Information Security Updates
Email is still one of the primary ways we communicate, both in our personal and professional lives. However, quite often we can be our own worst enemy when using email. Here are the most common mistakes people make with email and how to avoid them. https://www.sans.org/newsletters/ouch/avoid-the-most-common-email-mistakes/
Does it seem like cyber criminals have a magic wand for getting into your email or bank accounts and there’s nothing you can do to stop them? Wouldn’t it be great if there was one single step you could take that would help protect your from cyber criminals and let you securely make the most of technology? While no sole step will stop all cyber criminals, one of the most important steps you can take is to enable something called two-factor authentication (sometimes called 2FA, two-step verification, or multi-factor authentication) on your most important accounts. Read more at https://www.sans.org/newsletters/ouch/one-simple-step-to-securing-your-accounts/
I wrote about ransomware about a year ago. The only things that have changed since then are that the result of becoming infected have gotten far more severe and the number of victims has increased exponentially. Today's variants not only encrypt your data and demand payment to decrypt it, they also steal your data and threaten to expose it to the world if payment is not made. Under that scheme, even if you have proper and sufficient backups to restore your data, making the encryption moot, there is the threat that your data will be published for all to see.
We are not immune from these attacks here in the midwest. Last fall, the University of Nebraska Medical Center and Nebraska Medicine were breached. Associated costs are many tens of millions of dollars. More recently, and even closer to home, DMACC suffered a ransomware attack early last month that shut their network and classes down for almost two weeks.
Phishing provided the initial foothold for the bad actors behind these and many other similar incidents. Vigilance and skepticism when reading email remains key. Don't fall for the emotions that all phishing actors try to evoke -
- Fear - something bad will happen if you don't click on the link in the message
- Greed - something good will happen if you do click on the link in the message
- Urgency - hurry up and click on the link in the message right now
- Concern/Empathy -
- I’m stranded in an unfamiliar city
- I’m falsely accused, in jail, and need bail money
- I’ve been mugged and am in the hospital
Don't click on links in email messages unless you're certain they are legitimate. Don't open attachments in email messages unless you're certain of the sender's identity and the content of the message makes sense to you. If you have any questions about the message, err on the side of safety and seek help by contacting firstname.lastname@example.org.
Mobile devices are an amazing and easy way to communicate with friends, shop or bank online, watch movies, play games, and perform a myriad of other activities. Since these devices are such an important part of your life, it is essential to keep you and your devices safe and secure. Read more at https://www.sans.org/newsletters/ouch/securing-mobile-devices/
Mobile devices, such as tablets, smartphones, and smartwatches, have become one of the primary technologies we use in both our personal and professional lives. What makes these devices so powerful are the thousands of apps we can choose from. These apps enable us to be more productive, communicate and share with others, train and educate, or just have more fun. Here are steps you can take to securely use and make the most of today’s mobile apps. Read them at https://www.sans.org/newsletters/ouch/securely-using-mobile-apps/
Vishing is to your phone as phishing is to your email account. Vishers may use either voice or SMS (text messages) to target you. They do this because there is less protection for your phone than for your UNI email account. Read the SANS OUCH! page at https://www.sans.org/newsletters/ouch/vishing/ for details and advice.
A W2 tax email scam is circulating in the U.S. using Typeform, a popular software that specializes in online surveys and form building. The campaign is aimed at harvesting victims’ email account credentials, researchers said.
According to Armorblox, the campaign also bypasses native Google Workspace email security filters in the victims it examined.
“The email impersonated an automated file-sharing communication from OneDrive, informing victims that they had received a file,” researchers explained in an analysis on Tuesday. “The email was sent from a Hotmail ID and was titled ‘RE: Home Loan,’ followed by a reference number and the date, making it seem like the email was part of an ongoing conversation to lend it more legitimacy.”
To read the complete article see:
The [US] Internal Revenue Service (IRS) is warning of ongoing phishing attacks impersonating the IRS and targeting educational institutions. The attacks use tax refund payment baits and mainly focus on universities' staff and students with .edu email addresses.
- The rest of the story: https://www.bleepingcomputer.com/news/security/scammers-target-universities-in-ongoing-irs-phishing-attacks/
- IRS warning: https://www.irs.gov/newsroom/irs-warns-university-students-and-staff-of-impersonation-email-scam
- Researcher's blog: https://abnormalsecurity.com/blog/irs-impersonation/
What is Identity Theft? Identity theft happens when a criminal steals information about you and uses that information to commit fraud, such as requesting unemployment benefits, tax refunds, or a new loan or credit card in your name. If you don’t take precautions, you may end up paying for products or services that you didn’t buy and dealing with the stress and financial heartache that follows identity theft.
Have I Been Hacked? No matter how secure you are, sooner or later you may have an accident and become "hacked". Below are clues you might have been hacked and if so, what to do. See https://www.sans.org/security-awareness-training/resources/what-do-when-hacked for more information.