13 Sep 2018
Scammers pretending to be the Chinese Consulate office have recently started contacting people in the hopes of obtaining your bank account or credit card information. This social engineering attack has been recognized by the Federal Trade Commision (FTC). An attack like this reminds us that scammers are always trying new tactics to rob people by simply tricking them into making a mistake. This article intends to help you learn how these attacks work and how to identify them.
What is Social Engineering
According to SANS.org, social engineering is a psychological attack where an attacker tricks you into doing something that you shouldn’t do. This concept is not new. Con artists have been attempting to steal money from unknowing people for thousands of years. Scammers are essentially con artists using today’s technology to aid them in stealing. What makes this tactic so effective is that today’s technology allows them to not be physically seen and contact millions of people around the world either by phone call or email.
Take for example the recent attack from scammers pretending to be the Chinese Consulate. According to the FTC’s website, people across the country have reported getting a call or message saying they have to pick up a package at the Chinese Consulate office, or they need you to give them information to avoid being in trouble with the Chinese Consulate. We actually had multiple people at FIS receive this phone this week! This type of phone call is a perfect example of what social engineering is and what it is trying to accomplish.
Another example is a CEO fraud, which is an email attack that most often occurs at work. The way this attack work is a scammer researches your company and identifies the name of your boss or coworker. This is especially easy to obtain here at the University of Pittsburgh as most information like this is public knowledge. The attacker then creates an email pretending to be that person which asks you to take some sort of action such as wiring them money or emailing sensitive company/employee information.
You should know that social engineering attacks are not limited to emails and phone calls. They can occur in any form. The best thing you can do is be as informed as possible on the subject and never, ever send money or sensitive data over the phone or via email if someone is asking for it.
How to Detect a Social Engineering Attack
While social engineering attacks are dangerous and tricky, stopping such an attack is simpler then it seems. Often times, common sense is your best defense. Listed below are some of the more common clues of a social engineering attack.
- Someone creating a sense of urgency that requires immediate action. For example, you may receive a phone call from someone claiming to be from a computer support company that tells you your computer is infected and you need to purchase their security software or risk losing all of your computer data.
- Someone asking for information they should not have access to such as bank account numbers or social security numbers.
- Someone asking for a password. Legitimate companies will not ask you for your password.
- Something that seems too good to be true. For example, being notified you won an iPad or the lottery.
- Receiving an email from a friend or coworker that contains verbiage that does not sound like it’s from them.
If any of those scenarios occur, you should take appropriate action such as hang up the phone or delete the email. In the instance of receiving an odd email from a friend or coworker, it is recommended to reach out to them through some other means of communication. For more information, please submit a ticket through the FIS portal or review your security awareness training.
We all know the role that social media now plays in the world. Between Facebook, Twitter, Instagram, SnapChat, and LinkedIn, social media has become nearly inescapable. While these sites are amazing resources for connecting people across the globe, they all come with risks. These risks not only could affect you but also your friends, family, and employer. This article is going to cover some key steps for securely using social media.
Perhaps the most important and obvious step towards securely using social media is to be careful of what you post. Even if you enable privacy features and think your posts are not viewable to everyone, you should still post with the mindset that it can be viewed by everyone. If it could negatively impact your reputation and future, it should not be posted on any social media platform.
Even though privacy features should not be viewed as a filter that blocks your posts from being viewed by anyone, they should still be enabled. Almost all social media sites have strong privacy features. However, with strong privacy features comes change and confusion. You should make it a habit to check for any changes and to confirm they are working the way they are intended.
Another seemingly obvious security step is to create a strong, unique password. This has been drilled into all computer users head’s but it is still avoided by many people. The reason for its avoidance is simple. People have a hard time remembering complex passwords and do not want to have to remember passwords for multiple systems. While we recognize the annoyance in having multiple complex passwords, it is still a key step in securely using not only social media sites but computers in general.
Unfortunately, creating a strong password for all of your accounts is no longer enough. You should still have a strong password but you should also enable two-factor authentication on all of your social media accounts. Pitt has already enabled two-factor authentication when logging into my.pitt.edu in order to protect you from people who could potentially obtain your password. While this may seem like more work, your personal information will be substantially more secure. To look at it another way, you would not want simply having your ATM card as a way to withdraw money. Banks knew this and decided a pin was also necessary to access the features of an ATM card.
You should also be careful of what you click on when using social media sites. There is a good chance you can be tricked into providing personal information by clicking on a fraudulent post or link. If a friend’s post seems suspicious you should avoid accessing it.
Being careful of what you post, creating a strong password, enabling two-factor authentication, and being careful of what you click on when using social media sites are all effective ways to securely use social media. If you have any questions or would like to learn more, please submit a ticket through the FIS portal.
24 May 2018
Home network security as defined by the United States Computer Emergency Readiness Team refers to the protection of a network that connects devices to each other and to the internet within a home. With technology becoming more and more prevalent in our daily lives, it becomes increasingly important to protect against security risks. This article hopes to better your understanding of the risks associated with being connected to the internet as well as the importance of properly securing your home networks and systems.
Most people are under the assumption that their home network will never be attacked. This is a very common misconception for a couple of reasons. Home users believe their network is not big enough to be at risk of a cyber attack, and they think the devices they are provided by companies such as Comcast and Verizon are plenty secure. This line of thought is wrong and can be costly because attacks can occur to any network connected to the internet no matter the size, and the devices you are provided by Internet Service Providers (ISPs) are preconfigured with factory issued settings such as default usernames and passwords that create opportunities for cyberattackers to gain unauthorized access to information, amongst other problems.
The good news is that there are ways to prevent these types of problems. By improving the security of your home network, you can significantly reduce the chances of being successfully attacked. The list below are ways to improve the security of your home network.
- Regularly update software as the updates often include critical patches and security fixes for the most recent threats and vulnerabilities
- Remove/uninstall unnecessary services and software to reduce security holes on a device’s system
NOTE: This is especially important on new computers as they are often pre-installed with many software and application trial versions
- Adjust factory default configurations on software and hardware because the configuration settings are created to be user-friendly and are not geared towards security
- Install up-to-date antivirus software and make sure to enable automatic virus definition updates
- Install a network firewall to block malicious traffic from entering your home network and alert you to any potential dangerous network activity
- Install firewalls on network devices to inspect and filter a computer’s inbound and outbound network traffic
- Back up your data on a regular basis to minimize the impact if your data is lost, corrupted, infected, or stolen
- Enable wireless security by:
- Using the strongest encryption protocol available
- Changing the router’s default administrator password
- Changing the default SSID (often referred to as the network name)
- Disabling WPS (WiFi Protected Setup)
- Reducing wireless signal strength
- Turning the network off when not being used
- Disabling UPnP (Universal Plug and Play) when not needed
- Upgrading firmware
- Disabling remote management
- Monitoring for unknown device connections
- Familiarize yourself with the most common elements of a phishing attack
- Create strong passwords by:
- Making the password long and complex
- Creating a unique password for each account
- Never use personal information within the password
For more information about home network security, please visit the United States Computer Emergency Readiness Team website.
27 Apr 2018
Microsoft has recently announced new advanced security features available to Office 365 subscribers. Since the University of Pittsburgh migrated to Office 365, these new protection capabilities are available to you.
The new security features offered are:
- File recovery for OneDrive
- Outlook prevent forwarding
- Email encryption
File Recovery for OneDrive
This feature allows you to restore your entire OneDrive to a previous version within the last 30 days. This can be very helpful when a file or multiple files are accidentally deleted, become corrupt, or some other disastrous issue. Keep in mind the file restore will only work for files that were stored on your OneDrive. If the file was stored somewhere else, this feature will not work.
To use file restore:
- Go to http://portal.office.com
- Login with your University email address and password (may not be required if you are already logged into Office 365).
- Click the OneDrive icon.
- Click the Settings icon in the top right-hand corner.
- Click OneDrive – Restore your OneDrive.
- Select a date from the dropdown menu and click Restore.
Outlook Prevent Forwarding
This feature allows you to restrict your email recipients from forwarding or copying your emails. Prevent forwarding should be used when an email you send contains sensitive information.
To send an email with the prevent forwarding feature:
- Open Outlook and compose a new email.
- Go to the Options tab and click the dropdown arrow under Permission.
- Select Do Not Forward.
- Send the email.
This feature offers an added layer of protection to sent emails. Some email providers don’t encrypt their connection, which means your communication could be susceptible to being intercepted and read. If you use the email encryption feature offered by Office 365, the email you send will remain encrypted over a secure connection. This should be used when sending an email to an external user.
To send an email with the email encryption feature:
- Open Outlook and compose a new email.
- Go to the Options tab and click the dropdown arrow under Permission.
- Select either University of Pittsburgh – Confidential or University of Pittsburgh – Confidential View Only.
NOTE: Selecting University of Pittsburgh – Confidential will allow recipients to modify the content but not copy or print it. Selecting University of Pittsburgh – Confidential View Only will not allow recipients to modify the content.
- Send the email.
For more information on all of these features and more, please visit Office 365 new capabilities.
When you are scrolling your Facebook feed or taking a Buzzfeed quiz online, do you answer historical questions? Questions about your childhood home, your family dog, or the first car you drove can expose you to cyber criminals. These seemingly harmless games can lead to Facebook or quizzes online can help the company store and potentially sell your data. That is not to mention the other people that are seeing your answers online.
You may think to yourself, who care if they knew my first dog was a Boxer named Luna. Well, if you ever used that as a security question to reset your password, you may be more concerned. These data-harvesting schemes have become more and more prevalent and give identity thieves and scammers easier ways to access your online accounts.
There are many examples of this but, lets take a look at a few from krebsonsecurity.com
San Benito Tire Pros created a post that says, “What car did you learn to drive stick shift on?” This seems like a harmless answer, but by answering this question you could be giving them the answer to “What was the make and model of your first car?” This questions is one of the most commonly used by banks and other companies to verify customers before they reset their password.
Another from Good Old Days asks “What was your first pet, and what was it’s name?” This one is a little more obvious as it directly asks the question that you will frequently see as your security questions from companies online.
This can also happen when Facebook pages post quizzes or articles but pose questions as their caption. Texas asked “What was your high school mascot?” with a link to the most unusual texas high school mascots.
Protect yourself online and don’t share your historical data or make sure you answers to security questions are fictional. However, then you have to remember what you wrote.
07 Dec 2016
Do you do your holiday shopping online? There are a few easy ways to protect yourself online whether you are purchasing items for yourself or for the University with your P-Card. Follow the tips below for a safe experience:
1. Shop with reputable merchants. Only purchase from online vendors that you are familiar with, or do some research first. If you are not familiar with an online store, use caution. Just because the website looks professional, it doesn’t mean the vendor is trustworthy or has proper security controls in place. Check an independent source that allows customers to rate their shopping experience with a vendor such as Reseller Ratings. You can also refer to the Better Business Bureau to see if there are any complaints listed. You should also be aware that in some cases, you may be purchasing from an individual rather than business, and your legal recourse may be different in the event of a dispute.
2. Check the merchant’s customer information and return policies. Before ordering, be sure to read the terms of sale, return policies and fees, shipping methods and prices, and guarantees. Make note of vendor’s policies for storing and distributing your personal contact information. If you do not want to be included on mailing lists or have your contact information made available to third parties (spam lists), look for an option on the web site to indicate your preference. Do not provide vendors with sensitive personal information, such as your social security number or bank account numbers. Basic shipping and credit card information is all that should be required to make a purchase.
3. Be sure the transaction is secure. When you are in the checkout process, the web site should be using encryption called SSL (Secure Sockets Layer). SSL ensures secure transmission of your credit card information across the internet. You can tell if the web site is using SSL by looking for “https://” (rather than “http://”) at the beginning of the web site’s address in the browser. Another sign is the presence of a padlock symbol in the address bar of the browser. In Internet Explorer, the padlock symbol will appear on secure pages in the address bar, located to the right side of the web address. You can click on the lock symbol to verify the security of the site.
4. Never send credit card numbers via e-mail. Although it is generally safe to enter your credit card number on a secure web site, it is not safe to send it through e-mail. E-mail is sent through the internet in clear text (non-encrypted) format, so it’s possible for someone other than the vendor to see it. Sending a credit card number through e-mail is the equivalent of writing it on a postcard rather than mailing it in an envelope.
5. Keep a record of your transaction. Before you leave the transaction page of the web site, print a copy of the screen and keep it for your records. Check your credit card statements to verify you were charged the proper amount. Also, keep any e-mail confirmations about your order for later reference.
6. Use Identity Finder to protect your data. All FIS-supported computers have a program called Identity Finder installed. It will search your files, e-mails, databases, websites, and web browser data for Social Security numbers, Credit Card numbers, Bank Accounts, Passwords, etc. so you can then take steps to remove the sensitive data from your files. This program is also available for home use by contacting FIS.
7. Keep a record of your transaction. Before you leave the transaction page of the web site, print a copy of the screen and keep it for your records. Check your credit card statements to verify you were charged the proper amount. Also, keep any e-mail confirmations about your order for later reference.
8. Take action if there is a problem. If you do have a problem with an online vendor, first attempt to work it out with them directly. Don’t just rely on e-mail; call them as well. If you cannot resolve the problem to your satisfaction, you should contact your bank and ask them to stop the payment. If that’s not possible, you can use an online service such as SquareTrade to resolve your dispute. You can also file a complaint to the state Attorney General’s Office, who will investigate the case. You should also post your experience on a site like Reseller Ratings so other customers can be warned. While you may also wish to contact the Better Business Bureau, note that they have no authority over the vendor. They will simply accept your complaint and allow the vendor to respond.
Take this quiz, Workplace Security Risk Calculator, to find out if you activities while at work are risky and what you can be doing on the front lines to protect our organization!