LastPass breach

Posted on Categories Security

What Happened?

On December 22, 2022, LastPass announced that they had a data breach a few months earlier. LastPass is password management software that 25.6 million people use to store their passwords. The password vaults of many people were stolen. This Wired article goes into more detail.

What Does This Mean?

If you use LastPass to store your passwords, it is possible that your password vault was stolen. The vault is encrypted, and the individual passwords in the vault are also encrypted. If someone is able to crack your vault password they could see the contents of your vault, minus the actual passwords. This also means they could access your current LastPass vault unless you have additional protections (two-factor authentication) in place.

Though your individual passwords are further encrypted, the website addresses and usernames are not encrypted in the vault. This means someone would know that you have a login to a given website and what your username is. That is enough information to target high-value sites like banking, PayPal and so on.

What Should I Do?

If you are a LastPass customer, you should:

  1. Change your LastPass vault password.
  2. Turn on two-factor authentication for your LastPass account.
  3. Change passwords on your high value (i.e. financial) logins that were stored in LastPass. Ideally change all passwords that were stored in LastPass.
  4. Consider whether you want to switch to another password manager. There are many other products, and they support exporting and importing passwords. This Wired article reviews several products.

What Does IT Think?

We think using a password manager is a great way to use complex passwords and still make them easy to use. Most password managers have a web browser plugin, so they work with a few clicks and no typing. This is a good reminder that any company is vulnerable to a breach, even a company that offers a security product. Because of this breach we no longer recommend LastPass as an option. We do recommend using a password manager. Again, the above Wired article reviews some options, and you can make a choice that fits your needs and budget.
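The steps above say to change high-value (financial) logins first and ideally everything that was stored in LastPass. The script below is an added example, not code from the post or from LastPass: it reads a password-manager CSV export and produces a prioritized change list, putting high-value sites and reused passwords at the top. It assumes the export has the columns url,username,password,name (a LastPass-style layout; adjust for another product), and the high-value domain list and the export rows are constructed for the example.

```python
"""Triage a password-manager CSV export after a vault breach.

Added example (not part of the Augsburg IT post and not LastPass code). It
assumes the CSV has the columns url,username,password,name, which is what a
LastPass-style export contains; adjust the column names for another product.
Delete the export file when you are done; it holds every password in clear text.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# High-value categories from the post: financial logins first. The domain
# list here is an assumed, constructed sample, not an authoritative list.
HIGH_VALUE_DOMAINS = {"bank.example", "paypal.com", "mail.example"}

# Constructed sample export; none of these are real credentials.
SAMPLE_EXPORT = """url,username,password,name
https://www.bank.example/login,alice,Summer2022!,Bank
https://paypal.com,alice@example.edu,Summer2022!,PayPal
https://forum.example/login,alice_f,correct-horse-battery-staple,Forum
https://shop.example,alice@example.edu,Summer2022!,Shop
https://mail.example,alice@example.edu,x7#Qm9!pL2vR,Mail
"""


def registrable_domain(url):
    """Return the host with a leading 'www.' removed (assumed simplification:
    multi-label public suffixes such as .co.uk are not handled specially)."""
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def triage(export_text):
    """Return (change_first, reused).

    change_first: entry names ordered so the ones to change first come first
    (high-value site, then reused password, then alphabetical).
    reused: maps each password used by more than one entry to those entry names.
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["name"])
    reused = {pw: names for pw, names in by_password.items() if len(names) > 1}

    def priority(row):
        # Lower tuple sorts first: high-value sites, then reused passwords.
        high_value = 0 if registrable_domain(row["url"]) in HIGH_VALUE_DOMAINS else 1
        is_reused = 0 if row["password"] in reused else 1
        return (high_value, is_reused, row["name"])

    change_first = [row["name"] for row in sorted(rows, key=priority)]
    return change_first, reused


if __name__ == "__main__":
    order, shared = triage(SAMPLE_EXPORT)
    print("Change passwords in this order:", ", ".join(order))
    for names in shared.values():
        # Report which entries share a password without printing the password.
        print(f"one password is shared by {len(names)} entries: {', '.join(names)}")
```

On the sample data the bank and PayPal entries come first (high-value and sharing a password), then the mail account, then the shop login that reuses the same password, and the forum last. A reused password is the reason the post says to change everything: once one site leaks it, every other site using it is exposed.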

Phishing reminder

Posted on Categories Security

Spear Phishing

We’ve been noticing more questions recently about suspicious emails that look like phishing. These days we tend to see more “spear phishing” campaigns. “Spear phishing” is just a way of saying it is a targeted phishing campaign. People are studying our website to learn our organizational structure and figure out who the people in authority are. Then they send an email pretending to be that person, from a free account they created (not associated with Augsburg or Luther Seminary).

These campaigns try to instill a sense of urgency: a person of authority needs your help. These are techniques to lure you in and, in the end, get money from you.

Here’s a recent example:

Hello, Are you available?

Notice the carefully crafted signature, which makes it appear to be from Provost Kaivola. But also notice the address the email is from: kaivola@my.com. That is not an institutional email address, and that odd address should be a red flag.

The best course of action is to mark this as spam so Google will be more likely to block it. We see most of these getting blocked, as they are becoming very common.

If you did reply, they will reply back saying that they are in a meeting and need your help with something important (sense of urgency).

I'm in a meeting right now and I need your help with something important. Can you? I will be waiting for your feedback

If you reply again they will ask for you to buy a gift card from some online store — we’ve seen iTunes and Steam recently — and they say they’ll reimburse you for it.  Again they will say it is urgent. This is a script we’ve seen over and over with these spear phishing campaigns.

I need the you to help me get a steam card from the store right now, I will surely REIMBURSE you back today once I'm done with meeting. I don't know when re meeting will be rounding up. So I need your help urgently. If you can help out I will love to get your feedback.

What should you do?

  1. If it seems fishy or odd, it is likely a scam. Mark it as spam so Google will be more likely to block it.
  2. If you’re truly not sure, contact the person directly by phone or institutional email address to confirm. Do not reply to the suspicious message.

Sharing Google documents or another phishing attack?

Posted on Categories Security

What happened?

The afternoon of May 3 saw a widespread phishing attack across the internet. The phishing email looks like a Google document sharing request, as shown below.

It is a convincing phish, but note the odd To: address. That should be a warning sign that something is off. In some cases people recognized the name of the sender, but it was spelled slightly wrong. That’s another warning sign.

The link, which you should not click on, takes you to a page that requests access to your Google account. Real Google Docs sharing does not need this access. Once you grant access, they will try to send more messages from your account to your contact list.

What can I do?

First, if you clicked the link, you should change your password on Inside Augsburg. This is true for any phishing email that has fooled you into clicking a link.

Second, and more importantly this time, you need to review all applications and websites connected to your Google account. The phish has tricked you into giving their application access to your Google account. You do not want that.

This is done in three quick steps.

  1. Visit https://accounts.google.com
  2. Under Sign-in & Security pick Connected apps & sites
  3. Click MANAGE APPS, then review and remove any sites or apps that you do not recognize. This phish shows up as “Google Docs”, which is very tricky. If you see that listed, remove it.


How can I learn more about information security?

We have a broad, self-paced information security course in Moodle that anyone at Augsburg can complete to improve their information security awareness. The course has about 35 minutes of short videos (closed captioned, no sound required). You can find it in Moodle Community at https://moodle.augsburg.edu/moodlecommunity/course/view.php?id=946.

National Cyber Security Awareness Month – Week 1

Posted on Categories NCSAM

National Cyber Security Awareness Month (NCSAM) – celebrated every October – was created as a collaborative effort between government and businesses to ensure every American has the resources they need to stay safer and more secure online.

At Augsburg, faculty and staff should renew their Information Security Awareness Certificate yearly through the short, 30-minute Moodle course.

If you ever have questions regarding information and computer security, an odd email message you receive, or other questions regarding data safety, do not hesitate to contact your LFC or the TechDesk.


Find out more information about National Cyber Security Awareness Month at their website https://staysafeonline.org/stay-safe-online/

Week 1: Oct. 3-7
STOP. THINK. CONNECT.: The Basic Steps to Online Safety and Security
Staying safer and more secure online starts with STOP. THINK. CONNECT. – the simple, actionable advice anyone can follow. STOP: make sure security measures are in place. THINK: about the consequences of your actions and behaviors online. CONNECT: and enjoy the Internet.

Whether banking, shopping, social networking, tracking our health or downloading the latest app, in today’s interconnected world, practicing good cybersecurity is critical. All digital citizens must learn to stay safer and more secure in their ever-expanding digital lives, including by preventing and responding to identity theft and scams, ensuring that home networks are secure, managing the security of mobile devices and teaching children to use the Internet safely, securely and responsibly. Week 1 shares simple ways we can protect ourselves and communities along with actions to take if impacted by a breach, cybercrime or other online issue. It will also examine the outlook for cybersecurity jobs and how to engage young people in pursuing careers devoted to protecting the Internet.


[Infographic: National Cyber Security Awareness Month, Week 1 (wk1_ncsam_2016)]

HeartBleed bug and Augsburg

Posted on Categories Security

You may recently have heard about Heartbleed, one of the biggest internet security flaws known. It is a flaw that leaves the passwords used on many sites vulnerable.

While accounts at Augsburg have not been directly affected by Heartbleed, it is worth taking the precautionary measure of resetting the passwords you use for social media sites such as Facebook, Instagram and Pinterest, and for email accounts through services such as Yahoo and others.

It is especially important that departments and individuals who manage official social media accounts for the College (such as athletic and academic departments) change the passwords used for these sites.

IT staff further recommend that Augsburg accounts each have unique passwords. A best practice is to avoid using the same password for multiple sites. This situation clearly illustrates the risk.

A full list of the sites known to have had vulnerable password systems is at http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

Please contact your LFC if you have questions about resetting your password.

Phishing – when at first you succeed, try and try again

Posted on Categories Security

Let’s try again.

The phishing attack from about 2 weeks ago is back, and it brought friends. The email is nearly the same too. The last attack did trick some people, so they might have thought they’d try it again. Here is the first email from today:

[Screenshot: Screen shot 2013-02-25 at 8.23.21 AM]

This time they fixed the typo. Did you catch it last time? I’ll review the phishy aspects of this email. All of these are red flags that should make you suspicious. If you feel suspicious, it is likely a scam and you can delete it. Always feel free to ask us too.

  1. You are being asked to login and update your email address.
  2. The subject is pretty generic.
  3. The From is miami.edu and not augsburg.edu.
  4. The message is not TO: you; it is BCC: (blind carbon copied) to you.
  5. If you clicked on the link (which you should not!), it goes to www.verderural.com.br, which looks a bit odd.

Shortly after the above email another phishing email was sent that represents a more standard attack.

[Screenshot: Screen shot 2013-02-25 at 10.21.01 AM]

Let’s count the red flags.

  1. The subject is pretty generic.
  2. The From is info@security.com (not the IRS).
  3. There is urgency to the message, and it involves taxes. Why would you need to visit a website about tax forms within 48 hours?
  4. The web address actually goes to a totally different website (see below).

About the web address.

Many email programs let you hover the mouse over a link without clicking it, so you can see where the link will go before clicking. My GroupWise client shows the link at the bottom of the email window (shown below). In both cases the actual destination is not the same as what the link appears to be in the email (big red flag).

[Screenshot: Screen shot 2013-02-25 at 8.41.18 AM]

[Screenshot: Screen shot 2013-02-25 at 10.21.01 AM]

This time I took a picture of the first login page before we blocked it on campus.  They made a copy of one of our web pages to try to fool you.

[Screenshot: Screen shot 2013-02-25 at 8.17.29 AM]

Even though the page doesn’t have any Augsburg logos, it looks rather official. But again, if you did click on the link (which you should not do!), notice the web address in the browser address bar at the top. Nothing there looks familiar, and the .br (Brazil!) should be a big red flag.

The second phishing email’s website is very, very tricky. See below.

[Screenshot: Capture2]

Let’s see what red flags exist on this web page.

  1. The address in the address bar is .br (Brazil). That should be a big red flag.
  2. The web page is asking for your Social Security Number and birth date.  Those should set off your alarms right away.  Those two pieces of information are critical to your personal information security.  You should never be entering those online in response to an email.  Those two pieces of information are the keys that gain entry into your whole personal financial world — guard them like they are made of gold.

What should I do if I did enter my password?

  1. The first thing you should do is go change your password on Inside Augsburg.
  2. Don’t worry if you can’t login to change your password — try to use the “Forgot password” link to reset it.
  3. If you can’t reset it, just call the Tech Desk or your LFC to get your account unlocked. It is very likely that if you gave up your password they are already sending spam; Augsburg IT will detect the hundreds of emails being sent and will have changed your password to lock out the phishing attacker.
  4. After you have changed your password be sure to update your phone and other mobile devices with the new password.

And to illustrate again, here is another student video, this time from Cal Poly Pomona.

Phishing – emails that try to get your password

Posted on Categories Security

What is phishing?

We just had an aggressive phishing attack on campus. What is phishing, you ask? It doesn’t mean salmon or cod are trying to get into our classes. Phishing is when someone tries to trick you into giving up personal information (username, password, financial info) by pretending to be someone else. There is “bait” to “lure” you in. They often use that info to take over your email account to send spam, but sometimes they may try to get at your personal information and financial accounts.

How to recognize phishing?

There is no perfect test for recognizing phishing, but you can look out for these red flags. Also, if something seems suspicious it’s probably a scam, and you should just delete the message.

  • You are being asked for your login, password, or being directed to go to a page and login.
  • The message seems to come from out of the blue.
  • The message is poorly written or has spelling errors.
  • It tells you this is urgent or important, or that you will lose access if you don’t act now. They are trying to scare you.
  • The From: doesn’t match the content of the message. Keep in mind the From: can be made to be anything (just like postal mail: I can send you a letter and write “President of the United States” as the return address).
  • If you do click on the link (though we recommend you do not), be sure to look at the address in the address bar.
  • Augsburg IT will not ask you for your password and will generally not ask you to login to a website.

Let’s look at the recent phishing email and see how many red flags it raises.

[Screenshot: Screen shot 2013-02-13 at 8.42.45 AM]

  1. You are being asked to login and update your email address.
  2. The subject is pretty generic.
  3. There is a typo (can you spot it?).
  4. The From is wisc.edu and not augsburg.edu.
  5. If you clicked on the link, it goes to alldayivebeenthinking.com/wp-content/themes/augsburg.edu.htm, which looks a bit odd.
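The red-flag checklist above, and the numbered lists in the earlier “try and try again” post (off-campus From: domain, BCC instead of To:, urgency, a link whose visible text does not match where it really goes), can be turned into a simple scorer. The script below is an added example, not code from the Augsburg IT posts: it parses a raw email and reports each red flag it finds. The institutional domain set, the urgency and credential word lists, and both sample messages are constructed assumptions for the example, not real messages.

```python
"""Score an email for the phishing red flags described in the posts.

Added example, not part of the Augsburg IT posts. The institutional domain
set, the word lists and the two sample messages are all constructed for the
example (assumptions), not real traffic.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

INSTITUTIONAL_DOMAINS = {"augsburg.edu"}  # assumed list of trusted sender/link domains
URGENCY_WORDS = {"urgent", "immediately", "48 hours", "lose access", "right now"}
CREDENTIAL_WORDS = {"password", "login", "log in", "update your email"}

# Constructed sample modelled on the red flags in the posts (not a real message):
# external From:, recipient blind-copied, urgency, and a link whose visible text
# claims to be an Augsburg page while the real target is a .br host.
SAMPLE_PHISH = """From: IT Help Desk <helpdesk@example-mail.edu>
To: undisclosed-recipients:;
Subject: Important notice
Content-Type: text/html

<p>Your mailbox will lose access in 48 hours. Login here to update your email address:
<a href="http://www.example-hosting.br/login.htm">https://inside.augsburg.edu/login</a></p>
"""

# Constructed legitimate message for comparison.
SAMPLE_LEGIT = """From: Tech Desk <techdesk@augsburg.edu>
To: alice@augsburg.edu
Subject: Moodle course reminder
Content-Type: text/html

<p>The security awareness course is available at
<a href="https://moodle.augsburg.edu/course">https://moodle.augsburg.edu/course</a>.</p>
"""


def domain_of(addr):
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def is_institutional(host):
    return any(host == d or host.endswith("." + d) for d in INSTITUTIONAL_DOMAINS)


def link_mismatches(html):
    """Return (real_host, shown_host) pairs for <a> tags whose visible URL text
    points at a different host than the actual href (the hover-the-link check)."""
    out = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S | re.I):
        real = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname or ""
        if shown and shown != real:
            out.append((real, shown))
    return out


def red_flags(raw, recipient):
    """Return a list of human-readable red flags found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    sender = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    if not is_institutional(domain_of(sender)):
        flags.append(f"sender domain {domain_of(sender)} is not institutional")

    to_addrs = [a.addr_spec for a in (msg["To"].addresses if msg["To"] else [])]
    if recipient not in to_addrs:
        flags.append("you are not in To: (blind copied)")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    plain = re.sub(r"<[^>]+>", " ", html).lower()  # strip tags for word checks
    if any(w in plain for w in URGENCY_WORDS):
        flags.append("urgency language")
    if any(w in plain for w in CREDENTIAL_WORDS):
        flags.append("asks you to log in or give credentials")

    for real, shown in link_mismatches(html):
        flags.append(f"link shows {shown} but really goes to {real}")
    for href in re.findall(r'href="([^"]+)"', html):
        host = urlparse(href).hostname or ""
        if host and not is_institutional(host):
            flags.append(f"link target {host} is off-campus")
    return flags


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        found = red_flags(raw, "alice@augsburg.edu")
        print(f"{label}: {len(found)} red flag(s)")
        for f in found:
            print("  -", f)
```

The constructed phish trips six flags (external sender, blind copy, urgency, a login request, a link whose text and target disagree, and an off-campus target); the constructed Tech Desk message trips none. A scorer like this does not replace judgement, but it mirrors what the posts say to look at by hand: the From: domain, the To: line, the tone, and where a link really goes.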

What should I do if I did enter my password?

  1. The first thing you should do is go change your password on Inside Augsburg.
  2. Don’t worry if you can’t login to change your password — try to use the “Forgot password” link to reset it.
  3. If you can’t reset it, just call the Tech Desk or your LFC to get your account unlocked. It is very likely that if you gave up your password they are already sending spam; Augsburg IT will detect the hundreds of emails being sent and will have changed your password to lock out the phishing attacker.
  4. After you have changed your password be sure to update your phone and other mobile devices with the new password.

This video by students at Cabrillo College will help you remember to watch out next time.