Tuesday, July 17, 2018

Sun, Sand, and Cybersecurity


From the desk of Thomas F. Duffy, MS-ISAC Chair
This month, in partnership with the National Cyber Security Alliance, we aim to provide some valuable tips on staying cyber safe while heading on a summer vacation. Whether you are out exploring or relaxing, it is important to strive to be as secure as possible with your digital devices and information. Unfortunately, travel can open you up to different points of vulnerability compared to normal everyday use at home, and we don’t just mean accidentally going swimming with your cell phone. You see, while traveling you are operating outside of your normal, safe routines. This means using your devices on different networks and putting them down in different locations, including under your beach towel while swimming. By following some smart practices, you can connect with greater confidence during a summer escape.

Getting Ready to Go:

Avoid mayhem and make magical family memories by taking a few simple cyber safety steps before you head out of town. The goal here is to prepare your devices for travel and to keep them from being used against you.
  • Keep a clean machine: Before you hit the road, make sure all security and critical software is up to date on your mobile devices and keep them updated during travel. These protections are your best line of defense against viruses and malware.
  • Lock down your login: Your usernames and passwords are not enough to protect key accounts like those you use for email, banking, and social media. Fortify your online security by turning on multi-factor authentication, commonly referred to as two-factor authentication, when available. This typically pairs your username and password (i.e. something you know) with a message sent to your phone (i.e. something you have) or your fingerprint (i.e. something you are).
  • Password protect: Use a passcode or security feature like a finger swipe pattern or fingerprint to lock your mobile device. Also set your screen to lock after a short period of time by default. If you do choose to use a finger swipe pattern, make sure it has at least one turn (preferably two), and make sure a PIN code has at least 6 digits!
  • Think before you use that app: New apps are tempting! It is important to always download new apps from only trusted sources like the Apple App Store or the Google Play Store. Additionally, consider limiting your apps’ access to services on your device, like location services.
  • Own your online presence: Set the privacy and security settings on social media accounts, web services, and devices. It is okay to limit how and with whom you share information – especially when you are away.

While on the Go:

Once you and your gang are at your destination, you are in new territory and are facing new potential cyber threats. Here are some ways you can keep up secure practices while out and about.
  • Get savvy about what you do on other people’s Wi-Fi and systems: Do not transmit personal info or make purchases on unsecured or public networks. Instead, use your phone carrier’s internet service for these needs. For laptops/tablets, it is easy to use your phone as a personal hotspot to surf more securely using carrier data. Also, never use a public computer or device to shop, log in to accounts, or do anything personal.
  • Turn off Wi-Fi and Bluetooth when idle: When Wi-Fi and Bluetooth are on, they may connect and track your whereabouts. Only enable Wi-Fi and Bluetooth when required, and disable your Wi-Fi auto-connect features.
  • Protect your $$$: Be sure to shop or bank only on secure sites. Web addresses with ‘https://’ and a lock icon indicate that the website takes extra security measures. However, an “http://” address indicates your connection is not secure (not encrypted) and you should not transmit payment or sensitive information over to such a site.
  • Share with care: Think twice before posting pictures that signal you are out of town. Knowing you are away from home is a great piece of information for a criminal to have and they may target your home for physical crime. Also consider limiting your social media apps’ access to location services on your device, and omit location information while making your posts and sharing your pictures.
  • Keep an eye on your devices: Laptops, smartphones, and tablets are all portable and convenient, making them perfect for a thief to carry away! Keep your devices close to you and hold onto them if strangers approach you to talk, as a common scam consists of a stranger distracting you and placing a map or newspaper over your device and walking away with it when finished talking.
  • Know your destination’s laws: If you are heading out of the country, check up on any specific laws on internet and device usage. Additionally, bring as few devices as possible and consider using a device specifically purchased for international travel.
Armed with these tips and practices, you should have a happy and cyber safe vacation ahead of you. To learn more about staying cyber safe and secure while travelling, head to the MS-ISAC’s Security Primer covering this topic. For more information on NCSA, including countless resources on staying cyber secure, please visit staysafeonline.org.

Monday, July 2, 2018

How to Spot Phishing Messages

The Federal Trade Commission’s definition of phishing is “when a scammer uses fraudulent emails or texts, or copycat websites, to get you to share valuable personal information.” When a user falls for a phishing message, the malicious actor achieves their purpose of getting the victim to hand over sensitive information such as login names and passwords. Though we count on technologies and controls to minimize threats, phishing exploits users through social engineering, which allows the malicious actors to sidestep these protections. This is why it is important that everyone learn to spot these fraudulent messages.

Let’s take a look at some example emails of phishing messages:

Message #1

Subject: Low Cost Dream Vacation loans!!!

Dear John,

     We understand that money can be tight and you may not be able to afford to go on vacation this year.   However, we have a solution. My company, World Bank and Trust is willing to offer low cost loans to get your through the vacation season. Interest rates are as low at 3% for 2 years. If you are interested in getting a loan, please fill out the attached contact form and send it back to us. We contact you within 2 days to arrange a deposit into your checking account.

Please email your completed form to VacationLoans@worldbankandtrust.com.

Your dream vacation is just a few clicks away!

Dr. Stephen Strange
World Bank and Trust
177a Bleecker Street, New York, NY10012

What did you notice in message #1? 

In this message, you can see that the phisher wants to give us a low cost loan with no credit check. They say we just need to send them our information and they will give us money, right? Not only does it seem too good to be true, but also when you hover the cursor over the email address to examine it further, you see that the link actually has a different destination. It is the email address of the attacker. Lastly, as much as you might like Dr. Strange, he’s probably not working for a bank part-time.

Message #2

Subject: Free Amazon Gift Card!!!

Dear Sally,

     You name has been randomly selected to win a $1000 Amazon gift card. In order to collect you prize, you need to log in with your Amazon account at the link below and update your contact information so we can put your prize in the mail. This is a limited time offer, so please respond to the request within 2 business days.  Failure to respond will forfeit your prize and we will select another winner.

www.amozan.com/giftredemption2321


What did you notice in message #2? 

Aside from this seeming too good to be true, you can see that “Amazon” is misspelled as “Amozan” on the link provided. If you read this quickly, you may think you are responding to the real company to get your gift certificate. In reality, you are providing your information to the attacker. For the purposes of this example, the link actually navigates to our district website, which is a trustworthy site.

Message #3

Subject: Urgent – Take Action Before Your Email Account is Deactivated

Dear User,

                  Following changes to our Microsoft email systems, each user must authenticate their account to prevent it from being deactivated. You can accomplish this by heading to the link below and entering your Microsoft Outlook email account credentials, and then we will know your account is active and should remain so.

http://www.microsoft.com/

Thank you,
Information Technology
Helpdesk Support Team


What did you notice in message #3?

This email is fairly well crafted, without errors. Note that it establishes a sense of urgency that the malicious actor hopes will cloud your judgement, and it threatens the deactivation of your email account. Additionally, the link at the bottom looks like a link to Microsoft, yet it is in fact heading somewhere else! Luckily, for the purposes of this example, that link simply leads to our district website, which is a legitimate site.

With these three examples considered, here are some basic recommendations to help protect you from becoming a phishing victim:

  • If it seems too good to be true, it probably is.
  • Hover your cursor over links in messages to find where the link is actually going.
  • Look for misspellings and poor grammar, which can be good signs a message is a fraud.
  • Never respond to an email requesting sensitive personal information (birthday, Social Security Number, username/password, etc.).

Message #4

From: Romero Christine <CRomero10@schools.nyc.gov>
Date: Sat, Jun 30, 2018 at 2:14 PM
Subject: Attn
To:

Your Mail Box Exceeded it storage limit *CLICK HERE TO UNBLOCK
<https://docs.google.com/forms/d/e/1FAIpQLSdbtFbDOA_C0LLZVP9H_jIpaO8TAOIqmJYRa-pY9Tq1kmwGfg/viewform?c=0&w=1&gt;*

Fill and click SUBMIT for more space or you wont be able to send Mail.


What did you notice in message #4?

Notice that the email address is neither a Google address nor our district address. Sometimes, to identify the sender’s address, you will need to hover over the username, just like the false links in the previous examples.

This example also contains minor grammatical errors and refers you to a link that requests information. In this case the link directs you to our district website to keep you safe.
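The three checks the analyses above walk through by hand (a sender domain that does not match the organization the message claims to be from, link text that shows one destination while the link goes elsewhere, and a misspelled brand domain such as “amozan”) can be automated. The following is an added example written for this page, not code from MS-ISAC or the district; the message dicts are constructed to mirror messages #2, #3 and #4, and district.example is a placeholder for the district website.

```python
from urllib.parse import urlparse

# Domains that really belong to the brands the sample messages claim to come from.
KNOWN_BRANDS = {"amazon": "amazon.com", "microsoft": "microsoft.com", "google": "google.com"}

def host_of(text):
    # Hostname if text is a URL; '' for plain anchor text such as 'CLICK HERE TO UNBLOCK'.
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "http://" + text  # tolerate bare 'www.example.com/path' forms
    return (urlparse(text).hostname or "").lower()

def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)

def levenshtein(a, b):
    # Edit distance, used to catch near-miss brand names such as 'amozan' for 'amazon'.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    # The real brand domain a host imitates (registrable label within 2 edits), else None.
    label = host.split(".")[-2] if "." in host else host
    for brand, domain in KNOWN_BRANDS.items():
        if not belongs_to(host, domain) and 0 < levenshtein(label, brand) <= 2:
            return domain
    return None

def check_message(msg):
    """Indicators found in one message: sender domain, shown-vs-real links, lookalike hosts."""
    findings = []
    sender_host = msg["from"].split("@")[-1].lower()
    if not belongs_to(sender_host, KNOWN_BRANDS[msg["claims_brand"]]):
        findings.append(f"sender {sender_host} is not {KNOWN_BRANDS[msg['claims_brand']]}")
    for shown_text, href in msg["links"]:
        shown, real = host_of(shown_text), host_of(href)
        if shown and shown != real:
            findings.append(f"link shows {shown} but goes to {real}")
        findings += [f"{h} imitates {lookalike_of(h)}" for h in sorted({shown, real} - {""}) if lookalike_of(h)]
    return findings

# Constructed samples mirroring messages #2, #3 and #4 above; district.example is a placeholder.
SAMPLES = {
    "msg2": {"from": "prizes@amozan.com", "claims_brand": "amazon",
             "links": [("www.amozan.com/giftredemption2321", "http://www.amozan.com/giftredemption2321")]},
    "msg3": {"from": "helpdesk@district.example", "claims_brand": "microsoft",
             "links": [("http://www.microsoft.com/", "https://district.example/")]},
    "msg4": {"from": "CRomero10@schools.nyc.gov", "claims_brand": "google",
             "links": [("CLICK HERE TO UNBLOCK", "https://docs.google.com/forms/d/e/PLACEHOLDER/viewform")]},
}
```

Running `check_message` over each sample reproduces the observations made in the text: message #2 is flagged for the “amozan” lookalike, message #3 for the Microsoft link that goes elsewhere, and message #4 for a sender domain that is not Google’s.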

What should you do if you interact with a phishing email?

If you do happen to respond to a phishing email, please contact our help desk to change your password.


Adapted from Thomas F. Duffy, MS-ISAC Chair: https://www.cisecurity.org/newsletter/how-to-spot-phishing-messages-like-a-pro/

Additional information and a phishing game can be found on the FTC’s website, https://www.ftc.gov/.