ISU Information Security

Equifax Isn’t Calling

Friday, September 15, 2017 13:38

If someone calls from Equifax, it’s a scam.

Read more here.

What If I’ve Been Hacked?

Monday, May 15, 2017 14:09

In the past couple of months, we have touched on how to secure our devices, our home network, our passwords and even ourselves.  Even with all of these safeguards in place, there is still a chance that we will be hacked.  So, what are we supposed to do when all of our safeguards fail?

Backups

The first thing we need to take care of is our data.  Regular backups should be made of all of our personal information, be it our desktops, laptops or mobile phones.  If a device is hacked, it could be massively important that we are able to recover any lost data.  Many ransomware attacks, for example, will hold a computer and its data hostage, demanding money to restore access to one’s own information.

Changing Passwords

This one is a bit more straightforward.  If one of our online accounts is hacked, we need to log in to the company’s website and change our password as soon as possible.  This should ensure that the attacker is not only logged out of the account, but that they cannot get back in any time soon, assuming the new password is strong and unique.

Be Mindful

An overall state of mindfulness is useful when it comes to security.  We need to keep an eye on all accounts such as credit cards or bank accounts, and if there is any strange activity noticed, the financial institution needs to be called right away.  This type of diligence will help us minimize the damage caused by a successful attack against us.

Securing Your Passwords

Tuesday, April 11, 2017 16:40

Virtually everyone has to remember at least one password, and most of us have to remember quite a few.  The tricks we use to keep track of these passwords might be convenient, but it’s worth considering if we can find a more secure way.  Here are a few tips to get us started.

Writing Down Your Password

If possible, don’t write passwords down.  It’d be very easy for someone with ill intent to grab a sticky note from a desk.  If it must be written down, be sure to remove the context.  For example, if the note with the password for a particular computer is stuck to that same computer, it’s clear what the password is for.  Likewise, if the password for an email account is written on a note without the email address it belongs to, it would be difficult to figure out what the password is for.  Remove the context and it will be much more secure.  Again, however, if at all possible, do not write passwords down.

Password Storage

Figuring out how to remember all of our passwords seems to be the glaring issue here.  The good news is that we don’t have to.  There are software applications called “password safes” that store passwords for us.  The software uses encryption to keep the passwords hidden, so it is much more secure than writing the password down.  There are many options for password safes and many of them are free.  A good place to start would be to search for KeePass or LastPass, but there are plenty of worthy alternatives.

Password Sharing

At some point, we may have to figure out how to get a password to another individual.  Luckily, there are some best practices for this as well.  First, don’t send a password through the body of an email.  This is not considered secure.  There are ways to store a password in an encrypted file and send the file via email, and various other similar methods.  Communicating a password over the phone is acceptable, as a typical phone line conversation isn’t easily intercepted by a third party like an email can be.  A better option, however, is to use password sharing features available in the earlier mentioned password safe applications.  Most password safes have the option to share a password securely with another individual who owns the same software.  This is an especially attractive option for businesses, as it allows for secure password sharing and storage across the board.

Password Best Practices

We not only have to minimize the chance that someone will guess or steal our passwords, but we also have to know what actions to take if they do.  One great method to deal with this is to use different passwords for each service.  This way, if someone gets hold of a password for one service, every other service won’t be compromised as well.  In this case, we would only have to reset our password for one service instead of multiple services.  Further, this makes identifying the service that leaked our password much easier.  The password safes mentioned above make it easy to keep track of multiple unique passwords, and some will even generate passwords set to your specifications.

It should be mentioned that nothing will guarantee that our passwords won’t fall into the wrong hands at some point, but each of the above tips will bring us one step closer to reducing the chances of a compromise occurring.

 

Securing Your Devices

Thursday, March 9, 2017 15:58

Last time, we talked about securing our home network.  This time, we need to address the security of our devices themselves.  Whether it’s a smartphone or a traditional computer, there are a few steps we can take to secure our devices.

Updates Are Your Friend

Although they are not always convenient, software updates are paramount to securing our devices.  Keeping our devices up-to-date means there are fewer security flaws that intruders can use to access these devices.  Not only that, but updates can simply improve the performance and stability of the device, so there aren’t many good reasons to skip updates.  Most newer devices should have automatic updates enabled, but be sure to double-check that this is the case.  Contact the manufacturer of the device or visit their website for detailed updating instructions.

What’s the Password?

Many of us know by now that putting a password or PIN on our devices can be an effective security strategy.  Virtually every modern device, whether a smartphone or other computer, has the capability of locking the device with a password.  Of course, if someone steals or finds a device, they won’t be able to use it if there is a password set.  Many smartphones will go as far as to lock the phone down completely if an intruder incorrectly enters the password too many times.  For the person looking to go the extra mile to secure their device, a password or PIN is a must-have.

Protect and Serve

Let’s get to the point: Every computer needs to have a firewall and anti-virus installed — period.  Having these will not only help us ward off potential threats, but they can also aid in eliminating malicious software already running on a device.  Many devices will have a firewall built in to the operating system, but the anti-virus software will likely have to be installed by the user.  There are many affordable and effective options out there, including some free anti-virus programs that really pack a punch.  Just remember, any legitimate anti-virus software is better than none at all.

Dispose With Care

When disposing of computers or mobile devices, be sure they are wiped of any personal information.  Even if the device is going to a relative or trusted friend, it is still worth being safe and wiping the device.  How to do this will vary from device to device, so be sure to contact the manufacturer or visit their website for detailed instructions.

These tips should be followed by anyone looking to make their devices more secure.  The peace of mind gained is worth the time.  Next time, we will look at ways we can secure our accounts and passwords.

Securing Your Home Network

Thursday, February 23, 2017 11:35

By now, many of us are aware that there are people on the internet who want to gain unauthorized access to our systems and information.  To help avoid this, we need to be aware of any weak points in our cyber security stronghold.  This time, we’re going to focus on our home WIFI router.  A router is what our devices use to access the internet at home, be it WIFI or wired, and can be a point of attack for those who want to do us harm.  If an attacker gains access to our WIFI network, they can often also gain access to any devices on that same network, and any files stored on them.  So, here are a few things we can do to secure our home router:

Access Router Settings

A router, like many other devices, has settings that can be changed or configured.  Using these settings, we can specify who gets to access the WIFI network, along with many other settings that might be useful.  But first, we need to figure out how to access these settings.  Luckily, this is a simple task that can be accomplished using any modern internet browser such as Chrome, Firefox, or Internet Explorer.  We will need to type the IP address of the router in the address bar of the browser to access the router settings.  Refer to the router’s manual for what this might be.

Log In as Administrator

Now, how do we get the login details?  They should be listed in the router’s manual, but if we can’t find it, there is a much easier way.  They can be found by simply Googling the brand name and model of the router, which is usually printed on the router itself, along with “admin password”.  There are many sites out there that post the default administrator username and password.  Try to visit only trusted sites, such as the internet service provider or the router manufacturer’s forums.

Lock It Down

Once we have logged in to the router, we will notice a plethora of settings.  With most modern routers, we can use these settings to ensure that our home is cyber secure.  First things first: we need to change the password for the administrator account we just used to log in, as anybody can find the default login details just as we did.  How to do this will vary widely from router to router, but if we dig through the settings, we should find an option to change account passwords.  Changing the administrator password is the first step to securing our home network.

Tighten the Screws

Once that’s done, we should set up a WIFI password if we haven’t done so already.  This will often be listed as a key of some kind in the wireless section of the router’s settings.  Also, we want to be sure the wireless network is using an effective security protocol, such as WPA2.  If that is an option, be sure to select it.  However, do not use WEP as that is known to be insecure.  There are likely many other options to peruse, so it’s worth browsing through to see if any of them are useful.

Doing these things will go a long way in keeping our systems and information more secure.  For more details on how to access router settings, refer to the router’s manual, contact the manufacturer, or visit their website.  Next time, we’ll be looking at how to secure your devices themselves.

Gooligan Malware Targets Android Users

Tuesday, December 13, 2016 11:28

There’s a new malware campaign in town, and its name is Gooligan.  Attackers are using this malware to infect Android devices and acquire the users’ Google account credentials.  This malware is responsible for the largest known Google account breach to date.  How does it work?  In simple terms, Gooligan takes advantage of known security flaws in out-of-date Android devices.  This allows the attacker to do anything the user of the device can do, all from a remote location, including accessing all Google services associated with the device.

The infection can begin with the user clicking a malicious website link, or they could be enticed into downloading an infected app from a third-party app store.  Once the app is installed, the attacker has full control.  There are security patches that can be installed to fix the security flaws, but they may not be available on all versions of Android, or the user may not have installed them.  So, if you have any Android devices, be sure to check for updates and install them on a regular basis.  Also, don’t install any apps from third-party websites or click on suspicious links.

If you want to check if your ISU Google account has been compromised, visit this website and enter your ISU email address, or any Gmail address, and click the check button.  If you find that your ISU account is compromised, contact the ISU IT Service Desk as soon as possible at (208)282-4357 or email help@isu.edu.  Stay safe out there!

Phishing: Hook, Line and Sinker

Wednesday, November 2, 2016 12:21

Have you ever been tricked by an email?  “What does that mean?”, you might ask.  Well, scammers can trick people into giving them personal information through email.  This is commonly called “phishing”.  This month, there are a few phishing attacks in particular that everyone needs to be on the lookout for.  Fake order confirmations, phony promises of money, and even false scanned document notifications are amongst the most common phishing attacks being performed.

If you want to learn more about phishing, or these attacks specifically, click here to read the full article.

Social Security Scams

Wednesday, August 17, 2016 13:31

There are two Social Security scams you need to watch out for at the moment.

The first one is where you receive an official-looking email from the Social Security Administration with an invite to create an account so you can receive your benefits. You land on a webpage where the scammers hope you will fill out all your confidential information. Don’t fall for it. Never click on links in any of these emails. If you want to sign up for a My Social Security Account go directly to https://ssa.gov/myaccount/

The second scam is where the bad guys actually create an account for someone, and redirect the payments to a bank account controlled by them, not the victim. To prevent this from happening, create your own MySSA account with a strong username and password. This is similar to filing your tax return early before the bad guys file a bogus return and steal your refund.

Another security measure I recommend is that when you create your MySSA account, go to the settings and choose the option that any changes to the bank account into which your check is electronically deposited only be done physically at a Social Security branch office and not using your online account. Note that you may have to travel to that office if you live far away.

Think Before You Click!

Jury Duty Phone Scam

Friday, April 1, 2016 15:14

A variation of the bogus computer support phone scam, the fake jury duty scam tries to pressure a victim into paying a fine or fee over the phone.

Scammers posing as federal marshals or court representatives call a target victim, claiming the victim failed to show up for jury duty. With a high pressure pitch, using tactics such as threats of arrest by federal marshals, the scammers attempt to con the victim into paying a “fine” via credit card or wire transfer. The scammers are relying on the average person’s lack of certainty with the law combined with the threat of legal actions to pressure the user into caving in and paying a bogus “fine”.

In truth, a court would not threaten an individual or make demands for immediate payments over the phone for failure to appear for jury duty.

Sophos Labs (an IT security research company) has some common advice for any phone scam.

  1. Hang up. Now. You’re better able to make a calm, collected assessment of the call when you’ve put some distance between you and the caller.
  2. Find an official way to call back. Don’t rely on anything you’re told by the caller (even if you aren’t suspicious), especially if that’s a phone number or a web address that they gave you.
  3. Be aware of federal court policy on the failure to appear for jury service, of which the US Court says this: “Typically, jurors who miss jury duty will be contacted by the court Clerk’s Office and may, in certain circumstances, be ordered to appear in court before a judge. A judge will impose any fine for failure to appear for jury duty during an open session of court [our emphasis], and the summoned juror will be given the opportunity to explain the failure to appear before any fine would (or is) be imposed.”
  4. Hang up and contact your local court clerk’s office or US Marshals Service office to check for any potential charges.

Related Links

Sophos Lab Article on Jury Duty Phone Scams

FBI’s page on Jury Duty Scams

Bannock County Clerk’s Jury Duty Page

Malware email attack targeting FedEx customers

Wednesday, March 23, 2016 14:56

Security researchers report that scammers are targeting FedEx customers through email in order to infect victim machines with malware.

In an email, crafted to appear “official”, the scammers inform the victim that FedEx has attempted to deliver a package and that the package will be returned unless the victim claims it at the local FedEx office. In order to claim the package, the victim will have to download and print out an attached form.

The malware is in the attached document and is loaded onto the victim’s computer once it is opened. Researchers have not identified the specific malware, though it does not appear to be ransomware.

FedEx has explicitly stated, “FedEx does not send unsolicited emails to customers requesting information regarding packages, invoices, account numbers, passwords or personal information.”

Users are reminded to be wary of any unsolicited email. Check the sender’s email address, and never click links in an email or download attachments from unsolicited sources. Never reply to unsolicited emails. If in doubt, contact the company through verified, publicly available means, never through contact info given in a suspect email.

Related Links

Security posting about the scam

FedEx’s response to the scam

More news on the scam