Information Security

Monday, December 3, 2012

12 Scams of Christmas



Are you the 1 person out of 4 that will be shopping from a mobile device this year? McAfee has just released a list of the 12 most popular scams that online shoppers should watch out for this Christmas season. It's a great list!

  1. Social media scams: Cybercriminals know social media networks are a good place to catch you off guard because we’re all “friends,” right? Scammers use channels like Facebook and Twitter, just like email and websites, to scam consumers during the holidays. Be careful when clicking or liking posts, taking advantage of raffle contests and fan page deals from your “friends” that advertise the hottest holiday gifts, or installing apps to receive discounts, and watch for friends’ accounts that have been hacked and are sending out fake alerts. Twitter ads and special discounts utilize blind, shortened links, many of which could easily be malicious.
  2. Malicious Mobile Apps: As smartphone users we are app crazy, downloading over 25 billion apps for Android devices alone! But as the popularity of applications has grown, so have the chances that you could download a malicious application designed to steal your information or even send out premium-rate text messages without your knowledge.
  3. Travel Scams: Before you book your flight or hotel to head home to see your loved ones for the holidays, keep in mind that the scammers are looking to hook you with too-good-to-be-true deals. Phony travel webpages, sometimes using your preferred company, with beautiful pictures and rock-bottom prices are used to get you to hand over your financial details.
  4. Holiday Spam/Phishing: Soon many of these spam emails will take on holiday themes. Cheap Rolex watches and pharmaceuticals may be advertised as the “perfect gift” for that special someone.
  5. iPhone 5, iPad Mini and other hot holiday gift scams: The kind of excitement and buzz surrounding Apple’s new iPhone 5 or iPad Mini is just what cybercrooks dream of when they plot their scams. They will mention must-have holiday gifts in dangerous links, phony contests (example: “Free iPad”) and phishing emails as a way to grab computer users’ attention to get you to reveal personal information or click on a dangerous link that could download malware onto your machine.
  6. Skype Message Scare: People around the world will use Skype to connect with loved ones this holiday season, but they should be aware of a new Skype message scam that attempts to infect their machine, and even hold their files for ransom.
  7. Bogus gift cards: Cybercriminals can't help but want to get in on the action by offering bogus gift cards online. Be wary of buying gift cards from third parties; just imagine how embarrassing it would be to find out that the gift card you gave your mother-in-law was fraudulent!
  8. Holiday SMiShing: “SMiShing” is phishing via text message. Just like with email phishing, the scammer tries to lure you into revealing information or performing an action you normally wouldn’t do by pretending to be a legitimate organization.
  9. Phony E-tailers: Phony e-commerce sites, that appear real, try to lure you into typing in your credit card number and other personal details, often by promoting great deals. But, after obtaining your money and information, you never receive the merchandise, and your personal information is put at risk.
  10. Fake charities: This is one of the biggest scams of every holiday season. As we open up our hearts and wallets, the bad guys hope to get in on the giving by sending spam emails advertising fake charities.
  11. Dangerous e-cards: E-Cards are a popular way to send a quick “thank you” or holiday greeting, but some are malicious and may contain spyware or viruses that download onto your computer once you click on the link to view the greeting.
  12. Phony classifieds: Online classified sites may be a great place to look for holiday gifts and part-time jobs, but beware of phony offers that ask for too much personal information or ask you to wire funds via Western Union, since these are most likely scams.
Want more information?  Check out the results of the 2012 Holiday Shopping Study.

Friday, November 2, 2012

25 Most Popular Passwords of 2012


You need a password to access just about anything on a computer today: your bank account, your email, your resources here at KUMC.  So it's important that we choose long and strong passwords to protect our information.  If we don't, the odds that someone can guess our password and get access increase exponentially.

SplashData has just released the results of their annual study on the 25 Most Popular Passwords and, while there are several familiar passwords on the list from last year - "password", "123456", and "12345678" - there are some surprising new additions as well. Take a look and, hopefully, you don't see your password on the list. (And, if you do, it's time to change it to something more complex!)

Here's the full list, along with how the popularity of the phrase has increased or decreased in the past year:

1. password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)
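
One way to put this list to work when a password is being set, as an added example (not code from SplashData or from the original post): reject a candidate if it is on the list or reduces to a list entry once case, trailing digits or symbols, and look-alike characters are undone. The look-alike map and the peeling rule are assumptions chosen for illustration.

```python
# The 25 passwords from the SplashData 2012 list reproduced above.
COMMON_2012 = frozenset(
    "password 123456 12345678 abc123 qwerty monkey letmein dragon 111111 "
    "baseball iloveyou trustno1 1234567 sunshine master 123123 welcome "
    "shadow ashley football jesus michael ninja mustang password1".split()
)

# Assumed look-alike substitutions; extend to match local policy.
LOOKALIKES = str.maketrans(
    {"@": "a", "0": "o", "3": "e", "$": "s", "5": "s", "7": "t"}
)


def screen(candidate):
    """Return the list entry a candidate reduces to, or None if it survives.

    Each pass checks the current form literally and with look-alikes
    undone, then peels one trailing digit or symbol and tries again, so
    "Password2012!" and "P@ssw0rd" both reduce to "password".
    """
    form = candidate.strip().lower()
    while form:
        for guess in (form, form.translate(LOOKALIKES)):
            if guess in COMMON_2012:
                return guess
        if form[-1].isalpha():
            break  # nothing left to peel; the candidate is not a derivative
        form = form[:-1]
    return None


if __name__ == "__main__":
    # Constructed sample candidates, not real user data.
    for sample in ("Password2012!", "P@ssw0rd", "abc123!", "M0nk3y7",
                   "123456789", "correct horse battery staple"):
        hit = screen(sample)
        verdict = f"reject (derived from '{hit}')" if hit else "not on the list"
        print(f"{sample!r}: {verdict}")
```

Passing this screen only means the candidate is not a simple variation of the 25 entries; length and uniqueness still have to be checked separately.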

Thursday, November 1, 2012

Important iPhone/iPad iOS 6.0.1 Update

Apple released a software update today for iPhones/iPads running iOS version 6. This is a recommended and critical update for anyone planning on using ActiveSync for Calendar scheduling when KUMC migrates to the new Exchange email system on November 9th. This update addresses a known issue in the initial release that caused calendar entries to disappear.

The iOS 6.0.1 update is available on iTunes as well as wirelessly.

For more details on iOS 6.0.1, see Apple’s Knowledge Base at http://support.apple.com/kb/DL1606

Tuesday, September 4, 2012

Check Your PC For A MAJOR Java 1.7 Vulnerability

A new zero-day vulnerability in Java has been discovered and exploits are being found in the wild.  The flaw affects all versions of Oracle's Java 7 (version 1.7) on all supported platforms. No patch is available at this time.  Java 6 and earlier are currently unaffected.

In order for this vulnerability to be exploited, you have to visit a web page or follow a link to an infected site.  If you get hit with this, the software can do anything with your computer that you can.  Rapid7, a security research company, has released an online tool to test if your machine is exploitable through Java.  To test your machine with this tool, go to  http://www.isjavaexploitable.com/.

A copy of this message will be posted to TechWeb (www.bu.edu/tech) for reference.  Check there for further updates and information regarding this issue.

Recommendations:

  • If you are not using any programs that require Java, remove it from your system altogether. Java is one of the most heavily exploited platforms in the world today due to its almost ubiquitous presence.
  • If you have to have Java for a specific program, but don’t need it for the web pages you visit, disable Java for universal use on your browsers. (Links for how to do this are below.) It is safest to allow use of Java browser plug-ins on a case-by-case basis when prompted for permission by trusted programs.
  • If you can't do that, at least confine your browsing to regular commercial sites which, while not immune from being infected, are typically more carefully maintained and monitored and represent a lower risk. This is not a reliable security approach, but it is better than nothing.

How to disable Java:

(For Firefox on Mac OS X, it is like Windows XP (Tools > Add-ons))
...in Chrome: While in Chrome, enter this URL: chrome://plugins/ then click "Disable" under Java.


For more information:

Thursday, July 26, 2012

Do You Trust Your Hotel's Security?

You might want to think twice the next time you decide to leave your laptop, iPhone or other valuable in your hotel room on that next vacation or business trip.

As this story by Extreme Tech shows, the card-protected locks that are commonly used on hotel room doors aren't secure. In fact, it can be easy for someone with $50 of off-the-shelf equipment from Radio Shack to get access, and there wouldn't be a trace that they had been in your room.

Wednesday, June 6, 2012

LinkedIn.Com User? Change Your Password NOW

If you use LinkedIn.com to keep track of professional connections, please continue reading.  If not, please disregard.
 
Earlier today, it was confirmed that 6.5 million LinkedIn passwords were compromised and posted to a Russian hacker site. LinkedIn has not yet notified its users; however, if you have an account on LinkedIn.com, there is a high probability that your LinkedIn password has been compromised and you should change it immediately.
 
As a reminder, you should never use your KUMC password or a derivative of it on any external website.  Additionally, if you use the same password on LinkedIn and other websites, I recommend that you change your password on those other sites as well.
 
 
If you are a member of the KUMC community and have a question regarding this situation, please contact Information Security at (913) 588-3333 or email kumc-security@kumc.edu

Tuesday, February 21, 2012

Students Steal Laptops for Class Credit?

This recent story by Charlie Osborne at ZDNet highlights a research project where students at the University of Twente were told to steal 30 laptops from faculty and staff on campus. The "thefts" were part of a PhD thesis titled "Alignment of Organizational Security Policies, Theory and Practice" that explored the ways in which human behavior and habits can thwart good security practices.

During the project, the laptops had been "loaned" to random individuals by the researcher, Trajce Dimkov, and the recipients were asked to safeguard the laptops by either chaining them to their desk, locking them up, or securing them with a password. Students then used various creative methods of "stealing" the laptops. In over half the attempts that were made, students were successful in stealing the laptops.

What's the lesson? 
  • Pay attention to where your computers are and whether or not they are secure from theft.
  • Unlocked offices are great targets for theft.
  • Don't get too comfortable in your habits or think "it will never happen to me."