CAM Week 3 – Phishing and Healthcare Devices

Welcome to week 3 of Cybersecurity Awareness Month!

I hope you are all advancing in the Virtual Scavenger Hunt (VSH), but if not, there are some clues later in the article to help you along. If you haven’t yet started, you still can, giving you a chance to win the Monster Isport Ear Buds Monster Clarity 102 AirLinks Wireless Ear Buds. If you’ve been paying attention, you’ll notice that our grand prize has changed. Unfortunately, everyone else thought the Isport Ear Buds were cool, too, and we ran into a supply problem, as in, we couldn’t get a pair. Fortunately, Monster makes several great sets of ear buds and we picked a comparable pair to replace the Isports. You can click the link above to check them out on the Monster website.  You can head over to the VSH start page using the link at the bottom of the article, but hang here for a little longer to read about the main topics.

Those main topics are phishing and what the Office of Information Technology (OIT) is doing to combat it, and securing Internet-connected devices in healthcare. While this second topic doesn’t seem appropriate, as Berry is a college, not a hospital, we will specifically talk about the many different healthcare devices that are available to consumers, from smart watches and athletic trackers to insulin pumps and smart asthma monitors.

Phishing And The Phish Alert Button

Before we talk about all those incredible Internet of Things (IoT) devices, let’s return to discussing phishing. If you read last week’s article, you’ll remember that there was a quick blurb at the end talking about the importance of detecting and reporting phishing emails you receive.

The first step, of course, is to detect a phishing attempt. How do you do that? What’s the secret to knowing that an email is a phishing attempt? Here’s some items to check in an email to make sure you don’t get hooked.

    1. Make sure the “From” address matches the purported sender.  For example, if an email claims to be from Amazon, but the “From” address is from some account at a Gmail address, it’s probably a phishing attempt
    2. If the greeting is generic, as in “Dear Customer” or “Dear Sir/Madam”, there’s a good chance it is a phishing attempt. Legitimate emails from companies you do business with will seldom start this way. They will either have no greeting, or the greeting will address you by name. Also beware of greetings (and subjects) that refer to you by your email username. These are most likely phishing emails as well
    3. Poor grammar and spelling. No legitimate company will send out email with poor grammar or spelling. It would reflect poorly on them.
    4. Urgency is another warning sign. Emails that require “immediate attention” or warn of dire consequences if you don’t act quickly are most likely phishing attempts.
    5. Links and attachments are both signs that an email is a phishing attempt. Even if you are expecting an attachment from someone, it can be a good idea to simply confirm with them via phone or other method that they sent it.
    6. Lotteries, donations, investment opportunities, get rick quick schemes, unsolicited job opportunities and inheritances from people you don’t know are almost always too good to be true.

If you would like to see real examples of phishing emails, you can visit the Berry College Phishbowl, located here on the InfoSec News and Alerts site.

If you receive a phishing email, even if you are not 100% sure, report it. If it is not a phishing email, you’ll get a reply explaining why it is not. To help OIT combat phishing, please report these phishing attempts using the “Report Email as Phishing” button, which is available in the mail.berry.edu webmail interface and on mobile versions of Outlook, as well as the traditional Outlook client on PCs and Macs. In Outlook, it should appear in the ribbon menu as an open envelope with an orange hook. On the web and mobile, you will find the button under the “three dots” menu in the top right corner of the window when you open an email.

It’s very important to report these emails using the button and not to simply forward them to Information Security or delete them, as this allows us to take action on these emails to protect the community. OIT has invested in a system to be able to mitigate phishing emails, but its effectiveness relies on you reporting phishing attempts. So report all the ones you receive to help us protect you.

IMPORTANT OPPORTUNITY ALERT!!!

If you want to learn more about how to spot phishing emails, there is a Virtual LunchITS scheduled for October 22nd at noon. It will be held over Zoom, will last under an hour and will give you a definite edge in spotting phishing emails. I encourage you to sign up to attend. You can do that right in the event. Just click on it in the Event calendar on the InfoSec News and Alerts site and fill out an RSVP. There is no cost, but to make the Zoom meeting secure, you must request access to the LunchITS so I can send you the course resources and the meeting link and password.

Securing Internet-Connected Devices in Healthcare

Everything can be connected these days, from smart watches, like the Apple Watch, to dedicated fitness trackers like FitBits, to shoes like Under Armour’s HOVR running shoes. Healthcare devices are prime candidates for connecting to the network, as they can produce historical data that can be used to make health decisions, or can be controlled remotely with a smartphone app. Once they are connected, they are targets, just as we mentioned last week about IoT devices on your home.

How can we make sure that these devices are securely connected? Here are some tips to help you make a secure connection with your “healthy” devices.

    1. Choose well-known, reputable brands that won’t disappear on you after you purchase the product.
    2. Make sure you follow the vendor-provided instructions for connecting it to the network.
    3. Once it is connected to the network, make sure you update the device to the latest version of the software or firmware running on it.
    4. Be sure to continue to update the device, or, if it is capable, set it to auto-update when updates are available.
    5. Keep track of your devices, particularly those that collect data about you and your activities, like smart watches and fitness trackers.

Those of you who have consumer medical devices like insulin pumps, continuous glucose monitors, pacemakers, asthma monitors or inhalers and other devices that can potentially disrupt your health should be extra careful in following the tips above. Most of these devices have online communities and vendor supplied resources that can help you stay aware of any potential issues with your particular device. If you’re not connected to any resources like this, use your favorite search engine and see what’s out there.

One more thing before we get to the VSH clues…you will soon be receiving, or may have already received, an email informing you of when multi-factor authentication (MFA) will be enabled on your account. Don’t delete these emails or report them as phishing! They are real. The emails will provide you with resources about how to set up MFA. If you want to have MFA enabled on your account before your appointed date, email computing@berry.edu and let them know you want MFA.

OK, it’s time to throw some hints to those of you who can’t seem to make your Week 2 Virtual Scavenger Hunt answers get you to week 3.

    • For the first question – The Events calendar for the InfoSec News and Alerts Site is right on the main menu. Once you go there, choose the monthly view, if it is not the current view. You’ll see the event in question as the only single day event in October.
    • For the second question – be sure you put a leading zero on your answer to come up with a four digit month and day answer
    • For the third question – Be sure to jump into the section on ransomware to find the answer.
    • For the fourth question – The largest breaches in the Have I Been Pwned database are listed on the left side of the main page.
    • For the fifth question – Follow this link to the security awareness poster that is in the residence halls and in Krannert.

IMPORTANT: You don’t have to resubmit your answers on the week 2 form, but these clues should help you get the correct URL for week 3 of the scavenger hunt.

If you haven’t started the scavenger hunt, here is the start page. Good luck and happy hunting!

Virtual Scavenger Hunt Start Page

 

Photo Credit: Photo by Solen Feyissa on Unsplash

Data Breach Notification: Covve

In February of 2020, it was revealed that Covve, who bills their address book app as the “smartest, simplest, contacts app”, experienced a data breach. Covve left a database exposed to the Internet without a password. There were nearly 23 million records exposed by the site, which included email addresses, job titles, names, phone numbers, physical addresses and social media profiles. Your data might have been included in the breach even if you did not use the service, as the data was provided by users of the service who chose to sync their phone and email contact lists with the site.

There were 57 berry.edu or vikings.berry.edu email addresses included in the breach.

To find out if your information was included, you can go to Have I Been Pwned and enter your email address in the search form. You can also sign up to be notified when your information appears in a breach by clicking on “Notify Me” at the top of any page on the Have I Been Pwned site.

If your information was included, there is not much that can be done to remove it from circulation. There were no passwords exposed by the breach, but there was plenty of personal information, as mentioned above. Hackers may attempt to impersonate your contacts or you using the information. As always, be very cautious when dealing with unexpected texts or emails, especially when they contain links or attachments.

Be sure to NEVER reuse your Berry email password for any other website or service! Stay vigilant against phishing emails by learning what to look for. Check out the Phishing Quick Info page here on this site at a minimum.

As always, if you have questions about any of this, you can contact Information Security using the information on the right-hand side of any site page.

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me.

February News from Information Security

Welcome to the much delayed February newsletter! I apologize for the tardiness of this edition.

There is a fair amount of news to share, some of it WAY overdue, so I’ll start there.

First, if you are using multi-factor authentication (MFA), you experienced a change in your password settings this week. I apologize for the unannounced change, that was not the way it was planned. The change includes two very important modifications to your password requirements – first, and most importantly, your password does not expire for 365 days! That’s a whole year to not have to worry about changing passwords. Second, and still very important – your minimum password length has changed from 8 characters to 14 characters. Yes, that is a big change, but it shouldn’t be an issue, as you have a whole year to come up with another password! The change was important due to the increased maximum password age. A 14 character password is exponentially harder to crack than an 8 character password. Your basic password security is still important. If you have issues creating a 14 character password, please take a look at the good password guidelines Quick Info guide here on the site. It is a good quick resource for creating strong passwords.

Second, please check the recent post on this site about a data breach on the Adult Friend Finder website. There were 22 Berry email addresses included in that breach.

The third item on our list refers back to the first one. If you are not using MFA, you should be! In addition to only having to change your password once a year, you get the added security of multi-factor authentication. All faculty, staff and students are eligible and encouraged to use MFA, not only for Berry accounts, but for all of your accounts that support it. Multi-factor authentication and creating secure passwords are two life skills many of us never thought we would have to learn, but here we are!

Fourth, there is a LunchITS planned for Thursday, February 13th from noon until 1PM in Krannert 109. Bring your sack lunch or grab something in Krannert and come learn how to quickly spot phishing attempts and get a clearer understanding of the tactics, techniques, and procedures used by phishers as they attempt to sink a hook into our organization.

Finally, in lieu of a topic of discussion here in the newsletter, take a look at this great SANS OUCH! newsletter for February about Social Media Privacy. It goes right along with information from our recent Data Privacy Day back on January 28.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted.

 

Photo Credit – Photo by Yura Fresh on Unsplash

Data Privacy Day – Krannert Table

Come by the Information Security table in Krannert between 11:30 and 1:00 PM for information about protecting your privacy, the chance to ask questions and get answers face to face, and to pick up some delicious edible items.

Data Breach Notification: Data Enrichment Exposure

In October, a large database was left unsecured and exposed to the Internet. This database contained “enriched” data profiles, which means that someone had taken some basic information about a person, like an email address or social media profile, and then searched and cross-referenced publicly available data to gather as much information as possible about that person. Companies do this for millions of people and then sell these “enriched” profiles to ad companies to help them target potential customers. It’s one of the reasons you get SO MUCH SPAM.

There were over 600 million accounts in the exposed database. There were 2,789 berry.edu or vikings.berry.edu email address in those records. There were NO passwords included in this breach.

To find out if your information is included, you can go to Have I Been Pwned and enter your email address in the search form. You can also sign up for breach notifications from Have I Been Pwned by clicking on “Notify Me” at the top of any page on the site.

The information included email addresses, employers, geographic locations, job titles, names, phone numbers, and social media profiles. While none of the individual pieces of this information alone are considered damaging or sensitive, the accumulation of this data in a single profile not only helps advertisers, but it also helps scammers more accurately target people by sending focused phishing emails that seem more credible.

Stay vigilant against phishing emails by learning what to look for. Check out the Phishing Quick Info page here on this site at a minimum.

As always, if you have questions about any of this, you can contact Information Security using the information on the right-hand side of any site page.

 

NCSAM Week 4 – BYOD, Know Your Devices, and Keep Up With Your Devices

This week’s discussion of “Own IT, Secure IT, Protect IT” is all about devices – smartphones, laptops, tablets, watches, and other “smart” things.

Students, faculty, and staff have been “bringing their own devices” (BYOD) here at the college for nearly two decades. The nature of our network requires us to modify how we use these devices compared to how we use them on our home networks, but the end goal is the same. We want to be able to connect quickly and safely to the Internet. The Office of Information Technology (OIT) has worked tirelessly over the years to make connecting to the network easy, reliable and secure. There have been times when the sheer number and diversity of devices made that hard to accomplish, but with cooperation from everyone, it is possible.

Own IT

First, make sure your device, whatever it is, is fully up to date with all software patches. This will be one of the first troubleshooting steps (after rebooting it) that OIT will ask you to complete when having issues with connectivity. Devices with unpatched issues can disrupt our networks or, if infected with malware, even compromise other devices. Second, make sure you lock your devices to protect the data on them. Finally, if you have any issues connecting to the wireless network, be sure to contact OIT by emailing computing@berry.edu. Please refrain from using the guest wireless network, as it does not provide the same level of security as the Berry or EZConnect networks.

Here is OIT’s web page about connecting to the wireless network. Consult it first before contacting OIT. The answer to your question may be there. On that page are links to operating system and device specific instructions.

Secure IT

Know how to secure your device. Before you dive into all the whiz-bang features on a new phone or tablet or other device, find out how to secure the device. Do you need to change a default password? Do you need to run updates? Are there additional ways to secure your device, like fingerprint scanners, facial recognition, PINs, or other methods? Device security is all about layering multiple protections, so be sure to enable all your available mechanisms. Also, be sure to register your device, especially phones and watches and other devices that could potentially be lost, with a locating service. Both Apple and Google have mechanisms that could potentially allow you to find a lost device. Here are the links to that information (the Google link asks you to log in to your Google account, so there is an additional link to an article to walk you through the process without logging in to Google:

Apple Find-My                                         Google Find My Device                          Here is the article that clearly explains the Google process

Protect IT

Speaking of lost devices, take steps to ensure you can keep up with your device. Does it need a case? Phones these days are so slim and built with rounded corners and edges that it is easy to drop them or for them to slide out of a pocket. Find a good case that affords you a good grip and makes sure it doesn’t easily slip from where ever you carry it. Popular these days are the extendable stands like the PopSockets and some cases have stands or handles built into them. Be sure you can keep track of your devices. Choose cases and accessories for your phone that make them stand out from the sea of phones identical to them everywhere. Colorful cases, stickers, and other identifying items tend to discourage the casual phone-grabber, as it may make it harder for them to get rid of the phone. It will most certainly make it easier for you to spot your phone if you leave it laying around somewhere.

Here is the link to the PopSockets site

OtterBox makes great cases, but their prices can be premium

To find something that suits your style and budget, fire up your favorite shopping site and search for “smart phone cases” or “cell phone cases”. You are sure to find something.

I hope you found this article informative. If you have any questions about any of this information, please either email me directly at infosec@berry.edu or, if your question is not about sensitive information and you think others might benefit from the answer, you can post your question to the Q&A page of this site. Just click on the “Q&A” in the top menu.

Check the table in Krannert on Thursday for info and goodies and another chance to put your name in the pot for the prize bag worth over $75 to be awarded on Halloween. Also, please take a moment to read each week’s article as they post.

Now for some fun… enjoy this one man show video about passwords and password managers, starring your Director of Information Security (who is not a paid actor…)

You will have to log in with your email credentials to view the video on Microsoft Stream:

Students – here is your link

Faculty and Staff – here is your link

Tune in for our last article next week when we talk about the IoT, MFA and PhySec! If you don’t know what those are, definitely check out the article next week.

NCSAM Week 2 – Privacy, Safe e-Commerce, What’s Out There About Me?

Welcome to week 2 of National Cyber Security Awareness Month!

This week we will again explore all three aspects of this year’s theme – “Own IT, Secure IT, Protect IT”. Remember, the “IT” stands for “information technology”, and, just like we have to do regular maintenance on our cars or bikes, we have to do regular maintenance on our digital presence.

We talked about safe social media posting last week in relation to “owning” our IT. Let’s continue to talk about social media, but this week we’ll focus on making sure you have checked the privacy settings of all your social media accounts. There are a lot of resources to help you with this; the best ones should be on the specific sites themselves. Go to the support section of all your social media sites and look for information on default privacy settings and make sure you are comfortable with them. If not, change them to suit your comfort level. Beyond the support section of your social media sites, here are a couple of links to more privacy resources:

10 Ways to Protect Your Privacy on Social Media

How To Manage Your Social Media Privacy Settings

Realize that social media sites are continually updating their systems and therefore, some of these tips may no longer be applicable or accurate.

We buy more and more things online these days, from electronics to cars to tonight’s dinner. As part of “securing” our IT, let’s talk about staying safe while using e-commerce sites. Any time you make purchases online, be very careful to only provide as much information as is needed to complete your purchase. Unless you use a particular site almost daily, don’t allow sites to save your credit or debit card info. Data breaches happen every week. The fewer places your financial information is stored, the better. Always make sure any page you submit credit or debit card info on (or any sensitive or private info) is secured via HTTPS. Browsers have changed how they display this now. Until recently there was a green padlock in the address bar of the browser; now the padlock is either gray or missing entirely if the page is secured. If it is NOT secured, the browser should clearly indicate this and how this is done varies from browser to browser. Finally, make sure the sites you purchase on are reputable. If you’re not sure, open another tab in your browser and look for reviews. The Internet is great for that! Click here for a resource with more details about shopping securely from the folks at the SANS (SysAdmin, Audit, Network and Security) Institute. This is an OUCH! newsletter, a free resource from SANS you can subscribe to on their site, sans.org.

Finally, to “protect” our IT, go hunting for yourself online sometime. You can do a simple Google search, or use some of the many available resources to see how much of your information is out there. One great resource is Troy Hunt’s Have I Been Pwned website. Here you can input your email address(es) into a search form and the site will tell you if your information has been a part of any of hundreds of data breaches, spanning back for years. If you are really curious about what exactly is out there, you can use one of a number of people search engines like Spokeo or Pipl. To get details requires a purchase of some kind on either site, but they can be spookily accurate and precise about who knows what about you.

Now that you have some idea what is out there, how do you get rid of it? Or fix it, if it is inaccurate? If you can pinpoint the source of inaccurate information, you can usually go directly to the site and get help remediating the issue. If not, there are other resources out there to help you with this. Here are a couple:

UnListMy.Info

Privacy Rights Clearinghouse

I hope you found this article informative. If you have any questions about any of this information, please either email me directly at infosec@berry.edu or, if your question is not about sensitive information and you think others might benefit from the answer, you can post your question to the Q&A page of this site. Just click on the “Q&A” in the top menu.

Check the table in Krannert on Thursday for info and goodies and another chance to put your name in the pot for a prize to be awarded on Halloween. Also, please take a moment to read each week’s article as they post.

Here is this week’s video, a funny clip about over-sharing on social media, which would have been more appropriate last week, but I couldn’t not share it with you:

Social Media Privacy by Habitu8, The Security Awareness Video Company

Tune in next week when we talk about data and phishing!