Tag Archives: Jason Benedict

Don’t be a Billy

When you begin college, you are probably on your own for the first time. You are taking on new responsibilities, making your own decisions, and becoming part of the campus community. There is an important role that you can play in Fordham’s cybersecurity efforts that combines these elements of responsibility, decision-making, and community.

http://www.youtube.com/watch?v=nPR131wMKEo

Beware of Tabnapping

Most Internet users know to watch for the telltale signs of a traditional phishing attack: An e-mail that asks you to click on a link and enter your e-mail or banking credentials at the resulting Web site. But a new phishing concept that exploits user inattention and trust in browser tabs is likely to fool even the most security-conscious Web surfers.

As Mozilla Firefox creative lead Aza Raskin describes it, the attack is as elegant as it is simple: A user has multiple tabs open, and surfs to a site that uses special JavaScript code to silently alter the contents of a tabbed page along with the information displayed on the tab itself, so that when the user switches back to that tab it appears to be the login page for a site the user normally visits.

See the video here:
http://vimeo.com/12003099

Social Engineers’ Favorite Pick-Up Lines

Congrats on your inheritance! Okay, you knew that one’s the start of a scam. Here are other come-ons you’ll encounter when criminals come knocking.

http://www.csoonline.com/article/480589/9_Dirty_Tricks_Social_Engineers_Favorite_Pick_Up_Lines

Security experts push to require federal information security guidelines

The final version of the National Institute of Standards and Technology’s computer security controls will incorporate recommendations developed by security experts in industry and government for dealing with attacks on federal networks. Those professionals hope that including their prescriptions in official NIST guidance will be the first step toward a federal mandate for compliance.

Read more at http://www.nextgov.com/nextgov/ng_20090723_4109.php?oref=topnews

Phishing — bait or prey?

“Phishers” send spam or pop-up messages claiming to be from a business or organization that you might deal with, for example an Internet service provider (ISP), bank, online payment service, or even a government agency. The message usually says that you need to “update” or “validate” your account information. It might threaten some dire consequence if you don’t respond. The message directs you to a website that looks just like a legitimate organization’s, but isn’t. What is the purpose of the bogus site? To trick you into divulging your personal information so the operators can steal your identity and run up bills or commit crimes in your name.

Don’t take the bait: don’t open unsolicited or unknown email messages; don’t open attachments from people you don’t know or don’t expect; and never reply to or click on links in email or pop-ups that ask for personal information. Legitimate companies don’t ask for this information via email. If you are directed to a website to update your information, verify that the site is legitimate by calling the company directly, using contact information from your account statements. Or open a new browser window and type the URL into the address field, watching that the actual URL of the site you visit doesn’t change and is still the one you intended to visit.

Forward spam that is phishing for information to spam@uce.gov and to the company, bank, or organization impersonated in the phishing email. Most organizations have information on their websites about where to report problems. To ensure you’re not being victimized and to detect unauthorized purchases, use the same practices as you do in the offline world. Check your credit card bill at least every month, and consider using services that inform you if someone has requested credit in your name.
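As an added illustration of the advice to watch the actual URL (example code, not from the original post): a small Python check that pulls the real host out of a link and compares it with the site you meant to visit. The domain example-bank.com and the sample links are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the site the user meant to visit (not a real bank).
INTENDED_DOMAIN = "example-bank.com"


def check_link(url: str, intended: str = INTENDED_DOMAIN) -> list:
    """Return the reasons a link does not point where the user intends.

    An empty list means the real host is the intended domain (or a subdomain
    of it) over HTTPS. urlsplit().hostname already strips the scheme, any
    'user:pass@' prefix, the port and the path, which is exactly the part an
    eye-balled address bar tends to misread.
    """
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    intended = intended.lower()

    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None or parts.password is not None:
        # 'https://example-bank.com@evil.example/' really goes to evil.example
        reasons.append("text before '@' is a username, not the host")
    if not host:
        reasons.append("no host in URL")
    elif host.startswith("xn--") or ".xn--" in host:
        # Punycode label: an internationalised name that may render as a lookalike
        reasons.append("punycode label may display as a lookalike")
    elif not (host == intended or host.endswith("." + intended)):
        # 'example-bank.com.evil.example' is a subdomain of evil.example
        reasons.append("host %r is not %r" % (host, intended))
    return reasons


def is_trusted_link(url: str, intended: str = INTENDED_DOMAIN) -> bool:
    return not check_link(url, intended)


if __name__ == "__main__":
    # Constructed sample links, a mix of genuine and phishing-style forms
    for link in ("https://www.example-bank.com/login",
                 "http://example-bank.com/login",
                 "https://example-bank.com.evil.example/login",
                 "https://example-bank.com@evil.example/login",
                 "https://xn--exmple-bank.com/login"):
        print(link, "->", check_link(link) or "looks right")
```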

Know who you’re dealing with online.

And know what you’re getting into. There are dishonest people in the bricks-and-mortar world and on the Internet. But online, you can’t judge an operator’s trustworthiness with a gut-affirming look in the eye. It’s remarkably simple for online scammers to impersonate a legitimate business, so you need to know whom you’re dealing with. If you’re shopping online, check out the seller before you buy. A legitimate business or individual seller should give you a physical address and a working telephone number at which they can be contacted in case you have problems.

Social Networking Sites: How To Stay Safe

The popularity of social networking sites, such as MySpace, Facebook, Twitter and others, has exploded in recent years, with usage in the United States increasing 93% since 2006, according to Netpop Research. The sites are popular not only with teenagers, but with adults as well: the number of adult Internet users having a social networking profile has more than quadrupled in the past four years, according to the Pew Internet & American Life Project.

While there are many positive aspects of using social networking sites, it is also important to understand the potential security risks and know what precautions to take to protect yourself and your information.

What are social networking sites?

Social networking sites are online communities of Internet users who want to communicate with other users about areas of mutual interest, whether from a personal, business or academic perspective. The specific functionality of the various sites may differ, but in general, the sites allow you to provide information about yourself and communicate with others through email, chat rooms and other forums.

What are the security concerns of social networking sites?

Social networking sites are growing in popularity as attack vectors because of the volume of users and the amount of personal information that is posted. The nature of social networking sites encourages you to post personal information. Because of the perceived anonymity and false sense of security of the Internet, users may provide more information about themselves and their life online than they would to a stranger in person.

The information you post online could be used by those with malicious intent to conduct social engineering scams and attempt to steal your identity or access your financial data. In addition, the sites are increasingly sources of worms, viruses and other malicious code. For example, you may be prompted to click on a video on someone’s page, which could bring you to a malicious website. If you are accessing a site that has malicious code, your machine could become infected. For examples of some common social networking scams, visit the Council of Better Business Bureaus.

It’s also important to realize that information you post can be viewed by a broad audience, and could have lasting implications. College admissions officers and school administrators, for example, do visit these sites and in some cases, admissions have been denied to applicants, or disciplinary actions have been taken because of information or photos posted online. Employers also review these sites for information about potential job applicants.

What can you do to protect yourself?

  • Make sure your computer is protected before visiting sites – make sure you have a firewall and anti-virus software on your computer and that it is up-to-date. Keep your operating system up-to-date as well.
  • Do not assume you are in a trusted environment – just because you are on someone’s page you know, it is still prudent to use caution when navigating pages and clicking on links or photos, because links, images or other content contained on the pages may include malicious code.
  • Be cautious in how much personal information you provide – remember that the more information you post, the easier it may be for an attacker to use that information to steal your identity or access your data.
  • Use common sense when communicating with users you DO know – confirm electronic requests for loans or donations from your social networking friends and associates. The communications could be from someone who has stolen the credentials of the person you know with the intent of scamming as many people as possible.
  • Use common sense when communicating with users you DON’T know – be cautious about whom you allow to contact you or how much and what type of information you share with strangers online.
  • Understand what information is collected and shared – pay attention to the policies and terms of the sites; they may be sharing your email address or other details with other companies.
  • Make sure you know what sites your child is visiting – be involved in your child’s activities and know with whom he/she is communicating and what information is being posted by them, or about them by others.

Conficker Scareware Scammers Use Symantec as Lure

Scammers are using Symantec’s name as part of a ploy to lure those panicked by the Conficker worm into buying fake antivirus. Meanwhile, vendors such as IBM are stating the number of infections may be higher than they thought.

http://www.eweek.com/c/a/Security/Conficker-Scareware-Scammers-Use-Symantec-as-Lure-713448/

University of Florida Admits to Third Data Breach in Three Months

The University of Florida in Gainesville has disclosed that a breach discovered in January exposed personal data on 97,200 students, faculty and staffers who attended or worked at the school between 1996 and 2009. The latest breach involved servers that hosted free email services and online course offerings for faculty members, as well as websites for fraternities and sororities. Hackers accessed names and Social Security numbers. The University is notifying those affected by the breach, but does not have current contact information for about 5,000 potential victims. Meanwhile, the school said in November that the names, birth dates, Social Security numbers and addresses of more than 330,000 current and former College of Dentistry patients had been exposed in a computer intrusion discovered on October 3, 2008. An undated statement now on its website says a configuration error in the school’s online directory service opened a path for hackers to access personal information for about 100 people.

More information:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=335087&intsrc=news_ts_head

Passwords that Work

A good password comes from a system for creating codes that are easy to remember but hard to crack. Here are guidelines for creating effective and memorable passwords:
  • Choose a phrase that’s at least 8 words long. It could be a book or song title, or a quote. Draw your core password from that, perhaps by using the first letter of each word. For example, the first letters of the book title The Cat in the Hat by Doctor Seuss are: tcithbds. This step protects you from a dictionary attack, where someone tries to crack your password by trying known words and proper names.
  • Now alter some of it. Replace some lowercase letters with capital letters or numbers or symbols. For example: Tc1thbdS capitalizes the first and last letter and replaces the “i” with a “1”.
  • Establish different levels of passwords. Use one core phrase to develop passwords for systems provided by Fordham and separate phrases for online banking and other personal, non-Fordham accounts. If you can’t change your password every 90 days, do so whenever daylight-saving time starts and stops.
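The three steps above carried through in Python, as an added example that is not part of the original post: it derives the post’s core tcithbds and altered password Tc1thbdS from the phrase, enforces the 8-word minimum, and keeps one phrase per level of accounts. The substitution table beyond i → 1 and the second phrase are assumptions.

```python
import re

# The post's own worked example: phrase -> core "tcithbds" -> altered "Tc1thbdS".
PHRASE = "The Cat in the Hat by Doctor Seuss"
MIN_WORDS = 8  # the guideline's minimum phrase length

# Which letters to swap is an assumption; the post itself shows only "i" -> "1".
SUBSTITUTIONS = {"i": "1", "o": "0", "a": "@"}


def core_from_phrase(phrase: str) -> str:
    """Step 1: first letter of each word, lower-cased. Refuses phrases under 8 words."""
    words = re.findall(r"[A-Za-z0-9']+", phrase)
    if len(words) < MIN_WORDS:
        raise ValueError("%d words; the guideline asks for at least %d" % (len(words), MIN_WORDS))
    return "".join(w[0].lower() for w in words)


def alter(core: str, substitutions=SUBSTITUTIONS) -> str:
    """Step 2: capitalise the first and last letter and swap the letters in between
    for digits or symbols, the way the post turns tcithbds into Tc1thbdS."""
    if len(core) < 2:
        raise ValueError("core too short to alter")
    middle = "".join(substitutions.get(c, c) for c in core[1:-1])
    return core[0].upper() + middle + core[-1].upper()


def make_password(phrase: str) -> str:
    return alter(core_from_phrase(phrase))


def passwords_by_level(phrases: dict) -> dict:
    """Step 3: one core phrase per level (Fordham systems vs. personal banking, say),
    so a password exposed at one level tells an attacker nothing about the other."""
    return {level: make_password(phrase) for level, phrase in phrases.items()}


if __name__ == "__main__":
    # Constructed second phrase for a separate level of accounts.
    levels = {"fordham": PHRASE,
              "banking": "Row row row your boat gently down the stream"}
    for level, pw in passwords_by_level(levels).items():
        print(level, pw)
```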