Information Security Updates
Emily was having a typical busy day. She grabbed her morning coffee, glanced at her phone, and noticed a text from her bank: "Did you make this transaction? Reply YES or NO." She frowned. She hadn't made any purchases yet that day. Maybe it was just a glitch. She replied "NO," and within minutes, a call came in...
Read the rest of the story at https://www.sans.org/newsletters/ouch/dont-let-cybercriminals-swipe-your-savings-lock-down-your-financial-accounts/
One lazy Sunday while on social media, Sarah stumbled upon an ad for a new photo editing app, 'PiksPerfect.' Intrigued by its stunning filters, she downloaded it without hesitation. At first, the app worked great, but soon her phone became sluggish, and random ads began popping up.
Read the rest of the story at https://www.sans.org/newsletters/ouch/download-danger-how-to-outwit-malicious-mobile-apps/
A widespread Verizon outage is being felt here as well as in many places across the country. Duo push will continue to work if you are connected to WiFi. If you don't have WiFi available where you are, you can use the Duo mobile app to generate a passcode to use in place of a push. To do that, cancel the push that is trying to complete, click Other Options, and then choose mobile app passcode as your method.
https://istheservicedown.com/problems/verizon/4880889-waterloo-black-hawk-county-iowa-united-states
Voice cloning is when someone uses AI to recreate a person's voice, including their voice patterns, intonations, and speech rhythms, creating a near-perfect replica. A voice cloning attack begins with a cyber-criminal collecting audio samples of the target's voice. Read more at https://www.sans.org/newsletters/ouch/phantom-voices-defend-against-voice-cloning-attacks/
The Information Security Phishing Education project is returning this fall. As has always been the case, this initiative is designed to be educational, with no punitive actions occurring based on the results. Individual results will be kept private, but large-scale results and trends may be shared with appropriate partners within UNI. The sole purpose of the project is to educate the community and provide examples of things to watch for in real-life phishing messages.
Messages identified by the recipient to be part of this project may be forwarded to phishing@uni.edu.
Phishing, vishing, and smishing are three made-up words that refer to the way bad actors may try to trick you and steal your stuff! Phishing uses email as the primary hook, vishing uses voice phone calls to do the same, and smishing uses text messages (SMS) to interact. The latter two are growing in popularity because they remove the traditional Information Security buffer between the bad guys and the potential victim. More information on smishing can be found at https://www.sans.org/newsletters/ouch/text-messaging-attacks-smishing-saga/
The summer season is upon us, and soon millions of people will be traveling all over the world. If you are going on vacation, here are some travel tips to help keep you cyber savvy and safe. Read more here: https://www.sans.org/newsletters/ouch/simple-steps-vacation-cybersecure/
Social engineering attacks, in which adversaries trick people into doing something they shouldn’t, are one of the most common methods that cyber attackers use to target people. The concept has been used by con artists and scammers for thousands of years. What is new is that the Internet makes it very easy for a cyber-criminal anywhere in the world to pretend to be anyone they want and target anyone they want. Read more at https://www.sans.org/newsletters/ouch/top-ways-attackers-target-you/
Passcodes generated by the Duo mobile app have traditionally been HOTP (HASH-based one-time password) codes. Many other passcode-generating applications, e.g., Google Authenticator and Microsoft Authenticator, have used TOTP (TIME-based one-time password) codes. HOTP passcodes remain valid until they are used, while TOTP passcodes expire after 30 seconds.
In the past few months, Duo has added the TOTP feature to passcodes generated by the Duo mobile app. Our plan was to make a gradual move from HOTP to TOTP, and that had begun for a number of staff in Information Technology. Those plans changed abruptly last evening when a number of UNI accounts fell victim to a phishing attack that stole not only each victim's password but also one or two Duo mobile app passcodes. The bad actors used that information to add their own device to the victim's Duo account, giving them continued access until the victim's password was changed. Not good!
To stem the tide last evening, Information Security made two changes, one temporary, one permanent, to Duo policy.
- The Duo mobile app will now generate TOTP passcodes instead of HOTP passcodes. This is a permanent change and should be largely transparent to the few users using mobile app passcodes for logging in. There are only 50-60 users of this method per day.
- Duo mobile app passcodes were temporarily disabled to stem the tide of account takeovers. This occurred at approximately 7:30pm last evening and will be reverted this morning.
Thank you for your cooperation and understanding. Also, special thanks to the small team of talented IT staff that worked several hours last evening to respond to and mitigate this incident.
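The difference between the two passcode types can be shown with a short Python example, added here for illustration and not taken from Duo or UNI: it implements HOTP (RFC 4226) and TOTP (RFC 6238) and checks whether a captured passcode is still accepted after a delay. The secret is the RFC test key, and the look-ahead window and clock-skew allowance are assumptions, not Duo's actual settings.

```python
import hashlib
import hmac
import struct

# Constructed sample secret (the RFC 4226 test key), not a real Duo secret.
SECRET = b"12345678901234567890"
STEP = 30  # TOTP interval in seconds


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6):
    """RFC 6238: HOTP with the counter replaced by the 30-second interval."""
    return hotp(secret, unix_time // STEP, digits)


def verify_hotp(secret, code, server_counter, look_ahead=3):
    """Return the next server counter on a match, else None.
    Time is not an input, so an unused code never expires."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def verify_totp(secret, code, now, skew_steps=1):
    """Accept codes from the current interval or skew_steps either side."""
    return any(hmac.compare_digest(totp(secret, now + d * STEP), code)
               for d in range(-skew_steps, skew_steps + 1))


def phished_code_lifetime(delay_seconds, captured_at=1000):
    """Codes captured at captured_at are replayed delay_seconds later."""
    hotp_code = hotp(SECRET, 0)   # generated by the user, never used
    totp_code = totp(SECRET, captured_at)
    replay_time = captured_at + delay_seconds
    return {
        "hotp_accepted": verify_hotp(SECRET, hotp_code, 0) is not None,
        "totp_accepted": verify_totp(SECRET, totp_code, replay_time),
    }


if __name__ == "__main__":
    print(phished_code_lifetime(10), phished_code_lifetime(600))
```

With these assumed settings, the TOTP passcode is rejected once the replay falls outside the allowed interval, while the unused HOTP passcode is accepted no matter how much time has passed.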
Messaging serves as a primary mode of communication in both our personal and professional lives. However, quite often we can be our own worst enemy when it comes to text messaging safely and securely. Learn the most common mistakes people make and how you can avoid them in your day-to-day lives. Read more at https://www.sans.org/newsletters/ouch/messaging-dos-and-donts/