07 Dec 2016
Do you do your holiday shopping online? There are a few easy ways to protect yourself online whether you are purchasing items for yourself or for the University with your P-Card. Follow the tips below for a safe experience:
1. Shop with reputable merchants. Only purchase from online vendors that you are familiar with, or do some research first. If you are not familiar with an online store, use caution: a professional-looking website is no evidence that the vendor is trustworthy or has proper security controls in place. Check an independent source that lets customers rate their shopping experience with a vendor, such as Reseller Ratings. You can also refer to the Better Business Bureau to see whether any complaints are listed. Be aware that in some cases you may be purchasing from an individual rather than a business, and your legal recourse may be different in the event of a dispute.
2. Check the merchant’s customer information and return policies. Before ordering, be sure to read the terms of sale, return policies and fees, shipping methods and prices, and guarantees. Make note of vendor’s policies for storing and distributing your personal contact information. If you do not want to be included on mailing lists or have your contact information made available to third parties (spam lists), look for an option on the web site to indicate your preference. Do not provide vendors with sensitive personal information, such as your social security number or bank account numbers. Basic shipping and credit card information is all that should be required to make a purchase.
3. Be sure the transaction is secure. During checkout the web site should be using an encrypted connection: TLS (Transport Layer Security), the successor to the older SSL (Secure Sockets Layer); the name SSL is still widely used for both. TLS encrypts your credit card information in transit so that it cannot be read or altered between your browser and the merchant. You can tell the site is using it by looking for “https://” (rather than “http://”) at the beginning of the web site’s address in the browser, and for a padlock symbol in the address bar. In Internet Explorer the padlock appears on secure pages to the right of the web address; clicking it shows the site’s certificate, which should name the merchant’s domain. Keep in mind what the padlock does and does not tell you: it confirms that the connection to that domain is encrypted, not that the merchant itself is honest or handles your data securely once it arrives.
4. Never send credit card numbers via e-mail. Although it is generally safe to enter your credit card number on a secure web site, it is not safe to send it through e-mail. E-mail is typically transmitted across the internet and stored on mail servers in clear text (non-encrypted) form, so anyone who can read it in transit or on a server along the way, not only the vendor, can see the number. Sending a credit card number through e-mail is the equivalent of writing it on a postcard rather than sealing it in an envelope.
5. Keep a record of your transaction. Before you leave the transaction page of the web site, print a copy of the screen and keep it for your records. Check your credit card statements to verify you were charged the proper amount. Also, keep any e-mail confirmations about your order for later reference.
6. Use Identity Finder to protect your data. All FIS-supported computers have a program called Identity Finder installed. It will search your files, e-mails, databases, websites, and web browser data for Social Security numbers, Credit Card numbers, Bank Accounts, Passwords, etc. so you can then take steps to remove the sensitive data from your files. This program is also available for home use by contacting FIS.
7. Take action if there is a problem. If you do have a problem with an online vendor, first attempt to work it out with them directly. Don’t rely on e-mail alone; call them as well. If you cannot resolve the problem to your satisfaction, contact your credit card issuer or bank and dispute the charge. If that is not possible, an online service such as SquareTrade can help resolve the dispute. You can also file a complaint with your state Attorney General’s Office, which may investigate. Post your experience on a site like Reseller Ratings so that other customers are warned. While you may also wish to contact the Better Business Bureau, note that it has no authority over the vendor: it will simply record your complaint and allow the vendor to respond.
Take this quiz, Workplace Security Risk Calculator, to find out whether your activities while at work are risky and what you can do on the front lines to protect our organization!
Welcome to FIS’s 5 days of Cyber Security! October is National Cyber Security Awareness Month, an initiative to help keep our online community safer and all citizens better informed. Over the next 5 days, we will highlight everything from types of scams to a checklist for cyber spring cleaning. Follow along with all of our information, videos, and quizzes! We are going to start with basic tips and advice for staying safe online. Be sure to watch the YouTube video for 3 easy tips to stay safe on the go.
14 Mar 2016
One of the most common methods that cybercriminals use to gain sensitive information is known as ‘phishing’. Phishing occurs when you receive a message requesting personal information (social security number, email address, birthday, etc.) that appears to come from a reputable source (your bank, business, etc.). Phishing attacks come in different types (spear phishing, whaling, clone phishing, etc.), but the general premise remains the same.
While most phishers are primarily looking to steal your personal information, phishing is also a method used by hackers to install malware onto your computer.
Phishing attacks have become very sophisticated, but they are still vulnerable to a watchful eye and a little common sense. Since your personal data and security are at stake, it is extremely important to know how to identify phishing, and to know what steps to take if you think you are the target of a phishing attack.
How to Identify a Phishing Attack
Inconsistent Email Address
Consider a typical phishing email sent in the name of a bank (the original post showed a screenshot). Take a close look at the sender’s display name and email address: the display name reads “S-tandard Bank”, and the sending domain, “alert-std.co.za”, does not match the bank’s real domain shown in the footer of the message, “standardbank.co.za.”
False Sense of Urgency
Note that the email from “Amazon” states “***DON’T WAIT! The Link Above Expires on 12/28!” Scammers create a false sense of urgency so that you react quickly and emotionally. Always take a couple of extra seconds to examine what you are reading before clicking any links.
Note again how the email address does not end in “amazon.com.”
Questionable Information Requests
Phishing attacks frequently ask for information that the real sender either does not need or already has. As a rule, reputable businesses never ask you to send your account name, account number, password, Social Security number, or similar details by email. A recent phishing scam appeared to come from the IRS, asking for the victim’s account information at their financial institutions. If there is anyone that does not send emails like this, it is the IRS.
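The three indicators described above (a sender domain that does not match the claimed organization, urgency wording, and requests for sensitive data) can be checked mechanically, along with a fourth that both examples rely on: a link whose visible text names one domain while its href points at another. The following is an added example, not part of the original post or of any FIS tool, that parses a message with Python’s standard email module and scores those indicators. Both messages are constructed for the example, and the registrable_domain helper is a deliberate simplification of public-suffix handling (it has no offline suffix list).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the bank example above; not a real captured message.
SUSPECT_EMAIL = (
    'From: "S-tandard Bank" <alerts@alert-std.co.za>\n'
    "To: customer@example.edu\n"
    "Subject: Your account has been limited\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body>\n"
    "<p>Your online banking access will be suspended.</p>\n"
    "<p>***DON'T WAIT! The Link Above Expires on 12/28!</p>\n"
    '<p><a href="http://secure-login.alert-std.co.za/verify">www.standardbank.co.za/login</a></p>\n'
    "<p>Please confirm your Social Security number and password.</p>\n"
    "</body></html>\n"
)

# Constructed control message from the bank's real domain, with consistent links.
LEGIT_EMAIL = (
    'From: "Standard Bank" <alerts@standardbank.co.za>\n'
    "To: customer@example.edu\n"
    "Subject: Your monthly statement\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body><p>Your statement is ready at "
    '<a href="https://www.standardbank.co.za/statements">www.standardbank.co.za/statements</a>.'
    "</p></body></html>\n"
)

URGENCY_PHRASES = ("don't wait", "expires", "immediately", "suspended", "within 24 hours")
SENSITIVE_REQUESTS = ("social security", "password", "account number")


def registrable_domain(host: str) -> str:
    """Heuristic for the owner-level domain (assumption: no public-suffix list offline):
    keep two labels, or three when the suffix looks like 'co.za' / 'co.uk'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze(raw_message: str, claimed_domain: str) -> dict:
    """Score the phishing indicators for one RFC 822 message claiming to be from claimed_domain."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.rsplit("@", 1)[-1])
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    lowered = body.lower()

    # Links whose visible text names one domain while the href points somewhere else.
    link_mismatches = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        href_domain = registrable_domain(urlparse(href).hostname or "")
        visible = re.sub(r"<[^>]+>", "", text).strip()
        visible_host = re.sub(r"^https?://", "", visible).split("/")[0]
        if "." in visible_host and registrable_domain(visible_host) != href_domain:
            link_mismatches.append((registrable_domain(visible_host), href_domain))

    findings = {
        "display_name": display_name,
        "sender_domain": sender_domain,
        "sender_matches_claimed": sender_domain == claimed_domain.lower(),
        "urgency_phrases": [p for p in URGENCY_PHRASES if p in lowered],
        "sensitive_requests": [p for p in SENSITIVE_REQUESTS if p in lowered],
        "link_mismatches": link_mismatches,
    }
    # Weighting is illustrative: a mismatched sender or link is worth more than wording alone.
    score = (
        (0 if findings["sender_matches_claimed"] else 2)
        + min(len(findings["urgency_phrases"]), 2)
        + min(len(findings["sensitive_requests"]), 2)
        + 2 * len(link_mismatches)
    )
    findings["score"] = score
    findings["verdict"] = "likely phishing" if score >= 4 else "no strong indicators"
    return findings


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_EMAIL), ("control", LEGIT_EMAIL)):
        result = analyze(raw, "standardbank.co.za")
        print(f"{name}: score={result['score']} verdict={result['verdict']} "
              f"sender={result['sender_domain']} links={result['link_mismatches']}")
```

The sender check only compares the domain in the From header, which an attacker can forge outright; in production, pair it with SPF/DKIM/DMARC results from the receiving mail server. The link check is the one users can replicate by hand: hover over a link and compare the address shown with the text you see.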
If You Suspect Phishing
There are a number of steps that you can take if you suspect that a message you have received is a phishing attack.
- Verify the identity of the sender. For example, if you receive an email that looks like it is from PNC Bank, call or email their customer support team using contact details from the bank’s own website or the back of your card, not from the message. Do not reply to the email itself, and do not use its links or phone numbers, as they may lead to the attacker rather than to the legitimate business. If it looks like a friend or coworker sent the message, follow up with them in a separate email or by phone (again, do not reply to the original message).
- Change any relevant passwords. If you entered a password on a site the message linked to, change it immediately on the real site, and change it anywhere else you reuse it. Changing a password is almost never a bad idea, and having a unique password for each site or service you use is a best practice.
- Go back to the official source. Always type the web address of the site you want into your browser yourself, instead of clicking on links from emails or social media networks. As mentioned, avoid links in the original message, as they will most likely lead to a fraudulent site.
- Trust your instincts and err on the side of caution. If an email or website doesn’t look or “feel” right, there’s probably a reason.
If you think that your work email has been targeted by a phishing attack, please contact FIS via our Support Portal, or call us at 4-FIS1. If your personal email address has been targeted, please report it to any of the following agencies:
- Federal Trade Commission
- US Computer Emergency Readiness Team
- FBI Internet Crime Complaint Center
- Anti-Phishing Working Group
- PhishKillers Blacklist
For More Information
For additional background and tips, check out the articles in the FIS Knowledge Base, or read any of the following:
29 Feb 2016
The FBI and Apple are currently locked in a legal battle surrounding the iPhone left behind by one of the San Bernardino mass shooting suspects, Syed Farook. Stay informed with FIS on the timeline, details, and stakes in the world of cybersecurity in this pivotal case.
The case from which the letters below stem, the San Bernardino shooting of December 2015, has led Apple and the FBI into an intense legal battle over the FBI’s demand, ordered by a federal magistrate judge, that Apple build a “backdoor” into Syed Farook’s iPhone. According to the FBI, the phone could contain information related to the San Bernardino attack and to the pledge of allegiance to ISIS that Farook’s wife, Tashfeen Malik, posted on Facebook.
On February 16th, Apple CEO Tim Cook posted the following letter on the Apple website stating,
“The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand. This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake. … While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.”
On February 21st, FBI Director James Comey posted the following letter on The Lawfare Blog, a blog dedicated to “…that nebulous zone in which actions taken or contemplated to protect the nation interact with the nation’s laws and legal institutions.” The Lawfare Blog is published by the Lawfare Institute in cooperation with the Brookings Institution.
James Comey writes,
“We simply want the chance, with a search warrant, to try to guess the terrorist’s passcode without the phone essentially self-destructing and without it taking a decade to guess correctly. That’s it. We don’t want to break anyone’s encryption or set a master key loose on the land.”
What Is a Backdoor?
Kim Zetter at Wired penned the article Hacker Lexicon: What Is a Backdoor? in December 2014. The article’s own summary reads:
A backdoor in software or a computer system is generally an undocumented portal that allows an administrator to enter the system to troubleshoot or do upkeep. But it also refers to a secret portal that hackers and intelligence agencies use to gain illicit access.
In the iPhone case, the FBI asked Apple to build and digitally sign a modified version of iOS that would disable the feature that erases the phone’s data after ten incorrect passcode attempts, remove the escalating delays the phone imposes between failed attempts, and accept passcodes submitted electronically rather than typed on the screen, so that every possible passcode could be tried quickly. In this case, the backdoor the FBI is requesting falls under the latter half of Zetter’s definition: “a secret portal that hackers and intelligence agencies use to gain illicit access.”
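To see what each of the requested changes buys an attacker, and why Comey speaks of the phone “self-destructing” and of guessing “taking a decade”, here is an added example that is not from the original post, from Apple, or from the FBI. It models a passcode-retry defence with three knobs: the cost of one guess, the escalating delays after failed attempts, and the auto-erase threshold. The per-attempt cost of about 80 ms and the delay schedule are assumptions modelled on Apple’s published description of iOS at the time, not measurements from the device in the case, and the keyspaces are illustrative.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PasscodePolicy:
    """Parameters of a device's passcode-retry defence (all values below are assumptions)."""
    per_attempt_s: float              # time the device needs to test one guess
    delay_schedule: Dict[int, float]  # nth failed attempt -> forced wait (seconds) after it
    steady_delay_s: float             # forced wait after every failure beyond the schedule
    wipe_after: Optional[int]         # failures before the data is erased; None = disabled


def brute_force_seconds(keyspace: int, policy: PasscodePolicy) -> Optional[float]:
    """Worst-case time to try every passcode in a keyspace of the given size.

    Returns None when the device would erase itself before the space is exhausted.
    Uses a closed form so that keyspaces of billions of guesses need no loop.
    """
    if policy.wipe_after is not None and keyspace > policy.wipe_after:
        return None
    wrong_guesses = keyspace - 1  # worst case: the correct passcode is the last one tried
    last_scheduled = max(policy.delay_schedule, default=0)
    scheduled = sum(d for n, d in policy.delay_schedule.items() if n <= wrong_guesses)
    steady = max(0, wrong_guesses - last_scheduled) * policy.steady_delay_s
    return keyspace * policy.per_attempt_s + scheduled + steady


def humanize(seconds: Optional[float]) -> str:
    """Render a duration (or a wipe) for the summary table."""
    if seconds is None:
        return "device wipes before the space is exhausted"
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


# Assumed stock protections: ~80 ms per guess in the key-derivation hardware, escalating
# delays from the 5th failure onward (1, 5, 15, 15, 60 minutes), an hour after each later
# failure, and erase after the 10th failure when the owner has enabled that setting.
STOCK = PasscodePolicy(
    per_attempt_s=0.08,
    delay_schedule={5: 60, 6: 300, 7: 900, 8: 900, 9: 3600},
    steady_delay_s=3600,
    wipe_after=10,
)
# Erase disabled but delays kept: the "decade" Comey refers to.
NO_WIPE = PasscodePolicy(0.08, {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}, 3600, None)
# The requested build: no erase, no delays, electronic entry, so a guess costs only the check.
FBI_BUILD = PasscodePolicy(0.08, {}, 0.0, None)

KEYSPACES = {"4 digits": 10 ** 4, "6 digits": 10 ** 6, "6 alphanumerics": 36 ** 6}


if __name__ == "__main__":
    for label, space in KEYSPACES.items():
        print(f"{label:>16}: stock = {humanize(brute_force_seconds(space, STOCK))}; "
              f"no wipe = {humanize(brute_force_seconds(space, NO_WIPE))}; "
              f"requested build = {humanize(brute_force_seconds(space, FBI_BUILD))}")
```

Under these assumptions a 4-digit passcode survives the stock policy only because of the erase threshold, takes over a year to exhaust once the erase is disabled but the delays remain, and falls in about thirteen minutes under the requested build; a 6-digit passcode under that build is a day’s work. The lesson is the one Apple’s letter draws: the passcode’s strength depends on the rate limiting that the modified software would remove, not on the secrecy of the code itself.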
Apple argues that building such a backdoor would compromise the security of all of Apple’s devices, if not more. Tim Cook, Apple CEO, states:
The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.
Conversely, James Comey, Director of the FBI, states:
We simply want the chance, with a search warrant, to try to guess the terrorist’s passcode without the phone essentially self-destructing and without it taking a decade to guess correctly. That’s it. We don’t want to break anyone’s encryption or set a master key loose on the land.
Thus, one could summarize the FBI vs. Apple legal battle as follows. Apple holds that the FBI’s request compromises its commitment to encryption: once the tool exists it could be reused across devices and could fall into the hands of hackers with malicious intent, exposing customers’ personal data (such as photos, financial data, and passwords). The FBI states that its intention is to enter one phone, Syed Farook’s, in the hope of determining whether it holds information that could shed light on the attack and potentially lead to more terrorists, specifically members of the group ISIS.
What is the All Writs Act of 1789?
The All Writs Act of 1789, which the federal magistrate judge invoked in ordering Apple to help the FBI access the iPhone, is summarized by Laura Sydell of NPR as follows:
That law, the All Writs Act, is all of two sentences in length. It gives judges the authority to issue any order necessary — within the law — to further litigation before the court. The relative clause says:
“The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”
A “writ” is defined by Merriam-Webster as “an order or mandatory process in writing issued in the name of the sovereign or of a court or judicial officer commanding the person to whom it is directed to perform or refrain from performing an act specified therein.” Its origin is Middle English, from Old English, with its first known use dating to before the 12th century.
The All Writs Act was previously applied to telephones in 1977, in United States v. New York Telephone Co. There the Supreme Court ruled in favor of the FBI, requiring the New York Telephone Company to help install a “pen register,” a device that records the numbers dialed from a particular telephone line, on two lines suspected of use in an illegal gambling operation.
Who Else Has Weighed in on The Issue?
In an interview with Financial Times, Bill Gates, founder of Microsoft, has stated,
“This is a specific case where the government is asking for access to information. They’re not asking for some general thing, they’re asking for a particular case…Apple has access to the information, they’re just refusing to provide the access, and the courts will tell them whether to provide the access or not.”
However, in a later interview with Bloomberg, Gates said that he was “disappointed” with headlines stating that he sided with the FBI in the case, but that he does “…believe that with the right safeguards there are cases where the government, on our behalf — like stopping terrorism, which could get worse in the future — that that is valuable” and that “These issues will be decided in Congress.”
Microsoft as a company began their involvement in the FBI vs. Apple legal battle by offering only mild support to Apple, stating on February 18th:
“Reform Government Surveillance companies believe it is extremely important to deter terrorists and criminals and to help law enforcement by processing legal orders for information in order to keep us all safe. But technology companies should not be required to build backdoors to the technologies that keep their users’ information secure. RGS companies remain committed to providing law enforcement with the help it needs while protecting the security of their customers and their customers’ information.”
As of February 25th, however, according to Chris Welch at The Verge:
Microsoft president and chief legal officer Brad Smith has announced, “We at Microsoft support Apple and will be filing an amicus brief next week.” An amicus brief is a “friend of the court” filing that allows parties not directly involved in the case to weigh in.
Mark Zuckerberg and Facebook
Facebook CEO Mark Zuckerberg issued this formal statement regarding the FBI and Apple’s current case:
“We condemn terrorism and have total solidarity with victims of terror. Those who seek to praise, promote, or plan terrorist acts have no place on our services. We also appreciate the difficult and essential work of law enforcement to keep people safe. When we receive lawful requests from these authorities we comply. However, we will continue to fight aggressively against requirements for companies to weaken the security of their systems. These demands would create a chilling precedent and obstruct companies’ efforts to secure their products.”
Edward Snowden, former NSA contractor and now a director at the Freedom of the Press Foundation, tweeted:
— Edward Snowden (@Snowden) February 17, 2016
Google CEO Sundar Pichai and Twitter CEO Jack Dorsey
1/5 Important post by @tim_cook. Forcing companies to enable hacking could compromise users’ privacy
— sundarpichai (@sundarpichai) February 17, 2016
3/5 We build secure products to keep your information safe and we give law enforcement access to data based on valid legal orders
— sundarpichai (@sundarpichai) February 17, 2016
4/5 But that’s wholly different than requiring companies to enable hacking of customer devices & data. Could be a troubling precedent
— sundarpichai (@sundarpichai) February 17, 2016
— Jack (@jack) February 18, 2016
What Might This Mean for Smartphone Users?
Some parties, such as Edward Snowden, given his statement above and others on Twitter, suggest that the real goal of the FBI is to expand surveillance on phones and online correspondence, using the rhetoric of stopping terrorism and terrorists to achieve this goal.
Additionally, the use of the All Writs Act is under scrutiny because of its age, with opponents questioning whether a law written in 1789 can sensibly be applied to the iPhone and to cybersecurity. Pundits also suggest that if the FBI succeeds in requiring Apple to build the backdoor, whether in the lower courts or at the Supreme Court, other governments could demand the same of companies, to the advantage or at the expense of their citizens.
Finally, while ordinary people have little control over the legal proceedings between the FBI and Apple, it can be argued that Apple stands to lose thousands of customers if the FBI succeeds. In a democratic system such as the United States, the people do have some social power, in the form of free speech and the rights to assemble and to support or protest either Apple or the FBI. It is important to weigh the government’s arguments alongside the goals of a multinational business when deciding whether to support either side, Apple and its supporters or the FBI and its supporters. At the same time, stay mindful of your rights and responsibilities as a consumer and citizen in the American political and technological worlds.
Update: iPhone Unlocked without Assistance from Apple
In a statement on Monday, March 28th, the Justice Department withdrew its request that Apple be ordered to help unlock the iPhone recovered from the San Bernardino mass shooting. The withdrawal followed U.S. law enforcement’s claim that the iPhone had been unlocked without assistance from Apple, with help from an undisclosed party outside the FBI.
Now that the iPhone has been unlocked, some are worried about the overall security of the iPhone and want to know the method that was used. Apple’s lawyers have publicly expressed interest in this information so that the weakness can be fixed and the iPhone’s security strengthened. However, the government could choose to classify the method, keeping it from Apple and others.
No information regarding the contents of the iPhone has been released, and it remains possible that nothing relevant will be found.
Both Apple and the FBI have stated that they will continue working toward their goals: Apple toward securing users’ data against criminals and governments alike, and the FBI toward its ability to “obtain crucial digital information to protect national security and public safety” with or without “cooperation from relevant parties.”
25 Jan 2016
A list of the Worst Passwords of 2015 was published this month by SplashData, a company specializing in password management software.
If your passwords are among those listed, or similar to them, it is time to create and use stronger passwords. FIS has multiple Knowledge Base articles to assist with the creation of secure passwords.
Avoid dictionary words, repeated characters, and patterns found on a typical keyboard (such as “qwerty” or “123456”); consider a passphrase made of several unrelated words instead.
Keep your spouse’s, children’s and pets’ names and other personal information out of your passwords. If you must use such facts as answers to account-recovery security questions, choose the ones that are most unique to you and least guessable, and consider how much of that information can easily be found on your social media profiles. (Security questions are a recovery mechanism, not a second factor: two-step authentication means a code or device in addition to your password.)
Be sure to include at least three of the following four character types in your passwords, even if the account in question does not require them, as long as it allows them:
- Uppercase letters (A through Z)
- Lowercase letters (a through z)
- Numerals (0 through 9)
- Non-alphabetic, special characters (!, $, #,%, and others)
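The rules above can be checked mechanically. The following is an added example, not part of the original post or of the FIS Knowledge Base, of a small policy checker: it tests the three-of-four character-class rule, rejects keyboard patterns and repeated characters, refuses a handful of the most common passwords, and gives a rough entropy estimate. The minimum length of 12 is an assumption (the post gives no number), and the embedded common-password set is only ten entries taken from SplashData’s 2015 list, standing in for a real breached-password feed.

```python
import math
import re
import string

# Assumption: ten entries from SplashData's 2015 list; a deployment would load a much
# larger set of breached passwords rather than this handful.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "football", "1234", "1234567", "baseball",
}

# Keyboard rows, the digit row and the alphabet, checked forwards and backwards.
KEYBOARD_SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                      string.ascii_lowercase)

MIN_LENGTH = 12  # assumption: the post gives no number, so a common baseline is used


def character_classes(password: str) -> dict:
    """Which of the four character classes listed above are present."""
    return {
        "upper": any(c in string.ascii_uppercase for c in password),
        "lower": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in string.punctuation for c in password),
    }


def has_keyboard_pattern(password: str, run: int = 4) -> bool:
    """True if `run` adjacent keys from a row (or consecutive letters) appear in order."""
    lowered = password.lower()
    for seq in KEYBOARD_SEQUENCES:
        for direction in (seq, seq[::-1]):
            for i in range(len(direction) - run + 1):
                if direction[i:i + run] in lowered:
                    return True
    return False


def has_repeated_run(password: str, run: int = 3) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def estimated_entropy_bits(password: str) -> float:
    """Naive upper bound: length * log2(pool), pool being the union of the classes used.
    Real guessability is lower for anything resembling words or patterns."""
    sizes = {"upper": 26, "lower": 26, "digit": 10, "special": len(string.punctuation)}
    pool = sum(sizes[name] for name, present in character_classes(password).items() if present)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if sum(character_classes(password).values()) < 3:
        problems.append("fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if has_keyboard_pattern(password):
        problems.append("keyboard pattern")
    if has_repeated_run(password):
        problems.append("repeated characters")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "qwerty123", "Password1!", "Blue-Coffee!Rains7"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'} "
              f"(~{estimated_entropy_bits(candidate):.0f} bits)")
```

The entropy figure is only a ceiling: “Password1!” uses all four classes yet is a dictionary word with a predictable suffix, which is why the checker also needs the pattern and common-password tests rather than character-class counting alone.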
Learn about Accounts & Passwords on the FIS Knowledge Base.
- Why does my password expire and why do I have to change it?
- Why does my password need to be so long?
- Why shouldn’t I use common words for my password? They are easier for me to remember.
- Why shouldn’t I use personal names or numbers for my password?
FIS requires that our customers change their passwords every 60 days, roughly every two months. The aim is to limit the useful life of a stolen credential: if an attacker obtains a password hash and is still working to crack it, there is a chance the customer will have changed the password before the attacker can use it.
Not all accounts that require a password require customers to change their passwords after a set amount of time. However, it could be a good habit to bring in the new year to change your passwords every two months or so!
Read more about University Accounts and Password Durations.
Questions about changing your FIS Password? Consult the Changing Your FIS Password article to familiarize yourself with the ways in which you can change your password:
- The Windows Change Password Screen – a voluntary way to change your password
- At the initial login message when your password has expired
- Call FIS Customer Support to reset it
27 Oct 2015
Brought to you by SecuringTheHuman.org, FIS’ Security Awareness Training partner.
Anti-virus
A security program that can run on a computer or mobile device and protects you by identifying and stopping the spread of malware on your system. Anti-virus cannot detect all malware, so even if it is active, your system might still get infected. Anti-virus can also be used at the organizational level. For example, email servers may have anti-virus integrated with them to scan incoming or outgoing email. Sometimes anti-virus tools are called ‘anti-malware’, because these products are designed to defend against various types of malicious software.
Drive-by Download
These attacks exploit vulnerabilities in your browser or its plugins and helper applications when you simply surf to an attacker-controlled website. Some computer attackers set up their own evil websites that are designed to automatically attack and exploit anyone who visits. Other attackers compromise trusted websites such as ecommerce sites and deploy their exploit software there. Often these attacks occur without the victims realizing that they are under attack.
Exploit
Code that is designed to take advantage of a vulnerability. An exploit is designed to give an attacker the ability to execute additional malicious programs on the compromised system or to provide unauthorized access to affected data or applications.
Firewall
A security program that filters inbound and outbound network connections. In some ways you can think of a firewall as a virtual traffic cop, determining which traffic can go through. Almost all computers today come with firewall software installed. In addition, firewalls can be implemented as network devices to filter the traffic that traverses them.
Malware – Virus, Worm, Trojan, Spyware
Malware stands for ‘malicious software’. It is any type of code or program cyber attackers use to perform malicious actions. Traditionally there have been different types of malware based on their capabilities and means of propagation, as listed below. These technical distinctions matter less today, as modern malware often combines the characteristics of several of these types in a single program.
- Virus: A type of malware that spreads by infecting other files, rather than existing in a standalone manner. Viruses often, though not always, spread through human interaction, such as opening an infected file or application.
- Worm: A type of malware that can propagate automatically, typically without requiring any human interaction for it to spread. Worms often spread across networks, though they can also infect systems through other means, such as USB keys. An example of a worm is Conficker, which infected millions of computer systems starting in 2008 and is still active today.
- Trojan: A shortened form of “Trojan Horse”, this type of malware appears to have a legitimate or at least benign use, but masks a hidden sinister function. For example, you may download and install a free screensaver that actually works well as a screensaver, but the same software can also be malicious and will infect your computer once you install it.
- Spyware: A type of malware that is designed to spy on the victim’s activities, capturing sensitive data such as the person’s passwords, online shopping, and screen contents. One popular type of spyware, a keylogger, is optimized for logging the victim’s keyboard activity and transmitting the captured information to the remote attacker.
Patch
A patch is an update to a vulnerable program or system. A common practice to keep your computer and mobile devices secure is installing the latest vendor patches in a timely fashion. Some vendors release patches on a monthly or quarterly basis, so a computer that is unpatched for even a few weeks could be left vulnerable.
Phishing
Phishing is a social engineering technique where cyber attackers attempt to fool you into taking an action in response to an email. Phishing was a term originally used to describe a specific attack scenario. Attackers would send out emails pretending to be a trusted bank or financial institution; their goal was to fool victims into clicking on a link in the email. Once clicked, victims were taken to a website that pretended to be the bank, but was really created and controlled by the attacker. If the victim attempted to log in thinking they were at their bank, their login and password would then be stolen by the attacker. The term has evolved and often means not just attacks designed to steal your password, but emails designed to send you to websites that hack into your browser, or even emails with infected attachments.
Social Engineering
A psychological attack used by cyber attackers to deceive their victims into taking an action that will place the victim at risk. For example, cyber attackers may trick you into revealing your password or fool you into installing malicious software on your computer. They often do this by pretending to be someone you know or trust, such as a bank, company or even a friend.
Spam
Unwanted or unsolicited emails, typically sent to numerous recipients with the hope of enticing people to read the embedded advertisements, click on a link or open an attachment. Spam is often used to convince recipients to purchase illegal or questionable products and services, such as pharmaceuticals from fake companies. Spam is also often used to distribute malware to potential victims.
Spear Phishing
Spear phishing describes a type of phishing attack that targets specific victims. Instead of sending out an email to millions of email addresses, cyber attackers send a very small number of crafted emails to very specific individuals, usually all at the same organization. Because of the targeted nature of this attack, spear phishing attacks are often harder to detect and usually more effective at fooling the victims.
Vulnerability
This is any weakness that attackers or their malicious programs may be able to exploit. For example, it can be a bug in a computer program or a misconfigured webserver. An attacker or malware may be able to take advantage of the vulnerability to gain unauthorized access to the affected system. However, vulnerabilities can also be a weakness in people or organizational processes.