Data Breach Notification: Nitro PDF

In September of 2020 there was a breach of the Nitro PDF service. There were 77 million records exposed, which included email addresses, names and passwords for the service.

There were 161 berry.edu or vikings.berry.edu email addresses included in the breach.

To find out if your information is included, you can go to Have I Been Pwned and enter your email address in the search form. While you are there, you can also sign up for breach notifications involving your Berry or other email addresses by clicking on “Notify Me” at the top of any page on the site.

If your information was included, be sure to change your password for the Nitro PDF service. Also, check your settings to make sure they have not been altered.

Be sure to NEVER reuse your Berry email password for any other website or service! Stay vigilant against phishing emails by learning what to look for. Check out the Phishing Quick Info page here on this site at a minimum.

As always, if you have questions about any of this, you can contact Information Security using the information on the right-hand side of any page on this site.

If you haven’t signed up for multi-factor authentication (MFA), you will soon be enrolled by the Office of Information Technology. You can still request this additional security measure so you can set it up on your timeframe, before it is required.. MFA adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and Virtual LunchITS will be posted.

December News from Information Security

Welcome to one of the strangest Decembers we’ve ever had here at Berry. It is certainly the strangest of my 30 years here. The students are gone, but not done. Finals loom for some of them, then almost two full months of no school. What will we do in the silence?

I’m sure we all have different answers to that question, so I’ll leave it hanging rhetorically.

This newsletter will be a little different from previous ones. We’ll be focusing on a minimal number of topics, but for one in particular I will ask for a couple of extra minutes of reading time from you.

If you have perused this site much you will know that I post breach and data exposure announcements here periodically, usually when they affect a good number of the community. If you’ve been unlucky enough to be impacted by a breach, you may have received an email from me explaining what data was exposed and what you should do about it.

A recent notification came to me, announcing that 189 emails belonging to Berry community members had information exposed, specifically passwords. Most breaches affect no more than a couple dozen Berry email addresses and when I get the notices I will sort through them, compose an email and send it out to those affected. This number of emails was larger, but still manageable. Then I read further into the announcement. Those 189 emails were scattered across more than 23,000 potential websites and services. The data did not include enough information to determine which email address went with what service or website.

The bottom line is, 189 Berry community members, who could be faculty, staff, students, alumni, or even retirees, have had a password for some service exposed. You can find out if you were one of these 189 by going to the Have I Been Pwned website and putting in your Berry email address in the search form.

You may find that in addition to this massive exposure notification containing 226 million unique emails, named Cit0day, you may have had information related to your Berry email address exposed by other data breaches. I encourage you to not only check your Berry email, but your personal email accounts as well, and those of your family if you are so inclined. I also strongly encourage you to sign up for notifications from Have I Been Pwned. The link (Notify Me) is at the top of the main page there. It is free and if your email address shows up in a data breach, you’ll get an email notification directly from Have I Been Pwned giving you as much information about the breach as is available.

The important question, once you determine that you are indeed affected by a data breach is this – What do I do now?

Generally, I will suggest you change your password for the service or website that experienced the breach, check that your account information is correct, and if financial data was involved, to closely monitor your bank account and credit card accounts. In the case of the Cit0day notification, you will have no idea which of your twenty to one hundred or more accounts has been affected. What do you do then?

The “nuke the site from orbit” approach would be to reset the password on EVERY account you have. Do you even know all of your accounts? Who hasn’t signed up on a site for a specific purpose, never to return? What data might you have had to give up to create that account? Did it include a credit/debit card number or bank account number?

The real question to ask at this time, if you are affected by the Cit0day announcement is – Did I reuse the password for this account, whatever account it was? Realizing, again, that there is no way to tell what specific service or website exposed the password.

That question leads to the next – How many other accounts are now vulnerable because I reused this exposed password? The scary part is, you don’t have an answer to this question, because you don’t know what account is compromised.

Which leads to the most important question in this article – Why are you not using a password manager to create a unique password for EVERY account, service, and website you use?  Yes, it takes time to set it up.  For some, time is money, right? How much does thirty minutes cost you? The entire amount in your bank account? Unlikely. The maximum amount on your credit line? Probably not.

If you had used a password manager to create a unique password for your account on whichever site among the 23,000 possible  ones that were affected , the potential damage to you would have been limited to that one site. If you reused a password, or worse, use the same password for everything, then the damage could be much greater.

Please, if you are not using a password manager now to manage your accounts, start using one. I’ve written on the subject multiple times here in the monthly newsletter and during Cybersecurity Awareness Months, both this year and in years past (all of which are available from the main menu of this site).

Take a few minutes and visit the links below. Check out the flyer linked at the Quick Info page for some password managers. If you don’t want to follow links,  just type “best password manager” into your favorite search engine. There are password managers for all platforms (Windows, macOS, Linux, Android, iOS, web browsers), needs, and budgets.

Quick Info page on Password Managers

In-depth knowledge article on password managers on this site

Why you need a password manager flyer (PDF)

Two-sided password flyer linked in the Quick Info page above (PDF)

Good password policies flyer with a paragraph at the bottom about password managers (PDF) Don’t try to use the link at the bottom, it is broken.

Because the link in the above PDF is broken, here is a link to a great article on password managers-the good, the bad, the ugly, and the beautiful. My apologies for the pop-up ads, but the article is worth the annoyance. If you read nothing else, read this article.

Whew! That was password managers. The next and final item I want to emphasize in this newsletter is multifactor authentication (MFA). MFA is coming to all accounts at Berry – faculty, staff, and students. With some personnel issues that have come up, the rollout may be delayed a bit, but it is still coming.

Again, I have written about this multiple times over the course of maintaining this site. There is a Quick Info page on MFA for the impatient, or you can go read the instructions for setting up MFA here on the main Berry website. If you are still unclear about why we are requiring this, check out this FAQ article, also on the main Berry website.

You can still request MFA for your account by emailing computing@berry.edu.

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets.

Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me.

Food for Thought

 

Featured Image: Photo by Science in HD on Unsplash

“2020 Anti Virus Protection” Emails are Fake

One of the first things you will notice about these fake “anti virus” protection emails is the odd font in the subject line. A small font, sized at half the height of normal fonts, it looks…odd. This is red flag #1. If you bother to open the email and hover on any of the links, you will notice they do NOT go to either a Norton site or a Symantec (the owner of Norton) site. This is red flag #2. Closely related to this is red flag #3…the email did not come from an address of either company.

The email does contain an image, shown below, which purports that this email came from an “affiliate” of Norton, but does provide a name. All links in the email go to the same domain, flagged as a phishing domain by security company Kaspersky – red flag #4.

You should just delete these emails. If you have opened one and clicked on a link, please let me know so we can discuss the potential impact of this action and what steps you may need to take next. You can email me at infosec@berry.edu.

 

 

Featured Image credit: Photo by stephen momot on Unsplash

Emails offering a personal assistant job opportunity are fraudulent

UPDATE: A new version of this fraud was sent from a compromised Berry account recently. The subject of the email was “P.A Job Offer”. It was offering $500 a week to be a personal assistant. As mentioned below, do not reply to this email, as it is an attempt to steal money from you.

An email has been sent to the majority of the Berry College students claiming to offer a work-from-home assistant job. This offer is fraudulent and is not a valid job offering. Do not send information to the address in the email or give out any personal information. The full text of the email is shown below for reference. The most obvious indicator of fraud is the fact that the sender in the “From” line ( not shown, but is in fact Jane.Lee@vikings.berry.edu) does not match the closing signature line (Jane Hickman). This type of email may show up again, slightly modified, with different names, wages or responsibilities, so be very careful with offers like this.

Hello and Good day,
Dr. Alex is currently looking out for an assistant who is self motivated, reliable, articulate and eager to learn with minimal supervision required to work-from-home part time as his Personal Assistant.

Job Scope:

> Manage diary and schedule meetings and appointments??
> Screen and direct phone calls and distribute correspondence
> Produce reports, presentations and briefs
> Make travel arrangements

Hours:  An Average of 12hrs weekly
Wages: $200.00 weekly

If interested, Submit your resume/cover letter directly to Dr. Alex via: alexwaton27@gmail.com

Sincerely,
Jane Hickman

Originally posted June 18, 2019. Updated June 22, 2020.

VM Notifications and Signature Requests are Fraudulent

Many of you have received (and some have reported – thanks!) two fairly new phishing emails to appear in our inboxes.

The first one is a (sometimes incorrectly) targeted voice mail notification. It appears to come from a Berry address if you don’t look closely. The subject line states “VM message from” and then has an area code and prefix, but the last four digits of the phone number are starred out. It also states that the VM was “received and processed” on a specific date. Opening the email shows an “Office365” logon and “Voicemail Service” in a large, plain type. It tries to get you to open an attachment which has an HTML link which most likely redirects to a fake Office365 login page.

Here is an image of the email:

The second type of phishing email is a fraudulent request for a signature on a document, ostensibly an auto proposal. These email also  purport to be from Berry, but actually come from another educational institution. The phishers have either compromised a mail server there or have simply rewritten the From address to look like “<your username>@<the other institution>.edu. The phishers also insert your username into the subject line, which is intended to grab your attention. The full subject line reads: Signature requested for “<your username> – Auto Proposal 20-21”

It gets weirder when you open the email to see the following in the body of the message:

Message Duration: 00:29 secs
Sent by berry.edu – Audlo Management Conferenclng System.

There is an attachment that is supposed to be a voice message, but is actually a document with a link in it, probably going to a fake login page, but you are not explicitly instructed to open it. Apparently, the phishers assume you will open it. Don’t do that…
If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted.

Photo Credit: Photo by Mael BALLAND on Unsplash

COVID-19 Job Offer Emails are Fraudulent

An email has been sent to campus inboxes about a COVID-19 “Work Online From Home Job” paying $500 a week. This email is fraudulent. Do NOT reply to the email with your information. The email did not have a warning banner because it came from a compromised Berry account. Below is a picture of the email.

Please report these emails using the “Report Email As Phishing” button in your client or forward them to infosec@berry.edu and then delete them from your computer/device.

May News from Information Security

Wait?

It’s May already?

Where did April go?

It passed by as we were stuck at home and no, you didn’t miss the the April newsletter, as it was lost in the work-from-home shuffle. There’s a hint of a light at the end of the coronavirus tunnel as some businesses are opening and some restrictions lifted, but that’s all I’m going to say about that…

While we may not have been as busy during this time, phishers, scammers, and other bad actors have gone into overdrive. Some sources have placed the increased fraudulent traffic as 300% higher this last quarter over the same quarter from 2019. The amount of emails attempting to leverage the coronavirus and associated fears has grown astronomically and the phishers have an edge in this environment – we’re already stressed and uncertain.

There are emails purporting to have a cure for the disease, others with great deals on PPE (who figured that acronym would ever become common?), some trying to steal CARES relief funds, and others trying to convince people they have come in contact with someone with the virus. That’s just a tiny sample. There are some new articles on this site covering social media surveys, Skype password phishing, and complaint scams. The COVID-19 article was updated multiple times with new information. If you haven’t read those yet, you should check them out after you’re done reading this.

Myriad opportunities abound to phish, scam, and deceive people who have severe cases of cabin fever, restlessness and real fears about jobs and finances. No stress point is neglected in the daily attacks from bad actors trying to compromise accounts, steal credentials, and wreak havoc in an already chaotic environment. Many people are learning new ways to work, communicate, shop, eat, and socialize. All of the “new” is irresistible to scammers and phishers. Here is what I consider the number one safety tip (with some examples) to safely navigate this new (hopefully temporary) normal.

  • Almost all email should be considered suspect at this point. Apply a much higher grade of scrutiny to any and all emails you receive.
    • Emails like the ones mentioned in the Skype phishing article will appear to come from a variety of services, all of them trying to get you to click on that link or button in the email to check your notifications. Don’t!!! Simply log in to the site or service like you normally would, and if you have notifications, they will be there.
    • Emails asking for banking information or other financial information should be VERY carefully scrutinized. Most will be fraudulent. If you or a family member need to supply banking information to receive CARES funds or are having to deal with unemployment, make sure you are going to the right resources. Numerous government sites are available including the Health and Human Services site  and the primary government site about coronavirus information. The Georgia Department of Labor site is where to get answers about the process of receiving unemployment benefits.
    • Phishers haven’t given up on old themes. We have received plenty of emails to campus inboxes purporting to be from college department heads, all the way to President Briggs, asking you to for a “favor” or with an “urgent request”. Don’t fall for these! Check the From address and look for the external email banner to determine the validity of emails like this. The fact that they should be EXTREMELY rare should immediately render them suspect.

On a somewhat different topic, check out the new voicemail notification Quick Tip here on the site. It explains how to tell if a voicemail notification received via email is valid or not.

Here’s hoping that things will get back to normal soon, even if normal is slightly different. As always, if you ever have a question about an email or other questions about information security, please don’t hesitate to contact me at infosec@berry.edu, extension 1750 or 706-236-1750. I’m still working at home, like many others.

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup take only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted (whenever we get to the point we can do that).
Photo Credit: Photo by Jose Antonio Gallego Vázquez on Unsplash