Columbus State University Print Logo

Office of Information Security

Office of Information Security

Security Archives





 2017 Alerts:

Google Releases Security Updates for Chrome

Mozilla Releases Security Update

TA18-004A : Meltdown and Spectre Side-Channel Vulnerability Guidance

TA17-318B : HIDDEN COBRA – North Korean Trojan: Volgmer

TA17-318A : HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL

TA17-293A : Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors

TA17-181A : Petya Ransomware

TA17-164A : HIDDEN COBRA – North Korea's DDoS Botnet Infrastructure

TA17-163A : CrashOverride Malware

TA17-156A : Reducing the Risk of SNMP Abuse

TA17-132A : Indicators Associated With WannaCry Ransomware

TA17-117A : Intrusions Affecting Multiple Victims Across Multiple Sectors

TA17-075A : HTTPS Interception Weakens TLS Security




2017 Newsletters:

December:   Lock Down Your Login

November:   Shopping Online Securely

October:      Helping Others Secure Themselves

September:  Password Managers

August:        Backup & Recovery

July:            Gaming Online Safely & Securely

June:           Lessons From WannaCry

May:            Securing Today's Online Kids

April:           Passphrases

March:         Securely Using Mobile Apps

February:     Staying Secure on the Road

January:      Social Engineering



2017 Newsletters:

December:    Avoiding Holiday Scams

November:    Shopping Safely Online

October:       National Cyber Security Awareness Month

September:   Staying secure on Social Media

August:        Connected Home Devices: The Internet of Things

July:           Identifying and Reporting Common Scams

June:          Sun, Sand, and Cybersecurity

May:           Are You Really Being Secure Online?

April:           Digital Spring Cleaning

March:       Common IT Wisdom That Keeps You Secure

February:   Staying Safe From Tax Season Scams

January:      Looking Forward: 2017's Top Threat Prediction



Security tips of the week

 How fast will identity thieves use stolen info?
If you've been affected by a data breach, or otherwise had your information hacked or stolen, you've probably asked yourself, "What happens when my stolen information is made public?" At the FTC's Identity Theft workshop on May 24, 2017, the FTC Office of Technology staff reported on research they did to find out.

First, they created a database of information about 100 fake consumers. To make the information realistic, they used popular names based on Census data, addresses from across the country, email addresses that used common email address naming conventions, phone numbers that corresponded to the addresses, and one of three types of payment information (an online payment service, a bitcoin wallet or a credit card).
They then posted the data on two different occasions on a website that hackers and others use to make stolen credentials public. The criminals were quick to pounce. After the second posting, it took only nine minutes before crooks tried to access the information.

In total, there were over 1,200 attempts to access the email, payment and credit card accounts. The identity thieves tried to use our fake consumers' credit cards to pay for all sorts of things, including clothing, games, online dating memberships and pizza.

The research shows that Identity thieves are actively looking for any consumer credentials they can find: if your account data becomes public, they will use it.
So what can you do to limit your risk? Well, in this study, two-factor authentication prevented thieves from gaining access to the accounts. Two-factor authentication is a process that requires both your password and an additional piece of information (such as a code sent to your phone). Because these thieves did not have access to the second factor, they were unable to access the accounts. It's not a cure-all, but it can help.

Source: Federal Trade Commission - Consumer Information

Tech Support Scams
Last week, the FTC announced a bunch of cases against tech support scammers: the people who act like there's a problem with your computer and then try to convince you to fork over money to fix – ahem – "fix" it. Except there never was a problem, and they weren't really from tech support.

If you get an unexpected pop-up, call, spam email or other urgent message about problems with your computer, stop. Don't click on any links, don't give control of your computer and don't send any money.
Learn more about spotting tech scams and what you can do if you get a call or pop-up.

Source: Federal Trade Commission - Consumer Information

How to defend against ransomware
Here are some tips to protect your devices from ransomware, and what to do if you're a victim :

  1. 1. Update your software. Use anti-virus software and keep it up-to-date. And set your operating system, web browser, and security software to update automatically on your computer. On mobile devices, you may have to do it manually. If your software is out-of-date, it's easier for criminals to sneak bad stuff onto your device.
  2.  Think twice before clicking on links or downloading attachments and apps. According to one panelist, 91% of ransomware is downloaded through phishing emails. You also can get ransomware from visiting a compromised site or through malicious online ads.
  3.  Back up your important files. From tax forms to family photos, make it part of your routine to back up files on your computers and mobile devices often. When you're done, log out of the cloud and unplug external hard drives so hackers can't encrypt and lock your back-ups, too.

What if I'm a victim of ransomware?

  1.  Contain the attack. Disconnect infected devices from your network to keep ransomware from spreading.
  2.  Restore your computer. If you've backed up your files, and removed any malware, you may be able to restore your computer. Follow the instructions from your operating system to re-boot your computer, if possible.
  3.  Contact law enforcement. Report ransomware attacks to the Internet Crime Complaint Center or an FBI field office. Include any contact information (like the criminals' email address) or payment information (like a Bitcoin wallet number). This may help with investigations.

Should I pay the ransom?
Law enforcement doesn't recommend paying the ransom, although it's up to you to determine whether the risks and costs of paying are worth the possibility of getting your files back. If you pay the ransom, there's no guarantee you'll get your files back. In fact, agreeing to pay signals to criminals that you haven't backed up your files. Knowing this, they may increase the ransom price — and may delete or deny access to your files anyway. Even if you do get your files back, they may be corrupted. And you might be a target for other scams.

Source: Federal Trade Commission - Consumer Information

Free movies, costly malware 

"Something for nothing" sounds appealing, but often there's a hidden cost. If the something is a site or app offering free downloads or streams of well-known movies, popular TV shows, big-league sports, and absorbing games, the hidden cost is probably malware. Sites offering free content often hide malware that can bombard you with ads, take over your computer, or steal your personal information.

We recently downloaded movies from five sites that offered them for free. In all five cases, we ended up with malware on our computer. Generally, it served up a slew of unwanted ads.

And if that's not enough to make you pause, downloading pirated content is illegal.

Finally, some free download sites ask for a credit card to process your registration. It's not a good idea to give your credit card number to a site offering illegally downloaded content. They're run by "pirates," not legit business people, and you can't trust them with your financial information.

Source: Federal Trade Commission - Consumer Information