State of Security – Cyber Security Awareness Month 2017

The State of Security 2017
October is the first full month of fall (and sometimes even feels like it), National Pizza Month, National Dental Hygiene Month (so brush your teeth after you finish your pizza) and National Cybersecurity Awareness Month. I would prefer to write about pizza, but since I work in IT, it think we will look at some cybersecurity issues.

Most areas of cybersecurity concern showed an increase through the first part of 2017. One area where that is not true has been exploit kits, which are software packages used by cybercriminals to attack computers. Three major exploit kits vanished in 2016: Angler, Nuclear and Neutrino. Angler disappeared following a series of arrest of Russian cybercriminals; it is unknown what prompted Nuclear and Neutrino to go offline. (One reason may be the patching of a number of Flash-related vulnerabilities and Oracle’s removal of the Java browser plugin, both of which were popular targets for exploit systems.)¹ (more…)

Mobile Device Security When Traveling Abroad – Cyber Security Awareness Month 2017

Securing Your Data: Mobile Device Security When Traveling Abroad

If you need a laptop computer, borrow a loaner from your departmental IT support group. Ensure the laptop has the necessary software you plan to use on your trip. When you return, the IT Specialists should clean the computer (wipe the drive and reinstall software). Assume the laptop computer will become infected with malware while traveling; the cleaning process protects other devices from becoming infected once the laptop computer returns to the local network.

• If your departmental IT support group has a loaner mobile device (for example, iPad, Android tablet), you may consider using it rather than your personal device.
• Unless it is absolutely necessary, disable wireless technologies on your laptop computer and cell phone such as Bluetooth and Wi-Fi. Bluetooth headsets are strongly discouraged and should not be taken with you. When these technologies are needed, make sure all local shared folders are password protected. Wireless technologies can be used to gain entry to hosted devices such as laptop computers, mobile devices and cell phones. Once entry has been gained, access to intellectual property, proprietary information, files and passwords becomes available. In addition, keyloggers can be installed which collect all keystrokes and store them into a file that is later downloaded.
• Never let your cellular phone and mobile devices out of sight. When not being used, turn off your cell phone and mobile devices. Minimize the data contained on the device. Some phones can be remotely controlled so that the microphone and camera are enabled which allows remote users to listen to, watch, and record conversations.
• When connecting to the internet via wired or wireless, use OSU’s virtual private network (VPN) software to access the internet. A VPN provides for a secure and encrypted connection to the internet.
• Be aware of all usernames and passwords you use while traveling. Once you return, change these passwords. Consider creating a temporary account on Gmail or Yahoo before you leave that can be used for email communication. Limit use of instant messaging and text messaging.
• When using thumb/USB drives, use a PIN and encryption code to protect the data. If the drive is scanned or lost, the data is more secure when protected with an extra layer of encryption technology.
• Unless calls from your cell phone are encrypted, the foreign government can monitor them even if you use a U.S. cellular company’s service. Be aware of communicating confidential or proprietary information. Some users may consider a pre-paid cellular phone that can be disposed of upon returning to the U.S.
• Do not take unneeded car/house keys and credit cards. Clean out your billfold/purse of any financial information such as bank numbers and logins/passwords.
• The U.S. Government’s “Smart Traveler Enrollment Program” can be helpful in planning your trip and ensuring a safe return: https://step.state.gov/step/.

Preventing Phishing – Cyber Security Awareness Month 2017

With the increase in fraudulent emails to Oklahoma State University employees over the past year, now is as good a time as any to develop best practices for keeping your devices malware free and your information secure. October is National Cyber Security Awareness Month and with the help of the Department of Homeland Security and the National Cyber Security Alliance, DASNR IT is here to shed some light on phishing attacks.

Phishing (pronounced “fishing”) is the attempt to obtain sensitive information such as usernames, passwords, and credit card details often for malicious reason, by disguising as a trustworthy entity in an electronic communication.[1]

A phishing email can look like it comes from a financial institution, your favorite online shopping website, or even Oklahoma State University itself. Many of these emails are asking you to act quickly because, for example, your account has been compromised and a recent online order cannot be fulfilled without payment. Stop and think before deciding to click any links or open any attachments that might have come with these emails.

According to Symantec [2] the vast majority of malicious emails will contain links that will take you to websites containing malware or the message will have attachments infected with malware. If you are unsure if an email request is legitimate, try contacting the company directly using information you already know or info that can be easily obtained online.

Phishing, spam, and other scams aren’t limited to just email. Social networking sites such as Facebook are also prevalent with malware. Online advertisements, Facebook status updates, and tweets can also contain malicious links, so “when in doubt, throw it out.” Most online sites, including social networking and media websites, have ways to report spam and phishing as well.

Oklahoma State University has a way to report fraudulent email. You can forward any email you receive to your okstate.edu account and believe to be malicious to spam@okstate.edu which is monitored by OSU IT Security. When they find malware that is contained in the email links or attachments, they can respond to the email administrators and then initiate filters to, hopefully, prevent anyone else from getting the email as well.

Below are some links with more information to help you remain vigilant against phishing attacks and, as always, contact your support specialist if you need any further information.

• https://www.dhs.gov/publication/ncsam-phishing-awareness-2017-poster
• https://www.dhs.gov/science-and-technology/cyber-tip-become-cyber-savvyprotect-against-phishing-attacks
• https://www.dhs.gov/sites/default/files/publications/Phishing_0.pdf
• https://staysafeonline.org/stay-safe-online/online-safety-basics/spam-and-phishing/

[1] https://en.wikipedia.org/wiki/Phishing

[2] https://www.symantec.com/security-center/threat-report

Recovery After A Data Breach – Cyber Security Awareness Month 2017

You have done everything you are supposed to: You don’t use the same password more than once, you don’t click on the fake links in your email or on websites, you use two-factor authentication when you log into websites[1] and you have credit monitoring on your accounts. Then you learn a company you rely on to keep your data private has been hacked. The company has suffered a massive data breach and hackers have your private information. Now what?

First, be aware scammers may have obtained your email address and sent you a falsified email message. After a major data breach, such as the recent one with Equifax[2], hackers often send emails to people trying to get anxious individuals to click on provided links to phishing websites, sites that may look legitimate but ask people to enter private information the cyber criminals then steal. Instead of clicking on links in these types of messages, look up the stated company online and go directly to the website identified by the search engine rather than clicking the link in the possibly falsified original email; better yet, contact the company by telephone and check things out verbally first. In the case of Equifax, the company added a web link and additional information on their page enabling people to check and see if they were affected.

Second, understand your options. The Federal Trade Commission has set up a site that provides additional information[3]: https://identitytheft.gov/. This site can help put together a plan of action both before and after your information has been used by hackers[4]. The FTC offers preventative measures like freezing your credit and signing up for credit monitoring. They also include a list of sites you can visit to see if your information was leaked.

As we become more and more digitally connected, we know these types of issues will continue to happen. Being prepared and having a plan when – and it is when and not if – a data breach happens will allow you to minimize further damage.

[1] http://spotlight.okstate.edu/dasnrit/2017/10/04/passwords-cyber-security-awareness-month-2017/
[2] https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
[3] https://identitytheft.gov/Assistant
[4] https://www.identitytheft.gov/Info-Lost-or-Stolen

Cyber Security Awareness Month: Malware on my phone!

October is Cyber Security Awareness month, which makes it a great time to review security on your mobile devices. Instead of elaborating on the staggering statistics showing that malware infections on mobile devices is at an all-time high[1], I wanted to share a personal experience of malware on my cell phone.

A couple months ago I experienced a malware attack on my phone. While at home, I scrolled through Facebook and noticed a link to an article about an accident that had taken place in my home city. The article piqued my curiosity so I clicked the link and instantly regretted my decision. The link opened a website that had been hacked: Multiple popups displayed on my phone screen stating my phone had a virus, and then my phone started vibrating and buzzing like a swarm of bees. After a couple seconds of utter shock I took the following steps to ensure my device was safe and my accounts had not been hacked.

First, I closed the Facebook app without selecting any icon on the screen or attempting to close out the page. I returned to the home screen by pressing the home button. Then, I pressed the button to open recent apps and closed all open applications. (Both Android and Apple devices have this ability.) Using Lookout[2], a mobile security app, I ran a full security scan on my phone. Thankfully, Lookout found that my phone was not infected.

Second, I needed to ensure that my password had not been stolen. On my computer I logged into Facebook and changed my password. From within Facebook, I could force a log out on all devices currently connected to Facebook. I reviewed recent posts to my account. Every post was mine and there was no suspicious activity. As a precaution I uninstalled the Facebook app on my phone then reinstalled it to be sure there were no remnants of malware left on my device. Over the next few days I kept a close eye on the accounts currently connected from my phone to ensure they had not been compromised.

Thankfully, my phone was not infected but it was a frightening experience that emphasized the importance of mobile security. When a similar experience happens to you, it is important you have a plan to lessen its impact. Perhaps the single most important thing you can do to protect your mobile device – and the apps that affect your personal identity – is install an anti-malware security program. Avast[3] and McAfee[4] are great security programs available for both iOS and Android phones. Another good tip is to only save login information for accounts that contain non-critical information. Finally, be cautious with links on social media sites, when downloading new apps, and with any pop-ups on your mobile device. Had I been more cautious, I would not have followed the link in Facebook.

[1] https://www.networkworld.com/article/3185766/security/malware-infection-rate-of-smartphones-is-soaring-android-devices-often-the-target.html

[2] https://www.lookout.com/

[3] https://www.avast.com/

[4] https://www.mcafee.com/

P@55w0rdS! – Cyber Security Awareness Month 2017

Creating secure passwords is critical to protecting your online accounts, your personal data, and your identity. October is National Cyber Security Awareness Month, and it is a perfect time to review your passwords!

Through websites and smartphone apps we shop, read email and scan social media sites, review credit card transactions, and check bank accounts. In the process, we create and maintain a number of passwords. Today’s news of companies whose databases of stored passwords are compromised quickly reminds us: no password is unimportant!

We are encouraged to create secure passwords, but what constitutes a secure password? According to Google strong passwords contain a mix of letters, numbers and symbols. “An eight-character password with numbers, symbols and mixed-case letters is harder to guess because it has 30,000 times as many possible combinations than an eight-character password with only lower case letters.”[1] But it may be a challenge to remember each unique password! If you create password from a mix of random characters, you may find yourself writing them down to ensure you don’t forget it. StaySafeOnline[2] recommends to “focus on sentences or phrases that you like to think about and are easy to remember.” I like to choose lyrics of favorite songs. For example, using the OSU Alma Mater I might choose the first letter of the opening lyrics: Proud And Immortal Bright Shines Your Name. So it would look like ‘paibsyn.’ Then I would adjust it to include some capitalized letters, a number and symbol. Such as “Pa!bsyN2017”. Keep in mind, when adding a number to your password, it is recommended to avoid using a number of importance such as an anniversary or birthday.

Another recommended practice for securing your accounts and your passwords is to enable two-factor authentication which adds a layer to your login process. Many sites, such as Google, Apple and credit card companies, now use this feature either as an option or as a mandatory practice. For example if I log into my Gmail account from a new device, I receive a text message with a code I must enter before I can access my email. This helps prevent hackers from accessing your account as it is one more step to access your personal data.[3]

Following these practices to maintain secure passwords may not prevent your personal information from being compromised, but it will make it harder for cyber criminals. Your online security should always be a priority. It’s far easier to protect yourself now then after your data has been compromised.

[1] https://support.google.com/accounts/answer/32040?hl=en

[2] https://staysafeonline.org/cybersecure-business/protect/

[3] https://www.dhs.gov/blog/2015/10/13/staying-protected-while-always-connected