Meltdown & Spectre – How to Protect Yourself

Following up on our previous post sharing what was then breaking information about these vulnerabilities, the UISO would like to share some additional best practices to follow in order to reduce one’s risk to attack.

Install Operating System Updates on Personal Devices

Staying current with security updates on personal for security features is always advised, and all major operating systems not currently end-of-life have patches in place that aid in reducing risk. The following are guides for updating one’s operating system for those not familiar with the process.

Limit JavaScript in your Web Browser

One of the methods by which Meltdown and Spectre can be triggered is via JavaScript, which can be activated by visiting a website hosting malicious code intentionally or via a targeted advertisement. The UISO recommends adding a browser extension that limits exposure to potentially malicious JavaScript.

For performance purposes, it is recommended to install one or the other of these extensions, but not both.

 

Research is still underway, and as further methods to mitigate the risk posed by these vulnerabilities are assessed by the information security community we will share them accordingly.

As always, please subscribe to this blog, our Twitter feed, or our FaceBook page for updates, and contact the UISO with any questions or concerns.

Article:“Meltdown” and “Spectre”: Every modern processor has unfixable security flaws

A major security flaw has been revealed to be prominent in every modern processor. Details can be found below.

Via: Arstechnica

“Windows, Linux, and macOS have all received security patches that significantly alter how the operating systems handle virtual memory in order to protect against a hitherto undisclosed flaw. This is more than a little notable; it has been clear that Microsoft and the Linux kernel developers have been informed of some non-public security issue and have been rushing to fix it. But nobody knew quite what the problem was, leading to lots of speculation and experimentation based on pre-releases of the patches.

Now we know what the flaw is. And it’s not great news, because there are in fact two related families of flaws with similar impact, and only one of them has any easy fix.

The flaws have been named Meltdown and Spectre. Meltdown was independently discovered by three groups—researchers from the Technical University of Graz in Austria, German security firm Cerberus Security, and Google’s Project Zero. Spectre was discovered independently by Project Zero and independent researcher Paul Kocher.

At their heart, both attacks take advantage of the fact that processors execute instructions speculatively. All modern processors perform speculative execution to a greater or lesser extent; they’ll assume that, for example, a given condition will be true and execute instructions accordingly. If it later turns out that the condition was false, the speculatively executed instructions are discarded as if they had no effect.

However, while the discarded effects of this speculative execution don’t alter the outcome of a program, they do make changes to the lowest level architectural features of the processors. For example, speculative execution can load data into cache even if it turns out that the data should never have been loaded in the first place. The presence of the data in the cache can then be detected, because accessing it will be a little bit quicker than if it weren’t cached. Other data structures in the processor, such as the branch predictor, can also be probed and have their performance measured, which can similarly be used to reveal sensitive information.

Meltdown

The first problem, Meltdown, is the one that stimulated the flurry of operating system patches. It uses speculative execution to leak kernel data to regular user programs.

Our original coverage gave a high-level summary of how operating systems virtualize system memory, the use of page tables to map from virtual memory addresses to physical addresses, how processors cache those mappings, and how the kernel’s page table mapping is shared between processes in order to maximize the value of this special cache.

While all modern processors, including those from Intel, AMD, and ARM, perform speculation around memory accesses, Intel’s processors do so in a particularly aggressive way. Operating system memory has associated metadata that determines whether it can be accessed from user programs or is restricted to access from the kernel (again: our original coverage has more detail about this point). Intel chips allow user programs to speculatively use kernel data, and the access check (to see if the kernel memory is accessible to a user program) happens some time after the instruction starts executing. The speculative execution is properly blocked, but the impact that speculation has on the processor’s cache can be measured. With careful timing, this can be used to infer the values stored in kernel memory.

The researchers say they haven’t been able to perform the same kind of kernel memory-based speculation on AMD or ARM processors, though they hold out some hope that some way of using this speculation offensively will be developed. While AMD has stated specifically that its chips don’t speculate around kernel addresses in this way, ARM has said that some of its designs may be vulnerable, and ARM employees have contributed patches to Linux to protect against Meltdown.

For systems with Intel chips, the impact is quite severe, as potentially any kernel memory can be read by user programs. It’s this attack that the operating system patches are designed to fix. It works by removing the shared kernel mapping, an operating system design that has been a mainstay since the early 1990s due to the efficiency it provides. Without that shared mapping, there’s no way for user programs to provoke the speculative reads of kernel memory, and hence no way to leak kernel information. But it comes at a cost: it makes every single call into the kernel a bit slower, because each switch to the kernel now requires the kernel page to be reloaded.

The impact of this change will vary wildly depending on workload. Applications that are heavily dependent on user programs and which don’t call into the kernel often will see very little impact; games, for example, should see very little change. But applications that call into the operating system extensively, typically to perform disk or network operations, can see a much more substantial impact. In synthetic benchmarks that do nothing but make kernel calls, the difference can be substantial, dropping from five million kernel calls per second to two-to-three million.

Spectre

Owners of AMD and ARM systems shouldn’t rest easy, though, and that’s thanks to Spectre. Spectre is a more general attack, based on a wider range of speculative execution features. The paper describes using speculation around, for example, array bounds checks and branches instructions to leak information, with proof-of-concept attacks being successful on AMD, ARM, and Intel systems. Spectre attacks can be used both to leak information from the kernel to user programs, but also from virtualization hypervisors to guest systems.

Moreover, Spectre doesn’t offer any straightforward solution. Speculation is essential to high-performance processors, and while there may be limited ways to block certain kinds of speculative execution, general techniques that will defend against any information leakage due to speculative execution aren’t known.

Sensitive pieces of code could be amended to include “serializing instructions”—instructions that force the processor to wait for all outstanding memory reads and writes to finish (and hence prevent any speculation based on those reads and writes)—that prevent most kinds of speculation from occurring. ARM has introduced just such an instruction in response to Spectre, and x86 processors from Intel and AMD already have several. But these instructions would have to be very carefully placed, with no easy way of identifying the correct placement.

In the immediate term, it looks like most systems will shortly have patches for Meltdown. At least for Linux and Windows, these patches allow end-users to opt out if they would prefer. The most vulnerable users are probably cloud service providers; Meltdown and Spectre can both in principle be used to further attacks against hypervisors, making it easier for malicious users to break out of their virtual machines.

For typical desktop users, the risk is arguably less significant. While both Meltdown and Spectre can have value in expanding the scope of an existing flaw, neither one is sufficient on its own to, for example, break out of a Web browser.

Longer term, we’d expect a future Intel architecture to offer some kind of a fix, either by avoiding speculation around this kind of problematic memory access or making the memory access permission checks faster so that this time interval between reading kernel memory, and checking that the process has permission to read kernel memory, is eliminated.”

Source: https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/

The Weakest Passwords of 2017

Via: USA Today

Strong passwords, these were not.

With Star Wars: The Last Jedi now in theaters, “starwars” made its debut among the worst passwords used in 2017, according to security company SplashData.

The password “starwars” entered their list in the 16th spot, ahead of passwords including “passw0rd” and “hello.”

“Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words,” said Morgan Slain, CEO of SplashData, in a statement.

SplashData said in a statement Tuesday the list is based on more than five million passwords leaked during the year.

Once again, “123456” is the worst password of the year, followed by “password.” New entrants into SplashData’s list include “123456789” (No. 6) and “letmein” (No. 7).

The company estimates nearly 3% of people used the worst password on the list, while almost 10% have used at least one of the top 25.

To keep accounts secure, users can follow these tips:

Think passphrase, not password. Originally, experts suggested thinking of a super complex password with a variety of numbers, uppercase and lowercase letters, and symbols. The problem is they’re way too tough to remember. Instead, consider a phrase for your password, then tweak it with numbers or symbols you can more easily recall.

Use two-factor authentication. Most big websites offer an additional layer to the login process, where you can request a text message with numeric code or confirmation through an authenticator app to verify your identity.

Make passwords unique. Use a different password for every website. According to SplashData, if hackers get a password for one set of credentials, they will try them across other services.

Consider password managers. If you have a lot of logins to manage, password managers such as Dashlane and LastPass offer automatically generated passwords for the sites you use. The user will have one master password they need to remember to log in to the manager.

View the full article.

Phishing Scams Targeting Direct Deposits

An increase in cyber threat actors sending phishing emails to education employees for the purposes of obtaining account login information has been seen across the education sector and universities. In these incidents, this information is then typically used to modify the employees’ direct deposit account information. By changing this information, the cyber threat actors reroute the employees’ paychecks to a financial account under the actors’ control. No specific payroll platforms are being targeted, as reports indicate the victims have used various platforms for payroll functionality.

This type of attack utilizes the inherent risk behind the use of single sign-on (SSO) features. SSO allows for the use of a single set of credentials to gain access to connected systems, providing authentication, authorization, access control, and password synchronization across an environment. In these incidents the cyber threat actor usually sends education sector staff a phishing email, a PDF attachment or malicious link. The phishing email often spoofs the account of an IT administrator or senior official. Upon clicking the link or downloading the attachment, the user is prompted to enter their login credentials, which the cybercriminal uses to log into the payroll system. The cybercriminal then changes the direct deposit information for that employee so that the employee’s paycheck is sent to a different account or pre-paid credit card. According to the FBI, in some instances the cyber threat actor is also accessing the employee’s email account and creating rules that immediately forward incoming emails containing specific words to the deleted folder so the employee does not get alerted to the criminal activity.

Fordham University has certain protections in place against such attacks thanks in part to the email protection built into Gmail, email protection services from Proofpoint and DUO’s two-factor authentication. The combination of all these security aspects help protect Fordham accounts from being compromised even if one’s credentials are attained.

If you believe you have received a phishing message or similar suspicious message, please do the following:

  • Do not respond to the message.
  • Do not click on any attachments or links.
  • Do not call the number listed.
  • Do not provide any information such as username and password.
  • If you did respond to the email and provided confidential information, please contact Fordham IT Customer Care ASAP at (718) 817-3999 for instructions on how to manually reset your password.
  • Delete the message.

Please note: Fordham IT will NEVER ask you for your username and password or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious emails, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these emails.

To learn more about protecting yourself online against such phishing attacks as these and others, please take the UISO’s online course, “UISO Security Training.” The course can be accessed in Blackboard, under My Organizations. You can login to Blackboard either via the portal, at My.Fordham.edu, or directly from Fordham’s Blackboard portal.

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.

Phishing Scams Now Harder to Detect

Via: Krebs On Security

Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate.

Phishers are moving to HTTPS because it helps increase the likelihood that users will trust that the site is legitimate. After all, your average Internet user has been taught for years to simply “look for the lock icon” in the browser address bar as assurance that a site is safe.

Perhaps this once was useful advice, but if so its reliability has waned over the years. In November, Phishlabs conducted a poll to see how many people actually knew the meaning of the green padlock that is associated with HTTPS websites.

“More than 80% of the respondents believed the green lock indicated that a website was either legitimate and/or safe, neither of which is true,” he wrote.

What the green lock icon indicates is that the communication between your browser and the Web site in question is encrypted; it does little to ensure that you really are communicating with the site you believe you are visiting.

So what can you do to make sure you’re not the next phishing victim?

Don’t take the bait: Most phishing attacks try to convince you that you need to act quickly to avoid some kind of loss, cost or pain, usually by clicking a link and “verifying” your account information, user name, password, etc. at a fake site. Emails that emphasize urgency should be always considered extremely suspect, and under no circumstances should you do anything suggested in the email.

Phishers count on spooking people into acting rashly because they know their scam sites have a finite lifetime; they may be shuttered at any moment. The best approach is to bookmark the sites that store your sensitive information; that way, if you receive an urgent communication that you’re unsure about, you can visit the site in question manually and log in that way. In general, it’s a bad idea to click on links in email.

Links Lie: You’re a sucker if you take links at face value. For example, this might look like a link to Bank of America, but I assure you it is not. To get an idea of where a link goes, hover over it with your mouse and then look in the bottom left corner of the browser window.

Yet, even this information often tells only part of the story, and some links can be trickier to decipher. For instance, many banks like to send links that include ridiculously long URLs which stretch far beyond the browser’s ability to show the entire thing when you hover over the link.

The most important part of a link is the “root” domain. To find that, look for the first slash (/) after the “http://” part, and then work backwards through the link until you reach the second dot; the part immediately to the right is the real domain to which that link will take you.

“From” Fields can be forged: Just because the message says in the “From:” field that it was sent by your bank doesn’t mean that it’s true. This information can be and frequently is forged.

If you want to discover who (or what) sent a message, you’ll need to examine the email’s “headers,” important data included in all email.  The headers contain a lot of information that can be overwhelming for the untrained eye, so they are often hidden by your email client or service provider, each of which may have different methods for letting users view or enable headers.

Describing succinctly how to read email headers with an eye toward thwarting spammers would require a separate tutorial, so I will link to a decent one already written at About.com. Just know that taking the time to learn how to read headers is a useful skill that is well worth the effort.

Keep in mind that phishing can take many forms: Why steal one set of login credentials for a single brand when you can steal them all? Increasingly, attackers are opting for approaches that allow them to install a password-snarfing Trojan that steals all of the sensitive data on victim PCs.

So be careful about clicking links, and don’t open attachments in emails you weren’t expecting, even if they appear to come from someone you know. Send a note back to the sender to verify the contents and that they really meant to send it. This step can be a pain, but I’m a stickler for it; I’ve been known to lecture people who send me press releases and other items as unrequested attachments.

If you didn’t go looking for it, don’t install it: Password stealing malware doesn’t only come via email; quite often, it is distributed as a Facebook video that claims you need a special “codec” to view the embedded content. There are tons of variations of this scam. The point to remember is: If it wasn’t your idea to install something from the get-go, don’t do it.

Lay traps: When you’ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers — most notably Gmail — make this especially easy.

When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that with a “+” sign just to the left of the “@” sign in your email address. For example, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to Gmail and create a folder called “Example,” along with a new filter that sends any email addressed to that variation of my address to the Example folder.

That way, if anyone other than the company I gave this custom address to starts spamming or phishing it, that may be a clue that example.com shared my address with others (or that it got hacked!). I should note two caveats here. First, although this functionality is part of the email standard, not all email providers will recognize address variations like these. Also, many commercial Web sites freak out if they see anything other than numerals or letters, and may not permit the inclusion of a “+” sign in the email address field.

View the full article.

Alert: Phishing Messages from WeTransfer

Please be advised that there are suspicious emails circulating that are targeting members of the Fordham Community. The subject line of these emails contain the words “sent you files via WeTransfer”. The messages contain a file download link from a seemingly legitimate email source. However, the file itself instructs the user to go to a phishing site and enter confidential information.

These are not legitimate emails and should be reported immediately.
Please remain diligent and avoid giving any personally identifiable information through email. Files sent via WeTransfer can be easily crafted to look like they are from legitimate email addresses and even trusted third parties. Do not assume a message from WeTransfer is trustworthy based on the displayed name of the sender. Pay attention to the sender of the email and if something appears suspicious, contact the sender directly to verify the messages legitimacy. DO NOT respond via email. If direct contact with the sender is not possible, please contact ITCC for assistance.

The content of the email is as follows:

————Start of Message————

From: WeTransfer <noreply@wetransfer.com>
Date:
Subject: fake@notreal.com sent you files via WeTransfer
To:

————End of Message————

Please remember that Fordham IT will NEVER ask you for your username and password or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious communications, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these communication attempts.

Critical macOS High Sierra Update

Apple has released a security update resolving the widely reported authentication bug known as iAmRoot. The UISO recommends that Apple computers running High Sierra (macOS 10.13.x) install this security update.

Due to its critical nature, Apple has deployed this as an automatically-installing update. However, it is still recommended to check for this and any other pending security updates.

The process to update is:

  • Click the  logo in the Taskbar
  • Click App Store
  • Click Updates
  • Install any security related updates shown
    • The recommended patch is Security Update 2017-001

Please do not hesitate to to contact infosec@fordham.edu with any questions.

Sources:

US-Cert: Apple Releases Security Update for macOS High Sierra

New security update fixes macOS root bug

Holiday Shopping 2017: How to avoid fake retail sites and other scams

Via: USAToday.com

1) Stop chasing any and all deals

“We live in an age where we have all these push notifications and emails,” said Steve Koenig, senior director of market research at the Consumer Technology Association, a trade group in Arlington, Va.

The volume of such activity during the holidays, he said, only makes consumers even more vulnerable to clicking on a $100 coupon before thinking twice.

“We’re all moving super fast, we get distracted,” said Tim Helming, director of product management at DomainTools.

When we’re rushing, we might not notice that the website in an email has an odd name.

Brands that continue to be spoofed include Amazon,Walmartand Target. Other brands that are commonly targeted include PayPal, Yahoo and Apple.

Helming told me that consumers need to be wary of fake sites that play up the “Black Friday” frenzy. Dozens of malicious domain registrations that touted a Black Friday connection cropped up last year beginning around Nov. 20, and he’d expect the same this year, too.

2) Learn how to spot a fake

Watch out for a domain decorated with a few extra, possibly even reassuring words or odd spellings. DomainTools listed some brand-abusing domains that have a dot-com at the end but they’re still frauds, such as Amazonsecure-shop, Target-officialsite or  Walmartkt.

Other fakes include: Amazonshop.gq or Targethome.today or Walmart-outlet.ga.

Helming said domains that include a hyphen and words such as shop or secure can be good clues to a phony site, as many brand names use their names alone for their sites.

Other words in a fake URL site that appears to be connected to a well-known name might be something like outlet, discounts or deals.

Many times, the fraudsters use words like “official site” to make their fake sites look legitimate. Or there might be extra letters, such as “Yahooo” or “Walmaart.”

Take care on social media. Phishers can use of “URL shortening” services to obfuscate phishing URLs. As a result a very short URL, can be used in Tweets, which automatically redirect the visitor to a longer “hidden” URL, according to the Anti-Phishing Working Group’s research.

3) Recognize the risks of rushing

Consumers who click on the links or visit malicious sites are typically unknowingly handing over their name, address, and credit card information.

Never click on links in emails or social media to go to a retailer’s website. A better bet: Take a few extra seconds to go directly to the site yourself. Be sure to take a second look at all URLs.

4) Ask yourself why would Amazon be sending you a free gift card? Really?

Yes, one of those free $50 Amazon gift cards popped up in my email the other day. Of course, it’s a spoofed email. So I just hit delete.

Amazon is warning consumers that phishing emails will direct you to a “false website that looks similar to the Amazon website, where you might be asked to provide account information such as your e-mail address and password combination.”

The fake sites can steal sensitive information that can be used without your knowledge to commit fraud, according to Amazon.

Phishers can steal usernames and passwords from one site to engage in fraud on other sites. Too many consumers carelessly use the exact same usernames and passwords across different sites.

Amazon doesn’t send emails that ask for your Social Security number, bank account information, PIN, or your Amazon.com password.

Amazon offers shoppers a way to report suspicious emails and web pages. You can forward the email or send suspicious e-mail as an attachment to stop-spoofing@amazon.com.

More: Are 2017’s Black Friday deals really as amazing as retailers claim?

More: How to find hard-to-get, out-of-stock gifts without getting ripped off

5) As you order gifts online, don’t get tripped up by fake email alerts

As holiday shipping goes up in November and December, the frequency of phishing emails relating to orders or shipments goes up, too.

Walmart warns that if you received an order confirmation email from Walmart but never placed such an order, it may be a “phishing scam attempting to gather information, or in some cases, spread malware.”

FedEx warns consumers about a  “delivery failure” scam email.

Fraudulent emails claiming to be from FedEx or the U.S. Postal Service “regarding a package that could not be delivered.”

The consumer is then asked to open an attachment in order to obtain the invoice needed to pick up their package. The attachment in the email may contain a virus.

Don’t just rush and assume there’s trouble with something that you ordered.

“Be suspicious of incoming email from unknown or unsolicited sources, especially those that have attachments as well as hyperlinks,” said Jeremy Stempien, detective for the City of Novi, Mich., and a special federal deputy marshal for the Southeast Michigan Financial Crimes Task Force.

“The same should apply to incoming phone calls,” he said.

6) Every deal you find online is not a bargain

Con artists tempt consumers with great deals on hard-to-find items or hot gifts. Maybe you’ll spot some extraordinary deal on an Apple iPhone X or find a crazy bargain price on an L.O.L. Surprise! Big Surprise toy.

Or you think you’ve found a great deal on jewelry. The Better Business Bureau and others warned in 2017, for example, about fake sites that offer up to 70% off on Pandora charms.

Charisse Ford, chief marketing officer for Pandora Americas, said shoppers should be aware that counterfeit sites have some clear indicators, including the “About Us” page that can be very generic without descriptions about the business, company mission or current Pandora images or promotions.

Another clue: Try calling and talking with someone in customer service first before placing an order to ask about return policies or the like. Shoppers are less likely to connect with a real person if going through a fraudulent site.

Companies such as Pandora note that they work hard to help identify and shut down counterfeit sites, including those on social media channels.

Con artists use phony websites to sell counterfeit goods — or engage in cybercrime.

It’s no bargain if, when you click on the link, you download malware.

“You think you are getting the discount of a lifetime or an exclusive offer, but this is a phishing attack,” warned Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.

Remember, bargains abound throughout the holiday season — so there’s no reason to think you absolutely must get all that shopping done right now.

 

Source: https://www.usatoday.com/story/money/columnist/tompor/2017/11/17/fake-amazon-gift-cards-phony-walmart-sites-and-other-cyber-scams-tempt-holiday-shoppers/862083001/

New Email Scam Using Fake Netflix Website

Via: mailguard.com.au

A scam email has appeared today that is pretending to be from Netflix. MailGuard detected the new scam early this morning, and stopped the malicious emails from entering our client’s inboxes.

This scam email is relatively well designed. The scammers are using a template system to generate individualised messages with specific recipient data.

This works like a mail-merge; the body of the email is generic, but the sender field is designed to show the name of the intended victim, which personalises the scam making it more convincing.

In this case the scammer’s system has not worked as well as they hoped and in the example below – screen-captured by our operations team – you can see that the ‘recipient’ field in the email has not been merged successfully. Instead of the victim’s name, it shows the placeholder instead:

 

Screen Shot 2017-11-03 at 11.23.26-1.png

Aside from the error with the recipient name field, this email looks quite convincing. The message tells the intended victim that their Netflix billing information has been invalidated and urges them to update their details on the website. If the recipient clicks the link in the email they are taken to a fake Netflix page, that asks them to log in and then enter their personal information, including credit card details.

Of course, this website is completely bogus and is just a mechanism for the scammers to steal the victim’s identity and credit card information.

The fake Netflix site this scam is using is built on a compromised WordPress blog. Scammers can break into WordPress sites by making use of vulnerabilities in blog plugins and once in, they can make the website look enough like a real Netflix login page to trick their victims – as shown in the screenshot above.

Screen Shot 2017-11-03 at 11.24.52.png

Screen Shot 2017-11-03 at 11.25.22.png

With the detailed data the fake website form asks for: address; credit card details; driver’s license; mother’s maiden name; etc, the scammers could potentially execute an identity theft and gain access to the victim’s bank accounts as well as their credit cards.

Once the fake website has collected all the sensitive data the scammers want, the victim is shown a reassuring ‘reactivation’ screen.

Screen Shot 2017-11-03 at 11.26.15.png

If you receive an email from Netflix today, ‘Chill,’ but don’t click without thinking first. Scammers can make their fake emails and bogus websites look pretty convincing, so it’s always a good idea to check carefully that the email comes from the actual company domain and not a scammer.

Think Before You Click:

– Always hover your mouse over links within emails and check the domain they’re pointing to. If they look suspicious or unfamiliar don’t open them.

– Cybersecurity threats take many different forms from simple spyware downloads to sophisticated ransomware attacks. Your business can be exposed to a wide variety of different vectors: through peripherals; USB devices; networks; attachments; etc. Security best practice recommends a layered defence strategy to protect users against web threats and malware.

Steps you can take to keep your mobile device safe.

Steps you can take to keep your mobile device safe.

 

(Photo from – https://www.mywot.com/en/blog/6-safe-web-surfing-tips)

Taking precautions on a regular basis can reduce the risk your home or mobile devices will be comprised. There are a few setting options you can enable that will allow you to surf and shop online securely.

  • Did you know aside from locking your mobile device, you may also be able to lock the applications as well.
    • Some applications have the option to be locked separately. Check within the applications settings for options.
    • Android users can also download an app that will allow them to lock additional applications that may not have that option built in.
    • IOS doesn’t offer additional applications with this option, however many apps are offering the option to use fingerprint recognition.
  • If you’re done updating your status, tracking your shipping, and double tapping cat pictures, log out.
    • It may make things easy for you to stay logged into your accounts on your mobile device, but it also makes it easier to compromise your device.
    • If you employ a password manager you don’t have to worry about saving your log in credentials on each app, this way if your device is compromised your accounts won’t be.
  • Android users have the option of installing additional antivirus to their mobile devices
  • Don’t jailbreak your device.
    • The steps you have to take to allow your device to be jailbroken leaves it vulnerable to attacks, by disabling built in security.
  • Avoid public networks when you can.
    • While free wifi is very appealing, using public networks can make you vulnerable to attack.
  • Take advantage of device location offered through your cell or OS provider

Detailed information regarding device security and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you believe your device has been infected or compromised, please contact IT Customer Care at (718) 817-3999 or HelpIT@fordham.edu.