“Symantec has observed an increase in a “particular” type of
spear-phishing attack targeting mobile users. The purpose of the attack
is to gain access to the victim’s email account.
“This social engineering attack is very convincing and we’ve already
confirmed that people are falling for it,” the security firm said.
To pull off the attack, the bad guys need to know the target’s email
address and mobile number; however, these can be obtained without much
effort. The attackers make use of the password recovery feature offered
by many email providers, which helps users who have forgotten their
passwords gain access to their accounts by, among other options, having a
verification code sent to their mobile phone.
The majority of cases observed affect Gmail, Hotmail, and Yahoo Mail users.
Symantec warns that users should be suspicious of SMS messages asking
about verification codes, especially if they did not request one. If
uncertain about an unexpected request, users can check with their email
provider to confirm if the message is legitimate. Legitimate messages
from password recovery services will simply tell you the verification
code and will not ask you to respond in any way.”
LastPass has sent out a notice to its users, notifying the community that on Friday, their team
discovered and blocked suspicious activity on their network. In their investigation, they found no evidence that encrypted user vault data
was taken, nor that LastPass user accounts were accessed. The
investigation has shown, however, that LastPass account email addresses,
password reminders, server per user salts, and authentication hashes
LastPass stated “We are confident that our encryption measures are sufficient to
protect the vast majority of users. LastPass strengthens the
authentication hash with a random salt and 100,000 rounds of server-side
PBKDF2-SHA256, in addition to the rounds performed client-side. This
additional strengthening makes it difficult to attack the stolen hashes
with any significant speed.”
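The two-stage hashing LastPass describes above, as an added example (this is illustrative code, not LastPass's own implementation). The server-side parameters follow the quoted notice: a random per-user salt and 100,000 rounds of PBKDF2-SHA256 applied to the hash the client submits. The client-side round count (5,000) and the use of the account e-mail as the client-side salt are assumptions made for the example. `offline_guess` shows what an attacker holding a stolen salt and authentication hash has to do per candidate password, which is why the extra server rounds matter.

```python
import hashlib
import hmac
import os
from typing import Optional

CLIENT_ROUNDS = 5_000      # assumed client-side round count for this example
SERVER_ROUNDS = 100_000    # server-side rounds, as stated in the LastPass notice


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """The value the client sends at login: PBKDF2-SHA256 over the master password.
    Using the lower-cased e-mail as the client-side salt is an assumption of this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), rounds)


def server_strengthen(auth_hash: bytes, per_user_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side strengthening: a second PBKDF2-SHA256 pass over the received
    authentication hash with a random per-user salt. Only this output is stored."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, rounds)


def enroll(master_password: str, email: str) -> dict:
    """Create the server-side record: e-mail, random salt and strengthened hash.
    These three fields are what the notice says was exposed."""
    salt = os.urandom(16)
    stored = server_strengthen(client_auth_hash(master_password, email), salt)
    return {"email": email, "salt": salt, "hash": stored}


def verify(record: dict, candidate_password: str) -> bool:
    """Recompute both stages for a candidate and compare in constant time."""
    cand = server_strengthen(client_auth_hash(candidate_password, record["email"]), record["salt"])
    return hmac.compare_digest(cand, record["hash"])


def offline_guess(record: dict, wordlist) -> Optional[str]:
    """What an attacker with the stolen salt and hash must do: run both PBKDF2
    stages for every guess. The 100,000 server rounds dominate the per-guess cost,
    and the per-user salt means no work can be shared across accounts."""
    for candidate in wordlist:
        if verify(record, candidate):
            return candidate
    return None


if __name__ == "__main__":
    rec = enroll("correct horse battery staple", "alice@example.com")   # constructed sample account
    print("login ok:", verify(rec, "correct horse battery staple"))
    print("wrong password:", verify(rec, "Correct horse battery staple"))
    print("cracked:", offline_guess(rec, ["password", "123456", "correct horse battery staple"]))
```

The stolen material is still useful to an attacker whose target chose a weak master password: the strengthening raises the cost per guess, it does not make a dictionary word safe, which is why the notice also asks users to change their master password.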
They are taking additional measures to ensure that users’ data remains secure. They are requiring that all users who are logging in
from a new device or IP address first verify their account by email,
unless they have multifactor authentication enabled. As an added
precaution, they will also be prompting users to update their master
An email is also being sent to all users regarding this security incident.
Four million current and former federal employees, from nearly every government agency, might have had their personal information stolen by Chinese hackers, U.S. investigators said.
U.S. officials believe this could be the biggest breach ever of the government’s computer networks. China called the allegation irresponsible.
The Office of Personnel Management, which is conducting background checks, warned it was urging potential victims to monitor their financial statements and get new credit reports.
The breach was initially thought to have impacted the Office of Personnel Management and the Department of Interior, but government officials said nearly every federal government agency was hit by the hackers.
An assessment continues, and it is possible millions more government employees may be affected.
A recent article highlights how users and organizations respond to phishing messages and breaches.
“Verizon noted that 23 percent of recipients open phishing messages. But
simply opening an email won’t necessarily install malware on a machine.
More dangerous are the 11 percent of recipients who go so far as to
click on malicious attachments.”
Dear Colleagues and Students,
Recently a flaw, called the Heartbleed bug, was discovered in OpenSSL, a security method used on the Internet. Fordham IT is aware of the issue and our team is following best practices to ensure the security of Fordham’s systems and mitigate risk.
We have no reason to believe that Fordham’s secure systems have been compromised. However, this vulnerability is not an isolated issue affecting the Fordham community. It affects your online life outside of Fordham, as well. The website Mashable has a list of potentially affected sites and actions you should take to protect your sensitive data: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
Be on the lookout for criminals requesting your password via phishing emails or websites that claim your information has been compromised. Criminals will take advantage of this opportunity to prey on fears about the Heartbleed bug.
If you have questions, contact IT Customer Care at 718-817-3999 or HelpIT@fordham.edu. Follow us on Twitter for news and alerts: @FordhamIT.
Elizabeth Cornell, PhD
IT Communications Specialist
Fordham University | Fordham IT
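The Heartbleed bug referred to in the notice above, modelled as an added example (this is not Fordham IT's or OpenSSL's code). The flaw was in OpenSSL's handling of the TLS heartbeat extension: the server trusted the payload length declared inside the message and copied that many bytes from the payload pointer, so a short record claiming a large payload returned whatever sat next to it in memory. The byte layout (type, two-byte length, payload, 16 bytes of padding) follows the heartbeat message format; the adjacent "heap" contents and the secret in it are constructed for the demonstration. `fixed_respond` applies the same bounds check the OpenSSL fix added.

```python
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_LEN = 16   # minimum padding the heartbeat extension requires


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request: type(1) | payload_length(2) | payload | 16 bytes padding.
    claimed_len lets the caller lie about the length, which is the whole attack."""
    n = len(payload) if claimed_len is None else claimed_len
    return bytes([HB_REQUEST]) + struct.pack("!H", n) + payload + b"\x00" * PADDING_LEN


def _respond(memory: bytes, payload_len: int) -> bytes:
    """Echo payload_len bytes starting at the payload pointer (offset 3)."""
    copied = memory[3:3 + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + copied + b"\x00" * PADDING_LEN


def vulnerable_respond(memory: bytes, record_len: int) -> bytes:
    """Models the vulnerable handler: reads the declared length and copies that many
    bytes without comparing it to record_len, the size actually received."""
    hbtype = memory[0]
    payload_len = struct.unpack("!H", memory[1:3])[0]
    if hbtype != HB_REQUEST:
        return b""
    return _respond(memory, payload_len)           # no check against record_len


def fixed_respond(memory: bytes, record_len: int) -> Optional[bytes]:
    """Models the patched handler: discard any record whose header, declared payload
    and padding exceed the bytes actually received. None means 'silently drop'."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None
    hbtype = memory[0]
    payload_len = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None
    if hbtype != HB_REQUEST:
        return b""
    return _respond(memory, payload_len)


# Constructed sample: a malicious 4-byte request that claims 64 bytes, followed by
# whatever happened to sit next to it in the process heap (here, a fake session secret).
MALICIOUS = build_heartbeat(b"ping", claimed_len=64)
HONEST = build_heartbeat(b"ping")
SECRET = b"session=deadbeefcafe"
MEMORY = MALICIOUS + SECRET + b"\x00" * 64


def secret_leaked(handler, memory: bytes = MEMORY, record_len: int = len(MALICIOUS)) -> bool:
    """True if the handler's response to the malicious record contains the secret."""
    resp = handler(memory, record_len)
    return resp is not None and SECRET in resp


if __name__ == "__main__":
    print("vulnerable leaks secret:", secret_leaked(vulnerable_respond))
    print("fixed leaks secret:", secret_leaked(fixed_respond))
    print("fixed still answers honest request:", fixed_respond(HONEST, len(HONEST))[3:7])
```

The check is the only difference between the two handlers; the declared length is attacker-controlled data, and the record length is what the server actually received, so any copy must be bounded by the latter.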
Did you know that your AccessIT ID password is an integral aspect of Fordham IT’s online security program? Your password adheres to certain rules that make it complex enough to thwart the potential theft of sensitive information accessed through your Fordham account.
Passwords are often stolen when individuals accidentally respond to fraudulent requests for personal information. This is called a phishing attack and is the most common way for credentials like passwords and credit card information to be stolen. Sophisticated hacking techniques can steal many passwords at one time from large institutions. A password is not just an institution’s first line of defense against a cyber attack. It may also be the weakest link.
A victim of password theft might not discover that their password was stolen because it may not be used immediately. When a stolen password is used, however, it can wreak havoc on the lives of those affected and damage an institution’s reputation. That’s why changing passwords every now and then helps to limit the amount of time a stolen password remains useful.
To help keep personal information and other sensitive data as secure as possible, Fordham IT has implemented the Password Expiration Initiative. All AccessIT ID passwords are set to expire in Spring 2014 unless they are changed by individual users beforehand. Changing your password takes less than two minutes. Once you change your password, it will be set to expire again, in 180 days. (Be advised that the first time you attempt to access your Gmail from a mobile device after changing your password, you will be prompted to enter your new AccessIT ID password.)
Everyone is responsible for protecting Fordham’s systems. The Password Expiration Initiative is an important way for individuals to do their part and help Fordham IT fulfill its commitment to ensuring the online security of the entire campus community.
Please remember that Fordham IT will NEVER request passwords or other personal information via email. Messages requesting such information are fraudulent and should be reported to IT and then deleted. Fordham IT is committed to maintaining the integrity of the university’s online resources.
We can tell you more about the Password Expiration Initiative!
Visit our website http://www.fordham.edu/PWExpire to learn about
- Town Hall dates and locations
- Instructions for changing your password
- Password complexity rules
Follow us on Twitter: @FordhamSecureIT
Malware writers adopt ‘a la carte’ development approach – IT News from V3.co.uk
Criminals are not going to make it easy for us. We ALL need to be secure. This means you too!!!
Keep those credit card statements handy and check ’em, check ’em often!!!
Global Payments: Data breach is contained ZDNet