
These 2 seemingly distinct topics are very related. In the last 10 days I have been alerted to 16 data breaches that date back to 2017 and contain some number of accounts that have @wesleyan.edu in their account information. The reasons for the delayed notifications can be varied: companies are just finding out, companies don’t want to tell customers, companies are still sorting out what data has been compromised, and so on. This goes back to three previous articles that speak to the need for distinct passwords for each online account you have, the accompanying need for a password manager and, finally, for Multi-factor/Dual-factor/2-factor Authentication. Here is the list of what I have been notified of in the last 10 days alone.

Flash Revolution (2019 breach)

Stronghold Kingdoms data breach

GameSalad data breach

Armor Games data breach

Roll20 data breach

Artvalue data breach

EatStreet data breach

Bulgarian National Revenue Agency data breach

YouNow data breach

Animoto data breach

SHEIN data breach

piZap data breach

Netlog data breach

Evite data breach

“Hulu and HBO accounts”–A paste of accounts was found with this title on the web sites frequented by criminals. This is not to say that either Hulu or HBO has been compromised.

MindJolt data breach

The data breaches provide varying degrees of value to thieves based on what they contain, but with enough data points a pretty complete picture of a person can be created. The source of the 2017 report on identity-data value that I came across (below) is the same Equifax that was breached and lost all of the credit bureau data for 147 million accounts. Anyone else see the irony?

Personal data and identity theft have been a concern for years. However, while looking into these numerous breaches I came across some very interesting statistics.

  • Social Security number: $1
  • Credit or debit card (credit cards are more popular): $5-$110
  • With CVV number: $5
  • With bank info: $15
  • Fullz info: $30 (Note: “Fullz” is a bundle of information that includes a “full” package for fraudsters: name, SSN, birth date, account numbers and other data. It is desirable because it can often do a lot of immediate damage.)
  • Online payment services login info (e.g. PayPal): $20-$200
  • Loyalty accounts: $20
  • Subscription services: $1-$10
  • Diplomas: $100-$400
  • Driver’s license: $20
  • Passports (US): $1000-$2000
  • Medical records: $1-$1000*
  • General non-Financial Institution logins: $1

*Depends on how complete they are as well as whether it is a single record or an entire database

Because these data breaches are so frequent, the value of the once coveted SSN (Social Security Number) is now $1. The most recent statistic I heard was a 2018 report (podcast) of $.05, a nickel, but I cannot find that in writing. The point in either case is that there is so much data available on us that the value of it has plummeted in many cases. But your bank account, full medical records and passport information still fetch a fair sum. Making it as hard as possible for the bad guys to get your information is the best we can do if you have to provide that data. But if you do not need to put in information, then do not. Do not volunteer anything not specifically requested. And if it is a request for your SSN, driver’s license number, bank account number(s) or passport number, then ask why it is needed. If it seems suspect then stop, cancel the process and get the answer. If it is a form in an office then ask the desk attendant. As companies hemorrhage data, the best we can do to protect ourselves is to secure the information from simple access and limit what is provided.

Securing accounts has been a problem for quite a while. We often rely solely upon passwords. If done right, we use unique passwords for each account. Yes, that can become unwieldy, and I wrote an article about password managers that takes most of the pain away from that process. However, there is an additional step that can be taken to improve the security of your information even further. Setting up Multi-factor or Dual-factor Authentication is pretty simple to do and can really help to mitigate account compromise. Usually you are offered a text message, an email to a specified secondary account or a phone call as the second factor.

Now, these steps (unique passwords and MFA/DFA) do nothing to stop criminals from breaking into a company, scavenging data and stealing your account information. But MFA/DFA does block them from accessing your account via the front-door method of cracking your password and logging in as you.

 

Some sites/tools/applications that use or offer MFA/DFA: Yahoo Mail, Gmail (currently not the Wesleyan Gapps Gmail account), Outlook.com, Facebook and Messenger, to name a few. Please look into and enable MFA/DFA where you can. The few seconds it requires up front will save you countless hours of frustration if your account gets compromised.

Vince Spiars

Information Security and Operations Manager–ITS

Wesleyan University

Some IT terms to know

1) Social Engineering—in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.

2) Dox/Doxxing—Doxing or doxxing is the Internet-based practice of researching and broadcasting private or identifying information about an individual or organization. The methods employed to acquire this information include searching publicly available databases and social media websites, hacking, and social engineering.

3) IoT (Internet of Things)—household and other non-computer-like devices that connect to the internet for data streaming or data dissemination (“Smart” TVs, bathroom scales, refrigerators (you’re low on milk), washers and dryers, garage door openers, thermostats (Nest), doorbells (Ring), to name a few).

4) CyberSecurity—catchy name for securing your information and devices. Such devices include phones, computers, tablets and household devices that use internet connectivity.

5) AI (Artificial Intelligence)—the ability to have a computer extrapolate a single answer and a best answer based on input about the situation.

6) Cloud computing and Cloud Storage—put simply, it means servers/storage/computers that are housed elsewhere, not on-premises. Yahoo and Gmail are examples of cloud services, but they weren’t called cloud services. It is a marketing term more than anything.

7) Password spraying—an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords. Traditional brute-force attacks attempt to gain unauthorized access to a single account by guessing the password.

8) Password stuffing—the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.

9) Phishing (spear, whaling)

10) MFA/2FA (Multi-Factor Authentication/2-factor Authentication)—an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge, possession, and inherence. Two-factor authentication is a type, or subset, of multi-factor authentication.

11) Hacker—often used interchangeably with “criminal” in the news and common vernacular. A hacker is actually anyone who tinkers and looks for efficiencies and ways to automate or improve a product. This includes looking for weaknesses and security holes in a product. Criminals take that information and use it to their benefit regardless of harm to others.
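
The difference between password spraying and a traditional brute-force attempt (item 7 above) shows up clearly in authentication logs, which is where a defender looks for it. The following is an added example, not code from the post or from Wesleyan ITS, that classifies login sources over a few constructed log lines: the log format, the IP addresses and the thresholds are assumptions. Any account that actually logged in from a source flagged as an attack is listed so it can be reset and given MFA.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real Wesleyan data). One source
# hammers a single account, one source tries one guess across many accounts
# and gets in once, and one source is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2019-07-20T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-07-20T10:00:02Z src=203.0.113.5 user=alice result=FAIL
2019-07-20T10:00:03Z src=203.0.113.5 user=alice result=FAIL
2019-07-20T10:00:04Z src=203.0.113.5 user=alice result=FAIL
2019-07-20T10:00:05Z src=203.0.113.5 user=alice result=FAIL
2019-07-20T10:00:06Z src=203.0.113.5 user=alice result=FAIL
2019-07-20T10:01:00Z src=198.51.100.9 user=alice result=FAIL
2019-07-20T10:01:01Z src=198.51.100.9 user=bob result=FAIL
2019-07-20T10:01:02Z src=198.51.100.9 user=carol result=FAIL
2019-07-20T10:01:03Z src=198.51.100.9 user=dave result=FAIL
2019-07-20T10:01:04Z src=198.51.100.9 user=erin result=FAIL
2019-07-20T10:01:05Z src=198.51.100.9 user=frank result=OK
2019-07-20T10:02:00Z src=192.0.2.77 user=carol result=FAIL
2019-07-20T10:02:10Z src=192.0.2.77 user=carol result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)")


def parse_log(text: str):
    """Yield (src, user, succeeded) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["user"], m["result"] == "OK"


def classify_sources(text: str, brute_min_failures: int = 5,
                     spray_min_users: int = 5, spray_max_per_user: int = 2) -> dict:
    """Label each source IP as brute-force, password-spray or normal.

    brute-force:    many failures concentrated on a single account
    password-spray: failures spread thinly across many accounts
    Returns {src: {"label", "failures", "users", "compromised"}}.
    """
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failed attempts
    successes = defaultdict(set)                     # src -> users that logged in
    for src, user, ok in parse_log(text):
        if ok:
            successes[src].add(user)
        else:
            fails[src][user] += 1

    report = {}
    for src in set(fails) | set(successes):
        per_user = fails[src]
        total = sum(per_user.values())
        users = len(per_user)
        if users >= spray_min_users and max(per_user.values(), default=0) <= spray_max_per_user:
            label = "password-spray"
        elif total >= brute_min_failures and users == 1:
            label = "brute-force"
        else:
            label = "normal"
        # Accounts that succeeded from an attacking source need a reset and MFA.
        compromised = sorted(successes[src]) if label != "normal" else []
        report[src] = {"label": label, "failures": total, "users": users,
                       "compromised": compromised}
    return report


if __name__ == "__main__":
    for src, info in sorted(classify_sources(SAMPLE_LOG).items()):
        print(src, info)
```

A per-account lockout threshold catches the brute-force source but not the spray, whose single guess per account never trips it; counting distinct usernames per source is what exposes the spray, and the one success it scored is exactly the account MFA would have protected.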

How to better cybersecure your home—

The home is our place of comfort and implied security. However, cybersecurity is not in a default secure state of “on” when devices come from the factory. That is up to us when we bring the device(s) home and turn them on. This is a small list of items that can and should have the admin account password reset before being put into use in your home—

-app controlled light bulbs
-toaster
-refrigerator
-bathroom scale
-security cameras (wireless and those connected to a security console that records to a hard drive and is accessible via the internet)
-Wifi printer and remote-printing capabilities (example—email-to-print)
-“Smart” TV

Any device that connects to your home network, or that you connect to at home, should have the local administrator password changed. Manufacturers set a standardized default password so they can program and update the devices as they leave the factory. But once the devices arrive home those default admin passwords are still set, and all of them are available via the internet. Just do a quick search for “default admin password” plus your device model and manufacturer. Example—“default admin password linksys MR83000”. This unit does not have a default account but requires you to create one during your setup process. However, there are a lot of admin account user IDs and passwords listed for numerous other Linksys models. Secure your device(s) before you get hacked at home. You may not think you have anything of value, but tax forms, bank account information, and banking and financial applications reside on so many home computers. All the bad guys need is a way into your network to allow them to make their way to the computer/desktop that may house this private information. Sadly, we are protecting against “crimes of convenience”. These won’t be state actors (criminals from China, Russia, Iran or the US working on behalf of a government). These will be neighbors, passers-by and people targeting neighborhoods with a higher likelihood of better return rates for time spent rifling through your network. By putting on a password, or changing it from the default, you have put up a barrier for a criminal. That is likely enough to have them move on to the next house and try there.

Curiosity is a strong driver. Sometimes it is “can I do this”, “How do I do this”, “Oooooh. Something new to try”. I was faced with this yesterday with a USB stick. My CIO asked that I come see him in his office, held up a USB stick and said he had found it while walking. He then asked what he should do with it. “Should I break it with a hammer and throw it out, try to see what’s on it, give it to you, or something else?”

I was immediately energized. Whose was this? Would the files on the drive provide this information? Could I get it returned to the person? Was this person really missing the data? The adrenaline started to flow.

“I can take a look and see what’s there,” I replied. I have ways to open USB items and files without concern for infection by malware/viruses/spyware/ransomware, etc. I was handed the USB drive, walked to my office, put the disk down and went back to what I was working on before the call.

A few minutes later I looked at the drive and thought, “There are too many variables. There are too many possibilities of bad things going wrong no matter how careful I am. I genuinely have no idea where this came from. Was it from someone with no computer programming experience? Was it already unknowingly infected by the original owner via a compromised file they downloaded? Or was it from a very malicious programmer who is intentionally leaving drives around with the design of propagating their new attack mechanisms into the wild?” Knowing my limits and the potential risks, I decided my excitement to test my skills and tools was overriding my better judgement. I have returned the untouched USB drive to my CIO with the recommendation to destroy the drive and dispose of it without accessing it on his systems. The bad guys are very smart and very effective at their craft. If you do not know where something comes from, do not use or open it. If you have to attach unknown USB storage, then be sure to have your antivirus software scan it before it can be accessed. And be prepared to possibly lose all of your data, have to wipe your machine and start over. The risk does not outweigh the reward. Stay vigilant.

Best,

Vince Spiars

Information Security & Operations Manager

Exley Science Tower rm 513

ext 3072

Notice–Elsevier platform (e.g. Mendeley, Scopus, ScienceDirect) system compromise–PLEASE CHANGE YOUR ACCOUNT PASSWORD

https://motherboard.vice.com/en_us/article/vbw8b9/elsevier-user-passwords-exposed-online

According to the article they’ll be notifying users, but if you have an account on an Elsevier platform (e.g. Mendeley, Scopus, ScienceDirect) you should change your password now, as well as changing the password on any other accounts you have that use the same password as your Elsevier accounts.

Here are some more detailed guidelines from another library: https://library.carleton.ca/library-news/possible-leak-personal-information-elsevier

Beware what looks too good to be true–easy money. How this works is pretty straightforward. Once the communication begins between the two of you, more information will be asked for. Things like your SSN and bank numbers will be “needed” to deposit money. The funds sent will be far beyond your pay range, supposedly to cover the costs of some items. What happens next is that your bank account will be cleaned out and your money will be gone and untraceable. Never respond to email or phone job offers. If they cannot identify themselves and explain how they got your contact information and your resume, then block them and report it to security[at]wesleyan[dot]edu.

Here is the latest that students are receiving in their Wesleyan Gapps accounts—-

I am Michael Richie and I work as a clinical counselor for the department of Disability Resources and Educational Services (DRES). I provide individual and group therapy, coaching, assessment and academic screenings to support students with disabilities (physical, chronic, psychiatric, and invisible) registered with DRES. A large percentage of the students served by the mental health unit have psychiatric disabilities or co-morbid psychiatric disabilities and need mental health support to be successful at the university. In addition, many University students with academic difficulties and no prior diagnosis are seen and assessed through the academic screening and assessment process. I’m also the director of supervision, training and coordination of counseling psychology and clinical psychology graduate students of the United States who have practicums at DRES and APA-accredited school psychology predoctoral interns. You have received this email because you have an offer from the University Office for Students with Disabilities to work with me while we help Students with disabilities frustrated with ignorance and lack of services but as my temporary personal assistant. I care about Animal Welfare, Arts and Culture, Children, Civil Rights and Social Action, Education, Environment, Disaster and Humanitarian Relief, Social Services and lots more. This is a very simple employment. You will only help me Mail letters, Make payments at Walmart and purchase some Items when needed. This employment only takes an hour a day and 3 times a week for $320 weekly. I am unable to meet up for an interview because I am currently away and helping the disabled students in Australia. You will be paid in advance for all tasks and purchases to be done on my behalf and some of my personal letters and mails will be forwarded to your residence or nearby post office for you to pick up at your convenience. 
Upon my arrival we will discuss the possibility of making this a long-term employment if I am impressed with your services while I am away. My arrival is scheduled for the last week of May 2019. To Apply, Please email your Full name, Address, Alternate email (different from school email) and mobile number. Regards Michael Richie.

Though this article looks dated (2018) it is a current notification—-

As of May 2018, the FBI has seen an increase in cyber criminals exploiting the cardless ATM feature of mobile banking applications to compromise accounts and fraudulently withdraw cash from ATMs. Cardless ATM transactions use a code and a mobile phone for authentication rather than a debit card’s magnetic strip or EMV chip. Cyber criminals used SMS and email phishing campaigns to collect victims’ banking credentials, or SIM swapping to intercept communication, which criminals then used to withdraw cash. FBI reporting showed a significant decrease in the duration of this fraud scheme, from credential acquisition to ATM withdrawal, indicating criminals are quickly adapting to financial institution security measures. As more financial institutions adopt this feature, the exposure of loss increases.

Staying secure while traveling 

Whether it’s personal or work-related travel, there are things you can do to protect your information and systems.

Before you go 

  • If a device, credit card, or document is not required for your travel, leave it at home. 
  • Ensure that all your electronic devices are password protected and encrypted if possible in case of loss or theft. 
  • Run all updates to systems and applications prior to travel. Updates and patches acquired from unsecured networks may be malware in disguise. 
  • Enable remote wiping features, like Apple’s Find My iPhone, if possible. 
  • Backup any data on those devices in case of damage, loss, or theft.

While traveling 

  • Always keep portable equipment (cellphones, laptops, flash drives, DVD/CDs, PDAs, etc.) in your possession. 
  • Assume that any networks or devices other than yours are not secure. 
  • Use Wesleyan’s VPN on your laptop, smartphone, or tablet to create an encrypted connection to University resources. 
  • Disable services such as Bluetooth, Wi-Fi, and GPS when they are not needed. 
  • Avoid connecting to charging stations that do not involve direct connections to electrical outlets. 
  • Be careful about the information that you share via social media. (you don’t want to let the world know that your home is unoccupied) 
  • Consider using RFID-blocking wallets or bags to protect cards and passports from skimmers. 
  • If presenting or sharing research, be cognizant of different laws and social norms regarding intellectual property.

Back on Campus 

  • Change the passwords and PIN numbers on any accounts that you accessed while traveling. 
  • Reformat devices that have been used abroad, especially on unsecured networks. 

Sender: microsoftexchange329s7d8ae4615bbc36ab6ce471ec88aae4615bbcaae4615

Subject: You have received a document from Onedrive

If you click the link it takes you to a non-Wesleyan location:

hxxp://servicesll.blob43.core.windows.net/$web43/microsoft.html?sp=r&st=2019-01-20T14:15:43Z&se=2019-01-29T22:15:43Z&spr=https&sv=2018-03-28&sig=+IIeYA/DfQgEtvhP0WRlUzdgz0HAZz8sV1xx1S0nVvE=&sr=b#userID@wesleyan.edu

Please just delete this email.
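
A quick way to see why this link is suspicious without ever clicking it is to pull it apart. The following is an added example (not the author's or ITS's code) that refangs the defanged hxxp URL from the notice, reports the host, checks whether it sits under a trusted domain, and flags the fragment after # that pre-fills the recipient's address. The trusted-domain list is an assumption for the demo; the query parameter names (sp, st, se, sig, sr) are those of an Azure Storage shared access signature, which is what a core.windows.net blob link carries.

```python
from urllib.parse import urlparse, parse_qs, unquote

# URL copied from the notice above, defanged by the author (hxxp instead of http).
PHISH_URL = ("hxxp://servicesll.blob43.core.windows.net/$web43/microsoft.html"
             "?sp=r&st=2019-01-20T14:15:43Z&se=2019-01-29T22:15:43Z&spr=https"
             "&sv=2018-03-28&sig=+IIeYA/DfQgEtvhP0WRlUzdgz0HAZz8sV1xx1S0nVvE=&sr=b"
             "#userID@wesleyan.edu")

# Assumed list of domains a Wesleyan user should expect a document link to live under.
TRUSTED_SUFFIXES = ("wesleyan.edu",)


def refang(url: str) -> str:
    """Turn a defanged hxxp/hxxps link back into a parseable URL."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def host_is_trusted(host: str, suffixes=TRUSTED_SUFFIXES) -> bool:
    """True only for the trusted domain itself or a real subdomain of it.
    A look-alike such as 'wesleyan.edu.evil.example' must not pass."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(url: str, suffixes=TRUSTED_SUFFIXES) -> dict:
    """Summarise the parts of a link a reader should check before trusting it."""
    parsed = urlparse(refang(url))
    host = parsed.hostname or ""
    params = parse_qs(parsed.query)
    fragment = unquote(parsed.fragment)
    findings = []
    if not host_is_trusted(host, suffixes):
        findings.append(f"host {host!r} is not under a trusted domain")
    if "@" in fragment:
        findings.append("fragment pre-fills an e-mail address, typical of a credential-harvesting page")
    if "sig" in params and "se" in params:
        findings.append(f"signed storage link that expires {params['se'][0]} (short-lived, hard to report later)")
    return {
        "host": host,
        "trusted": host_is_trusted(host, suffixes),
        "prefilled_address": fragment if "@" in fragment else None,
        "expires": params.get("se", [None])[0],
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in triage(PHISH_URL)["findings"]:
        print("-", finding)
```

The host check is deliberately a suffix match on the whole label, so a registered domain that merely starts with the university's name is still reported as untrusted; the pre-filled address in the fragment is the tell that the page on the other end exists to collect the password for that specific account.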
