All posts by Gary Farris

W-2 Scam still prevalent

As we were warned in March by the state Office of Cybersecurity may happen, there has been a significant increase in the number of individuals across the state who have been victims of phishing schemes related to W-2 forms.

As the deadline for filing federal income taxes looms, the Office has announced that during the first quarter of this year, 55 data breaches were reported, with more than two-thirds of those related to a W-2 phishing scheme.

Those numbers compare poorly to the numbers for all of 2016, with a total number of breaches of 68, with 10% related to W-2 scams.

Read the full article at: https://cybersecurity.wa.gov/firms-across-u-s-falling-victim-to-email-scam-e45950d6da0f

Safe Computing!!

W-2 Scams

This is the time of year when everyone has their annual income tax filings on their mind and may be paying attention more than usual to information from or about the IRS .  This heightened attention is made-to-order for malicious actors who seek to exploit others.

The Washington State Office of Cybersecurity has posted some new information related to a rise in scams related to W-2 forms.  The article is worth reading as it addresses a specific scam that is prevalent this year, and provides some good basic information related to dealing with these types of malicious attacks.

The article can be found at:

http://cybersecurity.wa.gov/security-news/irs-beware-scam-targeting-w-2-forms

Safe Computing!

FBI Warning for Students

Hope your new year is going well!

The FBI has recently posted a warning about a scam that is targeting students in search of employment.

I won’t go into details here, as the FBI has published the full information they have as a public service announcement on their website at: https://www.ic3.gov/media/2017/170118.aspx

Even if you are not a student it is worth reading for the insight it gives to how malicious actors are trying to exploit the desire of students and graduates to find work.

Safe Computing!

Office of Privacy and Data Protection

As Washington state lawmakers continue to emphasize state-wide information security and data privacy efforts within state government, an office called the Office of Privacy & Data Protection was created to provide information and advice related to privacy issues affecting the public.  The Governor also appointed Alex Alben as the state’s first Chief Privacy Officer.

Efforts by this new office and others, such as the state Office of Cybersecurity and the Office of the Chief Information Officer, illustrate how important it is for each of us as college officials to protect data entrusted to state agencies and institutions, such as Bellevue College.

It is also important to understand that these efforts related to privacy and security are not just part of the job of each state employee, they also reflect the protections each one of us also have a right to enjoy as private citizens.

Therefore, all well-informed college officials and residents of the state should benefit from reading the Privacy Guide published by the new state office and from periodically taking a look at the Tips and Tools page they have put online related to both public and private use of information technology.

If you have any questions or concerns about information security and the privacy of data on campus, please feel free to contact me (x4077) or the Technology Service Desk (x4351)

Safe Computing!

PRIVACY RELATED SITES

Holiday Season Security

The state of Washington Office of Cybersecurity has recently posted a good article related to information security and online shopping at http://cybersecurity.wa.gov/resources/security-tips/.  This is a good time of year for this kind of reminder as we all are taking advantage of the convenience and ease of shopping online.

It cannot be emphasized enough that we each must constantly take care with our private information, particularly financial information like bank accounts and credit cards, and particularly when using or accessing such information using mobile devices.

Don’t trust public computers or wireless networks (even the college’s public Wi-Fi network) to be secure enough for these kinds of transactions.  It is not difficult for a malicious actor to be able to intercept wireless signals as they pass between your phone and the most secure wireless access point, thus having access to obtain whatever information you type into your device.  This could include account numbers, user names, passwords and personal identification numbers (PIN).

Do your online shopping with a trusted wired connection as often as you can (not with public computers like in a library or college computer labs–you never know if the person using it before you compromised the machine).  If you must use a mobile device, like a phone or tablet, be certain to follow the OCS guidelines to make your shopping “trip” as uneventful as possible.

Safe Computing!

 

Seasonal Phishing

Did you know that Phishing has a season, just like real fishing?

Statistics show that during the year-end holiday period, malicious users are more successful with phishing attacks about holiday giving or shopping because they tailor their message to fit the hustle and bustle and activities of the season.

Here is a short videowhich reminds all of us not to let our guard down just because we are too busy or distracted to carefully scrutinize an e-mail advertises a sale or touches our heart.

Have a good holiday season, and Safe Computing!

Video Reminders

The links below are to a couple of very short awareness videos published by a third-party which remind us of some of the basics related to the information security topics of malware and phishing.  Clicking on the links below will open the videos in a new browser window.

The principles discussed in each of these videos apply to both the workplace and to your use of technology at home.

If you are using Internet Explorer 10 or better, once you have gone to the shared OneDrive folder where these are stored, you can use the white pointers to move between the Individual videos without having to return to this page.

The arrows look like these:Right-pointing arrow head graphicLeft-pointing arrow head graphic

 

Other browsers will require you to click on each link individually.

Safe Computing!


Videos:

Don’t Let Malware Spoil the Fun! (1:50)

Phishing: What Would You Do? (1:24)

Cybersecurity Awareness… or not?

An interesting exchange of opinions recently occurred between two of my favorite news sources related to information technology security.

Since we are still in the midst of a month declared by the federal government as “Cybersecurity Awareness Month” (see both https://www.dhs.gov/national-cyber-security-awareness-month and https://staysafeonline.org/ncsam/), which is an effort to increase security awareness among regular technology users, the disagreement is interesting.

The premise of “cybersecurity awareness” is that all computer users need to be trained to be more knowledgeable and to apply their experience, knowledge and expertise in making the use of modern technology more secure.  This is a worthy goal, I believe.

However, Bruce Schneier,  a highly respected security expert and author, persuasively argued recently that maybe the computing industry should be less focused on educating the user and more on fixing the current state of technology:

Stop Trying to Fix the User

I am sure that many technology users will agree that there are basic technology fixes that should happen!  However, Lance Spitzer, the training director for the Securing the Human of the SANS Institute and security blogger for Educause disagreed with Bruce’s emphasis on the technology:

Why Bruce is Wrong

The college’s Information Technology Services division does as much as can be done technically to ensure that all users have as safe a computing experience as they can on campus.  However, given the state of computing technology, solving IT security issues with technical solutions is never going to be enough to make them non-existent.

Every one of you, as users of college systems, are still an important part of a robust security solution, and your ability to recognize something is wrong often proves better than the best technology solution.

So in a way, both of these authors are correct:  There absolutely should be better, more secure technological ways of doing some of the everyday things we do with computers, like click a link or login, but until that exists, users need to be better trained and more aware of how to evaluate the risks inherent in technology use on a daily basis and to respond when they experience attacks by malicious users.

This  will continue to be an interesting discussion, I think…

Safe Computing!

Lock Down Your Login

As October’s Cybersecurity Awareness Month continues, I thought I would refer once again to the federal Stop.Think.Connect information campaign and focus briefly on one particular topic currently being emphasized there.

Be careful and turn your speakers down before clicking on this link, as the page automatically plays a cutesy animated YouTube video, but the Lock Down Your Login page is a good introduction to what is known as Multi-Factor Authentication (MFA).   This site calls it “strong authentication.”

Once you as a user have been authorized to use a particular technology system, such as a banking website or your work computing network, authentication is the process of verifying your identity to that system so it can provide you the access needed.

Commonly, this is done by prompting a user to provide a login name and password, which in computing terms is considered “single-factor” authentication.

Multi-Factor Authentication is a mechanism through which a user is granted access only after more than one form of authentication is presented.  MFA may sometimes be referred to in the media or on websites as two-step authentication or two-factor authentication (2FA) , but technically 2FA is a subset of MFA.

One very common example of two-factor authentication is the use of a debit card (factor one-something you HAVE) and a PIN (factor two-something you KNOW) to withdraw money from an ATM.

Another example of MFA you may already experienced is the use of your thumb or finger print to unlock your cell phone.  In this case, the first factor (something you HAVE) is the phone, the second factor (something you KNOW) is the password you have previously saved on the phone, and a third factor (something you ARE) is the ability of the phone to read your thumbprint (also called biometrics).  If any of these factors are not available, you cannot access the information on the phone.

Most information security experts now recommend the use of MFA in all cases of authentication, particularly as more and more of our login information is being stored on servers all over the world and more and more of those servers are compromised.

For instance, commerce websites such as Amazon.com asks that you create a username and password (single-factor) to be able to use their service.  A compromise of that information on their servers by hackers or even company insiders could allow malicious users to pretend to be you and make purchases on your account without your knowledge.

The problem multiplies if you happen to employ the same password for different accounts on different systems.  Once one is compromised, all your accounts secured with a single-factor using the same password are potentially compromised.

If, however, if you have set up MFA with your Amazon account,  which allows you to receive a one-time random code via text message, automated phone call or third-party app (such as Google Authenticator or Microsoft Authenticator),  the malicious user cannot get into your account without using that code which only you have on your phone.  Even if they have somehow obtained both your username and password, they cannot login to the MFA protected account.

Other websites or networks now also use phone-based MFA, but there are also methods that are not phone-based, such as the use of security token generators or smart cards.

A few people think the extra step of obtaining and using a random code is too onerous to do every time you log into a particular account.  But this simple extra step increases the security of that account so significantly that most major online companies are preparing or already offering some sort of MFA for use with their accounts.  If that extra step prevents the use of your personal credentials even after a security breach, it is obviously worth it.

As someone who pays close attention to information security and the scary trending online threats and growing malicious practices, I choose to use MFA for my personal accounts whenever it is available, and use both phone text-based codes and app-based code generators.

The use of MFA is also growing quickly in the work place as institutions and business work to protect their internal technology resources, and is currently being tested here at Bellevue College for possible use with Office 365.

If you are worried about this, remember that a couple of decades ago our typewriters didn’t require a login at all, but after computers became ubiquitous, we learned how to function with usernames and passwords. Now it seems natural.

MFA will be the same kind of cultural revolution.   I think it is safe to predict that one day we will be using MFA for all of our accounts as another line of defense against malicious users, and won’t think twice about it.

Safe Computing!

State Office of CyberSecurity

The Washington State Office of Cyber Security (WA-OCS) was created in 2015 to help coordinate state-wide efforts to protect the electronic data and information held by state institutions and agencies (such as BC).

In addition to up-to-date advisory information for security professionals in state agencies, the website for WA-OCS also includes news articles, videos, security tips, lists of recent scams, and information about other resources that the general public may be interested in as they work to be safe online at home and protect their own and their family’s personal data.

As society continues to conduct more and more commerce and social interaction online and “in the cloud”–both professionally and personally–it can never hurt to be informed of the latest cybersecurity information.  So you may consider adding the WA-OCS website to your personal list of important information resources.

Safe Computing!