Missouri State University
Computer Services Information Security
Information Security News & Info

5 tips to protect yourself on Facebook

Stay safe and protect your privacy online with these suggestions

Sharon Gaudin, August 13, 2010 (Computerworld)

After news hit this week that Facebook developers are furiously trying to fix a bug that lets spammers harvest users’ names and photos, the issue of online safety has reared its ugly head again.

Privacy and security problems have plagued Facebook and its more than 500 million users — a lot — over the past several months.

Much of the most recent turmoil was kicked up this past April when Facebook unveiled a list of new tools that allow user information to be easily shared with third-party Web sites.

That move caused an online uproar among users, and even prompted a handful of U.S. senators to write an open letter calling on Facebook to amend its privacy policies.

Facebook responded to the unrest with the release in May of a set of simpler privacy controls. However, despite the social network’s efforts, concern about privacy and security seems to always be boiling just under the surface among users.

Oddly enough, though, that doesn’t mean that most users have battened down their security hatches or have even rethought the kind of information they routinely post about themselves.

In light of the concern about privacy and security — and the fact that users don’t seem to be doing what they should be doing to safeguard their information — Computerworld talked with analysts to come up with five suggestions to protect you and your personal information if you’re one of the half a billion Facebook users sharing pictures, videos and updates about your latest dates or upcoming vacations.

1. Understand Facebook’s security settings and use them

Most analysts called this step absolutely mandatory. Larry Hawes, an analyst at Gilbane Group, noted that users need to find out where the security settings are on Facebook and take the time to learn how to use them to control what information is shared with people, applications and Web sites.

Augie Ray, an analyst at Forrester Research, added that people should seriously consider only sharing their information with their online friends.

To do that, Ray noted that users can access their privacy settings by clicking on “Account” in the upper right-hand corner of their Facebook page, and then clicking “Privacy Settings.” People who want to set their privacy settings as tight as possible can select “Friends Only.” Also uncheck the box marked “Let friends of people tagged in my photos and posts see them,” and then click “Apply these Settings.”

2. Who’s your buddy?

Come on. This is not high school and Facebook isn’t a popularity contest. You don’t need to be “friends” with everyone.

A good reality check is whether this person is actually a friend or family member in real life. If they’re not an actual friend, why would you want them to know when you’re stuck working late, getting ready to go on vacation, or that you just bought a new computer or flat-screen TV?

“Remember that sharing with friends only is the strictest level of security that exists on Facebook,” Hawes said. “Be sure the people you friend are ones that you know and trust.”

3. Beware of those applications

Ray warns that using a Facebook application can give broad permission for whoever developed that application to access your data … and your friends’ data.

That means you may want to think twice before you take quizzes with titles like “Would you make a good FBI agent?” or “What’s the theme song to your high school years?”

Only use applications from sources you trust, Ray added. And periodically check the list of applications you’ve used and given permissions to. “You might be surprised how many you’ve approved,” he said. “Much like your PC, you probably want to regularly remove any applications you don’t use and trust.”

Ray advised users to go to the bottom of Facebook’s Privacy Settings page to find the “Applications and Websites” link. There, they can click on the “Remove unwanted or spammy applications” option.

4. Ummm, sorry Grandma! Think before you type

You have to protect yourself and think through every post that you put online. The golden rule, say several analysts, is to think about whether you want your mother, your boss (and any potential future bosses) and your significant other to read what you’re about to write. If you don’t want any of them to see it, don’t post it.

It’s a simple concept, but people still just don’t get it, said Dan Olds, an analyst at Gabriel Consulting Group.

“It’s so important for users to realize that when they post personal details on social networking sites, they have to assume that information could be exposed to everyone with a computer and a screen,” Olds added.

“One approach is to ask yourself if you’d wear a T-shirt with the details you’ve posted about yourself. If you would, then you’re probably OK. But if that thought makes you cringe, then you’d better re-evaluate what you’re putting on the Web,” he said.

5. Malicious eyes

Sit down and closely look at your Facebook page and consider what a malicious person could do with any of the information you’ve posted.

“Try to be objective and ask yourself, ‘If I really hated this person or wanted to take advantage of her, is there anything I could do with this information to mess with her?’” said Olds. “If the answer is yes, then consider what kinds of information you’re posting on your Facebook page and make the appropriate adjustments.”

Analysts also warned users to not post any information that could be used in an identity theft scheme. Avoid listing your birth date, home address, children’s names, phone numbers and social security numbers.

Source: http://www.computerworld.com/s/article/9180642/5_tips_to_protect_yourself_on_Facebook?source=CTWNLE_nlt_security_2010-08-13


Wireless Security is an Oxymoron, But There is Hope

WiFi is everywhere. Whether you travel for business or simply need Internet access while out and about, your options are plentiful. You can sign on at airports, hotels, coffee shops, fast food restaurants, and now, airplanes. What are your risk factors when accessing wireless? There are plenty. WiFi wasn’t born to be secure. It was born to be convenient. Wireless networks broadcast messages using radio and are thus more susceptible to eavesdropping than wired networks.

Anyone using an open unsecured network risks exposing their data. There are many ways to see who’s connected on a wireless connection, and to gain access to their information. As more sensitive data has been wirelessly transmitted over the years, the need for security has evolved. Today, with criminal hackers as sophisticated as they ever have been, wireless communications are at an even higher risk.

When setting up a wireless router, there are two different security protocol options. WiFi Protected Access (WPA and WPA2) is a certification program that was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy. Wired Equivalent Privacy was introduced in 1997 and is the original version of wireless network security.

There are a few things you should do to protect yourself while using wireless.

Be smart about what kind of data you transmit on a public wireless connection. Only transmit critical data to secure sites, ones where “HTTPS” appears in the address bar. These sites encrypt the traffic between your browser and the site, so an eavesdropper on the wireless network sees only scrambled data.

Don’t store critical data on a device used outside the secure network. I have a laptop and an iPhone. If they are hacked, there’s no data on either device that would compromise my identity or financial security.

If you have file sharing set up on your home network, turn it off manually on your laptop before venturing to wireless hot spots.

Turn off WiFi and Bluetooth on your laptop or cell phone when you’re not using them. An unattended device emitting wireless signals is very appealing to a criminal hacker.

Beware of free WiFi connections. Anywhere you see a broadcast for “Free WiFi,” consider it a red flag. It’s likely that free WiFi is being used as bait.

Beware of evil twins. Anyone can set up a router to broadcast a name like “T-Mobile,” “ATT Wireless” or “Wayport.” These connections can appear legitimate but are actually traps set to snare anyone who connects.

Keep your antivirus software and operating system updated. Make sure your antivirus software is automatically updated and your operating system’s critical security patches are up to date.

Robert Siciliano  

Source: http://information-security-resources.com/2010/07/05/wireless-security-is-an-oxymoron/


“Smishing” Is New Twist On Old “Phishing” Computer Scams

May 20, 2010 5:20 pm US/Central

Latest Trend In Identity Theft: Bank Text Alerts


Mai Martinez

CHICAGO (CBS) ―

“Smishing” is the latest trend in identity theft. Criminals are basically cashing in on the popularity of banking text alerts by sending their own SMS or text messages to gather sensitive banking information.

We’ve all heard of those “phishing” computer scams, but how about “smishing?” It’s a new twist on the old scam, aimed at taking advantage of people who use banking text alerts. As CBS 2’s Mai Martinez reports, one text could cost you everything.

On the surface, it looks like a legitimate text message from your bank, warning you that your account has been locked. But call the number and provide the information requested, and you could lose every cent in your bank account.

“They can act on it within seconds,” said Steve Bernas, President and CEO of Chicago’s Better Business Bureau.

Bernas explained “smishing”, as it’s called, is the latest trend in identity theft. Criminals are basically cashing in on the popularity of banking text alerts, by sending their own SMS or text messages to gather sensitive banking information.

“It’s the new medium for them, and the scam artist picked up on it, and we get calls every day,” said Bernas.

One of those calls came from Tina Chapa, who received a text message saying her Visa account was closed due to insufficient funds.

“I knew that was not true because I keep up with it,” said Chapa, who had her identity stolen nine years ago in an unrelated incident.

Chapa said she was suspicious, so she called the number to find out more.

“It’s like an automated machine that says ‘type in your Visa number.’ Then it hung up on me,” she remembered about the call.

Chapa said she knew something was wrong, so she called the BBB.

According to the BBB, you don’t even have to be signed up for the banking text alerts to get the scam text messages. Bernas says the criminals just use computers to generate random cell phone numbers, and then text message unsuspecting consumers.

“They just throw everything at a wall, the proverbial wall, and see what sticks,” said Bernas.

And he added, unlike computers, cell phones don’t have spam filters to catch suspicious text messages, so if it’s a working number, the text goes through.

Knowing what was at stake, Tina Chapa feels lucky she was smart enough to use a fake account number when she called.

“It takes your number and hangs up on you,” she said. “And you don’t talk to a person, and next thing you know, you have no money in your account. That’s actually scary.”

The BBB says if you receive one of these text messages you should alert them and your bank.

If you think it might be legitimate, call your bank, but use a number you know, not the one provided in the text message.

The BBB also says consumers are often protected against this type of financial loss by their bank’s insurance, but they caution, clearing up the identity theft could take years.

(© MMX, CBS Broadcasting Inc. All Rights Reserved.)
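The BBB’s advice above (alert your bank, and call only a number you already know, never the one in the message) can be turned into a simple triage check. The following is an added example written for this page, not code from CBS or the BBB: it scores a text message on the indicators the report describes, namely urgent account-status wording, a request for card or PIN details, a link, and a callback number that is not on the list the recipient already knows. The sample messages, the bank-number list and the keyword lists are all constructed for the example; the 555-01xx numbers are reserved fictitious numbers.

```python
import re

# Constructed keyword lists for this example; a real deployment would tune them.
URGENCY_WORDS = ("locked", "closed", "suspended", "insufficient funds",
                 "immediately", "verify", "within 24 hours")
CREDENTIAL_RE = re.compile(
    r"\b(pin|password|card number|account number|ssn|social security number)\b")
LINK_RE = re.compile(r"https?://|\bwww\.")
# North American numbers written as 800-555-0199, (800) 555-0199 or 800.555.0199.
PHONE_RE = re.compile(r"\(?\b(\d{3})\)?[-.\s]?(\d{3})[-.\s]?(\d{4})\b")


def phone_numbers(text: str) -> list:
    """Return every phone number in the text as ten digits, e.g. '8005550199'."""
    return ["".join(groups) for groups in PHONE_RE.findall(text)]


def assess_sms(text: str, known_bank_numbers) -> dict:
    """Score a text message on the smishing indicators described in the article.

    known_bank_numbers: numbers the recipient already knows to be the bank's
    (for example the one printed on the back of the card), as ten-digit strings.
    """
    lowered = text.lower()
    reasons = []
    if any(word in lowered for word in URGENCY_WORDS):
        reasons.append("urgent account-status wording")
    if CREDENTIAL_RE.search(lowered):
        reasons.append("asks for card, PIN or account details")
    has_link = bool(LINK_RE.search(lowered))
    if has_link:
        reasons.append("contains a link")
    numbers = phone_numbers(text)
    unknown = [n for n in numbers if n not in known_bank_numbers]
    if unknown:
        reasons.append("callback number is not one you already know: " + ", ".join(unknown))

    # Call it smishing only when the message both pressures the reader and steers
    # them to a channel the bank did not publish (an unknown number or a link).
    if (unknown or has_link) and len(reasons) >= 2:
        verdict = "likely smishing"
    elif reasons:
        verdict = "review"
    else:
        verdict = "no indicators"
    return {"verdict": verdict, "reasons": reasons, "numbers": numbers}


# Constructed sample messages modelled on the scam described in the report.
KNOWN_BANK_NUMBERS = {"8005550100"}   # placeholder: the number from the back of the card
SAMPLES = [
    "ALERT: Your Visa account has been closed due to insufficient funds. "
    "Call 800-555-0199 immediately to reactivate.",
    "Example Bank: a purchase of $42.10 was made with the card ending 1234. "
    "Questions? Call 800-555-0100.",
    "Security notice: online banking is suspended. Verify your PIN at "
    "www.examp1e-bank.invalid/verify",
]

if __name__ == "__main__":
    for message in SAMPLES:
        result = assess_sms(message, KNOWN_BANK_NUMBERS)
        print(f"{result['verdict']:16} {message[:60]}...")
        for reason in result["reasons"]:
            print("    -", reason)
```

The first and third samples are flagged as likely smishing (unknown callback number or link plus pressure wording), while the genuine-looking alert that quotes the bank’s known number produces no indicators. The known-number check is the code form of “use a number you know”: the message is never trusted to tell you whom to call.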


Five Hidden Dangers of Facebook

Security Expert on Big Risks You Should Be Aware You’re Taking When You Use the Site

May 8, 2010

(CBS) Facebook claims it has 400 million users. But are they well-protected from prying eyes, scammers and unwanted marketers?

Not according to Joan Goodchild, senior editor of CSO (Chief Security Officer) Online.

She says your privacy may be at far greater risk of being violated than you know when you log onto Facebook, due to security gaffes or marketing efforts by the company.

Facebook came under fire this week, when 15 privacy and consumer protection organizations filed a complaint with the Federal Trade Commission, charging that the site, among other things, manipulates privacy settings to make users’ personal information available for commercial use. Also, some Facebook users found their private chats accessible to everyone on their contact list – a major security breach that’s left a lot of people wondering just how secure the site is.

In two words, asserts Goodchild – not very.

On “The Early Show on Saturday Morning,” she spotlighted five dangers she says Facebook users expose themselves to, probably without being aware of it:

• Your information is being shared with third parties

• Privacy settings revert to a less safe default mode after each redesign

• Facebook ads may contain malware

• Your real friends unknowingly make you vulnerable

• Scammers are creating fake profiles

Is Facebook a secure platform to communicate with your friends?

Here’s the thing; Facebook is one of the most popular sites in the world. … Security holes are being found on a regular basis. … It is not as inherently secure as people think it is when they log on every day.

Continue reading at source article: http://www.cbsnews.com/stories/2010/05/08/earlyshow/saturday/main6469373.shtml?tag=contentMain;contentBody 


Fake Anti-Virus Software a Growing Online Threat, Google Warns

NewsCore, updated April 28, 2010

Google said Tuesday that fake software security programs rigged to infect computers are a growing online threat, with hackers tricking people into installing nefarious code on machines.

An analysis of 240 million web pages by the internet search giant during the past 13 months revealed that fake anti-virus programs accounted for 15 percent of malicious software it detected, AFP reported.

“The Fake AV threat is rising in prevalence, both absolutely and relative to other forms of web-based malware,” Google said in its findings.
“Clearly, there is a definitive upward trend in the number of new Fake AV domains that we encounter each week.”

Fake anti-virus (AV) peddlers rig websites to frighten visitors with pop-up messages warning that supposed scans have found dangerous malicious software on machines. The scam goes on by selling victims programs that hackers claim will fix the purported problems — but which in fact usually plant nefarious computer code on machines.

Such transactions can also leave credit card information in the hands of cyber crooks.

“Surprisingly, many users fall victim to these attacks and pay to register the Fake AV,” Google said. “To add insult to injury, Fake AVs often are bundled with other malware, which remains on a victim’s computer regardless of whether a payment is made.”

Google has refined tools to filter out booby-trapped websites and hackers have evidently responded by flitting from one domain name to another.

The Google study was presented at the Usenix Workshop on Large-Scale Exploits and Emergent Threats in California, and analyzed websites between January 2009 and February 2010.

source: http://www.foxnews.com/scitech/2010/04/28/fake-anti-virus-software-online-threat-google/


Anti-fraud tips and tools for tax season

As April 15 approaches, U.S. citizens preparing to file their taxes are susceptible to online scams designed to steal their personal information and, ultimately, their money. Here is a roundup of tips for how people can protect themselves.

First off, the Internal Revenue Service does not initiate taxpayer communications through e-mail, and the agency does not request personal information via e-mail. The IRS publishes detailed information on its Web site on how to report and identify phishing and e-mail scams and bogus IRS Web sites, along with information about specific tax fraud schemes.

Microsoft’s Security Tips & Talk blog recommends that people filing taxes online should learn to recognize the official IRS Web site. In addition, people should make sure that the Web address of the site they are filing on is secure and begins with “https,” the secure version of the Hypertext Transfer Protocol, and that there is a locked padlock icon at the bottom of the screen, the blog post says.

Tax-related phishing attacks have been going on for a few weeks, at least, according to Proofpoint. One particularly pernicious one arrives in e-mail in-boxes with a subject line of “Notice of Underreported Income” and asks recipients to review their tax information with a link to a site that is represented as an IRS site. Instead, according to this Proofpoint blog item, the link leads to a fake IRS page with an executable that installs the data-stealing Zeus Trojan.

For more on this story, read Anti-fraud tips and tools for tax season on CNET News

By Elinor Mills CNET News
Posted on ZDNet News: Apr 14, 2010 4:46:31 AM

Source: http://news.zdnet.com/2100-9595_22-413564.html?tag=wrapper;col1


Social networking: Think before you link

March 5th, 2010


Posted by Jennifer Leggio @ 9:05 am, guest editorial by Anthony James. Source: http://blogs.zdnet.com/feeds/?p=2519&tag=wrapper;col1

It strikes me as somewhat of a mystery that the social networking explosion has not given rise to equal amounts of reaction to the security concerns it can create.  Besides the obviously sensationalized issue of “bullying” or intimidating through this personal medium, the greater issue of security is a significant concern that should be thoroughly thought about and discussed.

Consider a typical social networking environment in which users are able to link with friends, distribute topical commentary and share endless bounds of content treasures discovered by even more endless “circles of friends.” I will admit, there are some nuggets of gold to be had within these social circles and content sharing, but there are also many nuggets of pyrite (fool’s gold) with sinister intention hidden in the seemingly endless treasure trove of links.

By dissecting the nature of social networking, it is easy to see how a threat can flourish at an alarming rate among a large number of unknowing recipients. The “circle of contacts” users typically befriend are people they know and inherently trust, and because of that assumed trust, one would not expect these contacts to knowingly distribute malicious links or content. Unfortunately, trust is not 100 percent guaranteed: it can be compromised by hackers who discover login credentials and push their attack items to the trusted contacts from that login. Even more alarmingly, third-party applications inherent to social networks have been identified as sources of malicious intent. Obviously the social networking vendors are taking security seriously and scrutinizing externally developed applications before they are published on their networks, but unfortunately, as seen in 2009, there will always be a highly motivated developer determined to foist their wares on unsuspecting recipients and figure out a way to bypass security measures.

What does this mean? Is it safer to boycott social networking and step back into non-digital mediums for social interaction? This won’t work, as social networking has an established foothold in the everyday lives of millions, and the perceived value far surpasses the potential threats.  So that leaves us with the question of security and how can we apply security processes, tools and techniques to this new generation of applications, ensuring freedom of use without risk of compromise.

Think about the basics – regardless of the increasingly sophisticated delivery methods of threats, many of the traditional protection methods are still valid. By ensuring the most recent security patches and updates for operating systems and applications are applied, you are staying ahead of (or just behind) the curve of attack opportunities. Use of desktop security software is an absolute must, as the vast majority of attacks will still rely on the ability to install and execute some code on the desktop system. If you have a reliable desktop security product and it is up to date, many of these attempts by attackers will be thwarted, ensuring you do not fall victim to an attack carried by social networking.

As Fortinet cyber security and threat researcher Derek Manky says, “Think before you link.” Make a judgment call on links that promise “so-called internet gold.” Does that YouTube link forwarded to you actually take you to YouTube? Did you verify the domain in the URL? Youtube.com can look like y0utube.com at a glance. Avoid links on a Web page that suggest updates to applets or applications – more than likely the application has its own update mechanism and will guide you through an update if necessary, rather than a “click to upgrade” link on a Web page.
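Two pieces of advice on this page, check that a site is really “https” (the tax-season post above) and verify the domain in the URL before clicking (Youtube.com versus y0utube.com), can be combined into one pre-click check. The following is an added example written for this page, not code from Fortinet, Derek Manky or the editorial’s author. The look-alike table, the trusted-domain list and the sample links are constructed, and the subdomain test is a simplification that does not consult a public-suffix list. It goes slightly beyond the text by also flagging a trusted brand name buried inside an unrelated host (youtube.com.evil.example), a trick the eye falls for in the same way.

```python
from urllib.parse import urlsplit

# Constructed look-alike table for this example (not exhaustive): characters
# that pass for other letters at a glance, as in "y0utube.com" for "youtube.com".
SINGLE_CHAR_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
MULTI_CHAR_LOOKALIKES = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize_host(host: str) -> str:
    """Fold look-alike characters so 'y0utube.com' compares equal to 'youtube.com'."""
    host = host.lower().rstrip(".")
    for lookalike, letter in MULTI_CHAR_LOOKALIKES:
        host = host.replace(lookalike, letter)
    return host.translate(SINGLE_CHAR_LOOKALIKES)


def _under(host: str, domain: str) -> bool:
    """True if host is exactly the domain or a subdomain of it (www.youtube.com)."""
    return host == domain or host.endswith("." + domain)


def check_link(url: str, trusted_domains) -> dict:
    """Classify a link before clicking it.

    Verdicts: 'ok' (https and a trusted domain), 'warn' (trusted domain over
    plain http), 'suspicious' (look-alike host, or a trusted brand name inside
    an unrelated host) or 'unknown' (none of the trusted domains). The reasons
    list says why.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")      # urlsplit lower-cases the host
    if not host:
        return {"verdict": "suspicious", "reasons": ["no host name in the URL"]}
    reasons = [] if parts.scheme == "https" else ["not https"]
    trusted = [d.lower() for d in trusted_domains]

    # Exact or subdomain match against the raw host: the genuine site.
    if any(_under(host, d) for d in trusted):
        return {"verdict": "warn" if reasons else "ok", "reasons": reasons}

    # Otherwise compare after folding look-alike characters, and look for a
    # trusted brand name used as a decoy inside some other registrable domain.
    folded = normalize_host(host)
    flagged = False
    for domain in trusted:
        brand = domain.split(".")[0]
        if _under(folded, normalize_host(domain)):
            reasons.append(f"look-alike of {domain}")
            flagged = True
        elif brand in host:
            # e.g. youtube.com.evil.example: the real domain is evil.example
            reasons.append(f"'{brand}' appears inside unrelated host {host}")
            flagged = True
    return {"verdict": "suspicious" if flagged else "unknown", "reasons": reasons}


# Constructed sample links; the trusted list stands in for sites the user knows.
TRUSTED = ["youtube.com", "microsoft.com"]
SAMPLE_LINKS = [
    "https://www.youtube.com/watch?v=example",
    "http://www.youtube.com/watch?v=example",
    "https://y0utube.com/watch?v=example",
    "https://youtube.com.evil.example/watch",
    "https://rnicrosoft.com/update",
    "https://news.example.org/story",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = check_link(link, TRUSTED)
        print(f"{result['verdict']:10} {link}  {result['reasons']}")
```

The order of the two comparisons matters: the raw host is checked first so that a genuine domain which happens to contain a look-alike pair (the “rn” in modern.example, say) is never reported as an imitation of itself; folding is applied only to hosts that already failed the exact test.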

Be social, but be safe.


When Looking for News Stories About the Olympics, Stick with Mainstream News Sites

Cybercriminals exploiting luger’s death, Winter Olympics

Cybercriminals have been capitalizing on the world’s interest in the Winter Olympics in Vancouver to spread malware, experts warned.

Attackers have been using Twitter and black hat search engine optimization (SEO) tactics to promote fake Olympics videos that spread malware.

Within hours after Friday’s death of Georgian luge athlete Nodar Kumaritashvili, searches for “Olympic luge crash video” were poisoned to yield a malicious link near the top of search results, Roger Thompson, chief research officer at anti-virus vendor AVG Technologies, told SCMagazineUS.com on Tuesday. Users who visited the site were told they needed to download a codec to watch the video. The codec was actually malware.

During the middle of last week, cybercrooks began poisoning general Winter Olympics search queries, but significantly ramped up their efforts following Kumaritashvili’s death, Thompson said.

By Tuesday, the SEO campaign appeared to be winding down, but some search queries related to the Olympics still yield malicious links, Thompson said. Some of the poisoned search queries have included: “Sports Illustrated Olympic preview,” “luger who died video,” “luge accident video” and “luge tragedy video.”

“These guys organize a campaign and they treat it like a business,” Thompson said.

Cybercriminals also used Twitter over the weekend to lure users to a fake Olympics video that was propagating malware. Within minutes after the opening ceremonies ended Friday evening, cybercriminals began posting tweets from an account called “gamesvancouver,” Michael Sutton, vice president of security research at web security vendor Zscaler, told SCMagazineUS.com on Tuesday.

The postings read: “2010 olympics vancouver opening ceremony video,” and included a shortened URL, Sutton said. Users who followed the link were diverted to a site that mimicked the official website for the 2010 Vancouver Olympics. To view the supposed video of the opening ceremonies, users were told to download a codec, which was actually a trojan.

The malicious site was taken down by Sunday evening, Sutton said.

“It looks like they set it up solely for this attack and ran it for about a 24-hour period,” Sutton said. “This was a very methodical attack, where they were planning to take advantage of the hype around the ceremonies.”

Users should be cautious over the next few weeks of similar cyberthreats exploiting the Winter Games, experts said.

“I think end-user diligence is absolutely critical here,” Sutton said. “All these attacks — they aren’t actually taking advantage of a vulnerability — they are social engineering attacks convincing you to download a trojan.”

When looking for news stories about the Olympics, stick with mainstream news sites, Thompson recommended. And as a rule of thumb, don’t ever download a codec to watch a video.

“The attackers follow current events pretty closely,” Sutton said. “As soon as a story emerges on the news wire, you can guarantee there will be social engineering attacks taking advantage of it.”

Poisoned search results generally include a jumble of keywords, whereas legitimate search results typically include a full, coherent sentence, Thompson said.

February 16, 2010

Source: http://www.scmagazineus.com/cybercriminals-exploiting-lugers-death-winter-olympics/article/163849/


Crooks try to romance users with Valentine’s Day spam

February 01, 2010

Eat your heart out, cupid. Valentine’s Day still is nearly two weeks away, but the lover’s holiday is already attracting the attention of the web’s criminal element.

Researchers at Trend Micro on Monday said they have spotted two spam campaigns — one promoting a fake gift card promotion, the other counterfeit watches — in the wild, Maria Alarcon, an anti-spam engineer, said Monday in a blog post. As Valentine’s Day nears, internet users should expect the scams to get more malevolent.

“Every special occasion and/or holiday is, in today’s threat-laden internet landscape, not just a time for people to celebrate but also a time for spammers to scam unwitting users with their devious scams,” Alarcon said, adding that in more malicious cases, the fraudulent emails show up containing links or attachments to viruses.

And if previous holidays and media events are any indication, users also should be on the lookout for poisoned search results, also known as black hat search engine optimization (SEO). Attackers use this tactic to get their malicious links near the top of search results so users are fooled into believing the results are legitimate.

Black hat SEO is the new spam, Mike Geide, senior security researcher at Zscaler, a web security firm, said in a blog post last week. The recent Haiti earthquake is a prime example of this, he said.

“It used to be that when you checked your email and/or email spam folder, there would be a slew of messages with links or attachments that would have titles related to the popular subjects of the time, and would be used to spread malware,” he said. “Now the game seems to be that you sip your morning coffee and browse the web — largely driven from search results from Google. However, many of these search results cannot be trusted.”

Google has said it uses manual and automated processes to remove malware from its search index.

Source: http://www.scmagazineus.com/crooks-try-to-romance-users-with-valentines-day-spam/article/162893/
