Security & Safe Computing Updates

1 week 2 days ago

Passcodes generated by the Duo mobile app have traditionally been HOTP (HMAC-based one-time password) codes. Many other passcode-generating applications, e.g., Google Authenticator and Microsoft Authenticator, use TOTP (time-based one-time password) codes. HOTP passcodes remain valid until they are used, while TOTP passcodes expire after 30 seconds.

In the past few months, Duo has added the TOTP feature to passcodes generated by the Duo mobile app. Our plans were to make a gradual move from HOTP to TOTP, and that had begun for a number of staff in Information Technology. Those plans changed abruptly last evening when a number of UNI accounts became the victims of a phishing attack, one that stole not only the victim's password but also one or two Duo mobile app passcodes from each. The bad actors used that information to add their own device to the victim's Duo account, giving them continued access until the victim's password was changed. Not good!

To stem the tide last evening, Information Security made two changes, one temporary, one permanent, to Duo policy.

  1. The Duo mobile app will now generate TOTP passcodes instead of HOTP passcodes. This is a permanent change and should be largely transparent to the few users using mobile app passcodes for logging in. There are only 50-60 users of this method per day.
  2. Duo mobile app passcodes were temporarily disabled to stem the tide of account takeovers. This occurred at approximately 7:30pm last evening and will be reverted this morning.
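As an added illustration (not Duo's code or anything from the original post), the following minimal RFC 4226 (HOTP) and RFC 6238 (TOTP) implementation shows why change 1 matters: a phished HOTP passcode stays usable until it is consumed, while a phished TOTP passcode only survives its 30-second step. The secret is the RFC test-vector key, and the two verifier classes are my assumptions about how a typical server checks codes.

```python
# Added illustration of the HOTP -> TOTP replay window; not Duo's code.
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # the RFC 4226/6238 test-vector key, a constructed demo seed
DIGITS = 6
STEP = 30  # seconds per TOTP time step

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP whose counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)

class HotpVerifier:
    """Assumed server side for HOTP: any unused counter in the look-ahead window is accepted."""
    def __init__(self, secret: bytes, look_ahead: int = 20) -> None:
        self.secret, self.next_counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # this counter and earlier ones are now burned
                return True
        return False

class TotpVerifier:
    """Assumed server side for TOTP: only the current step (plus/minus skew for drift) is accepted."""
    def __init__(self, secret: bytes, skew: int = 1) -> None:
        self.secret, self.skew = secret, skew

    def verify(self, code: str, now: int) -> bool:
        return any(hmac.compare_digest(totp(self.secret, now + d * STEP), code)
                   for d in range(-self.skew, self.skew + 1))

def phished_code_accepted(kind: str, captured_at: int, replayed_at: int) -> bool:
    """Would a passcode captured at captured_at still log an attacker in at replayed_at?"""
    if kind == "hotp":
        # Victim's app was at counter 0 and the code was never consumed at the real site.
        return HotpVerifier(SECRET).verify(hotp(SECRET, 0))  # wall-clock time is irrelevant
    return TotpVerifier(SECRET).verify(totp(SECRET, captured_at), replayed_at)
```

Note that TOTP only narrows the window: a code relayed within the same step (or the adjacent one, if the server allows skew) is still accepted, which is why the second, temporary change was also needed.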

Thank you for your cooperation and understanding. Also, special thanks to the small team of talented IT staff that worked several hours last evening to respond to and mitigate this incident.

1 month 1 week ago

Messaging serves as a primary mode of communication in both our personal and professional lives. However, quite often we can be our own worst enemy when it comes to text messaging safely and securely. Learn the most common mistakes people make and how you can avoid them in your day-to-day lives. Read more at https://www.sans.org/newsletters/ouch/messaging-dos-and-donts/

2 months 6 days ago

In today's digital age, your personal information is more valuable than ever. Unfortunately, this also makes it a prime target for identity theft. Understanding this threat, detecting it, and knowing how to protect yourself are essential elements in safeguarding your online digital life. Read more at https://www.sans.org/newsletters/ouch/identity-theft-prevent-detect-respond/

4 months 1 week ago

Are you tired of constantly creating complex passwords? Frustrated with having to remember and type all those characters, symbols and numbers? Well, we have a solution for you: the ever-powerful passphrase! Read more at https://www.sans.org/newsletters/ouch/power-passphrase/

6 months 1 week ago

For UNI-managed computers, IT takes care of ensuring that the machine you use is kept up-to-date and patched. For personally-owned devices, including many devices that aren't "computers", the update responsibility is squarely on your shoulders. Some devices provide "automatic updates". Turn that on and take advantage of it! Otherwise, set a reminder at least once per month to check for updates and apply those that are available. Read more at https://www.sans.org/newsletters/ouch/power-updating/

6 months 3 weeks ago

QR codes are everywhere: you can see them on posters and leaflets, ATM screens, price tags and merchandise, historical buildings and monuments. People use them to share information, promote various online resources, pay for their goodies, and pass verification. And yet you don’t see lots of QR codes in email: users often read messages on their phones without any other device handy for scanning. As such, most letters come with ordinary hyperlinks instead. Nevertheless, the attackers increasingly turn to QR codes delivered through email. Read more at https://securelist.com/qr-codes-in-phishing/110676/

7 months 3 weeks ago

It’s clear that users remain a key target for threat actors looking to gain a foothold in corporate systems. In the past, businesses have placed the onus on users – expecting them to know what to look out for and identify phishing attacks – but with techniques becoming more convincing, a new approach is needed. Read more at https://www.infosecurity-magazine.com/blogs/how-can-users-stay-protected/

8 months 2 weeks ago

UNI IT has chosen Bitwarden as its licensed partner for an enterprise password manager. Bitwarden also offers free accounts that should be more than adequate for most uses. Migration from other password managers is generally available and documented on Bitwarden's website. For more on password managers in general, see https://www.sans.org/newsletters/ouch/power-password-managers/

9 months 2 weeks ago

Phone call scams are sometimes preferred by bad actors because they provide a direct connection between the bad actor and the potential victim. Guidance to protect yourself can be found at https://www.sans.org/newsletters/ouch/stop-phone-call-scams/

10 months 1 week ago

Your financial accounts are a primary target for cyber-criminals. You have money, and they will do anything to steal it. By financial accounts, we mean not only your checking or savings accounts, but also investments, retirement, and online payment accounts like PayPal. Fortunately, with some simple, fundamental steps, you can protect yourself. Read the details at https://www.sans.org/newsletters/ouch/securing-financial-accounts/
