Every device introduces vulnerabilities to our network, even your phone. Keeping your mobile device up to date with the latest software release not only protects your personal data, it also helps to protect the Middlebury network. A recent survey showed that fewer than 20% of all mobile devices on the Middlebury network were found to be clean of vulnerabilities. That means that 80% of all mobile devices are susceptible to some form of compromise, which could result in data loss or system performance issues on either the device or the Middlebury network. To help protect the network, please update your phones, iPods and other mobile devices and patch all of your mobile applications.
SANS publishes a security paper every month called OUCH!. This month it discussed Social Engineering. I felt it was worth sharing the article here.
OUCH! | November 2014

IN THIS ISSUE...
• Social Engineering
• Detecting/Stopping Social Engineering Attacks
• Preventing Future Attacks

A common misconception people have about cyber attackers is that they only use advanced hacking tools and technology to break into people’s computers, accounts and mobile devices. This is simply not true. Cyber attackers have learned that one of the easiest ways to steal your information or hack your computer is by simply talking to and misleading you. In this newsletter, we will learn how these types of human attacks (called social engineering attacks) work and what you can do to protect yourself.

Social Engineering

Social engineering is a type of psychological attack where an attacker misleads you into doing something they want you to do. Social engineering has existed for thousands of years; the idea of scamming or conning someone is not new. However, cyber attackers have learned that using this technique on the Internet is extremely effective and can be used to target millions of people. The simplest way to understand how social engineering works is to take a look at a common,

You receive a phone call from someone claiming to be from a computer support company, your ISP or perhaps Microsoft tech support. The caller explains they have noticed that your computer is behaving strangely, such as scanning the Internet or sending spam, and they believe it is infected. They have been tasked with investigating the issue and helping you secure your computer. They then use a variety of technical terms and take you through confusing steps to convince you that your computer is infected.

For example, they may ask you to check to see if you have certain files on your computer and walk you through how to find them. When you locate these files, the caller will assure you that these files are a sign that your computer is infected, when in reality these files are nothing more than common system files found on every computer. Once they have tricked you into believing your computer is infected, they will pressure you into going to a website and buying their security software or ask you to give them remote access to your computer so they can fix it. However, the software they are selling is actually a malicious program. If you purchase and install the software, not only have they fooled you into infecting your computer, but you also just paid them to do it. If you give them remote access to your computer to fix it, in reality they are going to take over and infect it.

Keep in mind that social engineering attacks like this are not limited to phone calls; they can happen with almost any technology, including phishing attacks via email, text messaging, Facebook messaging, Twitter posts or online chats. The key is to know what to look out for.
Detecting / Stopping Social Engineering Attacks

The simplest way to defend against social engineering attacks is to use common sense. If something seems suspicious or does not feel right, it may be an attack. Some common indicators of a social engineering attack include:
• Someone creating a tremendous sense of urgency. If you feel like you are under pressure to make a very quick decision, be suspicious.
• Someone asking for information they should not have access to or should already know.
• Something too good to be true. A common example is you are notified you won the lottery, even though you never even entered it.

If you suspect someone is trying to make you the victim of a social engineering attack, do not communicate with the person any more. If it is someone calling you on the phone, hang up. If it is someone chatting with you online, terminate the connection. If it is an email you do not trust, delete it. If the attack is work-related, be sure to report it to your help desk or information security team right away.
Preventing Future Social Engineering Attacks
Fortunately, there are precautions you can take to help prevent exposing yourself to future social engineering attacks:
• Never Share Passwords. No organization will ever contact you and ask for your password. If someone is asking you for your password, it is an attack.
• Don’t Share Too Much. The more an attacker knows about you, the easier it is for them to find and mislead you into doing what they want. Even sharing small details about yourself over time can be put together to create a complete picture of you. The less you share publicly, including posts on social media sites, product reviews or public forums and mail lists, the less likely you will be attacked.
• Verify Contacts. At times, you may be called by your bank, credit card company, mobile service provider or other organizations for legitimate reasons. If you have any doubt as to whether a request for information is legitimate, ask the person for their name and extension number. Then find the company’s phone number from a trusted source, such as the number on the back of your credit card, the number on your bank statement or perhaps the number on the company’s website. (Be sure you type the URL in your browser yourself.) This way, when you call the organization, you know you are really talking to them. Though it seems like a hassle, safeguarding your identity and personal information is well worth the additional step.
Mobile devices are increasingly used in the same way as PCs, potentially making them susceptible to the same threats that affect PCs connected to the Internet. Since mobile devices can contain vast amounts of sensitive and personal information, they are attractive targets that provide unique opportunities for criminals intent on exploiting them.
Mobile devices have become an integral part of society and, for some, an essential tool. However, the complex design and enhanced functionality of these devices introduce additional vulnerabilities. These vulnerabilities, coupled with the expanding market share, make mobile technology an attractive and viable target. Mobile phones share many of the vulnerabilities of PCs. However, the attributes that make mobile phones easy to carry, use, and modify open them to a range of attacks.
Perhaps most simply, the very portability of mobile phones makes them easy to steal. The owner of a stolen phone could lose all the data stored on it, from personal identifiers to financial and corporate data.
Many seemingly legitimate software applications, or apps, are malicious. Anyone can develop apps for some of the most popular mobile operating systems, and mobile service providers may offer third-party apps with little or no evaluation of their safety. Sources that are not affiliated with mobile service providers may also offer unregulated apps that access locked phone capabilities.
Even legitimate smartphone software can be exploited. Mobile phone software and network services have vulnerabilities, just like their PC counterparts do. For years, attackers have exploited mobile phone software to eavesdrop, crash phone software, or conduct other attacks. A user may trigger such an attack through some explicit action, such as clicking a maliciously designed link that exploits a vulnerability in a web browser. A user may also be exposed to attack passively, however, simply by using a device that has a vulnerable application or network service running in the background.
Email phishing is a common attack on PCs, and it is just as dangerous on email-enabled mobile phones. Mobile phone users are also vulnerable to phishing voice calls (“vishing”) and SMS/MMS messages (“smishing”).
The consequences of a compromised smartphone can be severe. If the phone is stolen, attackers could use the information stored on it to access the user’s bank account or credit card account. An attacker could also steal, publicly reveal, or sell any personal information extracted from the device, including the user’s information, information about contacts, and GPS locations. Even if the victim recovers the device, he or she may receive many spam emails and SMS/MMS messages and may become the target of future phishing attacks.
In his first public appearance since being named Microsoft's new CEO, Satya Nadella unveiled the next evolution of Office. The ubiquitous productivity suite, which includes apps such as Word and Excel, has been optimized for use with touch screens and fingers.
Microsoft had done some work on Office 2013 to make it more finger friendly, but with Office for iPad, it's a full-fledged step forward. The look of Office isn't radically changed, but many features have been subtly streamlined to make things less painful.
The biggest difference is that Microsoft isn't trying to push every formatting option in front of your face, instead identifying the most essential features, and using that screen space to make those icons bigger.
Microsoft Word, for example, closely resembles Word 2013, but the interface has been simplified to highlight just the most important formatting options. Text and images can easily be highlighted and manipulated with a finger, as is the case in most iPad word processors.
Microsoft Excel is able to interpret what type of data you're working with and automatically suggest formatting options to save time digging through menus for a specific type of graph.
PowerPoint has been the most straightforward and tablet-ready product of the bunch, but on the iPad it’s as touch-optimized as you'd expect, allowing users to build presentations with a few taps and swipes.
Also notable is the more pronounced integration of Microsoft OneDrive into Office. All documents are automatically backed up and synced to Microsoft's Cloud, with an easy-to-use interface. Multi-user collaboration has also been integrated deeper into the experience.
That the tablet-optimized version of Office launched on Apple's iPad first, and not a Windows or Android tablet, is a testament to the influence of the iPad in the tablet space.
But while all of what Microsoft showed off looks and sounds fine, it doesn't seem to solve the problem of productivity apps on touch devices as much as it just makes them more tolerable to use.
Of course, the larger question is whether it matters that Office is now available for the iPad. For years, there have been scores of productivity apps available in the App Store, including Google Drive and Apple's own iWork suite, both of which are free. There have also been third-party apps, such as the word processor Writer Pro and the spreadsheet app Grid, which are helping to evolve or even reinvent the entire concept of what productivity software is.
But do enough people care that much about productivity and file compatibility on a tablet to make the leap to Office for iPad? That's a big, unanswered question.
Office for iPad will be available in the iTunes App Store on Thursday afternoon (3/27/14) for free. But only reading documents will be free. Those wanting to create and edit content will have to purchase an Office 365 Subscription, starting at $70 a year.
Following the best practices regarding mobile phone security can reduce the likelihood or consequences of an attack:
- Do not follow links sent in suspicious email or text messages; such links may lead to malicious websites.
- Limit exposure of your mobile phone number.
- Think carefully before posting your mobile phone number to a public website. Attackers can use software to collect mobile phone numbers from the web and then use those numbers to target attacks.
- Carefully consider what information you want stored on the device.
- Be choosy when selecting and installing apps. If the permissions seem beyond what the app should require, do not install the app; it could be a Trojan horse, carrying malicious code in an attractive package.
- Maintain physical control of the device, especially in public or semi-public places. The portability of mobile phones makes them easy to lose or steal.
- Disable interfaces that are not currently in use, such as Bluetooth or Wi-Fi. Attackers can exploit vulnerabilities in software that uses these interfaces.
- Set Bluetooth-enabled devices to non-discoverable. When in discoverable mode, your Bluetooth-enabled devices are visible to other nearby devices.
- Avoid joining unknown Wi-Fi networks and using public Wi-Fi hot spots. Attackers can create phony Wi-Fi hot spots designed to attack mobile phones and may patrol public Wi-Fi networks for unsecured devices.
- Delete all information stored in a device prior to discarding it.
Spyware is also known as "adware." It refers to a category of software that, when installed on your computer, may send you pop-up ads, redirect your browser to certain web sites, or monitor the web sites that you visit. Some extreme, invasive versions of spyware may track exactly what keys you type. Attackers may also use spyware for malicious purposes.
The following symptoms may indicate that spyware is installed on your computer:
- you are subjected to endless pop-up windows
- you are redirected to web sites other than the one you typed into your browser
- new, unexpected toolbars appear in your web browser
- new, unexpected icons appear in the task tray at the bottom of your screen
- your browser's home page suddenly changed
- the search engine your browser opens when you click "search" has been changed
- certain keys fail to work in your browser (e.g., the tab key doesn't work when you are moving to the next field within a form)
- random Windows error messages begin to appear
- your computer suddenly seems very slow when opening programs or processing tasks (saving files, etc.)
To avoid unintentionally installing it yourself, follow these good security practices:
- Don't click on links within pop-up windows - Because pop-up windows are often a product of spyware, clicking on the window may install spyware software on your computer. To close the pop-up window, click on the "X" icon in the titlebar instead of a "close" link within the window.
- Choose "no" when asked unexpected questions - Be wary of unexpected dialog boxes asking whether you want to run a particular program or perform another type of task. Always select "no" or "cancel," or close the dialog box by clicking the "X" icon in the titlebar.
- Be wary of free downloadable software - There are many sites that offer customized toolbars or other features that appeal to users. Don't download programs from sites you don't trust, and realize that you may be exposing your computer to spyware by downloading some of these programs.
- Don't follow email links claiming to offer anti-spyware software - Like email viruses, the links may serve the opposite purpose and actually install the spyware it claims to be eliminating.
As an additional good security practice, especially if you are concerned that you might have spyware on your machine and want to minimize the impact, consider taking the following action:
- Adjust your browser preferences to limit pop-up windows and cookies - Pop-up windows are often generated by some kind of scripting or active content. Adjusting the settings within your browser to reduce or prevent scripting or active content may reduce the number of pop-up windows that appear. Some browsers offer a specific option to block or limit pop-up windows. Certain types of cookies are sometimes considered spyware because they reveal what web pages you have visited. You can adjust your privacy settings to only allow cookies for the web site you are visiting.
- Run a full scan on your computer with your anti-virus software - Some anti-virus software will find and remove spyware, but it may not find the spyware when it is monitoring your computer in real time. Set your anti-virus software to prompt you to run a full scan periodically.
- Run a legitimate product specifically designed to remove spyware - Many vendors offer products that will scan your computer for spyware and remove any spyware software. Popular products include Lavasoft's Ad-Aware, Microsoft's Windows Defender, Webroot's SpySweeper, and Spybot Search and Destroy.
- Make sure that your anti-virus and anti-spyware software are compatible - Take a phased approach to installing the software to ensure that you don't unintentionally introduce problems.
FakeAV is a virus designed to look like real anti-virus software in the hopes that the victim will click a link and download a malicious package. The malware often does not stop there. Many FakeAV packages continue the con by disabling true anti-virus packages claiming that they are harming the system they are intended to protect. These viruses come in many forms but are well crafted to present like a trusted virus prevention source such as the example above.
What to do when presented with a suspicious AV warning:
If your computer presents a virus warning that is not clearly part of your installed anti-virus software (Here at Middlebury that is Sophos Anti-Virus) you should power off your computer without closing any windows. A hard shutdown is the most secure way to guarantee that Fake AV will not be installed on your computer. Even closing the window has the potential of installing the most well-crafted FakeAV downloader.
Where does this FakeAV come from?
Most of this malware comes from what are often termed drive-by attacks. In other words, you may visit a web site that has been compromised or that is hosting a third-party advertisement that has been compromised. It is nothing that you have done, but the active content on many of these sites gives these attackers the opportunity to pop up these attacks on your system. The good news is that unless you interact with the threat or the site directly, there is little risk to your system from these FakeAV attacks. The downside is that some of these attacks are becoming harder to distinguish from a true Microsoft warning or other messages. Here at Middlebury we use Sophos AV. At home you should know what kind of AV software you have installed and what its warning messages look like.
Learn more about safe computing at: