Jan 272014

Phishing is a method by which someone tries to lure you into revealing your valuable personal information, such as an account password or credit card number. The intent of this type of scam is to gain access to your user accounts or money—something we all want to avoid.

The problem we face today is that phishing scams are becoming more and more convincing. They look like authentic communications from people and organizations that we know and trust. No longer can we depend on finding misspelled words in a hastily written email or obvious mistakes on a fake website to know that something is amiss.

Phishing attacks are being carried out with far greater attention to detail. Emails and websites look surprisingly authentic, easily fooling the casual observer. But how can we tell the difference?

Fortunately, most phishing scams have some telltale signs that will give them away. Here’s what to look for and what to do:

  • BE WARY of any request for your password, account number or other personal information, especially if the request is urgent and a web link is given for you to submit your information. This is the key signature of a phishing scam.
  • DO NOT click on the imbedded link, even if you are curious. Sometimes, these links will take you to a fake website to harvest your information and sometimes they will infect your computer with malware.
  • DO check with your trusted source (e.g., your bank, online retailer, IT department) to determine if the request is legitimate. Be sure to open a new browser window and type in the home address and navigate from there. Or simply give them a call on the phone.

For more information see Don’t be “Phooled” by Phishing Scams at http://www.ecu.edu/cs-itcs/itsecurity/Phishing-Scams.cfm.

Oct 302013

Passwords are the keys to your kingdom; you must use them wisely. In this newsletter we discuss how to create strong passwords that bad guys cannot easily guess and how to use them securely.

Passwords are the keys to the kingdom. Once someone knows your password, they can steal  our identity or access all of your personal information. Let’s learn what makes a good password and how to use them securely. There are two key points to good passwords:

• First, you want passwords that are hard to guess. This means do not use simple passwords such as 123456, your pet’s name or your birth date.

• Second, use passwords that are easy to remember. If you keep forgetting your passwords, they are not very helpful.

The problem is cyber criminals have developed sophisticated programs that can guess (or brute force) your passwords, and they are constantly getting better at it. This means that they can break into your accounts if your passwords are not  strong enough. To protect yourself, you want your password to be as long as possible. The longer your password is, the stronger it is. In fact, instead of using just a single word as your password, use multiple words. This is called a passphrase.

For example, your passphrase could be something simple like: time for chocolate

To make your passphrase even more secure, do the following:

• Use a number in your passphrase.
• Have at least one lower case and one upper case letter in your passphrase.
• Use a symbol in your passphrase.

Let’s take our passphrase and make it even more secure by replacing some of the letters with numbers and symbols, as we just discussed. First, replace the first letter with a capital letter. Next, we can replace letters with numbers or symbols. For example, you can replace the letter ‘a’ with the ‘@’ symbol or replace the letter ‘o’ with the number zero. In addition, we can add symbols using common punctuation such as spaces, a question mark or an exclamation point. As a result, we now have a strong password that is very difficult for cyber criminals to compromise, yet is simple to remember and easy to type: Time for ch0c0l@te!

Using Passwords Securely
In addition to creating strong passwords you must also use them securely. A strong password is of little use if the bad guys can easily steal it from you.

• Never share your password with anyone else, including fellow employees. Remember, your password is a secret; if anyone else knows your password it is no longer secure.

• Do not use public computers, such as those at hotels or libraries, to log into a work or bank account. Since anyone can use these computers, they may be infected with malicious code that captures all of your keystrokes. Only log into your work or bank accounts on trusted computers or mobile devices you control.

• If you accidently share your password with someone else, or believe your password may have been compromised or stolen, be sure to change it immediately.

• Be careful of websites that require you to answer personal questions. These questions are used if you forget your password and need to reset it. The problem is the answers to these questions can often be found on the Internet, or even your Facebook page. Make sure that if you answer personal questions you use only information that is not publicly known.

• Many online accounts offer something called two-factor authentication, or two-step verification. This is where you need more than just your password to log in, such as codes sent to your smartphone. When possible, always use these stronger methods for authentication.

Different Passwords for Different Accounts
Be sure to use different passwords for different accounts. For example, never use the passwords for your work or bank accounts for your personal accounts, such as Facebook, YouTube or Twitter. This way, if one of your passwords is hacked, the other accounts are still safe.

If you have too many passwords to remember, consider using a password manager. This is a
special program you run on your computer that securely stores all of your passwords for you.
The only passwords you need to remember are the ones to your computer and the password
manager program. Check with your supervisor, the help desk or the information security team to see if a password manager is an option you can use.

Print this newsletter: Module07-Passwords-Newsletter

© The SANS Institute 2013  /  Used with permission from The SANS Institute.


Oct 142013

Hacking Your Mind
Cyber criminals have learned that the easiest way to take control of your computer or
steal your information is to simply ask. Use common sense. If a person or a message
seems suspicious or too good to be true, it may be an attack.

The Attack
Today, much of your interaction with other people is done virtually; you no longer need to be  in physical contact to communicate. You talk to people on the phone, chat with them via instant messaging, send SMS messages on your smartphone or communicate with email. These technologies have made it much easier to communicate and work with people from
around the world. However, these technologies also make it much easier for cyber criminals to launch one of their most effective attacks against you: social engineering.

Social engineering is not a technical attack, meaning it does not exploit vulnerabilities in your computer. Instead, it is a psychological attack that exploits vulnerabilities in you. Cyber criminals build trust by pretending to be a person or organization you know. They then exploit this trust to obtain whatever they want, such as access to your computer, your money or your information. Cyber criminals have learned that often the easiest way to steal something is to
simply ask for it. Social engineering attacks use the same tools you use every day, including email, smartphones and the web.

Protecting Yourself
Social engineering attacks are the hardest to protect against because technology alone cannot solve the problem. You are the best defense. Understand that you are a target and that cyber criminals will use any technique they can to fool or trick you. The simplest way to protect yourself is to use common sense. If an email, message on Facebook or phone call seems suspicious or sounds too good to be true, it is most likely an attack. Below are several common social engineering attacks.

Malicious Email
You receive an email from your bank saying that your account has been locked for security reasons. You must log into your account and reset it right away or you will be permanently locked out. The email then provides a link for you to click on. If you click on the link you are taken to a website that looks just like your bank. However, in reality this is a fake website controlled by the hackers, whose goal is to harvest your username and password when you log in. In some cases, instead of sending you to a website to steal your username and password, they send you to a website that will automatically hack into and infect your computer. The best way to protect yourself is not to click on any links in emails you were not expecting. If you are  concerned that the email may be legitimate, open your browser, type in the URL to your bank yourself and then log in instead of clicking on the link. That way you know for sure you are connected to your real bank.

You receive a text message on your smartphone announcing you have won the lottery. To collect your lottery winnings you must contact a person and provide them your banking information. When you contact the person they explain that to receive your lottery winnings you must first pay a transaction fee or taxes. Once you provide your information and pay the fees, the cyber criminals disappear with your money and information, never to be seen again. The simplest way to protect yourself is simply ignore and delete the email.

Your friend posts on her Facebook page that she is on vacation in London and has just been mugged. She needs someone to send her money right away so she can get back home. However, this is a lie; your friend is not really on vacation, nor has she been mugged. Instead a cyber criminal has hacked into her Facebook account, then posted this fake message in an attempt to scam money from her friends, such as you. In this case, the best way to protect yourself would be to call your friend on the phone and confirm if she needs help.

Tech Support Scam
You receive a phone call from someone claiming to be from a computer support company. They believe your computer is infected and have been tasked to investigate and help you secure your computer. They then ask you if there are specific files on your computer and tell you how to find them. When you locate the files on your computer the caller confirms your computer is infected. In reality this is all a lie, your computer is not infected, these files are standard files that every computer has.

Once they have you fooled into believing your computer is infected they will then pressure you into buying their security software. However, this software is really a virus that gives them total control of your computer. In the end, not only has the caller tricked you into infecting your computer for them, but you just paid them to do it.

Print this newsletter: Module02-SocialEngineering-Newsletter

© The SANS Institute 2013  /  Used with permission from The SANS Institute.