Monday, December 3, 2012

12 Scams of Christmas



Are you the 1 person out of 4 that will be shopping from a mobile device this year?  McAfee has just released a list of the 12 most popular scams that online shoppers should watch out for this Christmas season.  It's a great list!

  1. Social media scams: Cybercriminals know social media networks are a good place to catch you off guard because we’re all “friends,” right? Scammers use channels like Facebook and Twitter, just as they use email and websites, to scam consumers during the holidays. Be careful when clicking or liking posts, taking advantage of raffle contests and fan page deals from your “friends” that advertise the hottest holiday gifts, or installing apps to receive discounts, and be alert to friends’ accounts being hacked and sending out fake alerts. Twitter ads and special discounts utilize blind, shortened links, many of which could easily be malicious.
  2. Malicious Mobile Apps: As smartphone users we are app crazy, downloading over 25 billion apps for Android devices alone! But as the popularity of applications has grown, so have the chances that you could download a malicious application designed to steal your information or even send out premium-rate text messages without your knowledge.
  3. Travel Scams: Before you book your flight or hotel to head home to see your loved ones for the holidays, keep in mind that the scammers are looking to hook you with too-good-to-be-true deals. Phony travel webpages, sometimes using your preferred company, with beautiful pictures and rock-bottom prices are used to get you to hand over your financial details.
  4. Holiday Spam/Phishing: Soon many of these spam emails will take on holiday themes. Cheap Rolex watches and pharmaceuticals may be advertised as the “perfect gift” for that special someone.
  5. iPhone 5, iPad Mini and other hot holiday gift scams: The kind of excitement and buzz surrounding Apple’s new iPhone 5 or iPad Mini is just what cybercrooks dream of when they plot their scams. They will mention must-have holiday gifts in dangerous links, phony contests (example: “Free iPad”) and phishing emails as a way to grab computer users’ attention to get you to reveal personal information or click on a dangerous link that could download malware onto your machine.
  6. Skype Message Scare: People around the world will use Skype to connect with loved ones this holiday season, but they should be aware of a new Skype message scam that attempts to infect their machine, and even hold their files for ransom.
  7. Bogus gift cards: Cybercriminals can't help but want to get in on the action by offering bogus gift cards online. Be wary of buying gift cards from third parties; just imagine how embarrassing it would be to find out that the gift card you gave your mother-in-law was fraudulent!
  8. Holiday SMiShing: “SMiShing” is phishing via text message. Just like with email phishing, the scammer tries to lure you into revealing information or performing an action you normally wouldn’t do by pretending to be a legitimate organization.
  9. Phony E-tailers: Phony e-commerce sites that appear real try to lure you into typing in your credit card number and other personal details, often by promoting great deals. But, after obtaining your money and information, you never receive the merchandise, and your personal information is put at risk.
  10. Fake charities: This is one of the biggest scams of every holiday season. As we open up our hearts and wallets, the bad guys hope to get in on the giving by sending spam emails advertising fake charities.
  11. Dangerous e-cards: E-Cards are a popular way to send a quick “thank you” or holiday greeting, but some are malicious and may contain spyware or viruses that download onto your computer once you click on the link to view the greeting.
  12. Phony classifieds: Online classified sites may be a great place to look for holiday gifts and part-time jobs, but beware of phony offers that ask for too much personal information or ask you to wire funds via Western Union, since these are most likely scams.
Want more information?  Check out the results of the 2012 Holiday Shopping Study.

Friday, November 2, 2012

25 Most Popular Passwords of 2012


You need a password to access just about anything on a computer today: your bank account, your email, your resources here at KUMC.  So it's important that we choose long and strong passwords to protect our information.  If we don't, the odds that someone can guess our password and get access increase exponentially.

SplashData has just released the results of their annual study on the 25 Most Popular Passwords and, while there are several familiar passwords on the list from last year - "password", "123456", and "12345678" - there are some surprising new additions as well.  Take a look and, hopefully, you don't see your password on the list.  (And, if you do, it's time to change it to something more complex!)

Here's the full list, along with how the popularity of the phrase has increased or decreased in the past year:

1. password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)

Thursday, November 1, 2012

Important iPhone/iPad iOS 6.0.1 Update

Apple released a software update today for iPhone/iPads running iOS version 6. This is a recommended and critical update for anyone planning on using ActiveSync for Calendar scheduling when KUMC migrates to the new Exchange email system on November 9th.  This update addresses a known issue in the initial release that caused calendar entries to disappear.

The iOS 6.0.1 update is available on iTunes as well as wirelessly.

For more details on iOS 6.0.1, see Apple’s Knowledge Base at http://support.apple.com/kb/DL1606

Tuesday, September 4, 2012

Check Your PC For A MAJOR Java 1.7 Vulnerability

A new zero-day vulnerability in Java has been discovered and exploits are being found in the wild.  The flaw affects all versions of Oracle's Java 7 (version 1.7) on all supported platforms. No patch is available at this time.  Java 6 and earlier are currently unaffected.

In order for this vulnerability to be exploited, you have to visit a web page or follow a link to an infected site.  If you get hit with this, the software can do anything with your computer that you can.  Rapid7, a security research company, has released an online tool to test if your machine is exploitable through Java.  To test your machine with this tool, go to  http://www.isjavaexploitable.com/.

A copy of this message will be posted to TechWeb (www.bu.edu/tech) for reference.  Check there for further updates and information regarding this issue.

Recommendations:

  • If you are not using any programs that require Java, remove it from your system altogether.  Java is one of the most heavily exploited platforms in the world today due to its almost ubiquitous presence.
  • If you have to have Java for a specific program, but don’t need it for the web pages you visit, disable Java for universal use on your browsers. (Links for how to do this are below.)  It is safest to allow use of Java browser plug-ins on a case-by-case basis when prompted for permission by trusted programs.
  • If you can't do that, at least confine your browsing to regular commercial sites which, while not immune from being infected, are typically more carefully maintained and monitored and represent a lower risk.  This is not a reliable security approach, but it is better than nothing.

How to disable Java:

(For Firefox on Mac OS X, it is like Windows XP (Tools > Add-ons))
...in Chrome:  While in Chrome, enter this URL:  chrome://plugins/  then click "Disable" under Java.



Thursday, July 26, 2012

Do You Trust Your Hotel's Security?

You might want to think twice the next time you decide to leave your laptop, iPhone or other valuable in your hotel room on that next vacation or business trip.

As this story by Extreme Tech shows, the card-protected locks that are commonly used on hotel room doors aren't secure.  In fact, it can be easy for someone with $50 of off-the-shelf equipment from Radio Shack to get access, and there wouldn't be a trace that they had been in your room.

Wednesday, June 6, 2012

LinkedIn.Com User? Change Your Password NOW

If you use LinkedIn.com to keep track of professional connections, please continue reading.  If not, please disregard.
 
Earlier today, it was confirmed that 6.5 million LinkedIn passwords were compromised and posted to a Russian hacker site.  As of yet, LinkedIn has not notified its users; however, if you have an account on LinkedIn.com, there is a high probability that your LinkedIn password has been compromised and you should change it immediately.
 
As a reminder, you should never use your KUMC password or a derivative of it on any external website.  Additionally, if you use the same password on LinkedIn and other websites, I recommend that you change your password on those other sites as well.
 
 
If you are a member of the KUMC community and have a question regarding this situation, please contact Information Security at (913) 588-3333 or email kumc-security@kumc.edu

Tuesday, February 21, 2012

Students Steal Laptops for Class Credit?

This recent story by Charlie Osborne at ZDNet highlights a research project where students at the University of Twente were told to steal 30 laptops from faculty and staff on campus. The "thefts" were part of a PhD thesis titled "Alignment of Organizational Security Policies, Theory and Practice" that explored the ways in which human behavior and habits can thwart good security practices.

During the project, the laptops had been "loaned" to random individuals by the researcher, Trajce Dimkov, and the recipients were asked to safeguard the laptops by either chaining them to their desk, locking them up, or securing them with a password. Students then used various creative methods of "stealing" the laptops. In over half the attempts that were made, students were successful in stealing the laptops.

What's the lesson? 
  •  Pay attention to where your computers are and whether or not they are secure from theft. 
  • Unlocked offices are great targets for theft.
  • Don't get too comfortable in your habits or think "it will never happen to me."

Tuesday, February 14, 2012

Mozilla Fixes Critical Bug in Firefox 10

Just one week after Firefox version 10 was released, Mozilla has pushed out a fix for a critical flaw that could be exploited to crash the browser.  Students and home users are encouraged to download and apply the fix immediately.  The security patch will be pushed automatically to all University and UKP-owned workstations.

For more information, read the Mozilla Security Advisory.

Thursday, February 9, 2012

How Do I Secure My Mobile Apps?


iPad, Xoom, Evo, GalaxyTab....whatever your mobile device is, you've probably thought about or even downloaded apps onto it.  Everybody wants to play Angry Birds, right? 

But you need to be aware of the risks that come with downloading apps as well.  In this SANS Securing The Human newsletter, you'll learn what the risks are and great tips on how to make sure your apps are useful and not harmful.

Friday, February 3, 2012

Apple Issues First Mac Security Update for 2012

Apple has released its first 2012 security update to address more than 50 vulnerabilities for Mac OS X.
Updates are available for Mac OS X 10.7 (Lion), and for 10.6 (Snow Leopard).  OS X users should apply the appropriate update as soon as possible.

NOTE:  There have been reports of issues with version 10.7.3 including rendering the system unbootable, so users with that version should be careful applying the patches.  More info on the issues can be found at Apple: OS X Lion 10.7.3 and Security Update 2012-001

For more information:

EWeek:  Apple Fixes 52 Bugs in OS X
Cnet: OS X 10.7.3 Update Causing Issues
ComputerWorld: Apple Update Patches 51 bugs in Mac OS X

Wednesday, February 1, 2012

Symantec Releases pcAnywhere patch

Symantec has released hotfixes for its pcAnywhere software. The updates address all known  security issues in versions 12.0, 12.1 and 12.5 (including SP2, SP2, and SP3). Concerns still abound because the source code has been stolen by hackers, giving them unlimited access to find other security issues within the software.

We are already seeing someone scanning for open pcAnywhere installations on the Internet on port 5631.  Users of pcAnywhere software should apply the patch immediately.
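One way to look for the scanning described above in your own perimeter logs, as an added example that is not part of the original post: it flags sources probing TCP 5631 across several hosts and lists hosts that accepted a connection on that port and so need the patch first. The log format, the sample lines and the `analyze` function are constructed for illustration.

```python
import re
from collections import defaultdict

PCANYWHERE_PORT = 5631  # TCP port named in the post

# Constructed sample log in an assumed format (not from any real product):
# <timestamp> <ACTION> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2012-02-01T09:14:02 DROP TCP 203.0.113.7:51122 -> 192.0.2.10:5631
2012-02-01T09:14:02 DROP TCP 203.0.113.7:51123 -> 192.0.2.11:5631
2012-02-01T09:14:03 ACCEPT TCP 203.0.113.7:51124 -> 192.0.2.12:5631
2012-02-01T09:14:03 DROP TCP 203.0.113.7:51125 -> 192.0.2.13:5631
2012-02-01T09:20:40 ACCEPT TCP 198.51.100.23:40210 -> 192.0.2.12:443
2012-02-01T09:31:05 DROP TCP 198.51.100.99:33001 -> 192.0.2.10:5631
malformed line that the parser should skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def analyze(log_text, port=PCANYWHERE_PORT, min_targets=3):
    """Return (scanners, exposed) for connections to `port`.

    scanners: source IP -> sorted destinations, for sources that touched
              at least `min_targets` distinct hosts on the port.
    exposed:  sorted destinations that ACCEPTed a connection on the port,
              i.e. hosts reachable from outside on the pcAnywhere port.
    """
    probed = defaultdict(set)
    exposed = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != port:
            continue  # unparseable line or unrelated port
        probed[m["src"]].add(m["dst"])
        if m["action"] == "ACCEPT":
            exposed.add(m["dst"])
    scanners = {
        src: sorted(dsts)
        for src, dsts in probed.items()
        if len(dsts) >= min_targets
    }
    return scanners, sorted(exposed)


if __name__ == "__main__":
    scanners, exposed = analyze(SAMPLE_LOG)
    for src, dsts in scanners.items():
        print(f"possible scanner {src}: {len(dsts)} hosts probed on {PCANYWHERE_PORT}")
    for host in exposed:
        print(f"host accepting connections on {PCANYWHERE_PORT}: {host}")
```
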

For more information:

Symantec Vulnerability Advisor
Information Week:  Symantec Patches pcAnywhere, but should you delete?

Sunday, January 29, 2012

lol...OMG! Managing Your Online Reputation

As part of the celebration for Data Privacy Month, check out this archived presentation by esteemed author Matt Ivester titled "lol...OMG!:  What Everyone Needs to Know About Online Reputation Management".

Brief Summary:  The ease with which digital content can be shared online, in addition to its many benefits, has created a host of problems for today’s high school and college students. All too often, students are uploading, updating, posting and publishing without giving a second thought to who might see their content or how it might be perceived. Ivester will provide a cautionary look at the many ways that today’s students are experiencing the unanticipated negative consequences of their digital decisions – from lost job opportunities and denied college and graduate school admissions to full-blown national scandals. He will be using real-life case studies and offering actionable strategies and best practices that empower students to clean up and maintain a positive online presence.

Saturday, January 28, 2012

Today is Data Privacy Day

Have you thought about how your personal information is collected, shared, and stored online as you surf the Internet? Here are some tips on how to keep your information secure:

Smartphones and Mobile Devices
  •  Your smartphone contains a host of personal information about you. Secure your phone with a strong passcode or other privacy feature.
  • Think before you text. Keep in mind how the message might be read before you send it. Be aware that texts can be forwarded.
  • Only give your mobile number out to people you know and trust and never give anyone else's number out without their permission. When in doubt, don’t respond. Text and call only the people and businesses you know in real life.
  • Make sure you know how to block others from calling your phone. Using caller ID, you can block all incoming calls or block individual names and numbers.
  • Make sure you have someone’s permission before taking pictures or videos of them with your phone. Likewise, make sure you’re comfortable before allowing someone to take pictures or videos of you.
  • Learn how to disable the geotagging feature on your phone at icanstalku.com.
  • Smartphones store and transmit a wide range of personal data which third parties can obtain access to – often without the user’s awareness or consent – including contact lists, pictures, browsing history, certain identifying information and stored location data.
  • Research apps before you download them. Apps on smartphones can transfer unique IDs (essentially supercookies), phone numbers, demographic information and location data to ad companies without users’ consent. Your unique ID, together with your location, age and sex, are valuable information to marketers. Most apps do not have privacy policies. Consumers who download apps often don't know what information they are revealing about themselves, to whom and for what purpose.
  • If your phone is lost or stolen, report it to your local police station and your network operator immediately.
  • Learn about Privacy in the Age of the Smartphone offered by Privacy Rights Clearinghouse.

Social Networking (Facebook, Twitter, FourSquare, LinkedIn, etc.)
  • STOP. THINK. CONNECT. Think carefully about the kinds of information, comments, photos and videos you share online.
  • Know your audience: Consider who may have access to your profile: family, friends, friends of friends, your school, college admissions officers, potential employers. Use available privacy settings to manage your audience.
  • Own your online presence: When available, set the privacy and security settings on websites to your personal comfort level for information sharing. Do not rely on “recommended” settings or default settings. Make your own decisions. It's okay to limit who you share information with. It is okay to not accept a friend request.
  • Your online reputation can be a good thing: Recruiters often respond to a strong, positive personal brand online. So show your smarts, thoughtfulness, and mastery of the digital environment.
  • Your privacy is only as protected as your least reliable friend allows it to be: Keep in mind that privacy settings protect information from people you choose to exclude from your personal networks. When you choose to share information with friends, those friends can make their own decisions about forwarding your content. Avoid sharing compromising photos and information. Think carefully before sharing.
  • Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password. To protect your privacy, don’t share your passwords with others.
  • As a general rule, do not share the following information on a profile page: your phone numbers, home address, full date of birth, travel plans, social security number, passwords, family financial information, bank or credit card numbers.
Want more?  Visit http://bit.ly/A8dHCK for more details on how to keep your information secure.

Thursday, January 26, 2012

Using pcAnywhere? STOP NOW!

If you're not familiar with pcAnywhere, it's a software package that allows you to remotely control a computer.  The manufacturer, Symantec, has announced that the source code for the software has been stolen by a hacker group and that there are some serious issues that they need to address.  The company's recommendation is that you stop using the software immediately until they can issue a patch.  For the full story, go here.

Friday, January 13, 2012

Fun Friday: Can You Spot What's Wrong?

It's Friday the 13th and what better way to celebrate than with a fun quiz.  CSO Magazine has published the "Clean Desk Test".  Can you spot the 20 violations of a good clean desk policy in the photo below?  Click on the photo to get started and to see the answers.

Tuesday, January 10, 2012

Microsoft Patch Notifications for January 2012

Microsoft released 7 patches today designed to address 20 vulnerabilities, including the one exploited by the Duqu worm. There are two patches that have been given a "PATCH NOW" rating by SANS:  one of them, MS12-004 or KB2636391, addresses a currently exploited issue in Windows Media Player. Windows, Office and Internet Explorer are all affected and many of the updates will require you to restart your computer.

Members of the KUMC community will have these patches deployed automatically to your on-campus computers, so no further action is needed. However, you should ensure that your personal computer is  updated as soon as possible.