Security Information and Announcements

Tips to Secure Your Semester


It's that time of year again - the start of the 2022 Fall semester. This time of year is also a perfect time to consider how to secure your academic and personal information. Here are some tips to ensure you get a safe start to the semester!

  1. Attachments and Links: Cybercriminals are consistent. It doesn't matter if it is the start of the semester, the holidays, or tax season - they know when potential victims are stressed and busy and are perfectly happy to take advantage. With this in mind, use extra caution when receiving email or SMS messages with attachments or links, especially if the message is unexpected or unsolicited. A hoax that is particularly prevalent this time of year is the employment scam. Text or email messages promising lucrative jobs with minimal work sound like a dream come true when a student has a full schedule and bills to pay. The message offers a quick and easy application: simply fill out the attachment or click on a link. However, opening the attachment can install malware on your device, and the link may ask for personal data or install malware to collect data used in identity theft.
     
  2. 2FA or MFA (Multifactor Authentication): SEMO students, faculty, and staff configured MFA to access many Southeast resources from off-campus. However, virtually all the most popular social media, banking, and streaming services offer the ability to set up and configure MFA. Anyone with a mobile device can use Microsoft and Google Authenticator, and both applications are free. So, take time between classes to set up MFA on your LinkedIn, Reddit, Instagram, or bank account. The extra layer of protection provides peace of mind.
     
  3. You knew it was coming - passwords: By and large, passwords are no longer the sole means of protecting accounts and data. But a good password is still the initial method to secure everything from an Amazon account to TikTok. Sadly, too many companies and service providers don't take the security of your password very seriously. Every day, Information Security professionals are greeted with the news of yet another leak of user names and passwords. The daily leak of login information illustrates the need to use a unique password for every account. Further, it is almost trivial for threat actors to crack short passwords, so in addition to ensuring the password is at least 12 characters long, remember to include upper and lower case letters, numbers, and special characters. Also, consider installing and using a password manager to make password maintenance easier.
     
  4. Secure those files: We generate data - lots of it. Sometimes it is hard to realize just how much data can be generated by someone in a single semester. But consider this - assignments, emails, photos, and videos all qualify as data. Leaving data unsecured can lead to leaks of personal information resulting in possible financial losses or identity theft. When storing data in a cloud-based service such as OneDrive or Google Drive, consider who has access to that data. For instance, the photos you snapped from summer concerts or during an internship and then saved in OneDrive may be shared to make it possible for virtually anyone to see them. Perhaps you share a link to the photos with a close friend, and they share it with someone else. You may have shared much more information than you wanted without realizing it. When sharing information, take a moment to consider who has access to what you've shared and apply the permissions required to protect the data.
     
  5. Monitor what you share: It is an exciting time; perhaps you've left friends and family at home who want to know about dorm life, the part-time job you picked up, and the friends you hang out with when you take a break. It seems innocent and precisely what social media does best. Nevertheless, use caution when sharing photos or detailed information about a residence, a job, friends, or the big plans for the weekend. If posted publicly, anyone can determine when an apartment or dorm room is unoccupied, where you work or where you'll be on Saturday. Consider how the information could be used by someone with a grudge against you or a thief looking for an easy mark to rob.
 

Start the Semester Right with a Password Manager


Summer is winding down, and the fall semester is right around the corner. Sometimes ensuring your personal information is secure can feel like a never-ending struggle. However, there are tools available, many of them free or for minimal cost, which can assist in protecting your most valuable assets. One of those tools is a password manager.

What does a password manager do? 

Primarily, a password manager removes the burden of creating or memorizing lengthy, secure passwords. For example, creating a great password and writing it on a post-it note left under the keyboard entirely negates the password. Likewise, using the same password for every site or login is an invitation for a threat actor to take over an account. Proper use of a password manager helps you create, and securely store, lengthy and unique passwords.

A good password manager application will suggest strong, unique passwords for every site a user visits requiring a password. This feature eliminates the struggle of multiple attempts to meet the password requirements.

Where can I use a password manager?

Where and how you use a password manager varies slightly depending on the user's needs. However, users of the top five password managers have the option to install it as a plug-in for Chrome, Firefox, and Edge. Additionally, iOS and Android users may install the selected application using the respective store. 

Are there additional benefits of using a password manager?

As mentioned previously, it eliminates the need to write passwords down. However, another benefit of most available password managers is the ability to synchronize across platforms. For instance, if a user installs a password manager in Chrome or Firefox on their laptop but also installs the manager on their iOS or Android devices, the passwords are available on both devices. 

Although this feature is not available in every password manager, several of the most popular password managers can be used to change passwords in bulk. So, if a user wants to be especially security conscious and change all passwords every 90 days, the user selects all the passwords in the manager and specifies "Change Password." The manager then logs into each account and updates the password, making password rotation quick and painless.

Another helpful feature that is, at this writing, not available in all password managers is the "Security Checkup." This feature, more common in pay-for-use applications, monitors accounts for possible breaches, checks passwords against breaches, and suggests when the time has come for password changes.

How much does a password manager cost?

Virtually all the major password manager applications come in two "flavors" - Free and paid versions. The free versions provide the standard functionality of suggesting and storing passwords and password synchronization across devices. However, as noted above, some of the more valuable features, such as the security checkup and bulk password changes, require the user to purchase a license.

Users who decide to purchase a license will find most password managers extremely affordable - but most require a yearly fee. For example, the average annual cost for one of the prominent password managers is approximately $40. However, the price can seem minimal considering the features provided by the applications.

July is Ransomware Awareness Month


Ransomware continues to grow as a global information security challenge. To remind computer users of the ever-growing scope of ransomware, July is designated as Ransomware Awareness Month. Below is an intriguing infographic from KnowBe4, one of the leading information security education companies, showing the steady increase in the global cost of ransomware.

The Global Cost of Ransomware
 

Avoid Phishing Scams

Higher Education continues to be an attractive target for many criminal groups - and this week provides clear evidence of one of the primary methods threat actors use to take advantage of Higher Education institutions. On Tuesday, a significant number of phishing emails were sent by threat actors to the campus community using compromised SEMO accounts. Cybercriminals use phishing emails to collect usernames, passwords, and other personal information.

Here are five tips to help you avoid falling victim to phishing emails.

  1. Be careful before you click that link: Phishers include links in their emails, hoping you’ll click on them. Often the hyperlink leads to a realistic-looking but ultimately bogus login screen used to collect a username and password. If you receive an email with a link you were not expecting – do not click on it. If you believe the link is legitimate, type the address manually into the web browser instead of clicking on the link in the message.
  2. A sense of urgency: Cybercriminals try to increase the odds you’ll provide the information they want by creating a sense of urgency. Sometimes that is as simple as the word URGENT in the subject line. In other instances, the phisher makes it appear you’ll lose money, or a bill is unpaid and must be dealt with immediately. Don’t fall victim to the sense of urgency. Remember, you can always contact the bank, vendor, or government agency by phone to confirm if you have concerns.
  3. Protect your personal information: The primary goal of phishers is to collect as much personal information as possible. The more information they have, the easier it is to perform identity theft. Always be cautious and never send your data through email or an unsecured website. Even if you trust the request’s source, providing sensitive information in an email or an unsecured website means other parties can see your information. If you must share the information, call the requestor on the phone or use an alternate method to contact the requestor.
  4. Spotting a phishing email: Various other signs, such as poor spelling and grammatical errors, give away a phishing email. Other clues include requests to verify your account or warnings your account is compromised. Remember, most vendors and government agencies will not contact you via email for such issues.
  5. Employment or Investment Scams: One of the most disturbing phishing trends has recently been the rise of employment or investment scams. Be aware of two infamous scams making the rounds today. One scam requires the victim to provide debit or credit card information to pay to apply for a specific position. The threat actor indicates the information is needed for services such as background checks or employee supplies. Another popular scam offers to provide information regarding digital currency or NFTs (Non-fungible tokens) - the digital equivalent to trading cards.

Cyber Security Checkup

The end of the semester is a great time to do a bit of cyber spring cleaning. Here are some tips and recommendations to perform a cyber security checkup.

Passwords and authentication

  • PIN or fingerprint protect your mobile devices: longer PINs are more secure
  • Use secure passwords: longer passwords are better. Include numbers and punctuation.
  • Never use the same password for more than one site
  • Use a password safe to manage your passwords
  • Use 2-Factor (2-step) authentication for important accounts
System administration and maintenance
  • Examine and change default settings
    • Disable guest accounts
    • Change default administrator passwords
    • Disable features that you do not use like file sharing and remote desktop
  • Enable encryption
    • BitLocker full drive encryption in Windows 8 and 10
    • FileVault full drive encryption in Mac OS X
    • VeraCrypt for thumb and removable drives https://veracrypt.codeplex.com/documentation
    • Android device encryption (varies by manufacturer)
    • iOS devices are encrypted by default
  • Enable the built-in firewall
  • Backup regularly
    • Automatic backup software or services are preferred
    • A second backup to a disconnected removable disk is a good practice
       
Wireless and Internet access
  • Enable WPA2 on your home wireless router
  • Disable Universal Plug-and-Play and device management from the Internet
  • Use web-filtering DNS at home https://www.opendns.com/home-internet-security/
  • Always use a virtual private network (VPN) when connecting to open Wi-Fi hotspots
 
General guidelines for online security and privacy
  • Check your security and privacy settings periodically. Options and defaults may change.
  • Use a separate password for each service. Don’t use “Log in with…”
  • Don’t post information that can be used for identity theft
  • Don’t post information you use for security questions: pet’s name, high school, etc.
  • Read privacy policies. Check for data collected, data ownership, and uses of data.
  • Configure your web browser to send “Do Not Track.”
  • Use private browsing when accessing sites for which you don’t want cookies
  • Remember location services and possible consequences of geotagging of photographs
  • Use tracking blockers https://www.eff.org/privacybadger
  • Use SSL/TLS whenever available https://www.eff.org/https-everywhere
  • Check short URLs at https://www.virustotal.com/ before clicking
  • Be alert to social engineering, including phishing. If it’s urgent, it may be a trap.
  • Are you a victim of cybercrime? https://haveibeenpwned.com/
 
Privacy settings for LinkedIn
  • Click on your picture and select “Privacy and Settings,” then click “Privacy.”
  • Review all settings, but pay particular attention to
    • The content of your public profile
    • Who can see your connections (Use “Only you” to respect your contact’s privacy)
    • Suggesting you as a connection
    • Sharing with third parties
 
Privacy settings for Facebook
  • Click the lock on the top-right side of the screen
  • Run the privacy checkup. Pay particular attention to application connections.
  • Review all privacy settings
  • Review private information in your security settings, including passwords for other sites.
  • Review linkages with other services like Twitter and Instagram.
 
Privacy settings for Twitter
  • Click on your photo and select “View profile” to see how your profile looks to others.
  • Click on your photo and select “Settings.” Select “Security and privacy” from the menu.
  • Review all settings, but pay particular attention to
    • Tweet privacy controls whether your tweets can be publicly viewed
    • Photo tagging, tweet privacy, and tweet location


 

MFA and Social Media

Finals week is here, and summer travel is fast approaching. Social media makes sharing the sights, sounds, and memories of a trip easy. So if you take the time to plan a trip - take some time to use social media properly on vacation. Here are some tips to make social media safer on the road.

Don't Post: Okay, this first tip sounds a bit counterintuitive. However, if you post pictures while traveling, you provide a great deal of information. For instance, you are informing everyone you are not home. If you live alone or travel with your roommates, alerting the world that your house or apartment is unoccupied is like inviting criminals to break in. Additionally, social media has made stalking an epidemic. Remember, if your friends can track your travel, likely everyone can. Please take all the pictures you like, and post them to your social media accounts once you have arrived home safely. 

Set up MFA on your social media accounts: Now that MFA is set up for access to many Southeast resources, now is an ideal time to secure your social media accounts with MFA. Below are the steps to secure Instagram, Facebook, Snapchat, and LinkedIn.

Instagram

If your preferred method for MFA is SMS codes sent via mobile text message, the following steps have to be taken to activate the feature.

  • Go to your profile page and tap the menu icon in the top right-hand corner.
  • Select the Settings option from the list.
  • From the list that appears, select Privacy and Security.
  • Choose Two-Factor Authentication.
  • Tap on the switch icon next to Text Message.
  • If you don't have a phone number confirmed and associated with your account, the app prompts you to provide it.
  • After entering the number, tap the following icon to complete the setup.

Alternatively, if your preferred authentication method is an authentication app, you'll need to follow the steps below.

  • Go to your profile page and tap the menu icon on the top right corner.
  • Select the Settings option from the list.
  • From the list that appears, select Privacy and Security.
  • Choose Two-Factor Authentication.
  • Tap the Get Started button if you haven't previously turned on the two-step authentication feature.
  • Tap on the switch icon next to Authentication App and follow the on-screen instructions.
  • Enter the code you received from the authentication app to complete the process.

 

Facebook:

Although Facebook use is less than in the recent past, it is still a popular platform and should be secured. Here is the process to activate MFA for your Facebook account.

  • Once logged into Facebook, go to your Settings and select the Security and Login option.
  • Go down to the Use two-factor authentication option, then click Edit.
  • Select the authentication method of your choice and then follow the instructions appearing on your screen.
  • Once you have turned on the chosen authentication method, click Enable.
  • Once properly set up, when trying to log in from a new device, you will have the option to
    • Consent to login attempts from recognized devices.
    • Use recovery codes for situations when you don't have your phone.
    • Tap your security key on another device. The security key can be added when setting up the two-step authentication process.

Snapchat:

Snapchat also offers two methods. The steps below activate the MFA feature.

  • On the main Camera home screen, tap on the Profile icon located in the top left corner.
  • Tap the Settings icon shown as a cogwheel.
  • Select Two-Factor Authentication.
  • Follow the subsequent instructions that are provided on your screen.

The company also advises users who activate this feature to generate a Recovery Code and save it in a safe location. It will be helpful in scenarios where the phone is missing, or the phone number is changed, or when the phone is restored to original settings.

 

Avoiding Summer Vacation Scams

Classes are winding down, and Finals are just around the corner. Before long, everyone will have the opportunity to make up for travel time lost to the COVID pandemic. Everyone is excited to get out and about, whether headed for the city, the lake, or overseas. Here are some tips to ensure your travels are safe and secure.

Protect your devices while traveling: Just 20 years ago, travelers wanting video or photos of their trip had to pack up a camcorder or a camera with a variety of lenses. Having both consolidated into a single mobile device, whether iPhone or Android, means we travel lighter. But, to ensure a device is secure during traveling, be sure to update the operating system and apps on the device. Additionally, ensure the Bluetooth on a device is disabled unless it is in use. Similarly, turn off WiFi on all mobile devices or laptops and ensure it doesn't automatically connect to hotspots. Finally, be cautious when charging your phone or laptop at public charging stations like those found in many airports. Investing in a personal charging device is a great way to protect your phone or computer data.

Consider using a personal VPN: Ten years ago, a personal subscription to a Virtual Private Network (VPN) was costly. Worse yet, not all VPN solutions genuinely protected user data; some solutions were stealing the very data the VPN intended to protect. Times have changed. There are many affordable, secure VPN solutions for use on mobile devices and laptops. Connecting through a VPN means users can access banking, credit card, and travel apps safely, even on an untrusted WiFi connection. Why? Because a VPN encrypts the data sent between the device and the webpage or application in use. Most VPN providers offer trial periods so take some time to test the best VPN for you.

Check and then double-check the website: Scrolling through social media can make the itch to travel more intense. But, if you run across a travel website offering a bargain hunter's dream, use caution. Cybercriminals quickly create fraudulent travel websites that entice frugal travelers to offer up their credit card or banking information. These scams are highly prevalent on Facebook and Twitter. So, do some research and make phone calls before providing any information. Be especially cautious if a sense of urgency is part of the ad (Only 3 seats left - order now). Urgency is one way cybercriminals convince people to do something they wouldn't ordinarily do.

Summer travel can be exhilarating and enlightening - don't let cybercriminals take the sun and fun out of your summer.

Protecting Direct Deposit from Phishing Attacks

In 2018, the Internal Revenue Service released an alert regarding a significant rise in fake payroll direct deposit and wire transfer emails. Unfortunately, these scams remain popular for cybercriminals today.
 
More advanced scams require criminals to hack or take over a system or an account. However, payroll scams are attractive to cybercriminals because they only need employee names, which are often easy to find using simple web searches. The criminal then impersonates the employee and requests a change to their direct deposit information via email. If the criminal succeeds, the next paycheck is deposited in the bad actor’s account. Unfortunately, the cybercriminal’s actions are noticed only when the employee does not receive their salary. It is important to note that it is unlikely an employer can recover the funds once transferred to the criminal’s account.
 
Here are some tips to protect your paycheck and banking information.
 

  1. Ensure MFA is set up and configured for both SEMO and personal accounts. Please see the following link for assistance in setting up MFA - Setting Up MFA
  2. Take a moment to log in to the portal at Southeast Portal, then select Employee SS. Under Personal Information, on the right side of the page is the option to “Update Addresses and Phones.” Select the option if you have a mobile phone and want to ensure the current number is listed. Providing a cell number allows HR to text you to confirm any changes requested to direct deposit.
  3. Check your payroll details quarterly via the SEMO portal to confirm they are correct and unchanged.
  4. Confirm your paycheck has been deposited and is accurate consistently. Understandably it is easy to become complacent, but vigilance is essential. If funds have been diverted, contacting HR and the bank quickly is vital if there is any chance of recovering the funds.
  5. Do not click on links in emails that appear to pertain to payroll—instead, access payroll information directly through the SEMO portal for enhanced security.
  6. Finally, if you clicked on a link and provided personal or banking information, please contact the payroll office or the Information Security Officer right away.


Security concerns cause companies to go to more extraordinary lengths to entice new cybersecurity staff

A recent article by darkreading.com contributing writer Pam Baker suggests companies are in desperate need of cybersecurity staff and are making significant benefits available in order to acquire it. However, Baker notes the need for additional staff is not entirely attributable to the ever-increasing rise in cybersecurity threats but also to the loss of staff due to the "Great Resignation." Whatever the catalyst, the current market is ideal for promising cybersecurity professionals to enter the field.

According to Baker, the need for staff has "led to companies offering ridiculously high salaries, a bevy of benefits, and free training and certifications to woo candidates. Even so, the candidate pool is limited. Employers are exploring ways to help applicants fill in the gaps in their experience so that they can be hired." Southeast students in the University's Cybersecurity program nearing graduation should take notice of the advice of Justine Fox of NuData Security - "The No. 1 thing anyone interested in cybersecurity careers should do is apply."

However, cybersecurity students not yet preparing to graduate have options to prepare for the job market after college. Pam Baker suggests the following:

  1. Get real-life experience while in school. This experience can range from contributions on GitHub to open source security tools to working on bug bounties.
  2. Apprenticeships. Although this suggestion is geared toward workers looking to make a career change in Baker's article, reaching out to employers to assist in security and risk management provides great experience to include in a resume.
  3. Get a mentor. Finding a mentor may feel like a daunting task. However, LinkedIn provides access to many cybersecurity professionals, many willing to take a student under their wing. LinkedIn, Discord, and even YouTube provide ways to network and possibly find the Information Security professional interested in helping new professionals to find their way into the field.

Tax Season Brings Tax Scams

Well, it is that time of year again...tax time. And while many people dread this time of year, there is one group of people who wait all year for this time to roll around - cybercriminals. Bad actors use nefarious tactics to steal the sensitive data of taxpayers. Here are some ways scammers attempt to steal the information required for identity theft to apply for credit cards and loans - along with ways to avoid being taken advantage of by cybercriminals. 

  1. The Standard Aggressive Phone Call: The aggressive phone call by scammers masquerading as IRS agents has become a perennial favorite of cybercriminals. Each year social media is populated with videos of people recording themselves on the phone with scammers who suggest that if the victim doesn't pay a tax at that moment (generally with Apple iTunes cards), local law enforcement will arrive to arrest them. Unfortunately, although the videos are funny, far too many people fall victim to this scam. Worse yet, the victims are often older citizens or those with limited income. Remember - the IRS will NEVER contact a taxpayer by phone, and they certainly will not insist on payment in gift cards.
  2. The Social Security Number Scam: Perhaps the endless videos on Facebook, Twitter, and Instagram of scammers being owned forced the criminals to change their tactics. As a result, scammers changed their methods by threatening to cancel a person's Social Security number for failure to pay taxes. Once again, this scam seems patently ludicrous on its face. Sadly, however, like the previous scam, many vulnerable people do fall for this scam. Again - the IRS never contacts taxpayers by telephone.
  3. Taxpayer Advocate Scam: This scam is a reminder, tragically, that cybercriminals appear to be significantly more creative than most of Hollywood. Scammers contact a potential victim posing as a representative of a tax advocacy service, ask for the victim's Social Security number and other personal information, and offer to consult with the IRS on their behalf to ensure the victim has not paid too much in taxes. This scam is fairly new but is expected to be used extensively this tax season.
  4. Sadly...the scams are year-round. Tax scams do see an increase from January through April, and as the bad actors see a great deal of success using these scams, they may shift to other scams during other times of the year. But the tax scams continue throughout the year, though in smaller numbers.


Security Resolutions for 2022

A new year brings new beginnings and the chance to create helpful habits to enhance your day-to-day cybersecurity. Here are some suggestions to get your new year started on a sound security footing.

 

Passwords: The start of a new year is a great time to examine password security and hygiene. Take some time to consider the sites and apps you use most - banking, credit card, rideshare, or food delivery? January is the perfect time to update each site and app with a unique, strong 12- to 16-character password. If you use a password manager such as LastPass or KeePass, many of your passwords can be changed automatically and stored securely.

 

Browsers: Long gone are the days when Internet users had access to only one or two different browsers. Now users can choose from a plethora of browsers. Of course, stalwarts like Chrome and Firefox are readily available and allow users to configure each for specific security concerns. But other browsers such as Brave or Opera are making headway into the market and are explicitly geared toward more secure Internet browsing. So, January is the perfect time to examine the security settings of your favorite browser to ensure it only stores the data you want and, just as importantly, only sends the information you choose to vendors and developers.

 

Social Media: The advent of social media has made keeping in contact with friends and loved ones very easy and offers users quick access to the information and news users need. However, some users want quick access to YOUR data and not just add a "Thumbs Up" to your vacation pics from Branson. Make a resolution in 2022 to be much more selective about what you share on social media. The picture you post of you and your family at Disneyland is a convenient (and occasionally jealousy-inducing) way to let your friends know where you are and how much fun you are having. It is also a great way to let criminals know that a house is unoccupied or a car goes unused, depending on who can see your posts. In 2022 decide to take plenty of pictures and post them when you return. Additionally, be cautious about sharing personal or health information on various social media platforms. Be sure to ask permission before posting pictures of others to one of the many social media platforms.

 

Backup, Backup, Backup: The fresh start of a new year is an ideal time to begin the fresh start of properly backing up your data. It is easy to forget to back up your important documents and photos. Whether you use an iPhone or an Android device, most pictures are automatically uploaded to the cloud - click and forget. But think about the information on your desktop or laptop computer. When was the last time you backed up the documents folder or made a copy of all the Internet links you collected over the years? Loss of your schoolwork, old family photos/videos, or financial information like tax returns can be avoided with proper backups. Fortunately, there are many free or low-cost options available. Have a Gmail account? That means you also have 5 Gb of free storage, and increasing the amount of storage is relatively inexpensive. 20 years ago a 64 Meg USB thumb drive might cost $100. Today, devices with hundreds of Gigs or even Terabytes can be purchased very affordably at local stores or online.


Tips to Avoid Holiday and COVID-based Phishing Attempts

The COVID pandemic continues to be a source of opportunity for cybercriminals. For example, in October of this year, threat actors started a phishing campaign to collect user names and login credentials from Higher Education schools. According to cybersecurity organization Proofpoint, "Following the announcement of the new Omicron variant in late November, the threat actors began leveraging the new variant in credential theft campaigns." The phishing emails, implying guidance on protection from the most recent COVID variant, contain a link to a bogus but well-crafted University login page. The page is then used to harvest student, faculty, or staff credentials.
 
Along with the COVID-based phishing campaigns, the holiday shopping season is also a season for threat actors to use phishing to collect credit/debit card information. The phishers count on shoppers using a bit less caution as they rush to grab the best deals or ensure gifts arrive on time.
 
Here are some general tips to avoid being phished.
 

  1. Enable MFA: The best defense currently available to protect credentials is the use of Multifactor or Two-Factor Authentication. This is true not only for SEMO accounts; MFA should be enabled wherever possible on financial, shopping, and social media accounts as well.
  2. Use caution purchasing goods via Social Media: Facebook, Twitter, and a host of other social media platforms may be a great way to keep track of family or friends. Unfortunately, scammers also use social media to create fake storefronts. The fake stores are used to collect credit or debit card numbers. If the deal sounds too good to be true... it is.
  3. Use different strong and unique passwords for each account: It is tempting to reuse a great password. It may seem solid and uncrackable, so why not use it for every account? However, the security of a password is only as good as the site's security. LinkedIn, Facebook, and Twitter have all had significant breaches leaking user names and passwords in the past. Suddenly, that uncrackable password is now available for cybercriminals to see and use. Consider using a password manager like KeePass or LastPass to generate and store strong passwords for every login.
  4. Double Check: Someone gets an email from a friend or co-worker, but the wording or content doesn't seem familiar. To be cautious, always reach out and confirm the validity of the email before clicking on a link or responding with data of any kind.
  5. Semo.edu: Finally, if an email appears to be from the university, and especially if it includes links, ensure all website links and email addresses end with semo.edu.

Black Friday and Cyber Monday Shopping Security

Thanksgiving is fast approaching, which means Black Friday and Cyber Monday deals are just around the corner. However, it is essential to use caution when looking for Holiday deals online. Cybercriminals and scam artists plan all year to take advantage of targets during the holiday shopping season. Here are some tips and hints to make your online holiday shopping a little safer.
 

  1. Use Credit Cards: If you've been saving to make those holiday purchases, it is tempting to use a debit card to pay for an item. However, using a debit card does not afford as much protection should your account data be stolen or the item never arrive. Many credit cards provide enhanced security for purchases, and some even offer extended warranties on some purchases. Perhaps the most significant benefit is that credit card issuers will not hold the cardholder responsible for bogus purchases. It should be noted most banks will not hold a debit card user responsible for fraudulent charges either; however, in the meantime, it can take weeks or months for the bank to return funds lost in a bogus transaction. So use the money you saved all year to pay off the credit card purchases and enjoy the enhanced security.
     
  2. But keep an eye on your credit: Cybercriminals are just as happy to have credit card information as debit card info. Therefore, if you are using credit cards for purchases, take the time to monitor your credit cards. Call or log in to the card's web portal to confirm that all the purchases are legitimate. Contact the credit card company immediately if unrecognized purchases appear on the credit card statement. In a similar vein, this is also a great time to check your credit report. Below are links to request a free annual credit report from the three major reporting agencies.

    Experian Free Credit Report
    Equifax Free Credit Report
    TransUnion Free Credit Report
     
  3. Avoid public or free WiFi: Target, Barnes and Noble, and Starbucks are just a few of the merchants offering free WiFi. When you are nearing your data cap, a free WiFi connection seems like a great deal. But always keep in mind that bad actors have the tools to see all the traffic taking place on that connection. This means that when you connect to free or public WiFi, any information you are sending or receiving that isn't encrypted can easily be seen. Additionally, cybercriminals have used public WiFi to install a variety of malware on mobile devices.
     
  4. Look for the "s": If you choose to shop at home for your Black Friday or Cyber Monday deals, take a moment to confirm the safety of the website you are using. Ensure the website is using HTTPS:// and not HTTP://. The benefit of websites with HTTPS:// is the traffic between your browser and the vendor is encrypted. This encryption ensures the credit card number and CVV you just entered to purchase that PS5 cannot be seen in cleartext over the Internet.
     

SEMO Cybersecurity Student Provides Great Phishing Information

Jennifer Tenholder, a student in Southeast's Cybersecurity degree program and Vice President of the Cyber-Defense Club, has authored infographics providing great information regarding how to determine if that email in your inbox is a phishing attempt. Check them out!

What is Phishing?


What does a phishing email look like?


Cybersecurity Tips for Students, Staff, and Faculty


Although Cybersecurity Awareness Month recently came to a close, every month is a good time to consider cybersecurity hygiene. Here are some tips to keep in mind to protect your data and your identity.

 

  • Be extra cautious sharing personal information. Whether you are downloading a free app for your mobile device, looking for a bargain, or trying to win a prize online, be very careful about the type and quantity of personal data you provide. Remember, if a website says it will not share or sell your email address, that doesn't mean the company isn't selling your demographic information, interests, or opinions. Be especially cautious with Android and iOS apps requesting access to your contacts and photos during the installation.

  • Use secure, complicated passwords and implement MFA. Long, secure, complicated passwords can be challenging to maintain, especially when following the guidance that each website and application should have a unique password. To make password management easier, use a password manager such as KeePass or LastPass. Remember, no matter how good your password is, it is, in fact, only as good as the security of the website or service you are using. That is why it is vital to enable Multifactor Authentication for all accounts. MFA is available for all major credit card websites, most banks and credit unions, Gmail and Yahoo!, and even Facebook and Reddit. The extra second it takes to log in can be the difference between security and identity theft.
     
  • Use a VPN. A decade ago, VPN services were either complicated, expensive, or both. Now there are a number of trustworthy and economical VPN solutions. Using a VPN protects your data when surfing the web by encrypting all the traffic. Encrypting the traffic means neither cybercriminals nor the Internet Service Provider can see your data. In addition, if you combine VPN usage with the Incognito or Private mode of your favorite browser, you can browse the web with a greater degree of privacy and security. However, steer clear of "Free" VPN solutions. Remember, nothing is free. If the service is free, the provider is also collecting all your information - the exact opposite of the reason for using a VPN in the first place.

Virtual Meeting Privacy and Security

Although platforms such as Zoom and WebEx were quickly gaining popularity before 2020, remote work and hybrid classrooms caused the use of virtual meeting applications to explode. However, like any application, tool, or device, there are steps required to ensure users do not fall prey to activities such as Zoom bombing or having an unknown or uninvited meeting attendee.

Here are some simple steps to help secure meetings and ensure privacy.

  1. Set a password for the meeting: You lock your home and secure your email because sometimes private discussions occur at both. Meetings, seminars, and classes may also contain conversations requiring protection. Setting a password provides an essential layer of protection to ensure privacy.
     
  2. Enable a meeting waiting room: We've all attended virtual meetings with a significant number of attendees and wondered about the identity of the attendee with the cryptic name or the webcam turned off. Should that person even be in the meeting? One method to ensure meetings are attended only by those invited is to use a "waiting room." This holding area enables the person hosting the meeting to ensure only invitees are allowed to join.
     
  3. Use unique meeting IDs: ID reuse is undoubtedly more straightforward for those hosting meetings, but it can also make it exceptionally easy for uninvited guests to "bomb" or "Zoom Bomb" a session as well. If a new meeting ID is not generated for every meeting, ensure a unique ID for sensitive or critical meetings.
     
  4. Use virtual backgrounds, especially at home: The advent of the virtual background has been a great way to let coworkers, friends, or associates know which team you root for, show your fandom for The Matrix, or share a photo from your trip to the Grand Canyon. However, it also promotes enhanced privacy. The use of a virtual background means the other attendees don't see your neighborhood or pictures of family or friends hanging on the wall or sitting on a desk. It is a great way to be unique while protecting your privacy.

 

Multi-Factor Authentication (MFA) Using Microsoft Authenticator


1. Download and install the Microsoft Authenticator app from the appropriate app store (iOS and Android).

2. Open a browser on your computer and point it to https://portal.office.com and sign in with your SEMO account.

3. When logging into O365 for the first time after MFA has been enabled, you will be prompted to set up additional security verification for MFA.

4. Click Next.

5. Choose Mobile App from the drop down.

6. Make sure "Receive notifications for verifications" is selected. Click Setup.

7. Wait for the configuration pop-up box. You should see a window on your computer similar to the one below.



8. Open the Microsoft Authenticator App on your phone.

9. Tap the + and then select Work or School Account.

10. Use your phone to scan the QR square that is on the computer screen.

NOTE: iPhone users may have to enable the camera in Settings in order to scan. If you can't use your phone camera, manually enter the 9-digit code and the URL.

11. Your account will be added automatically to the app and will display a six-digit code.

12. Switch back to your computer and click Next.

13. Now wait for the Checking Activation Status text to finish configuring your phone.

14. When it's complete, you'll be able to click the Next button.

NOTE: If configuration fails, just delete and retry the previous steps again.

15. Switch back to your phone and you'll see a notification for a new sign in.

16. Go to the Microsoft Authenticator App.

17. Tap Approve to allow the login.

18. Returning to your computer, follow any prompts that you might see such as adding a mobile number.

From now on, whenever you have a new sign-in or add your Office 365 work or school account to an app, you'll open the Authenticator app on your phone and tap Approve.
 

Breaking Cybersecurity News

IRS warns of large-scale Smishing Attacks

 

It is not unusual for threat actors to use all the techniques at their disposal to take advantage of the US Tax Season each year. Generally, these attempts start in January and continue to ramp up until April 15th - and sometimes even beyond. However, the IRS is warning taxpayers of possible phishing attempts using text or SMS (an approach called Smishing) so advanced and prevalent it is being called "Industrial Scale" in size and scope.

In an alert released on Wednesday, September 28th, the IRS noted the identification of "thousands of fake domains" set up to conduct smishing scams. The scams are used to collect personal and financial data. The scam works like this:

  1. The target receives a text message crafted to appear to come from the IRS. The lure is fake COVID relief funds or tax credits.
  2. The text contains a hyperlink. When the target clicks on the link, the target is directed to a webpage. Some pages request information such as Social Security number or routing and account numbers for a bank account.
  3. Sometimes the hyperlink installs malware on the target's device. With the malware installed, threat actors collect personal information from the device.

IRS Commissioner Chuck Rettig notes, "This is phishing on an industrial scale so thousands of people can be at risk of receiving these scam messages." In addition, Commissioner Rettig indicated, "In recent months, the IRS has reported multiple large-scale smishing campaigns that have delivered thousands – and even hundreds of thousands – of IRS-themed messages in hours or a few days, far exceeding previous levels of activity."

The IRS is asking everyone who receives a smishing message to report it to help the agency track the spread of the smishing attempts. The method for reporting smishing attempts to the IRS is:

  • Create a new email to phishing@irs.gov
  • Copy the caller ID number (or email address)
  • Paste the number (or email address) into the email
  • Press and hold the SMS/text message and select “copy”
  • Paste the message into the email
  • Include the exact date, time, time zone and telephone number that received the message, if possible
  • Send the email to phishing@irs.gov
 

Uber Ride Share Service breached in Massive Hack
 

The rise of ride-sharing services such as Lyft and Uber has made getting from one place to another significantly easier and increased safety for many. However, ride-share service Uber appears to be struggling with a massive breach. The breach is being called a "total compromise." But what can we take from the Uber hack?

  1. If you have used Uber in the past, it is advisable to monitor the payment method associated with your Uber account. Although this hack is less than 24 hours old at this writing, if the compromise is, in fact, a total takeover of the Uber environment, it is very likely the threat actor has acquired payment card information for past customers.
     
  2. In addition to payment card information, it seems likely, at least in these early hours of the hack, that the geographic locations of each rider may also be compromised. If stolen, the data can be used to compile the origin and destination of each ride in an Uber vehicle. For some, finding out the Internet knows about the late-night trip to Huddle House is unimportant, but it can be an issue for other trips or locations.
     
  3. Finally, be aware of something called MFA fatigue, which appears to be the method used to social engineer the Uber engineer. MFA fatigue occurs when a threat actor acquires a user's password but does not have access to the user's method of multi-factor authentication. This often results in multiple MFA requests alerting on a phone or other mobile device. Some users don't understand that the repeated messages indicate an attempt to hack their account and finally answer "yes" or acknowledge the login attempt as legitimate simply to put an end to the messages. Once that happens, the user's account is completely compromised, and the bad actor can change the user's MFA to something they have access to in an effort to lock the actual user out of their account.


If you experience a series of unexpected prompts from your MFA method, it is recommended to change your password and alert the IT help desk.
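The MFA fatigue pattern described above (a burst of denied or unanswered push prompts, sometimes followed by an approval) is also something the help desk or security team can look for on the server side. The following is an added example, not SEMO's code or any vendor's: a small detector run over a constructed push-notification log. The log format (timestamp, user, result) and the threshold of three non-approved pushes in ten minutes are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from any real system).
# Each line: ISO timestamp, user, result (approved / denied / timeout).
SAMPLE_LOG = """\
2022-09-15T22:01:05 alice approved
2022-09-15T23:10:02 bob denied
2022-09-15T23:10:41 bob timeout
2022-09-15T23:11:20 bob denied
2022-09-15T23:12:05 bob timeout
2022-09-15T23:12:50 bob denied
2022-09-15T23:14:10 bob approved
2022-09-16T08:00:00 carol approved
"""


def parse_log(text):
    """Parse the constructed log format into (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def find_push_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Flag users who received `threshold` or more non-approved pushes within
    `window`. Also record whether an approval arrived while that burst was
    still inside the window, which is the outcome the attacker is hoping for.

    Returns {user: {"peak_unanswered": int, "approved_after_burst": bool}}.
    """
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))

    findings = {}
    for user, evs in by_user.items():
        pending = []          # timestamps of recent non-approved pushes
        peak = 0              # largest burst seen inside one window
        approved_after = False
        for ts, result in evs:
            # Drop pushes that have aged out of the sliding window.
            pending = [t for t in pending if ts - t <= window]
            if result != "approved":
                pending.append(ts)
                peak = max(peak, len(pending))
            elif len(pending) >= threshold:
                # User approved while a burst of unanswered prompts was active.
                approved_after = True
        if peak >= threshold:
            findings[user] = {
                "peak_unanswered": peak,
                "approved_after_burst": approved_after,
            }
    return findings


if __name__ == "__main__":
    for user, info in find_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {info['peak_unanswered']} unanswered pushes in window, "
              f"approved afterwards: {info['approved_after_burst']}")
```

In the constructed log only `bob` is flagged: five non-approved pushes in under three minutes and then an approval, which is exactly the sequence that should trigger a password reset and a call from the help desk rather than being treated as a normal login.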



Credit Reporting Firm Experian Fails to Protect Data

 

Recent reports from Brian Krebs ("Experian, You Have Some Explaining to Do") and Security Boulevard's Richi Jennings ("Experian Fails Yet Again - Hackers can Change Your Email Address") indicate that one of the "Big Three" US credit reporting bureaus, Experian, had a web-based vulnerability which permitted threat actors to take over user accounts, change the password and email address, and even alter the security questions. In short, the cybercriminals were able to effectively lock users out of their own Experian accounts while gaining access to all the data needed for identity theft and credit card fraud.

The Southeast Information Technology department wants to make all students, faculty, and staff aware of this issue and encourage everyone to: 

  • Monitor all credit card and bank accounts for suspicious activity. Better still, change the passwords for those accounts and configure two-factor authentication.

  • Monitor your credit report. Every consumer can receive a free annual credit report. Additionally, Discover and Master Card also provide information regarding changes in a customer's credit rating.

  • Help is also available from the US Federal Trade Commission at Report Identity Theft and Get a Recovery Plan

  • Finally, if you suspect your identity or credit is being abused, or you simply want to ensure it can't be, consider freezing your credit. This does require contacting each of the credit reporting bureaus, but it can be done at no cost, and it prevents any credit cards or loans from being opened in your name.

 

Mobile Banking Apps linked to Trojans

Mobile devices are great tools for enhancing productivity "on the go." For example, the Google Play Store offers various Android applications, including apps for managing a checking or savings account. As a result, a user is no longer tethered to a desktop computer to check balances or transfer funds. However, danger lurks in the easy-to-access tools available on Android devices.

Mobile security provider Zimperium recently conducted research that provided startling results. Zimperium's research indicates that cybercriminals target 639 financial apps currently available on the Google Play Store to install Trojan software on mobile devices. Worrisome for US citizens, 121 of the apps are for US-based companies.

A Trojan application derives its name from the story of the Trojan Horse - a ruse used by the Greeks to sneak troops into the city of Troy. Likewise, a Trojan application appears to be a useful financial or banking application but is, in fact, simply a method for cybercriminals to steal important information. Research determined some of the Trojan software is capable of intercepting SMS text messages used for Multifactor authentication; additionally, other software can install keyloggers for use in stealing login credentials.

The trend becomes even more troubling as Zimperium's research suggests that 75% of Americans studied use banking or financial applications on mobile devices.

Below is a sample of the financial apps Zimperium determined to be targeted by Trojan malware:
Barclays Mobile App, Commonwealth Bank, Halifax Mobile Banking, Lloyds Bank Mobile, Santander Mobile Banking, NatWest Mobile Banking, PayPal, Binance, Cash App Mobile, Bank of America Mobile Banking, Capital One Mobile, and Coinbase.

So, the big question is: how do you get access to these tools without having a Trojan attached? The best method is to visit the bank or credit card website and request a link sent to the mobile device. Cybercriminals count on users visiting the Google Play Store, searching for the app, and simply choosing the first option.

 

Borat RAT malware is being sold on the dark web

Cyble, an information security company, performed a deep dive analysis of the Borat RAT (Remote Access Trojan/Tool) and released the analysis conclusions on March 31st. The research indicates that the RAT, available for purchase on the dark web, is exceptionally easy to use (meaning the attacker need not be sophisticated). Additionally, the RAT offers a toolkit providing remote desktop access, a remote shell, access to the task manager, a keylogger, and the ability to disable installed antivirus applications among other uses. 

Journalist Charlie Osborne notes in her Zdnet.com article, "The malware will harvest data including operating system information before sending it to an attacker-controlled command-and-control (C2) server. Furthermore, Borat RAT will hone in on browser information such as cookies, browser histories, bookmarks and favorites, and account credentials. Browsers such as Chrome and Chromium-based Microsoft Edge are impacted. Discord tokens, too, can be stolen." The combination of tools, low-cost on the dark web, and ease of use indicates the potential for nation-states and entry-level bad actors to use the tool to cause significant havoc. This threat is undoubtedly a concern considering the increase in high-level threats to the Internet and high-profile systems due to the war in Ukraine.

However, concern regarding the Borat RAT is not universal among all Information Security professionals. For example, Dr. Gerald Auger of Simply Cyber indicated during his "First Things First" broadcast that "...this is just another RAT folks." This opinion is not entirely unfounded as both the dark web and well-funded APT organizations create additional RATs with great frequency. Nevertheless, the ease of use of this particular RAT should be a cause for some concern. 

What is the best way to avoid this malware (and others)? 

  1. Use caution and be suspicious of any link or attachment in an email, even if the message is from someone you know or trust. Threat actors can successfully take over a user's email account and send malicious links to all users in the address book.

  2. Use official web pages for downloads and files. Whether downloading a product from Adobe, Microsoft, Google, or Apple, it is always safer to go to the official website for all downloads.

  3. Use antivirus and keep it updated and run regular, scheduled system scans.

CISA Russian Cyber Threat Overview and Advisories

CISA (Cybersecurity & Infrastructure Security Agency), part of the Department of Homeland Security, is currently maintaining a publicly available website providing details on the Russian government's ongoing malicious cyber activities. As the situation in Europe continues to escalate, the public can visit CISA's page at Russia Cyber Threat Overview and Advisories.


QR Code Safety

The Super Bowl brings excitement, parties, and commercials. This year's Super Bowl was no different, with one of the most talked-about advertisements being Coinbase's sixty-second spot featuring a floating, color-changing QR (Quick Response) code. Reportedly so many viewers scanned the code the Coinbase application stopped working for some users. In addition to the Coinbase Super Bowl spot bringing QR codes into the mainstream, some restaurants struggling to maintain health and safety protocols during the pandemic have ditched physical menus for QR codes. The shift to QR codes also allows for easy menu updates. 

However, here are some things to keep in mind about QR codes. First, bad actors can use QR codes in phishing attacks, a method known as QPhishing. Second, cybercriminals can use QR codes to send victims to websites rife with malware - some sites require only that the user visit to initiate a malware download. Finally, there is the danger of financial theft. Although the number is currently low, restaurants, service stations, and other businesses use QR codes to carry out financial transactions. A cybercriminal can quickly and easily replace the QR code and steal a customer's financial information.

To securely use QR codes, remember -

Verify: If someone sends a QR code to a device, always contact the sender to verify the code came from them. This simple measure adds only seconds but is invaluable.

Trusted Sources: Increasingly, stores, restaurants, and other businesses may display QR codes on ads, websites, and displays - especially because of the popularity of the Coinbase ad. Companies may do this without considering the security risks. Before scanning a QR code, consider whether the vendor or location is a trusted source for a QR code.

Patch and Update: Bad actors distributing QR code malware target iOS and Android devices. Although not a panacea, always ensure devices are updated and patched. Well-maintained mobile devices deprive cybercriminals of the ability to exploit unpatched vulnerabilities.

Software: Mobile devices require special software to scan QR codes. Ensure the software displays the entire site URL. For example, if you are scanning a QR code at a bookstore or restaurant, ensure the URL the code is redirecting to contains the domain name for the business.
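Three tips on this page come down to the same check on a URL: the phishing tip that university links should end with semo.edu, the holiday shopping tip to look for HTTPS, and the QR code tip that the decoded URL should contain the business's domain. Doing that check properly means looking at the hostname the browser will actually connect to, not searching the whole URL string, since a path or query string can contain any text. The following is an added example, not SEMO's code or any scanner's: it parses the URL, requires HTTPS, and accepts only the expected domain or a subdomain of it. The sample URLs and the restaurant domain `example-bistro.com` are constructed for illustration; semo.edu is the domain the page itself names.

```python
from urllib.parse import urlsplit


def host_matches(hostname, expected_domain):
    """True if hostname is expected_domain itself or a subdomain of it.

    The leading dot in the suffix test is what keeps a name that merely
    begins with the expected domain (e.g. "semo.edu.<something>") from
    passing: the expected domain must be the actual registrable suffix.
    """
    hostname = hostname.lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return hostname == expected or hostname.endswith("." + expected)


def check_link(url, expected_domain):
    """Return (ok, reason) for a link that is supposed to belong to expected_domain."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not HTTPS (traffic would not be encrypted)"
    # .hostname strips any user@ prefix, port, and brackets, and lowercases.
    host = parts.hostname
    if not host:
        return False, "no hostname in URL"
    if not host_matches(host, expected_domain):
        return False, f"host '{host}' is not under '{expected_domain}'"
    return True, "ok"


# Constructed samples (not real links from any message or QR code).
SAMPLE_LINKS = [
    ("https://portal.semo.edu/login", "semo.edu"),
    ("http://portal.semo.edu/login", "semo.edu"),          # right domain, no HTTPS
    ("https://semo.edu.example.net/login", "semo.edu"),    # lookalike: ends with semo.edu.example.net
    ("https://example.net/?next=semo.edu", "semo.edu"),    # domain only in the query string
    ("https://menu.example-bistro.com/table/12", "example-bistro.com"),  # QR menu link
]


def triage(samples=SAMPLE_LINKS):
    """Evaluate each (url, expected_domain) pair; returns {url: (ok, reason)}."""
    return {url: check_link(url, domain) for url, domain in samples}


if __name__ == "__main__":
    for url, (ok, reason) in triage().items():
        print(f"{'OK  ' if ok else 'WARN'} {url}: {reason}")
```

Only the first and last sample links pass. Note that a plain "does the text end with semo.edu" test would accept neither more nor less than this check on the first two, but would be fooled by the third and fourth, which is why the hostname is parsed out first.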

SMS Phishing Rising as Holiday Shopping Begins

A recent article on darkreading.com indicates SMS Phishing (also known as smishing) is on the increase due to two distinct factors. The first factor, according to Security Vendor Proofpoint, is the extraordinarily high "Open Rate" of 98%, "and 90% of messages are opened in the first three minutes."  The other factor is the holiday shopping season. End-of-the-year shopping creates a perfect storm of scammers targeting distracted shoppers on the lookout for bargains.

The article also notes SMS Phishing is a growing concern for businesses with "60% of companies around the world, and 81% of US companies" having been targeted by smishing attacks.

To read more, check out the DarkReading article at Holiday Scams Drive SMS Phishing Attacks

Spoofed Amazon Order/Fraudulent Customer Service Agent Phishing Attack
 

Information security website darkreading.com published an article regarding an extensive, multistage phishing campaign using bogus Amazon order notifications. An attack of this nature is especially worrying as the Winter shopping season is already underway.  The attack is considered multistage because it combines email and voice/phone components.

Users targeted by the bad actors receive an Amazon order notification in their email. In addition to a fake order of over $300, the message also includes a link to a customer service number that appears to be from South Carolina. The victim, attempting to alert Amazon they did not make the purchase, clicks on the link. However, when "customer service" calls back several hours later from a spoofed number in India, the fake customer service representative requests the target's credit card number and CVV (the credit or debit card security code). For more information, check the link below for the full story from DarkReading.

Phishing Attack Blends Spoofed Amazon Order and Fraudulent Customer Service Agents


Squid Game-based Malware making victims of show's fans

The Netflix-hosted series Squid Game is getting the kind of viewership broadcast television would love to have. To date, the series has well over 100 million views. However, the show's popularity is just too much for many cybercriminals to ignore, and they are using the show's massive viewership to scam fans.

Recently, a Squid Game-themed malware application was made available on the Google Play store. Additionally, a "large cybercrime actor" has taken to email to send messages appearing to be from someone associated with the show. The messages arrive in mailboxes with subject lines similar to "Squid Game is back, watch the new season before anyone else", "Squid game new season commercials casting preview," or "Squid game scheduled season commercials talent cast schedule," and carry malicious Excel spreadsheet attachments. The recipient is urged to fill out the attachment to access the new Squid Game season before it becomes available on Netflix. However, if the user has Excel macros enabled on their system, the macro downloads the Dridex banking trojan onto the computer.

The takeaways? First, always be suspicious of Google Play store downloads and stick to more common commercial downloads. Remember, if an app is free, you're paying for it with sensitive information.

Secondly, ensure macros are disabled, or at the very least, require user approval to run. But, most importantly, never download any attachment from an unknown sender. And even if you know the sender, it never hurts to reach out and confirm the attachment is legitimate.


1M Users Data Exposed in Massive VPN Leak

Every year more and more consumers move to VPN usage to protect their privacy and their surfing history. However, sometimes users get what they pay for when subscribing to Free VPN services.

Read More Here!
VPN Exposes Data for 1M users, Leading to Researcher Questioning

 

Information on the Best Information Security Certifications

 

Cybersecurity is a field that continues to expand each year because of the ever-increasing risk from criminal threat actors and Nation-state groups. Unfortunately, there simply are not enough trained professionals in the market, a market that will require an additional 1.8 million security professionals by the end of next year.

With those numbers in mind, Information Security website Dark Reading has published a "deep dive" on some of the more important...and marketable security certifications currently available.

Read Here!
Digging Deep Into the Top Security Certifications