May News from Information Security

Wait?

It’s May already?

Where did April go?

It passed by as we were stuck at home and no, you didn’t miss the April newsletter, as it was lost in the work-from-home shuffle. There’s a hint of a light at the end of the coronavirus tunnel as some businesses are opening and some restrictions lifted, but that’s all I’m going to say about that…

While we may not have been as busy during this time, phishers, scammers, and other bad actors have gone into overdrive. Some sources have placed the increased fraudulent traffic as 300% higher this last quarter over the same quarter from 2019. The number of emails attempting to leverage the coronavirus and associated fears has grown astronomically and the phishers have an edge in this environment – we’re already stressed and uncertain.

There are emails purporting to have a cure for the disease, others with great deals on PPE (who figured that acronym would ever become common?), some trying to steal CARES relief funds, and others trying to convince people they have come in contact with someone with the virus. That’s just a tiny sample. There are some new articles on this site covering social media surveys, Skype password phishing, and complaint scams. The COVID-19 article was updated multiple times with new information. If you haven’t read those yet, you should check them out after you’re done reading this.

Myriad opportunities abound to phish, scam, and deceive people who have severe cases of cabin fever, restlessness and real fears about jobs and finances. No stress point is neglected in the daily attacks from bad actors trying to compromise accounts, steal credentials, and wreak havoc in an already chaotic environment. Many people are learning new ways to work, communicate, shop, eat, and socialize. All of the “new” is irresistible to scammers and phishers. Here is what I consider the number one safety tip (with some examples) to safely navigate this new (hopefully temporary) normal.

  • Almost all email should be considered suspect at this point. Apply a much higher grade of scrutiny to any and all emails you receive.
    • Emails like the ones mentioned in the Skype phishing article will appear to come from a variety of services, all of them trying to get you to click on that link or button in the email to check your notifications. Don’t!!! Simply log in to the site or service like you normally would, and if you have notifications, they will be there.
    • Emails asking for banking information or other financial information should be VERY carefully scrutinized. Most will be fraudulent. If you or a family member need to supply banking information to receive CARES funds or are having to deal with unemployment, make sure you are going to the right resources. Numerous government sites are available including the Health and Human Services site and the primary government site about coronavirus information. The Georgia Department of Labor site is where to get answers about the process of receiving unemployment benefits.
    • Phishers haven’t given up on old themes. We have received plenty of emails to campus inboxes purporting to be from college department heads, all the way to President Briggs, asking you for a “favor” or with an “urgent request”. Don’t fall for these! Check the From address and look for the external email banner to determine the validity of emails like this. The fact that they should be EXTREMELY rare should immediately render them suspect.

On a somewhat different topic, check out the new voicemail notification Quick Tip here on the site. It explains how to tell if a voicemail notification received via email is valid or not.

Here’s hoping that things will get back to normal soon, even if normal is slightly different. As always, if you ever have a question about an email or other questions about information security, please don’t hesitate to contact me at infosec@berry.edu, extension 1750 or 706-236-1750. I’m still working at home, like many others.

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted (whenever we get to the point we can do that).

Photo Credit: Photo by Jose Antonio Gallego Vázquez on Unsplash

March News from Information Security

Welcome to March and welcome to the March newsletter!

The arrival of March means all kinds of things are happening. Daylight saving time starts on the 8th, spring break follows not far behind that, we celebrate St. Paddy’s Day, and spring is around the corner, but it might snow before that happens. Don’t believe me? Ask those of us who were here in 1993 about the BIG March snow…or don’t…you might make us feel old.

We’re two months removed from the holiday shopping season, but there’s ALWAYS online shopping happening, so check out this information from EDUCAUSE about protecting electronic payments.

Online sales in the United States grew to a record high of nearly 19 percent during the 2019 holiday season. At the same time, the convenience of using credit cards and other electronic payment services is compelling consumers to rapidly reduce their use of cash. The 2019 Diary of Consumer Payment Choice report shows that cash is used about 50 percent of the time for in-person transactions under $10 (for things like lunch or coffee). For larger purchases of $25 or more, cash is used only 10 percent of the time. Cybercriminals are taking advantage of the increase in electronic payments. According to the 2020 Cybersecurity Report from Check Point Research, mobile banking malware attacks increased 50 percent from 2018 to 2019. Here are some tips to help you safely use electronic payment sites.

  • Verify websites before entering important information. Clicking on a link may not take you where you expect to go. When shopping, banking, or making payments online, manually type in the website name (e.g., chase.com) instead of clicking on links in an email, social network post, or text message.
  • Look for deceptive emails and texts. Your bank or electronic payment processor won’t ask you to provide personal information or passwords via email, but scammers will. Watch this Consumer Reports video for examples.
  • Ignore phone calls from unknown and unfamiliar numbers. If you receive a phone call from someone who is urgently asking for money, there’s a good chance it’s a scam. Most of these calls can be safely ignored, but if you want to check, search for the organization’s website and find out for yourself. Don’t be rattled by threats over the phone.
  • Look for the lock icon in your browser. The lock icon in the address bar of your web browser shows that the website you’re visiting sends data in encrypted form. Never send money or pay for goods on a site without this important safeguard.
  • Public computers aren’t for private information. The computers in a hotel lobby or a public library may have a virus that records your activity, including any passwords you enter. Shop and make electronic payments only on a computer that you control.
  • Don’t use free Wi-Fi when making an electronic payment. The open nature of free Wi-Fi at cafes, airports, and other public venues makes it possible for others who are on the same Wi-Fi network to spy on your activities. If you cannot wait for another time to do your banking, use a VPN when using free Wi-Fi.
  • Consider getting a credit card just for electronic payments. If you decide to get a credit card or online account just for electronic payments, make sure the credit limit or available balance is low. This can protect you from a large loss due to online fraud.
  • Review your transactions regularly. Online banking allows you to check your account quickly and easily. Take time each day or each week to quickly review electronic payments. If you see charges you don’t recognize, notify your bank or payment application vendor (e.g., Venmo, PayPal, or Apple Pay) as soon as possible.
  • Check your credit reports to help spot fraud. Credit reporting services Experian, Equifax, and TransUnion are required to provide you with a free credit report once per year, so try to check one report every four months.

We depend more and more on electronic payments, so let’s be sure to protect them.

There will be a LunchITS during March, it’s just not scheduled yet, so check back on the site to find out when it will happen. It will be on account security, covering passwords, password managers, and multi-factor authentication. If any of that sounds unfamiliar, then this one-hour training session is for you!

Security awareness posters will go out this week! Be looking for them in residence halls, Krannert, and college offices.

Check here on this site on the front page for some new data breach announcements. There are three (currently) and they should be posted by Wednesday.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted.

Photo credit: Photo by rupixen.com on Unsplash

Data Privacy Day – Krannert Table

Come by the Information Security table in Krannert between 11:30 and 1:00 PM for information about protecting your privacy, the chance to ask questions and get answers face to face, and to pick up some delicious edible items.

December News from Information Security

It’s December out there (and inside wherever you are reading this)!

December brings with it lots of spending, lots of new gadgets, and lots of fraud! Cyber-criminals are chomping at the bit to steal your money, credentials, and anything else they can get their hands on. As you go about your holiday shopping, most of it probably online, keep these tips in mind for a safe holiday shopping experience.
1. As always, if it looks too good to be true, it probably is not true.
2. Don’t be sucked into shady shopping sites. Stick with reputable all-and-everything sites like Amazon, Walmart, and Target, or popular brand sites, like Gap, American Eagle, Home Depot and REI.
3. If you don’t regularly shop at a particular online store, don’t save your credit or debit card information there. Make your purchase as a guest, or fill out a one-time purchase form.
4. Be wary of brand look-alike offers and emails. Scammers know you are in a hurry already this time of year, so be extra cautious with all those “amazing deal” emails.
5. Be sure to check your credit card and bank statements regularly, but especially around the holidays.

In addition to these holiday shopping tips, I want to remind everyone that the idle workstation lock policy will go into effect on January 6th. Again, this simply means that most college-maintained computers on campus, if left idle for ten minutes, will lock the desktop, requiring the user to enter their credentials to regain access. Information Technology has been working hard to make sure this policy does not impact computers in classrooms, meeting rooms, and other places where there is a potential for the policy to interrupt classes or meetings.

There will not be an Information Security table in Krannert during December or security awareness posters distributed, but both will return in January. Also returning in January will be the LunchITS security awareness sessions. There will be two of these in January, one on account security, and the other on general security awareness. They will be posted to the Events Calendar here on the News & Alerts site and on the college calendar.

Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me.

Also coming in the new year is another in-house written, filmed, and produced security awareness video. There will be an announcement in the January newsletter with more information.

It will be 2020 before there is another newsletter, so I hope you like the image above.

I hope you all have a wonderful holiday break, find amazing deals, and enjoy your time with your friends and family.

Photo by Annie Spratt on Unsplash

NCSAM Week 4 – BYOD, Know Your Devices, and Keep Up With Your Devices

This week’s discussion of “Own IT, Secure IT, Protect IT” is all about devices – smartphones, laptops, tablets, watches, and other “smart” things.

Students, faculty, and staff have been “bringing their own devices” (BYOD) here at the college for nearly two decades. The nature of our network requires us to modify how we use these devices compared to how we use them on our home networks, but the end goal is the same. We want to be able to connect quickly and safely to the Internet. The Office of Information Technology (OIT) has worked tirelessly over the years to make connecting to the network easy, reliable and secure. There have been times when the sheer number and diversity of devices made that hard to accomplish, but with cooperation from everyone, it is possible.

Own IT

First, make sure your device, whatever it is, is fully up to date with all software patches. This will be one of the first troubleshooting steps (after rebooting it) that OIT will ask you to complete when having issues with connectivity. Devices with unpatched issues can disrupt our networks or, if infected with malware, even compromise other devices. Second, make sure you lock your devices to protect the data on them. Finally, if you have any issues connecting to the wireless network, be sure to contact OIT by emailing computing@berry.edu. Please refrain from using the guest wireless network, as it does not provide the same level of security as the Berry or EZConnect networks.

Here is OIT’s web page about connecting to the wireless network. Consult it first before contacting OIT. The answer to your question may be there. On that page are links to operating system and device specific instructions.

Secure IT

Know how to secure your device. Before you dive into all the whiz-bang features on a new phone or tablet or other device, find out how to secure the device. Do you need to change a default password? Do you need to run updates? Are there additional ways to secure your device, like fingerprint scanners, facial recognition, PINs, or other methods? Device security is all about layering multiple protections, so be sure to enable all your available mechanisms. Also, be sure to register your device, especially phones and watches and other devices that could potentially be lost, with a locating service. Both Apple and Google have mechanisms that could potentially allow you to find a lost device. Here are the links to that information (the Google link asks you to log in to your Google account, so there is an additional link to an article to walk you through the process without logging in to Google):

Apple Find-My

Google Find My Device

Here is the article that clearly explains the Google process

Protect IT

Speaking of lost devices, take steps to ensure you can keep up with your device. Does it need a case? Phones these days are so slim and built with rounded corners and edges that it is easy to drop them or for them to slide out of a pocket. Find a good case that affords you a good grip and make sure it doesn’t easily slip from wherever you carry it. Popular these days are the extendable stands like the PopSockets and some cases have stands or handles built into them. Be sure you can keep track of your devices. Choose cases and accessories for your phone that make them stand out from the sea of phones identical to them everywhere. Colorful cases, stickers, and other identifying items tend to discourage the casual phone-grabber, as it may make it harder for them to get rid of the phone. It will most certainly make it easier for you to spot your phone if you leave it lying around somewhere.

Here is the link to the PopSockets site

OtterBox makes great cases, but their prices can be premium

To find something that suits your style and budget, fire up your favorite shopping site and search for “smart phone cases” or “cell phone cases”. You are sure to find something.

I hope you found this article informative. If you have any questions about any of this information, please either email me directly at infosec@berry.edu or, if your question is not about sensitive information and you think others might benefit from the answer, you can post your question to the Q&A page of this site. Just click on the “Q&A” in the top menu.

Check the table in Krannert on Thursday for info and goodies and another chance to put your name in the pot for the prize bag worth over $75 to be awarded on Halloween. Also, please take a moment to read each week’s article as they post.

Now for some fun… enjoy this one man show video about passwords and password managers, starring your Director of Information Security (who is not a paid actor…)

You will have to log in with your email credentials to view the video on Microsoft Stream:

Students – here is your link

Faculty and Staff – here is your link

Tune in for our last article next week when we talk about the IoT, MFA and PhySec! If you don’t know what those are, definitely check out the article next week.

NCSAM Week 2 – Privacy, Safe e-Commerce, What’s Out There About Me?

Welcome to week 2 of National Cyber Security Awareness Month!

This week we will again explore all three aspects of this year’s theme – “Own IT, Secure IT, Protect IT”. Remember, the “IT” stands for “information technology”, and, just like we have to do regular maintenance on our cars or bikes, we have to do regular maintenance on our digital presence.

We talked about safe social media posting last week in relation to “owning” our IT. Let’s continue to talk about social media, but this week we’ll focus on making sure you have checked the privacy settings of all your social media accounts. There are a lot of resources to help you with this; the best ones should be on the specific sites themselves. Go to the support section of all your social media sites and look for information on default privacy settings and make sure you are comfortable with them. If not, change them to suit your comfort level. Beyond the support section of your social media sites, here are a couple of links to more privacy resources:

10 Ways to Protect Your Privacy on Social Media

How To Manage Your Social Media Privacy Settings

Realize that social media sites are continually updating their systems and therefore, some of these tips may no longer be applicable or accurate.

We buy more and more things online these days, from electronics to cars to tonight’s dinner. As part of “securing” our IT, let’s talk about staying safe while using e-commerce sites. Any time you make purchases online, be very careful to only provide as much information as is needed to complete your purchase. Unless you use a particular site almost daily, don’t allow sites to save your credit or debit card info. Data breaches happen every week. The fewer places your financial information is stored, the better. Always make sure any page you submit credit or debit card info on (or any sensitive or private info) is secured via HTTPS. Browsers have changed how they display this now. Until recently there was a green padlock in the address bar of the browser; now the padlock is either gray or missing entirely if the page is secured. If it is NOT secured, the browser should clearly indicate this, though how this is done varies from browser to browser. Finally, make sure the sites you purchase on are reputable. If you’re not sure, open another tab in your browser and look for reviews. The Internet is great for that! Click here for a resource with more details about shopping securely from the folks at the SANS (SysAdmin, Audit, Network and Security) Institute. This is an OUCH! newsletter, a free resource from SANS you can subscribe to on their site, sans.org.

Finally, to “protect” our IT, go hunting for yourself online sometime. You can do a simple Google search, or use some of the many available resources to see how much of your information is out there. One great resource is Troy Hunt’s Have I Been Pwned website. Here you can input your email address(es) into a search form and the site will tell you if your information has been a part of any of hundreds of data breaches, spanning back for years. If you are really curious about what exactly is out there, you can use one of a number of people search engines like Spokeo or Pipl. To get details requires a purchase of some kind on either site, but they can be spookily accurate and precise about who knows what about you.

Now that you have some idea what is out there, how do you get rid of it? Or fix it, if it is inaccurate? If you can pinpoint the source of inaccurate information, you can usually go directly to the site and get help remediating the issue. If not, there are other resources out there to help you with this. Here are a couple:

UnListMy.Info

Privacy Rights Clearinghouse

I hope you found this article informative. If you have any questions about any of this information, please either email me directly at infosec@berry.edu or, if your question is not about sensitive information and you think others might benefit from the answer, you can post your question to the Q&A page of this site. Just click on the “Q&A” in the top menu.

Check the table in Krannert on Thursday for info and goodies and another chance to put your name in the pot for a prize to be awarded on Halloween. Also, please take a moment to read each week’s article as they post.

Here is this week’s video, a funny clip about over-sharing on social media, which would have been more appropriate last week, but I couldn’t not share it with you:

Social Media Privacy by Habitu8, The Security Awareness Video Company

Tune in next week when we talk about data and phishing!

March News from Information Security

March is here! Spring Break can’t be far away. This month we are focusing on protecting your rights as a consumer. We are all consumers at some point and we should take proactive steps to make sure we are making good financial decisions and setting ourselves up to be able to recover from identity theft.

This article is posted today so that you can read it before National Consumer Protection Week (March 3-9) begins. This week is dedicated to helping consumers know their rights and make well-informed decisions about their finances. Check out the FTC site linked above for more information.

Identity theft has become a fact of life during the past decade. If you are reading this, it is a safe bet that your data has been breached in at least one incident. Does that mean we are all helpless? Thankfully, no. There is a lot we can do to protect ourselves from identity theft and to make recovery from cyber incidents quicker and less painful.

First, take control of your credit reports. Examine your own report at each of the “big three” bureaus. You get one free report from each credit bureau once per year. You can request them by going to AnnualCreditReport.com. Make sure there’s nothing inaccurate in those reports, and file for correction if needed. Then initiate a credit freeze at each of those plus two other smaller ones. Instructions can be found at Krebs on Security. To keep an eye on your credit report all year, space out your credit bureau requests by requesting a report from a different credit bureau every four months.

Next, practice good digital hygiene. Just as you lock your front door when you leave home and your car when you park it, make sure your digital world is secured. This means:

  1. Keep your operating system up to date. When OS updates are released, they fix errors in the code that could let the bad guys in. Be sure to update. It takes a few minutes, but could protect you from serious financial harm.
  2. Do the same for the application software you use. Web browsers, plug-ins, email clients, office software, antivirus/antimalware, and every other type of software has flaws. When those flaws are fixed, you are in a race to install that fix before someone uses the flaw against you. The vast majority of hacks leverage vulnerabilities that have a fix already available.
  3. Engage your brain. Think before you click. Think before you disclose personal information in a web form or over the phone.
  4. Think before you share on social media sites. Some of those fun-to-share-with-your-friends quizzes and games ask questions that have a disturbing similarity to “security questions” that can be used to recover your account. Do you want the answers to your security questions to be published to the world?
  5. Use a password manager and keep a strong, unique password for every site or service you use. That way a breach on one site won’t open you up to fraud at other sites. See the article posted right here on this website about password managers.
  6. Back. It. Up. What do you do if you are hit with a ransomware attack? (Or a disk failure?) If you have a recent off-line backup, your data are safe, and you can recover without even thinking about paying a ransom. Check into cloud storage like Dropbox and OneDrive and backup options like iDrive, Acronis, and Carbonite.
  7. Full disk encryption is your friend. If your device is stolen, it will be a lot harder for a thief to access your data, which means you can sleep at night. This is available in both Windows and macOS operating systems and almost all smartphones.
  8. Check all your account statements regularly. Paperless statements are convenient in the digital age. But it is easy to forget to check infrequently used accounts. Make a recurring calendar reminder to check every account for activity that you don’t recognize.
  9. Manage those old-style paper statements. Don’t just throw them in the trash or the recycle bin. Shred them with a cross-cut shredder. Or burn them. Or do both. Data stolen from a dumpster are just as useful as data stolen from a website.

If you’ve been a victim of identity theft:

  • Create an Identity Theft Report by filing a complaint with the Federal Trade Commission online (or call 1-877-438-4338).
  • Use the Identity Theft Report to file a police report. Make sure you keep a copy of the police report in a safe place.
  • Flag your credit reports by contacting the fraud departments of any one of the three major credit bureaus: Equifax (800-685-1111); TransUnion (888-909-8872); or Experian (888-397-3742).

Set aside some time in March to manage your financial accounts and take precautions like those listed above.

For more information, check out the FTC video “Five Ways to Help Protect Your Identity”.

The content above is provided by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council.

Be on the lookout for new security awareness posters in the residence halls and other locations on campus. There will be a table in Krannert toward the end of the month, after Spring Break. There will be two more chances to win a prize, one related to the posters and another at the table in Krannert.

Below is a list of useful resources, including some mentioned above.