you! Unlike phishing emails, which are usually sent at random to an aggregated list, spear phishing targets specific people. A spear phisher knows your email address, the company you work for and just enough information about you and your position that he or she can use it to appear to be a friend, a colleague, a boss or even law enforcement! What does a spear phishing attack look like? Here’s a real life example. (Actual names and information have been changed.)
At first glance, the email to the right seems legitimate. It addresses the recipient by name. The signature includes a phone number. The body of the email includes Jessica’s actual place of employment. So how would she know this is a scam?

1. Let’s start at the top. Who is Lucas? And why does his email address look so strange? His name isn’t in the email address, it doesn’t look professional and, if it were actually from Lawyers-R-Us PLLC, wouldn’t the domain name reflect that?

2. This is the first Jessica is hearing of any sort of testimonial or legal issue. Why would she be subpoenaed out of the blue, and via email at that? Wouldn’t her supervisors or company lawyers inform her of such things well before she was advised to appear in court?

3. Finally, doesn’t it seem strange that there’s an attachment when everything she needs to know is written in the body of the email? What is it for?
This very well-crafted spear phishing attack hits all the right notes. If Jessica had let her fear take control without studying the email closely, she may have downloaded the attachment and launched it on her work computer, infecting it with malware.
What should you do if you receive an email like this? At home: delete, delete, delete. At work: follow policy, know how to report any security incidents and, if you’re not sure, ask someone immediately!
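As an added example (not code from the newsletter or the Security Awareness Company), here is a small Python checklist that turns the three tells above into a function a mail filter or help desk could run over a message; the sender address, subject, body and attachment name in the sample are constructed placeholders, not the real ones from the incident.

```python
import re
from dataclasses import dataclass, field

LEGAL_SUFFIXES = {"pllc", "llc", "llp", "inc", "ltd", "corp"}
PRESSURE_TERMS = ("subpoena", "court", "testimony", "immediately", "legal action")  # constructed lure words

@dataclass
class Email:
    display_name: str
    from_address: str
    claimed_org: str             # organisation named in the signature
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    prior_contact: bool = False  # has the recipient ever dealt with this sender?

def letters(s):
    """Lower-case and keep only a-z so names and domains compare loosely."""
    return re.sub(r"[^a-z]", "", s.lower())

def red_flags(msg):
    """Return the newsletter's three tells that apply to this message."""
    flags = []
    local, _, domain = msg.from_address.lower().partition("@")
    # 1. Name missing from the address, and a domain that does not reflect
    #    the organisation the signature claims to speak for.
    name_parts = [letters(p) for p in msg.display_name.split() if len(p) > 1]
    if name_parts and not any(p in letters(local) for p in name_parts):
        flags.append("display name does not appear in the sender address")
    org_words = [letters(w) for w in re.split(r"[\s-]+", msg.claimed_org)]
    org = "".join(w for w in org_words if w and w not in LEGAL_SUFFIXES)
    if org and org not in letters(domain):
        flags.append("sender domain does not match the claimed organisation")
    # 2. A legal or urgent demand arriving out of the blue.
    text = (msg.subject + " " + msg.body).lower()
    if not msg.prior_contact and any(t in text for t in PRESSURE_TERMS):
        flags.append("urgent legal demand from a sender with no prior contact")
    # 3. An attachment when the body already says everything.
    if msg.attachments and not msg.prior_contact:
        flags.append("unexpected attachment(s): " + ", ".join(msg.attachments))
    return flags

# Constructed message modelled on the newsletter's example (placeholder values, not the real ones).
SAMPLE = Email(
    display_name="Lucas", from_address="lcs.notices7781@mail-example.net",
    claimed_org="Lawyers-R-Us PLLC", subject="Subpoena: your testimony is required",
    body="Dear Jessica, you are required to appear in court. Details attached.",
    attachments=["Subpoena_Notice.zip"])
```

Running `red_flags(SAMPLE)` reports all four findings; a message from a known colleague at a domain that matches their firm, with no attachment, returns an empty list.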
FAMILY PRACTICE

It goes without saying that we need to take extra precautions at work to ensure that the confidentiality, integrity and availability of our data stays intact. But what about at home? How do we protect our families? It starts with leading by example. We teach our children to be kind to others, to eat right, and to look both ways before crossing the street. We also need to teach them how to be good digital citizens with strong online safety habits. The best way to do that is by holding ourselves to the same high standards. When it comes to kids and the internet, the “why” is just as important as the “what.” Why do we need strong passwords? Why do we need to be careful with whom we share? Why are certain websites and social media platforms not allowed? As parents, we must also teach our children how to report an incident, especially when it comes to cyberbullying. Encourage them to speak up if they are a victim or if they see someone else being bullied. Furthermore, we need to know what to do should we suspect our own children of being cyberbullies, which is never an easy conversation.
Implementing and enforcing a Family Cyber Security & Privacy Policy is the first step to protecting our families.
A good policy emphasizes strong and unique passwords, regular backups of family data (such as pictures and videos), utilizing anti-virus software, limiting what information is shared online, and knowing what files are safe to download or click on. There is also another layer of policy a lot of us don’t add: device disconnect. You might already have a “no phones at the dinner table” rule, which is a great start, but setting aside a few nights a week where no screens are allowed helps teach the value of unplugging, helps minimize device dependency, and enhances development of important face-to-face social skills!
PASSWORDS: LONGER is STRONGER

Passwords are the first defenders in the privacy universe. Without them our cyber lives would be less secure than they are now. The average person has over 25 internet accounts, and some reports suggest that number is closer to 90! It goes without saying that we need strong, unique passwords for every single online account. The question is, what constitutes a strong, unique password? Let’s run a test. Head over to PassFault.com, a password strength analyzer, and play around with a few you think are strong. (DO NOT USE YOUR ACTUAL PASSWORDS.) Here are some interesting results we found:
Password: LogMeIn
Time to Crack: < 24 HOURS
This is obviously a weak password that shouldn’t be used for anything. Let’s beef it up a bit. Many accounts will say “Password must be at least eight characters long, contain at least one uppercase and one lowercase letter, contain at least one number and one special character.” No problem!

Password: Pr0tectMe!
Time to Crack: < 24 HOURS
Wait! What happened here? We followed the instructions. You’re telling me that a criminal could crack this in less than a day? That’s right. Even though this passcode is complex and satisfies the requirements set by most account admins, it’s still not strong enough. Let’s kick it up a notch!

Password: kpD59lgOA0D!
Time to Crack: ~ 48 DAYS
Alright, this password scores a little better. But even though it’s completely random and complex, it’s still not optimal. A determined criminal will crack this in under two months, which will certainly occur before the user changes it. We need to do better!

Password: The Dog Wants To G0 Out!
Time to Crack: ~ 3,127,836 CENTURIES
Now that’s what we call a strong password! Capitalized with spaces between each word. One number, effectively misspelling “Go.” One special character. It’s a phrase, not a single word. And the best part? It’s easy to remember! So go ahead, criminals, try to crack this passphrase. We’ll be waiting.
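As an added example (not part of the newsletter, and not PassFault’s algorithm), this Python estimator applies the typical complexity rule quoted above and a simple attacker model to the four test passwords: an attacker takes the cheaper of brute force and a dictionary attack on the password with leetspeak undone. The guess rate, wordlist size and variants-per-word figures are constructed assumptions, so the absolute times differ from PassFault’s, but the lesson is the same: both short passwords fall in seconds even though one passes the complexity rule, and the long phrase does not.

```python
import math
import re

# Constructed attacker model: guesses per second, size of a real cracking
# wordlist, and case/leet/suffix variants tried per dictionary word.
GUESS_RATE = 1e11
DICT_SIZE = 20_000
VARIANTS_PER_WORD = 1_000
SECONDS_PER_YEAR = 365 * 24 * 3600
# Tiny stand-in wordlist: only needs the words that occur in the four test passwords.
WORDLIST = {"log", "me", "in", "protect", "the", "dog", "wants", "to", "go", "out"}
LEET = str.maketrans("013457@$", "oieastas")  # undo common substitutions

def meets_complexity_policy(pw):
    """The rule the newsletter quotes: 8+ chars with upper, lower, digit and special."""
    return (len(pw) >= 8 and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def brute_force_guesses(pw):
    """alphabet ** length, the alphabet being the union of character classes used."""
    alphabet = (26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
                + 10 * any(c.isdigit() for c in pw)
                + 33 * any(not c.isalnum() for c in pw))  # punctuation plus space
    return float(alphabet) ** len(pw)

def word_count(core):
    """How many wordlist words concatenate to `core`; None if it is not made of words."""
    if core == "":
        return 0
    for w in WORDLIST:
        if core.startswith(w):
            rest = word_count(core[len(w):])
            if rest is not None:
                return rest + 1
    return None

def estimated_guesses(pw):
    """Cheaper of brute force and a dictionary attack on the de-leeted, letters-only core."""
    core = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    n = word_count(core)
    dictionary = (DICT_SIZE ** n) * VARIANTS_PER_WORD if n else math.inf
    return min(brute_force_guesses(pw), dictionary)

def years_to_crack(pw):
    return estimated_guesses(pw) / GUESS_RATE / SECONDS_PER_YEAR

for pw in ["LogMeIn", "Pr0tectMe!", "kpD59lgOA0D!", "The Dog Wants To G0 Out!"]:
    print(f"{pw!r}: policy={meets_complexity_policy(pw)} years={years_to_crack(pw):.3g}")
```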
A Moving Target

Last year more than half a billion mobile devices were added to global networks. Experts project that by 2020, the total number of devices will be 11.6 billion — 1.5 times that of the world’s population. Guess what’s coming to a smartphone near you? If you guessed MALWARE, you’re correct. With everyone and their dog carrying around a connected device, you can bet that criminals are targeting smartphones, tablets and whatever mobile tech is next. We’ve already experienced alarming reports of malware hitting both Android and iOS, such as the so-called “Hummingbird” — which infected over 10 million Android devices — or the “AceDeceiver” malware that hit iPhones right out of the box. The fact of the matter is, our lives have gone mobile. Assuming the devices we take everywhere are immune to cyberattacks is pure negligence. Criminals look at the booming tech industry with the Internet of Things and see untapped, and nearly unlimited, potential.
So what are we going to do about it? Treat your mobile devices like you would your computers. Install antivirus and malware detection scanning software. Don’t click on suspicious or unsolicited links sent to you in any form. Research and verify the source before downloading apps. Stay up to date from both a software standpoint and a news standpoint so you are familiar with today’s threats. And as always, follow work policy when it comes to personal devices you bring to the office and devices issued to you by our organization. Most importantly, use common sense. The benefits of mobility far outweigh the downsides, but the sheer volume of connected devices has made them the top targets for cybercriminals.
Public WiFi is Public

What’s the first thing we all do when we go to a café, bar or hotel? Look for a WiFi connection, of course! We live in a world where public WiFi is nearly everywhere. But here’s the thing about public WiFi: it’s public. It’s easy to forget that once you connect to the same hotspot as everyone else, every bit of your internet traffic can be easily intercepted. Your passwords, your user IDs, your online banking credentials, all of your texts — both personal and professional — private Facebook chats, pictures and videos sent over SMS, Skype conversations, email contents, EVERYTHING is wide open. For that matter, there’s always a chance that a bad guy has set up a rogue network at a popular place. These networks look legitimate because they will use a common name like “CaféWiFi.” A great example of this happened recently when Avast, an anti-virus developer, set up a bogus WiFi hotspot at the US Republican National Convention. Around 1,200 users connected, giving Avast full access to their information.

The solution? A virtual private network, or VPN. VPNs encrypt your traffic so all of your private and personal data stays private and personal. A criminal hacker won’t be able to easily snoop your information while you’re on a public network. In a world where we are always connected, a VPN is your best friend. They are inexpensive, easy to use, and can be installed across multiple devices. But only install a VPN on personal devices. Always check organizational policy for work-issued devices before installing software!
HEADLINE NEWS

New Ransomware Can Find Victims’ Physical Location

A new version of ransomware called “Cry” has stepped out onto the scene, and it’s arguably more unsettling than previous types of the malware. Pretending to come from a fake organization called the Central Security Treatment Organization (CSTO), this ransomware gathers the device information and location of its victims, then posts the details on public sites such as Imgur.com and Pastee.org. Researchers are unsure why the attackers determine their victims’ locations, unless it’s a scare tactic used to convince people to pay the 1.1 Bitcoin ransom (about $625). For more information and technical details about how Cry works, visit http://bit.ly/2cIYulY.

Dropbox Breach Exposes Credentials for 69 Million Accounts

Reports surfaced recently of a major data breach involving the cloud storage service Dropbox. Criminal hackers were able to obtain almost 69 million account credentials from a breach dating back to 2012. When the breach was initially made public four years ago, it was believed that only email addresses were leaked. Updated reports now say that passwords were also stolen, and are in danger of being sold on the dark web. Security professional Troy Hunt was able to verify that the hack contains legitimate passwords and that even the strongest passwords could be vulnerable to advanced cracking techniques. Read more by visiting http://bit.ly/2ccY3uq.

If you have a Dropbox account, you are strongly advised to change your password immediately, even if you are not prompted to do so by a mandatory password reset notification. Despite Hunt’s findings, it’s always best to maintain strong, unique passwords for each of your accounts and to change them often. This important security habit makes it far less likely that breaches like this one will compromise any sensitive information.

The Hacker News @TheHackersNews • Sep 5 Breach of Russia’s biggest portal leaks nearly 100M plaintext passwords bit.ly/2chOLm0
Infosecurity @InfosecurityMag • Sep 2 Global smartphone malware infections up 98% in first half of 2016 bit.ly/2cBv6K7
Tripwire @TripwireInc • Sep 1 Leoni AG loses 40M Euros to email scammer using spear phishing bit.ly/2ckqURg
AppRiver @AppRiver • Sep 1 Phishing email distributes malware via download with a convincing imitation of Dropbox notification bit.ly/2chQdF0
BBC News @BBCNews • Aug 29 UK Pokémon GO players involved in hundreds of thefts, assaults, harassment & driving offenses bbc.in/2cdmRWr
Google Europe @GoogleEuropeRSS • Aug 29 Google is latest American tech giant to sign on to US-EU Privacy Shield bit.ly/2c4W8d5
Level 3 @Level3 • Aug 25 1M+ “Internet of Things” devices are enslaved to DDoS botnets bit.ly/2bTljx8
Lookout @Lookout • Aug 25 Sophisticated Israeli mobile attack “Trident” targets iOS; need to update to the latest version immediately! bit.ly/2c8gkJm