Archive for 2013

Ransomware Infections on the Rise.


In a recent news release, US-CERT (the United States Computer Emergency Readiness Team) stated that it is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker, a new variant of ransomware, restricts access to infected computers and demands that the victim pay the attackers in order to decrypt and recover their files. At this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Everyone who makes use of computer systems, including email, should be on guard for these types of malware infection attempts.  In many cases the email will appear to be legitimate and harmless but you need to ask yourself if you were expecting this communication, and if not, contact the sender to make sure it's legitimate.

To help mitigate any loss of data should you fall victim to this infection, take regular backups of your system and store your important files on your file server, which is backed up regularly.

To get more information about CryptoLocker, follow this link to the US-CERT website and think before you click!

NCSAM - Featured Video of the Week - "Don't be a Billy"!


In celebration of National Cyber Security Awareness Month this October we will be featuring an Information Security video each week.  Please take the time to review this video which reviews a number of information security safety tips, and also how not to be a Billy.

NCSAM Featured Video of the Week!


In celebration of National Cyber Security Awareness Month this October we will be featuring an Information Security video each week.  Please take the time to review this video on MALWARE and how best to combat it.




October is National Cyber Security Awareness Month




Each and every one of us needs to do our part to make sure that our online lives are kept safe and secure. That's what National Cyber Security Awareness Month—observed in October—is all about!


Please take the time to review some of our resources available to help you become more aware of the current landscape for cyber-threats.


Don't give away your data when you give away your handheld device.


Be careful before you resell or give away your handheld devices such as smart phones or any other device that can store data. The new owner will be able to uncover your previous data from the device, including IDs, passwords or any other personal information that may have been stored. At a minimum, figure out how to reset it to the factory standard before turning it in or reselling it. Refer to your manual or call the manufacturer. Follow this link for more information on deleting data.

How to spot a phishing email.


With the recent flurry of phishing emails being received these days I thought I would post this quick guide to assist you in determining if the email you received may actually be a phishing email.

It could be a phishing email if:

  • There are misspelled words in the email or it contains poor grammar.
  • The message is asking for personally identifiable information (PII), such as credit card numbers, account numbers, passwords, PINs or Social Security Number.
  • There are "threats" or alarming statements that create a sense of urgency.  For example: "Your account will be locked until we hear from you" or "We have noticed activity on your account from a foreign IP address".
  • The domain name in the message isn't the one you're used to seeing.  It's usually close to the real domain name but not exact.  For example:
    • Phishing Website:  www.regionsbanking.com
    • Real Website:  www.regions.com



Paper Files Have to be Protected Too!


You've probably heard that "To err is human, but to foul things up completely you need a computer". We know it's important to protect the large databases that we use to store data, but we shouldn't ignore our paper records. The amount of information held on paper may be much smaller than in databases, but many of the most serious leaks happen through very human methods — reports stolen from desktops or read over someone's shoulder. Sensitive paper files should be locked away when they are not being used and shouldn't be read in public places.

Google Strengthening Keys on SSL Certificates to 2048 Bits


As attacks against cryptographic systems and the SSL infrastructure have advanced in recent years, experts have begun to fret about the future utility of the system. Companies that rely on the security of the SSL technology are beginning to take steps to address the issue, with the latest being Google, which is planning to change the length of the keys on all of its SSL certificates to 2048 bits.


Think Before you Click!


Be cautious about all communications you receive, and clicking on links in an email, instant message or a website. Even if you know and trust the sender of the email, or an instant message, or are on a known website or a friend's social networking page, it is still prudent to use caution when navigating pages and clicking on links or photos, because links, images or other content contained on the pages may include malicious code placed there by hackers.

For more information, please visit:
SANS OUCH! Newsletter on "Email Phishing Attacks"

Protect Yourself When Using Cloud Services


In simplest terms, cloud computing is a subscription-based or free service where you can obtain networked storage space and other computer resources via the Internet. While these systems may remove the need for owning physical components, they also introduce new risks to your information. Before you float your digital assets to the cloud, make sure you take the appropriate steps to protect yourself.

  • Know your needs. Before you start, make sure you carefully plan what your security and privacy needs are. This includes knowing what your legal and regulatory requirements are for protecting data.
  • Read the contracts. End User License Agreements and Service Level Agreements are important because they describe the terms and conditions of the cloud service. If you're not sure of what they do or do not provide, contact the provider to clarify the services.
  • Protect your machine. Enable your firewall, use anti-virus/malware and anti-spyware software.
  • Protect your data. Don't store unencrypted sensitive information in the cloud. You don't know with whom you're sharing the cloud!

Don't Reply to Unsolicited Email Messages (SPAM).


By responding to these messages, you're only confirming that your email address is active. Another thing you shouldn't do is click the "remove me" link in the message. Links in email can point to an IP address other than what is being represented or referenced. The best thing you can do is delete the message. 


Many free email service providers (MSN hotmail, Yahoo!, AOL or GMail) will allow you to easily report it as spam if you received it through their email systems.

The Dangers of Peer-to-Peer (P2P) Sharing


Peer-to-peer (P2P) networking is a popular method for sharing files, music, photographs and other information. Just remember that this method can come with its share of major risks. It is best to know with whom you are sharing data and files versus browsing for a site that you believe meets your criteria. The data you receive may be corrupted with malware or expose you to legal ramifications (e.g., copyrights, pirated software or music). So, be safe and know what your P2P buddy is offering before you load a copy onto your device.


Scan Your Computer


Once an anti-virus and/or anti-spyware package has been installed on your computer, you should scan your entire computer periodically. If your anti-virus package has the ability to automatically scan specific files or directories and prompt you at set intervals to perform complete scans, enable this feature.

What can I do to protect my computer?

  • Don't click on pop-up ads that advertise anti-virus or anti-spyware programs 
  • Use and regularly update firewalls, anti-virus, and anti-spyware programs 
  • Properly configure and patch operating systems, browsers, and other software programs. 
  • Turn off ActiveX and Scripting, or prompt for their use.

Network Groupshares Now Available


The issue with our groupshares has been identified and corrected. The parties who had their workstations affected have been contacted and are in the process of having their workstations corrected. No data was lost as a result of this issue.

Network groupshares are now available for use.  Public drive Z: will not be available until Noon today.

Network Groupshares Currently Unavailable.


The following network groupshare drives are currently offline, G:\, H:\ and Z:\ drives. T&C Infrastructure is currently researching the issue. Please navigate to the T&C Information Security web page for status updates. The next update is scheduled for 9:00 AM unless the issue is resolved before then.

New Cloud Security Awareness Video Now Available.


A new video released by SANS.org is available this month to help you learn what the cloud is and how you can use it securely.

E-mail is insecure by default. It's more like a postcard than a sealed envelope.


Many people are under the misconception that when they draft and send e-mail, two things occur. Their message gets sealed in a (virtual) envelope (that's why you have to open e-mail right?) and that it goes directly to the person it was sent to via internet magic. 


The truth is your e-mail is sent in plain open text (i.e. readable by anyone who picks it up along the way) and is passed around the Internet with multiple stops until it reaches its destination. People with evil intentions can intercept your e-mail, read it or even alter it before it reaches your intended recipient.  For this reason you should only be sending information over email that you're willing to have shared with the virtual world.

Check for encryption or secure sites when providing confidential information online.


Credit card and online banking sites are convenient and easy ways to purchase and handle your financial transactions. They are also the most frequently spoofed or "faked" sites for phishing scams. Information you provide to online banking and shopping sites should be encrypted and the site's URL should begin with https. Some browsers may also have an icon representing a lock at the lower right of the browser window. 


For more information about phishing, please visit http://www.onguardonline.gov/phishing.html

New Social Networking Security Awareness Video Now Available


A new video released by SANS.org is available this month to help you learn some of the most common risks of online social networking and the steps you can take to protect yourself and your family.

April 2013 - secureCI Monthly Newsletter



secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at Channel Islands


Social Networking Safely
In This Issue…
  • Overview
  • Privacy
  • Security
GUEST EDITOR
Ted Demopolos is the guest editor for this issue. He is a longtime security consultant and has been teaching SANS courses for a decade, including SEC401/501 and MGT 414/512. Learn more about Ted at http://demop.com.

OVERVIEW
Social networking sites such as Facebook, Twitter, Google+, Pinterest and LinkedIn are powerful, allowing you to meet, interact and share with people around the world. However, with all these capabilities come risks; not to just you, but your family, friends and employer. In this newsletter we will discuss what these dangers are and how to use these sites more safely.

PRIVACY
A common concern about social networking sites is privacy: protecting your personal information and the sensitive information of others. Potential dangers include:

Impacting Your Future: Many organizations search social networking sites as part of background checks. Embarrassing or incriminating posts, no matter how old, can prevent you from getting hired or promoted. In addition, many universities conduct similar checks for new student applications. Privacy options may not protect you, as these organizations can ask you to “Like” or join their pages prior to the application process.

Attacks Against You: Cyber criminals can harvest your personal information and use it for attacks against you. For example, they can use your information to guess the answers to your “secret questions” to reset your online passwords, create targeted email attacks called spear phishing or apply for a credit card using your name. In addition these attacks can spill into the physical world, such as identifying where you work or live.

Harming Your Employer: Criminals or competitors can use any sensitive information you post about your organization against your employer. In addition, your posts can potentially cause reputational harm for your organization. Be sure to check with your organization’s policies before posting anything about your employer.

The best protection is to limit the information you post. Yes, privacy options can provide some protection; however, keep in mind that privacy options are often confusing and can change frequently without you knowing. What you thought was private could become public for a variety of reasons. In addition, the privacy of your information is only as secure as the people you share it with. The more friends or contacts you share private information with, the more likely that information will become public. Ultimately, the best way to protect your privacy is to follow this rule: if you do not want your mother or boss to see your post, you most likely should not post it. Also be aware of what information friends are posting about you. It can be just as damaging if they post private information or embarrassing photos of you. Make sure your friends understand what they can or cannot post about you. If they post something you are not comfortable with, ask them to take it down. At the same time, be respectful of what you post about others.

SECURITY
In addition to privacy concerns, social networking sites can be used by cyber criminals to attack you or your devices. Here are some steps to protect yourself:

Login: Protect your social networking account with a strong password and do not share this password with anyone or re-use it for other sites. In addition, some social networking sites support stronger authentication, such as two-step verification. Enable stronger authentication methods whenever possible.

Encryption: Many social networking sites allow you to use encryption called HTTPS to secure your connection to the site. Some sites like Twitter and Google+ have this enabled by default, while other sites require you to manually enable HTTPS via account settings. Whenever possible use HTTPS.

Email: Be suspicious of emails that claim to come from a social networking site; these can easily be spoofed attacks sent by cyber criminals. The safest way to reply to such messages is to log in to the website directly, perhaps from a saved bookmark, and check any messages or notifications using the website.

Malicious Links/Scams: Be cautious of suspicious links or potential scams posted on social networking sites. Cyber criminals can post malicious links and if you click on them, they take you to websites that attempt to infect your computer. In addition, just because a message is posted by a friend does not mean it is from them, as their account may have been compromised. If a family member or friend has posted an odd message you cannot verify (such as they have been robbed and need you to send money), call them to confirm the message.

Apps: Some social networking sites give you the ability to add or install third-party applications, such as games. Keep in mind there is little or no quality control or review of these applications; they may have full access to your account and private information. Only install apps that you need, that are from well-known, trusted sites and remove them when you no longer need them.

Social networking sites are a powerful and fun way to communicate with the world. If you follow the tips outlined here, you should be able to enjoy a much safer online experience. For more information on how to use social networking sites safely or report unauthorized activity, be sure to review the security pages of the sites you are using.

RESOURCES
Some of the links have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.

11 Security Tips for Online Social Networking:
http://preview.tinyurl.com/b28a525

FB Security:
https://www.facebook.com/safety

Your FB Security Settings:
https://www.facebook.com/settings?tab=security

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp

LEARN MORE
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting http://www.securingthehuman.org. OUCH! is distributed under the Creative Commons BY-NC-ND 3.0 license.

Don't Get Caught by an IRS Phishing Scam!


As we near "Tax Day 2013", many spamming and phishing groups are increasing their attempts to get at your personal information. Please be sure to exercise caution before responding to any email claiming to be from the IRS or any other government group and think before clicking that link.

Wireless Hotspots... Limit activity to web surfing only!


A wireless hotspot is a wireless network that is made available (open) to everyone. A good example of an open wireless hotspot would be the wireless network offered at your favorite coffee shop. These wireless networks hook computers into the public Internet — very handy, but dangerous. Because wireless hotspots are for open use, they don't provide much security protection for your data while on them. Some tips to keep in mind before you start using a wireless hotspot include:

  1. Try to limit your activity to web surfing only. 
  2. You should disable peer-to-peer networking, file sharing, and remote access on your computer. 
  3. You should always use a good personal firewall.
  4. You should make sure all your software including your operating system is up to date and patched. 
  5. You should never use hotspots for online banking, bill paying, or for any transaction that would require you to give out confidential information such as a credit card number.

IRS Releases the Dirty Dozen Tax Scams for 2013


The Internal Revenue Service today issued its annual “Dirty Dozen” list of tax scams, reminding taxpayers to use caution during tax season to protect themselves against a wide range of schemes ranging from identity theft to return preparer fraud.

The Dirty Dozen listing, compiled by the IRS each year, lists a variety of common scams taxpayers can encounter at any point during the year. But many of these schemes peak during filing season as people prepare their tax returns.

"This tax season, the IRS has stepped up its efforts to protect taxpayers from a wide range of schemes, including moving aggressively to combat identity theft and refund fraud," said IRS Acting Commissioner Steven T. Miller. "The Dirty Dozen list shows that scams come in many forms during filing season. Don't let a scam artist steal from you or talk you into doing something you will regret later."

Illegal scams can lead to significant penalties and interest and possible criminal prosecution. IRS Criminal Investigation works closely with the Department of Justice (DOJ) to shut down scams and prosecute the criminals behind them.


Always lock your computer before walking away from it.


Locking your computer before leaving it unattended prevents anyone else from accessing it while you are away. This is especially important when there are outside people in your office. Leaving your computer unlocked can expose sensitive and confidential data to a third party. Even if there is no one in your office, data could be exposed if your computer screen faces an outside window, especially if you are on the ground floor.  Lock your computer using Ctrl+Alt+Del and Enter.

Five Security Tips!


  1. Warning Messages: If you don't understand the warning message, say no and consult IT support. It's easier to go back and say yes if you need to than be sorry and have to rebuild your machine. 
  2. Certificates: If you don't understand a website certificate message, say no and consult IT support. It is easier to go back and say yes if you need to than be sorry and have to rebuild your credit. 
  3. Antivirus: Running antivirus does not slow your computer down nearly as much as a virus does. 
  4. Back-up: Backing up your data may seem like a waste of time — er, until you spill coffee all over your laptop. 
  5. Passwords: Writing down your password around your desk is about as secure as leaving a $20 bill lying on the dashboard of your car. How well do you trust anyone these days?

Clean up after yourself!


Being able to access the Internet from different locations — the library, a computer lab at school, an Internet cafe — is a great convenience, but it can also pose a security risk to personal information. If you do access the Internet from a shared computer, here are a few things you need to remember.

  1. Don't check the "remember my password" box. 
  2. When you're done, make sure you log off completely by clicking the "log off" button before you walk away. 
  3. If possible, clear the browser cache and history.
  4. Never leave the computer unattended while you're logged in. 
  5. Move all documents you've used to "Trash", and empty the recycle bin.

March 2013 - secureCI Monthly Newsletter



secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at Channel Islands



Email Phishing Attacks

In This Issue…
  • Overview
  • Phishing Attacks
  • Protecting Yourself

GUEST EDITOR
Pieter Danhieux is the guest editor for this issue.  He works for BAE Systems Detica in Australia (www.baesystemsdetica.com.au) and is an instructor for the penetration testing courses at the SANS Institute.

OVERVIEW
Email is one of the primary ways we communicate. We not only use it every day for work, but also to stay in touch with our friends and family. In addition, email is how companies provide many products or services, such as confirmation of an online purchase or availability of your online bank statements. Since so many people around the world depend on email, email attacks have become one of the primary attack methods used by cyber criminals. In this newsletter, we explain the most common email attacks and the steps you can take to protect yourself.

PHISHING ATTACKS
Phishing was a term originally used to describe email attacks that were designed to steal your online banking user name and password. However, the term has evolved and now refers to almost any email-based attack. Phishing uses social engineering, a technique where cyber attackers attempt to fool you into taking an action. These attacks often begin with a cyber criminal sending you an email pretending to be from someone or  something you know or trust, such as a friend, your bank or your favorite online store. These emails then entice you into taking an action, such as clicking on a link, opening an attachment or responding to a message. Cyber criminals craft these emails to look convincing, sending them out to literally millions of people around the world. The criminals do not have a specific target in mind, nor do they know exactly who will fall victim. They simply know the more emails they send out, the more people they may be able to fool. Phishing attacks work one of four ways:
  • Harvesting Information: The cyber attacker’s goal is to fool you into clicking on a link and taking you to a website that asks for your login and password, or perhaps your credit card or ATM number. These websites look legitimate, with exactly the same look, imagery and feel of your online bank or store, but they are fake websites designed by the cyber attacker to steal your information.
  • Infecting your computer with malicious links: Once again, the cyber attacker’s goal is for you to click on a link. However, instead of harvesting your information, their goal is to infect your computer. If you click on the link, you are directed to a website that silently launches an attack against your computer that if successful, will infect your system.
  • Infecting your computer with malicious attachments: These are phishing emails that have malicious  attachments, such as infected PDF files or Microsoft Office documents. If you open these attachments they attack your computer and, if successful, give the attacker complete control.
  • Scams: These are attempts by criminals to defraud you. Classic examples include notices that you’ve won the lottery, charities requesting donations after a recent disaster or a dignitary that needs to transfer millions of dollars into your country and would like to pay you to help them with the transfer. Don’t be fooled, these are scams created by criminals who are after your money.

Use common sense, if an email seems odd or too good to be true, it is most likely an attack.


PROTECTING YOURSELF
In most cases, simply opening an email is safe. For most attacks to work you have to do something after reading the email (such as opening the attachment, clicking on the link or responding to the request for information). Here are some indications if an email is an attack:
  • Be suspicious of any email that requires “immediate action” or creates a sense of urgency. This is a common technique used by criminals to rush people into making a mistake.
  • Be suspicious of emails addressed to “Dear Customer” or some other generic salutation. If it is your bank they will know your name.
  • Be suspicious of grammar or spelling mistakes; most businesses proofread their messages carefully before sending them.
  • Do not click on links. Instead, copy the URL from the email and paste it into your browser. Even better is to simply type the destination name into your browser.
  • Hover your mouse over the link. This will show you the true destination where you would go if you actually clicked on it. If the true destination of the link is different than what is shown in the email, this may be an indication of fraud.
  • Be suspicious of attachments and only open those that you were expecting.
  • Just because you got an email from your friend does not mean they sent it. Your friend’s computer may have been infected or their account may have been compromised, and malware is sending the email to all of your friend’s contacts. If you get a suspicious email from a trusted friend or colleague, call them to confirm that  they sent it. Always use a telephone number that you already know or can independently verify, not one that was included in the message.
If after reading an email you think it is a phishing attack or scam, simply delete the email. Ultimately, using email safely is all about common sense. If something seems suspicious or too good to be true, it is most likely an attack. Simply delete the email.

RESOURCES
Some of the links have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.

OnGuard Online –
http://www.onguardonline.gov/phishing

Recognizing Phishing Attacks:
http://preview.tinyurl.com/3c2axs8

OpenDNS Phishing Protect:
http://www.opendns.com/phishing-protection

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp

LEARN MORE
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting http://www.securingthehuman.org. OUCH! is distributed under the Creative Commons BY-NC-ND 3.0 license.


Don't make that call!


If you receive an email asking you to call an 800 number related to a banking or credit card issue, don't call the number. Your credit card has a phone number on the back as do your bank account statements. Be safe, don't call a phone number listed in an email; instead look up the number on your credit card or account statements. There's a new attack called Vishing, designed to have you call a fake, automated answering system, and get you to enter your account number and other sensitive information.  Don't be a victim.

Evernote Compromised, But Says No User Data Affected


On Saturday 3/2/2013, Evernote, the online service that enables users to store and sync all kinds of data across multiple devices, sent out a notice to their users stating that their Operations & Security team had  discovered and blocked suspicious activity on the Evernote network that appeared to have been a coordinated attempt to access secure areas of the Evernote Service.


Evernote officials said that they did not think the attackers were able to gain access to any of the data that users store on the service. However, the company said it was requiring that all users change their passwords immediately.

Evernote users have the ability to store just about any kind of data on the service, including text, video and other information. Users can encrypt data within specific notes, and the company doesn't have a copy of users' keys, so if the passphrase is lost or compromised, there's no way for the company to recover that data.

Evernote sent all of its users an email detailing the incident and informing them that they need to change their passwords before logging in the next time (see below).

Dear Evernote user,

Evernote's Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions.

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

While our password encryption measures are robust, we are taking steps to ensure your personal data remains secure. This means that in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.

After signing in, you will be prompted to enter your new password. Once you have reset your password on evernote.com, you will need to enter this new password in other Evernote apps that you use. We are also releasing updates to several of our apps to make the password change process easier, so please check for updates over the next several hours.

As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content.

There are also several important steps that you can take to ensure that your data on any site, including Evernote, is secure:
  • Avoid using simple passwords based on dictionary words
  • Never use the same password on multiple sites or services
  • Never click on 'reset password' requests in emails - instead go directly to the service

Thank you for taking the time to read this. We apologize for the annoyance of having to change your password, but, ultimately, we believe this simple step will result in a more secure Evernote experience. If you have any questions, please do not hesitate to contact Evernote Support.

The Evernote Team 

Do not give your password over the phone to anyone claiming to be from the HelpDesk or Tech Support!


No one from the HelpDesk or Technical Support will ever ask you for your password. If access to your account is needed for some reason, and we can't contact you in time, your password will be reset and you'll be notified by voicemail. Anyone calling and asking you for your password is most likely trying to gain unauthorized access to the network. If you ever receive such a call, notify your supervisor and the HelpDesk immediately.

If you're not sure you've seen an incident, report it anyway


Most security folks (and IT folks, for that matter) would rather hear about a problem from you than figure it out afterwards while troubleshooting a system failure. If a phone call from "User Support" doesn't sound quite right, if a common email announcement is just a little off, or if a caller on the phone is too stressed to remember his or her password and asks you to provide it, don't be pressured and don't be rushed. Rush and pressure are among the "social engineering" hacker's best tools.


What should you do?  Ask for help! Call your supervisor, call your IT group, and call your InfoSec group on the spot for assistance. You are just as responsible to the whole organization as the folks who support information security for the organization! Don't let one person's stress jeopardize the organization's information security.

If you encounter any of these scenarios, please contact the T&C Helpdesk (helpdesk@csuci.edu or (805) 437-8552) or the Information Security Office (infosec@csuci.edu) for assistance and remember, no T&C staff member will ever ask you for any personal information, including your passwords.

Study Shows One in Four Who Receive a Data Breach Letter Become Fraud Victims


This article discusses a study released Wednesday 2/20/2013 that shows one in four consumers who receive a data breach letter become the victim of identity fraud. That statistic represented 12.6 million victims last year -- one million more than the year before, according to the 2013 Identity Fraud Report released by Javelin Strategy & Research.

Don't Use Unauthorized Software.


It may be tempting to use useful-looking software that you can get free on the Internet, but these tools may carry a hidden cost.  Installing them may often cause other programs to stop working and it can take a long time for IT teams to track down the problem.  More seriously, the software can display unwanted ads, slow your PC down or make it less secure by letting the PC download more ads from the Internet.  Most seriously, the software can be infected by viruses or spyware that are intended to damage your PC or steal confidential information.

How to Spot a Phishing Scam


We've all received them, emails from a seemingly trusted source like a bank, delivery company or even your own place of employment, claiming there was some type of issue or another requiring you to offer up some personal information or to click on a link or button to help clear the issue up. If you receive an email similar to this DO NOT CLICK ON ANY LINK OR OFFER UP ANY INFORMATION! 

This is a common form of security attack called a phishing or spear phishing scam.

Groups attempting to steal personal information will often use e-mails that appear to originate from a trusted source to try and trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site look like they are part of a bank or some other organization the user is doing business with.

For example, it could be a phishing email if...

  • There are misspelled words in the e-mail or it contains poor grammar. 
  • The message is asking for personally identifiable information, such as credit card numbers, account numbers, passwords, PINs or Social Security Numbers. 
  • There are "threats" or alarming statements that create a sense of urgency. For example: "Your account will be locked until we hear from you" or "We have noticed activity on your account from a foreign IP address." 
  • The domain name in the message isn't the one you're used to seeing. It's usually close to the real domain name but not exact. For example: 
    • Phishing website: www.regionsbanking.com 
    • Real website: www.regions.com

If you receive an email like this and you think it may be fraudulent, please report it immediately to the T&C Helpdesk at X8552, helpdesk@csuci.edu, or infosec@csuci.edu. Our technicians will assist you and instruct you on how to effectively remove it.

Please remember... nobody from T&C will ever ask you for any personal information, including your password!
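The domain-name indicator from the list above can also be checked automatically. The following is an added example, not part of the original post: it flags link hosts that embed or nearly match a trusted name. The allow-list, the function names and the example.* hosts are constructed assumptions, and the last-two-labels rule is a simplification of a Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Constructed allow-list (assumption): domains the reader really does business with.
TRUSTED = {"regions.com", "csuci.edu"}

def host_of(link):
    """Return the lowercase hostname of a URL or bare host string."""
    if "://" not in link:
        link = "//" + link              # let urlsplit treat a bare host as a netloc
    host = urlsplit(link).hostname or ""  # .hostname ignores any user@ prefix and port
    return host.rstrip(".").lower()

def base_domain(host):
    """Simplification (assumption): the last two labels are the registrable domain."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(link):
    """Return (verdict, trusted_domain) where verdict is trusted/lookalike/unknown."""
    host = host_of(link)
    base = base_domain(host)
    if base in TRUSTED:
        return ("trusted", base)
    name = base.split(".")[0]
    for good in sorted(TRUSTED):
        brand = good.split(".")[0]
        # Trusted name embedded in a different domain (regionsbanking.com),
        # or used as a subdomain of an unrelated one.
        if brand in host:
            return ("lookalike", good)
        # One or two characters off from the trusted name, scaled to its length.
        if edit_distance(name, brand) <= max(1, len(brand) // 4):
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    for link in ("www.regions.com",
                 "http://www.regionsbanking.com/login",
                 "https://regi0ns.com/",
                 "https://www.regions.com.account-check.example/"):
        print(link, "->", classify(link))
```

A "lookalike" verdict is a prompt for human review, not proof of fraud, since an unrelated legitimate site can contain the same word.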

President Obama Signs Cybersecurity Executive Order


The executive order that President Barack Obama signed on February 12th in advance of his State of the Union Address contains a lot of provisions for information sharing on attacks and threats on critical infrastructure, and also calls for the development of a framework to reduce cybersecurity risks in federal agencies and critical infrastructure.

Read the executive order on cybersecurity and see what is identified as mandated and what is being set aside as voluntary initiatives.

Additional information may be found here.

A password should be used by only one person.


Passwords are like bubble gum: they're much better when used by only one person. If you share your computer with others, each person should have a unique account, username, and password. Don't allow another user to know or use your password, and don't ask another user if you can use theirs. When it's your turn to use the computer, log the last user off, and then log on using your own username and password. When you take a break, don't leave your computer open. Log off or lock it, and remember, passwords shorter than 8 characters are easy to crack. Avoid common words and proper names, and use both uppercase and lowercase letters, numbers, and symbols when creating your password.

FTC Endorses New Privacy Guidelines, Do Not Track for Mobile Apps, Devices.


This article discusses recently released endorsements by the Federal Trade Commission (FTC) regarding new privacy guidelines for mobile apps and devices. The guidelines, a series of suggestions, have been released to help developers, advertising networks and device companies better protect their users online.

Control Access to Buildings and Work Areas


Each one of us has a responsibility to ensure that our building is secure. When you enter a building from a side door or after hours, make sure the door closes properly and check to see that no one has slipped in behind you. If you see someone you don't know wandering around, don't be afraid to grab a co-worker and ask which room they're looking for or who they're visiting. Security is everyone's responsibility and it's better to be safe than sorry!

Passwords: Be Creative!


If you can't remember hard passwords no matter how hard you try, put your password in parentheses. baseball38 is a weak password, but (baseball38) is much better.

Whenever you change your password, you should always change at least half of it and when you do, change the parentheses as well. You can change the parentheses to asterisks, exclamation points or dollar signs. *sallyandbob39* is better than sallyandbob39, and !jimandbetty93! is better than jimandbetty93.

It's 10 p.m. Do you know whom your kids are chatting with online?


While social networking sites can increase a person's circle of friends, they also can increase exposure to people with less than friendly intentions. Here are tips for helping your kids use social networking sites safely:

  1. Help your kids understand what information should be private. 
  2. Explain that kids should post only information that you - and they - are comfortable with others seeing. 
  3. Use privacy settings to restrict who can access and post on your child's website. 
  4. Remind your kids that once they post information online, they can't take it back. 
  5. Talk to your kids about avoiding sex talk online. 
  6. Tell your kids to trust their gut if they have suspicions. If they ever feel uncomfortable or threatened by anything online, encourage them to tell you.

January 2013 - secureCI Monthly Newsletter


secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at Channel Islands


In This Issue…
• What is Java?
• Risks of Java
• Best Defenses

Java

OVERVIEW
Software refers to programs or applications you install and use on your computer every day.  Examples include your web browser, word processor, email client, video games and movie players.  The problem with most software is that it is written to run only on specific computers.  For example, software written for Microsoft Windows can run only on Microsoft Windows computers; it cannot run on an Apple Mac computer.  The same applies for software written for Apple's Mac; it can only run on a Mac computer.

Java is different.  It is a computer language that allows programmers to write software you can run on many different types of computers, such as Microsoft Windows and Apple Mac.  To enable programs developed in Java to work on your computer, you need to have Java (often called the Java runtime environment) installed on your computer.  In this newsletter, we are going to explain the dangers of having Java installed on your computer and what you can do to protect your computer.  Note: JavaScript and Java are two entirely different things.  This newsletter applies to Java.

WHAT ARE THE RISKS?
A common method cyber attackers use to hack into computers is to develop special programs that take advantage of and exploit weaknesses in your computer’s software. These weaknesses are usually specific to one type of computer. This means the hacking tools they develop to attack Microsoft Windows computers work only on Microsoft Windows; their tools do not work on any other type of computer such as an Apple Mac, or vice versa.

This limits who they can attack and how.  Java is different. Since it is designed to work on almost any computer, cyber criminals can create a single attack tool that can potentially hack almost any computer in the world as long as it has Java installed. This makes Java’s weaknesses an attractive target for attackers, as they can hack more computers with less effort. Also, Java is complex, which means it can have many weaknesses.

Finally, most people do not even know what Java is or if they have it installed. As a result, Java has become a popular target for cyber criminals.

BEST DEFENSE
Ultimately, the best defense is simple: if you are not using any programs or applications that require Java, then do not install it on your computer. Only install Java if you absolutely require it. If you are not sure if you have Java already installed on your computer, there is a simple way to check. Simply go to the Java website listed below to check if you have Java installed. Be sure to only check if you have Java installed; do not actually install it.

http://www.java.com/en/download/installed.jsp

If you discover you do have Java installed but you no longer need it, uninstall Java from your computer.

IF YOU MUST...
If you absolutely must have Java installed, there are several things you can do to protect yourself.

1.  KEEP IT CURRENT
Make sure you always have the latest version of Java installed on your computer. Old or outdated versions of Java have many known vulnerabilities, making it easy for cyber criminals to hack into your computer. In addition, future releases of Java may have additional security features. Keeping Java updated is relatively simple for Windows computers. To verify the version of Java on your computer, click on the Java icon in the Control Panel and confirm you have the latest version installed and that it is configured for automatic updating. If you do not have the latest version, be sure to update it through the Java Control Panel.

Java is software that can expose you to additional risk.
If you do not need Java then do not install it.
If you do need Java always be sure to run the latest version.

For Apple Mac computers, the options for Java are more complex. In an effort to better protect its users, Apple distributes and updates its own release of Java based on Java 1.6. As long as you keep your Mac operating system updated and current, you will keep this version of Java updated also. Apple users can update their Mac computers to Java 1.7 by downloading Java from the Java website; however, you then have to maintain and update that version yourself.

2.  DISABLE BROWSER PLUGIN
One of the most common ways that cyber criminals hack Java is through your web browser. If you have Java installed, your browser will have what is called a Java plugin, which lets your browser use Java. When you connect to a malicious website, bad guys may hack your computer through your Java plugin.
However, very few websites require Java to work, so in most cases you can safely disable your browser’s Java plugin. How you disable your browser’s plugin depends on what type of browser you have. Most browsers have a Preference or Settings option where you can disable your browser’s Java plugin. In addition, newer versions of Java can disable Java plugins from the Java Control Panel. If you do find a website that requires Java to work, you can then enable it for only that website, then disable it when you are done.

RESOURCES
Some of the links have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.


What is Java?:
http://preview.tinyurl.com/7l7jvb8

Uninstalling Java on Windows:
http://preview.tinyurl.com/4x66uco

Uninstalling Java 7 on a Mac:
http://preview.tinyurl.com/cowkxy4

Disabling Your Browser’s Java Plugin:
http://preview.tinyurl.com/cwptsxv

Browsercheck:
http://browsercheck.qualys.com

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp



LEARN MORE
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting http://www.securingthehuman.org. OUCH! is distributed under the Creative Commons BY-NC-ND 3.0 license.

Don't get hooked by a Phishing expedition!


Here are a few tips to help prevent getting hooked by a phisher:

  1. Don't reply to email or pop-up messages that ask for personal or financial information.
  2. Don't click on links in email messages that you're not familiar with or that ask for personal or financial information.
  3. Don't cut and paste a link from the message into your Web browser -- phishers can make links look like they go one place, but actually send you to a different site.
  4. Use anti-virus and anti-spyware software, as well as a two-way firewall, and update them all regularly.
  5. Don't send personal or financial information by email.  Email transmits data in open text!
  6. Be cautious about opening any attachment or downloading any files from emails you receive regardless of who sent them.
For more information on phishing, visit http://onguardonline.gov/phishing.html.

New Privacy Awareness Video Now Available!


SANS and EDUCAUSE have developed a free privacy awareness video that colleges and universities can use during Data Privacy Month in January, and throughout the year, in their privacy education and training efforts. High and low resolution versions of the video are available.

Attackers Using Fake Chrome Updates to Lure Victims


Google patched nearly two dozen security vulnerabilities in Chrome on Thursday, and a day later attackers began circulating fake Google Chrome updates that are actually part of a scam related to the Zeus botnet and are designed to steal online banking credentials, among other things.  Follow this link to view the full article from Threatpost.

Security Vulnerability Found in Microsoft's Internet Explorer


Internet Explorer users beware: there is a new zero-day (previously unknown, unpatched vulnerability) attack targeting your browser.  Follow this link to view the details and what you can do at this time.