Archive for March 2013

Always lock your computer before walking away from it.


Locking your computer before leaving it unattended prevents anyone else from using it while you are away. This is especially important when visitors are in your office: an unlocked computer can expose sensitive and confidential data to a third party. Even with no one else in the office, what is on your screen can be read through an outside window, especially on the ground floor. On Windows, lock your computer with Ctrl+Alt+Del followed by Enter, or by pressing the Windows key and L.

Five Security Tips!


  1. Warning Messages: If you don't understand the warning message, say no and consult IT support. It's easier to go back and say yes if you need to than be sorry and have to rebuild your machine. 
  2. Certificates: If you don't understand a website certificate message, say no and consult IT support. It is easier to go back and say yes if you need to than be sorry and have to rebuild your credit. 
  3. Antivirus: Running antivirus does not slow your computer down nearly as much as a virus does. 
  4. Back-up: Backing up your data may seem like a waste of time — er, until you spill coffee all over your laptop. 
  5. Passwords: Writing down your password around your desk is about as secure as leaving a $20 bill lying on the dashboard of your car. How well do you trust anyone these days?

Clean up after yourself!


Being able to access the Internet from different locations — the library, a computer lab at school, an Internet cafe — is a great convenience, but it can also pose a security risk to personal information. If you do access the Internet from a shared computer, here are a few things you need to remember.

  1. Don't check the "remember my password" box. 
  2. When you're done, make sure you log off completely by clicking the "log off" button before you walk away. 
  3. If possible, clear the browser cache and history.
  4. Never leave the computer unattended while you're logged in. 
  5. Move all documents you've used to "Trash", and empty the recycle bin.

March 2013 - secureCI Monthly Newsletter

secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at Channel Islands

Email Phishing Attacks

In This Issue…
  • Overview
  • Phishing Attacks
  • Protecting Yourself

GUEST EDITOR
Pieter Danhieux is the guest editor for this issue. He works for BAE Systems Detica in Australia (www.baesystemsdetica.com.au) and is an instructor for the penetration testing courses at the SANS Institute.

OVERVIEW
Email is one of the primary ways we communicate. We not only use it every day for work, but also to stay in touch with our friends and family. In addition, email is how companies provide many products or services, such as confirmation of an online purchase or availability of your online bank statements. Since so many people around the world depend on email, email attacks have become one of the primary attack methods used by cyber criminals. In this newsletter, we explain the most common email attacks and the steps you can take to protect yourself.

PHISHING ATTACKS
Phishing was a term originally used to describe email attacks that were designed to steal your online banking user name and password. However, the term has evolved and now refers to almost any email-based attack. Phishing uses social engineering, a technique where cyber attackers attempt to fool you into taking an action. These attacks often begin with a cyber criminal sending you an email pretending to be from someone or something you know or trust, such as a friend, your bank or your favorite online store. These emails then entice you into taking an action, such as clicking on a link, opening an attachment or responding to a message. Cyber criminals craft these emails to look convincing, sending them out to literally millions of people around the world. The criminals do not have a specific target in mind, nor do they know exactly who will fall victim. They simply know the more emails they send out, the more people they may be able to fool. Phishing attacks work one of four ways:
  • Harvesting Information: The cyber attacker’s goal is to fool you into clicking on a link and taking you to a website that asks for your login and password, or perhaps your credit card or ATM number. These websites look legitimate, with exactly the same look, imagery and feel of your online bank or store, but they are fake websites designed by the cyber attacker to steal your information.
  • Infecting your computer with malicious links: Once again, the cyber attacker’s goal is for you to click on a link. However, instead of harvesting your information, their goal is to infect your computer. If you click on the link, you are directed to a website that silently launches an attack against your computer that, if successful, will infect your system.
  • Infecting your computer with malicious attachments: These are phishing emails that have malicious attachments, such as infected PDF files or Microsoft Office documents. If you open these attachments they attack your computer and, if successful, give the attacker complete control.
  • Scams: These are attempts by criminals to defraud you. Classic examples include notices that you’ve won the lottery, charities requesting donations after a recent disaster or a dignitary that needs to transfer millions of dollars into your country and would like to pay you to help them with the transfer. Don’t be fooled, these are scams created by criminals who are after your money.

Use common sense: if an email seems odd or too good to be true, it is most likely an attack.


PROTECTING YOURSELF
In most cases, simply opening an email is safe. For most attacks to work you have to do something after reading the email, such as opening the attachment, clicking on the link or responding to the request for information. Here are some indications that an email is an attack:
  • Be suspicious of any email that requires “immediate action” or creates a sense of urgency. This is a common technique used by criminals to rush people into making a mistake.
  • Be suspicious of emails addressed to “Dear Customer” or some other generic salutation. If it is your bank, it will know your name.
  • Be suspicious of grammar or spelling mistakes; most businesses proofread their messages carefully before sending them.
  • Do not click on links. If you must use an address from the email, copy the address as it is displayed (not the link itself, whose real destination may differ) and paste it into your browser. Better still, type the site’s address that you already know.
  • Hover your mouse over the link. Your mail client will show the true destination you would be taken to if you clicked. If that destination differs from the address shown in the email, it is a likely indication of fraud.
  • Be suspicious of attachments and only open those that you were expecting.
  • Just because you got an email from your friend does not mean they sent it. Your friend’s computer may have been infected or their account may have been compromised, and malware is sending the email to all of your friend’s contacts. If you get a suspicious email from a trusted friend or colleague, call them to confirm that they sent it. Always use a telephone number that you already know or can independently verify, not one that was included in the message.
If after reading an email you think it is a phishing attack or scam, simply delete it. Ultimately, using email safely comes down to common sense: if something seems suspicious or too good to be true, it is most likely an attack.
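The hover check in the list above can be automated. The Python script below is an added example, not part of the OUCH! newsletter: it walks the anchors in an HTML email body and flags links whose displayed address differs from the real destination, links that go to a bare IP address, and links where a trusted name (here the assumed domain examplebank.com) appears inside an unrelated domain. The sample email body, the domain and all function names are constructed for this illustration, and the registrable-domain helper is deliberately crude (last two labels, no public-suffix list).

```python
"""Flag links in an HTML email whose visible text points somewhere other
than the href does, the same comparison a reader makes by hovering."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one deceptive link, one honest link, one link whose
# text is not an address but whose domain borrows a trusted name.
SAMPLE_EMAIL = """
<p>Dear Customer, your account requires immediate action.</p>
<p>Sign in at <a href="http://198.51.100.23/login">https://www.examplebank.com/login</a></p>
<p>Read our policy at <a href="https://www.examplebank.com/policy">www.examplebank.com/policy</a></p>
<p><a href="http://examplebank.com.security-check.example/verify">Verify your account</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case host of a URL; a bare 'www.example.com/x' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last two labels of a host, enough to compare a.b.example.com with
    example.com for this example (assumption: no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


# Does the anchor text itself look like a URL or domain the reader would trust?
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
BARE_IP = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def suspicious_links(html, expected_domain=None):
    """Return (href, text, reason) for each link a reader should not trust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        if BARE_IP.fullmatch(real_host):
            findings.append((href, text, "link goes to a bare IP address"))
            continue
        if LOOKS_LIKE_URL.match(text) and registrable(host_of(text)) != registrable(real_host):
            findings.append((href, text, "displayed address differs from real destination"))
            continue
        if (expected_domain and registrable(real_host) != expected_domain
                and expected_domain in real_host):
            findings.append((href, text, f"'{expected_domain}' appears inside an unrelated domain"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, expected_domain="examplebank.com"):
        print(f"{reason}: text={text!r} -> href={href!r}")
```

Run against the constructed message, the script reports the IP-address login link and the "security-check.example" verification link, and stays silent on the honest policy link whose displayed and real hosts agree.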

RESOURCES
Some of the links have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.

OnGuard Online –
http://www.onguardonline.gov/phishing

Recognizing Phishing Attacks:
http://preview.tinyurl.com/3c2axs8

OpenDNS Phishing Protect:
http://www.opendns.com/phishing-protection

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp

LEARN MORE
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting http://www.securingthehuman.org. OUCH! is distributed under the Creative Commons BY-NC-ND 3.0 license.


Don't make that call!


If you receive an email asking you to call an 800 number about a banking or credit card issue, don't call that number. Your credit card has a phone number on the back, as do your bank account statements. Be safe: look up the number on your card or statement instead of using one listed in an email. This attack is called vishing (voice phishing). It is designed to have you call a fake automated answering system and enter your account number and other sensitive information. Don't be a victim.

Evernote Compromised, But Says No User Data Affected


On Saturday, March 2, 2013, Evernote, the online service that lets users store and sync all kinds of data across multiple devices, sent a notice to its users stating that its Operations & Security team had discovered and blocked suspicious activity on the Evernote network that appeared to be a coordinated attempt to access secure areas of the Evernote service.

Evernote officials said they did not believe the attackers had gained access to any of the content users store on the service. However, the company is requiring all users to change their passwords immediately.

Evernote users can store almost any kind of data on the service, including text, video and other information. Users can also encrypt the contents of specific notes with a passphrase; Evernote does not keep a copy of that key, so if the passphrase is lost, the company cannot recover the data.

Evernote emailed all of its users describing the incident and informing them that they must change their passwords before their next login (the notice is reproduced below).

Dear Evernote user,

Evernote's Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions.

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

While our password encryption measures are robust, we are taking steps to ensure your personal data remains secure. This means that in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.

After signing in, you will be prompted to enter your new password. Once you have reset your password on evernote.com, you will need to enter this new password in other Evernote apps that you use. We are also releasing updates to several of our apps to make the password change process easier, so please check for updates over the next several hours.

As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content.

There are also several important steps that you can take to ensure that your data on any site, including Evernote, is secure:
  • Avoid using simple passwords based on dictionary words
  • Never use the same password on multiple sites or services
  • Never click on 'reset password' requests in emails - instead go directly to the service

Thank you for taking the time to read this. We apologize for the annoyance of having to change your password, but, ultimately, we believe this simple step will result in a more secure Evernote experience. If you have any questions, please do not hesitate to contact Evernote Support.

The Evernote Team 
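Evernote's notice says the leaked passwords were "hashed and salted", yet it still forces a reset and warns against dictionary-word passwords. The Python below is an added example, not Evernote's code, showing what those three statements mean in practice: a per-user random salt with a slow key-derivation function (PBKDF2-HMAC-SHA256 at 100,000 iterations, an assumed parameter), why salting hides that two users share a password, and why a leaked salted record of a dictionary word is still recovered offline, which is what makes the reset necessary. The user table and the word list are constructed for the illustration.

```python
"""Salted one-way password storage, and what a leaked record still permits."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value for this example


def hash_password(password, salt=None):
    """Return (salt, digest): a random 16-byte per-user salt and
    PBKDF2-HMAC-SHA256 of the password under that salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time check of a candidate password against a stored record."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def unsalted_hash(password):
    """'One-way encryption' without a salt: identical passwords collide,
    so one cracked hash exposes every user who chose the same password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def dictionary_attack(salt, digest, wordlist):
    """Offline guessing against a leaked (salt, digest) pair.
    The salt forces one PBKDF2 run per guess per user, but a dictionary
    word still falls after a handful of guesses. Returns the word or None."""
    for guess in wordlist:
        if verify_password(guess, salt, digest):
            return guess
    return None


# Constructed word list an attacker would try first.
WORDLIST = ["letmein", "password", "sunshine", "evernote", "dragon"]


def demo():
    """Build a small constructed user table, leak it, and attack it."""
    plaintexts = [("alice", "sunshine"), ("bob", "sunshine"), ("carol", "x9#Lq!7vT2rWb")]
    records = {user: hash_password(pw) for user, pw in plaintexts}
    unsalted = {user: unsalted_hash(pw) for user, pw in plaintexts}
    # Without a salt, alice and bob visibly share a password.
    same_unsalted = unsalted["alice"] == unsalted["bob"]
    # With per-user salts, their stored digests differ.
    different_salted = records["alice"][1] != records["bob"][1]
    # The leaked salted records: weak passwords are recovered, the strong one is not.
    cracked = {user: dictionary_attack(salt, digest, WORDLIST)
               for user, (salt, digest) in records.items()}
    return same_unsalted, different_salted, cracked


if __name__ == "__main__":
    same, different, cracked = demo()
    print("unsalted digests of alice and bob identical:", same)
    print("salted digests of alice and bob identical:", not different)
    print("recovered from leaked salted records:", cracked)
```

Salting and a slow hash buy time and prevent one cracked password from unmasking every user who shares it, but they do not make a leaked record safe: a short dictionary run against each record recovers "sunshine" for both alice and bob, so a forced reset after a leak of "encrypted passwords" is the right call.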

Do not give your password over the phone to anyone claiming to be from the HelpDesk or Tech Support!


No one from the HelpDesk or Technical Support will ever ask you for your password. If access to your account is needed for some reason, and we can't contact you in time, your password will be reset and you'll be notified by voicemail. Anyone calling and asking you for your password is most likely trying to gain unauthorized access to the network. If you ever receive such a call, notify your supervisor and the HelpDesk immediately.