Information Security Updates

5 years 8 months ago

Social engineering is a term you often hear IT pros and cybersecurity experts use when talking about Internet threats like phishing, scams, and even certain kinds of malware, such as ransomware. But its definition is broader than that. Social engineering is the manipulation of, or the taking advantage of, human qualities to serve an attacker's purpose. It preys on a number of human traits to gain an advantage: curiosity, fear, desire, doubt, empathy and sympathy, ignorance, naïveté, inattentiveness, and complacency. This blog entry from Malwarebytes helps you recognize potential attacks and counter them. https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2018/08/social-engineering-attacks-what-makes-you-susceptible/

5 years 9 months ago


In the recent "Sextortion" campaign, attackers quoted one of the victim's actual compromised passwords to convince the victim that they had access to the victim's system and had recorded video of them watching pornography. The claimed hack was false: the attackers had harvested only passwords, names, and email addresses from old data breaches, and had nothing else to work with. Nonetheless, the threat of exposing the victim's supposed browsing habits was an effective lead-in to "give me some money". Five key takeaways to avoid being caught by phishing:

  1. Avoid clicking on links and attachments in email
  2. Urgency should be a giant red flag
  3. Don't re-use passwords
  4. Don't respond to spam or phishing emails
  5. Don't pay off extortionists

Read more at https://krebsonsecurity.com/2018/08/the-year-targeted-phishing-went-mainstream/

5 years 9 months ago

Other universities are reporting a new phishing effort that starts with an email message, purporting to come from the university president, that carries a malicious PDF. The PDF contains a link to a fictitious "Microsoft Reader" page that demands credentials before the document can be viewed. In our case, the credentials it asks for would of course be your CatID.

Subject:  [ACTION REQUIRED] <university> Revised and Updated Business Integrity & Policy Guidelines For All Employees

Please forward any examples of this or similar messages to security@uni.edu and phishing@uni.edu

5 years 9 months ago

Because I routinely recommend KeePass as a good choice for a standalone password safe, I think it's important to bring this fake KeePass site to your attention.

A French security researcher has stumbled upon an adware delivery scheme that uses clone websites with legitimate-looking domain names to trick victims into downloading well-known apps, but the installers on offer are laced with adware.

The first of these websites was discovered three days ago by Ivan Kwiatkowski. It was located at keepass.fr, a domain name trying to pass as the app's official site at keepass.info.

The complete article is available at https://www.bleepingcomputer.com/news/security/fake-websites-for-keepass-7zip-audacity-others-found-pushing-adware/
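Both the fake "Microsoft Reader" link in the phishing PDF above and the keepass.fr clone site rely on a hostname that looks like the real one. The following is an added example, not code from either article or from any vendor, of a small check a mail filter or help desk script could run over the URLs in a message: it compares each URL's hostname against a list of trusted domains and reports the common lookalike patterns (same name under a different TLD, a one-character typo, or the trusted name buried in a longer hostname such as uni.edu.login-portal.example). The trusted list, the sample URLs and the hostnames ending in .example are constructed for illustration; the code treats the last DNS label as the TLD, which is a simplification (it does not consult the public-suffix list, so co.uk-style domains would need extra handling).

```python
"""Flag lookalike hostnames in URLs against a list of trusted domains.

Added example for the phishing-PDF and fake-KeePass posts; the trusted
list and sample URLs below are constructed, not taken from either article.
"""
from urllib.parse import urlparse

# Assumed allow-list of domains we expect users to reach legitimately.
TRUSTED = {"keepass.info", "7-zip.org", "audacityteam.org", "uni.edu"}


def registrable_parts(host):
    """Return (name, tld) for a hostname, dropping subdomains.

    Simplification: the last label is treated as the TLD; there is no
    public-suffix handling, so 'example.co.uk' would come back as
    ('co', 'uk').  Returns None for a bare single label.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_url(url, trusted=TRUSTED):
    """Classify a URL's hostname relative to the trusted domains.

    Returns one of: 'invalid', 'ip-literal', 'trusted', 'embedded:<t>',
    'tld-swap:<t>', 'typosquat:<t>' or 'unknown'.  URLs must carry a
    scheme; urlparse yields no hostname for 'keepass.fr/download'.
    """
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "invalid"
    if host.replace(".", "").isdigit():
        return "ip-literal"          # raw IPs are rare in legitimate mail
    parts = registrable_parts(host)
    if parts is None:
        return "invalid"
    name, tld = parts
    if f"{name}.{tld}" in trusted:
        return "trusted"             # exact registrable domain, any subdomain
    dotted_host = "." + host + "."
    for t in sorted(trusted):        # sorted for a deterministic verdict
        # Trusted name appears as a subdomain of something else:
        # keepass.info.evil.example, uni.edu.login-portal.example
        if ("." + t + ".") in dotted_host:
            return "embedded:" + t
        t_name, t_tld = registrable_parts(t)
        if name == t_name:
            return "tld-swap:" + t   # keepass.fr vs keepass.info
        if edit_distance(name, t_name) == 1:
            return "typosquat:" + t  # keepas.info, 7zip.org
    return "unknown"


def scan_urls(urls, trusted=TRUSTED):
    """Return only the URLs that are not trusted, with their verdicts."""
    verdicts = {u: classify_url(u, trusted) for u in urls}
    return {u: v for u, v in verdicts.items() if v != "trusted"}


# Constructed sample of links extracted from a message; not real data.
SAMPLE_URLS = [
    "https://www.keepass.info/download.html",
    "http://keepass.fr/download",
    "http://keepas.info/KeePass-Setup.exe",
    "https://keepass.info.evil.example/reader",
    "https://uni.edu.login-portal.example/microsoft-reader/?CatID",
    "http://10.0.0.1/reader",
]

if __name__ == "__main__":
    for url, verdict in scan_urls(SAMPLE_URLS).items():
        print(f"{verdict:28} {url}")
```

Anything other than "trusted" deserves a second look before clicking, and a "tld-swap" or "embedded" verdict on a download site is exactly the keepass.fr pattern the article describes. The one-character typosquat check is deliberately narrow; widening it to larger edit distances quickly produces false positives on short names such as uni.edu.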

6 years 3 months ago

January 28th is National Data Privacy Day, an educational initiative focusing on raising awareness among businesses and individuals about the importance of protecting the privacy of personal information. With more and more information being collected by companies, websites, and social media, this is something everyone should consider.

To understand the importance of Data Privacy Day, it is vital to understand Personally Identifiable Information (PII) and exactly what privacy is. PII is any combination of data points that can lead to the identification of a specific individual (you). This can mean things such as your name or email address, but most often the term refers to "sensitive PII" such as Social Security, driver's license, state identification, or financial account numbers. Ordinary PII also becomes sensitive when it is combined with another piece of information about you, such as a birthdate, medical information, or a password. The more pieces of data that are combined about an individual, the more valuable and sensitive the body of information becomes.

Privacy is often equated with confidentiality, which is keeping information secret from those who should not see it. While that is an aspect of privacy, often called "need to know," privacy is much more. Privacy is a larger concept centering on you as the individual to whom the information refers. It is about your rights to access, correct, and control the information that another entity holds about you.

Privacy Rights:

Organizations that honor your privacy will not only protect confidentiality, but should follow a set of principles related to how they manage your information, including:

  • Not collecting more information than they need to conduct their business with you;
  • Informing you of what they will do with the information that they collect and not doing more with it than they have promised;
  • Retaining the information for only as long as it is needed and then properly destroying the information;
  • Not sharing your information with others without your permission, except as required by law;
  • Allowing you to review and correct information if necessary.

To understand your privacy rights it is essential that you read the privacy policies of any organization to whom you provide information, especially PII. This includes websites, health care providers, insurance companies, and financial institutions. If you do not agree with how they intend to protect your privacy, consider not using their service.

Privacy is a Shared Responsibility:

While organizations and websites have a responsibility to protect your privacy, which most will outline in their privacy policy, this is also your responsibility. Social media users are especially exposed. Individuals voluntarily place enormous amounts of information about themselves, their friends, and their associates on social media. It is critical that everyone is aware of the information they post on social media services such as Facebook, LinkedIn, Snapchat, and Twitter. This awareness is not limited to what you post about yourself, but extends to what you post about others as well!

Identity Theft Protection:

Despite many organizations' best efforts to handle and use your private information properly, the countless breaches of PII by cyber criminals in the past few years have exposed information about millions of people. A common response to such breaches is to offer one year of credit monitoring. This is a very short period for such protection. Those who stole the information, or those to whom they have passed it on, may hold it for much longer than a year before using it to steal your identity, commit credit card fraud, or worse in your name. If you have been a victim of a breach, check out the FTC's resources on placing a credit freeze to protect yourself.

If you are considering Identity Theft protection services, research the firms that you are considering engaging and ensure you understand the services they will and will not provide. Also, read their privacy policies, because for them to deliver these services you must provide them with varying amounts of PII.

Protecting privacy is both your responsibility and that of those individuals and organizations that have information about you. Do everything in your power to be aware of how you personally can compromise your privacy and hold those organizations that you engage with accountable for their management, or mismanagement, of your personal information.

For More Information:

US-CERT Data Privacy Day Events

Online Trust Alliance Data Privacy & Protection website

Stay Safe Online website: National Cyber Security Alliance

Forbes, Data Privacy Day: Easy Tips to Protect Your Privacy
