August Cyber Bytes

US govt warns Americans of escalating SMS phishing attacks

Source: BleepingComputer by Sergiu Gatlan on July 29, 2022

The Federal Communications Commission (FCC) warned Americans of an increasing wave of SMS (Short Message Service) phishing attacks attempting to steal their personal information and money. Such attacks are also known as smishing or robotexts (as the FCC calls them), and scammers behind them may use various lures to trick you into handing over confidential information. "The FCC tracks consumer complaints – rather than call or text volume – and complaints about unwanted text messages have risen steadily in recent years from approximately 5,700 in 2019, 14,000 in 2020, 15,300 in 2021, to 8,500 through June 30, 2022," the US communications watchdog's Robocall Response Team said.

"In addition, some independent reports estimate billions of robotexts each month – for example, RoboKiller estimates consumers received over 12 billion robotexts in June." False-but-believable smishing baits reported by American consumers to the FCC include claims about unpaid bills, package delivery issues, bank account problems, or law enforcement actions. Some of the most devious and convincing lures used in text message phishing attacks are links redirecting the targets to landing pages impersonating bank websites and asking them to verify a purchase or unlock frozen credit cards. Phishing text messages can also be spoofed to make it appear that the sender is someone you're more likely to trust, such as a government agency like the IRS or companies you may be familiar with. While some attackers will attempt to steal payment details, others are not as picky and will be happy to steal any personal information they can get their hands on, use in subsequent scams, or sell to other malicious actors.

To defend against SMS phishing attacks, FCC recommends taking the following measures:

•    Do not respond to texts from unknown numbers or any others that appear suspicious.
•    Never share sensitive personal or financial information by text.
•    Be on the lookout for misspellings or texts that originate with an email address.
•    Think twice before clicking any links in a text message. If a friend sends you a text with a suspicious link that seems out of character, call them to ensure they weren't hacked.
•    If a business sends you a text you weren't expecting, look up their number online and call them back.
•    Remember that government agencies almost never initiate contact by phone or text.
•    Report texting scam attempts to your wireless service provider by forwarding unwanted texts to 7726 (or "SPAM").
•    File a complaint with the FCC.

"If you think you're the victim of a texting scam, report it immediately to your local law enforcement agency and notify your wireless service provider and financial institutions where you have accounts," the FCC added.

Your Home Away From Home May Not Be as Cybersecure as You Think

Source: ThreatRavens by Abby Ross on July 13, 2021

Home is where the ‘smart’ is. A recent study revealed the average American household has 25 connected or Internet of Things (IoT) devices. The number of consumers who have smart home devices connected to their home internet has grown by 38% since the pandemic began. The findings don’t surprise Brad Ree, the chief technology officer (CTO) of Internet of Things solutions at the ioXt Alliance. Nor do they surprise Adam Laurie, IBM Security X-Force Red’s lead hardware hacker. Ree has more than 80 connected devices in his home. Laurie recently found five connected or IoT devices that he didn’t know existed inside his home. Even more, when he looked at the firewall rules on his internet service provider’s router, the universal plug and play (UPnP) was switched on, adding firewall rules for smart devices in his home unbeknownst to him.

In addition, with the pandemic nearing the rearview mirror, employees are starting to travel again. This increase also means vacation rental home bookings are up. One vacation home company notes that by the end of March 2021, 90% of its homes in New Jersey and Cape Cod were booked for July. Another company revealed the booking lead time for summer stays at its rental properties is 147 days this year.

Internet of Things Security in Vacation Homes
While renting a vacation home can provide more space for less money, it can also create more attacker opportunities. For example, Ree shared a story about a recent family vacation. He, his wife and kids stayed in a vacation rental home from where he worked for a week. Being the security savvy CTO that he is, the minute he entered the home, Ree performed a port scan to see if anyone else could connect to the network. To his surprise, various past visitors had added multiple firewall rules to the home network. Any one of the rules could have enabled the visitors to remain connected, even remotely. The access also meant if the visitors had malicious intentions, they could compromise Ree’s laptop and potentially his employer’s network. “You are staying in an open environment,” says Ree. “Don’t assume it is your house. In a vacation rental home, an attacker could easily scan open ports and see what’s connected.”

Invisible Connections
Every time you rent a vacation home and connect to its network or an IoT device, you leave a footprint behind that can be leveraged by an attacker. Laurie gave an example. Let’s say your children play video games while on vacation. They may use a headset, which plugs into the game console, to chat with other players. The console connects to the router, which creates a firewall rule that allows players to connect to a shared port. Then, whenever someone connects to that port on the internet service provider’s external address, that person can also connect to your children’s game console. Removing access, as Laurie points out, is tough. You would need a UPnP daemon, which the average consumer most likely does not have.

“When you leave the house, you can always connect to that port,” says Laurie. “If an attacker were to connect to that port, she would be routed to an address assigned to the game console.” Worse yet, imagine if the next visitor connected his work laptop to that same network. The visitor could run a business process on that same open port. Therefore, they can expose the laptop to other users with previous access. Vacation rental home networks typically do not adhere to the same security protocols as businesses. In business environments, routers are usually under an administrator’s control. That admin also likely limits IoT devices. The network isn’t open and insecure protocols are off. Many businesses apply the zero-trust model to their networks. Home and vacation rental home networks, on the other hand, typically do not have that kind of commercial-grade security. Ree refuses to even charge a phone in vacation rental homes for that reason.
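The leftover forwarding rules described above can be audited by reading the router's UPnP port-mapping table on arrival. The following Python is an added example, not part of the original article: it parses GetGenericPortMappingEntry replies and flags rules that are still enabled, never expire, or already point at an address one of your own devices has been given. The replies, addresses and function names are constructed for illustration, and fetching the replies from a real router is not shown.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: the SOAP reply a UPnP gateway (WANIPConnection:1)
# gives to GetGenericPortMappingEntry, one reply per forwarding rule.
# Assumption: the rental's router handed your laptop the address 192.168.1.23.
REPLY = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse
    xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
  <NewRemoteHost></NewRemoteHost>
  <NewExternalPort>{0}</NewExternalPort>
  <NewProtocol>{1}</NewProtocol>
  <NewInternalPort>{2}</NewInternalPort>
  <NewInternalClient>{3}</NewInternalClient>
  <NewEnabled>{4}</NewEnabled>
  <NewPortMappingDescription>{5}</NewPortMappingDescription>
  <NewLeaseDuration>{6}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse>
</s:Body></s:Envelope>"""
SAMPLE_REPLIES = [
    REPLY.format(3074, "UDP", 3074, "192.168.1.23", 1, "game console", 0),
    REPLY.format(8443, "TCP", 443, "192.168.1.50", 1, "camera", 3600),
    REPLY.format(5000, "TCP", 5000, "192.168.1.77", 0, "disabled rule", 0),
]


def parse_mapping(soap_xml):
    """Extract one port-mapping entry from a SOAP reply."""
    for elem in ET.fromstring(soap_xml).iter():
        if elem.tag.endswith("}GetGenericPortMappingEntryResponse"):
            arg = {c.tag: (c.text or "").strip() for c in elem}
            return {
                "external_port": int(arg["NewExternalPort"]),
                "protocol": arg["NewProtocol"].upper(),
                "internal_client": arg["NewInternalClient"],
                "internal_port": int(arg["NewInternalPort"]),
                "enabled": arg["NewEnabled"] == "1",
                "lease_seconds": int(arg["NewLeaseDuration"]),
            }
    raise ValueError("not a GetGenericPortMappingEntryResponse")


def audit_on_arrival(mappings, my_device_ips):
    """Classify enabled rules found before you created any; worst first."""
    findings = []
    for m in mappings:
        if not m["enabled"]:
            continue
        findings.append({
            "rule": f'{m["protocol"]}/{m["external_port"]} -> '
                    f'{m["internal_client"]}:{m["internal_port"]}',
            # DHCP can hand a previous guest's address to your device.
            "exposes_my_device": m["internal_client"] in my_device_ips,
            # In IGD version 1 a lease of 0 means the rule never expires.
            "permanent": m["lease_seconds"] == 0,
        })
    return sorted(findings, key=lambda f: not f["exposes_my_device"])


if __name__ == "__main__":
    rules = [parse_mapping(r) for r in SAMPLE_REPLIES]
    for f in audit_on_arrival(rules, {"192.168.1.23"}):
        print(f)
```

A rule with `exposes_my_device` set is the case Laurie describes: a port opened for an earlier guest's console now forwards internet traffic to the laptop that inherited its address.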

Protecting Against Loose Internet of Things Rules
So how can you protect your own devices the next time you stay in a vacation rental home? The easiest step is to immediately connect to the corporate virtual private network. Savvier technology users may want to go an extra step and run their own port scans. Laurie applies those kinds of extra security measures when he rents homes and cars. In a rental car, he always checks the Bluetooth history and conducts a factory reset before and after using the vehicle. You could do the same in a vacation rental home, although it may create a conflict with homeowners if they set up their own rules.

Ree stresses the need for IoT and smart home device manufacturers to step up their security controls and processes. Routers, for example, should not allow routing between nodes. The Federal Bureau of Investigation recommends that UPnP be turned off, although in some routers it may be turned on by default. Implementing a standard security label or certification could also help from a consumer and manufacturer standpoint. Manufacturers can validate their devices and have security controls and processes built-in before they go to customers, and customers can know which devices are more secure based on the security label.

5 reasons not to use work mail for personal matters

Why using a corporate mail account for personal matters is not a good idea

Source: Kaspersky Daily by Roman Dedenok on August 10, 2021

Many people know that using a personal mail account for business correspondence is a bad idea, yet they see nothing wrong with using a corporate address to register on social networks, online services, and other nonwork resources. It’s handy, after all, to receive all work and personal messages in one mailbox. That said, you’d be hard-pressed to find a reputable resource recommending it. From work-life imbalance to privacy violations (management and administrators may have access to your work mail), loss of access to services in case of dismissal, and more, the reasons not to mix business e-mail with personal are legion. In fact, the first consideration that should stop an employee from using a corporate mail account for personal matters is information security.

1. It makes profiling easier
Before sending a phishing e-mail to a specific employee, cybercriminals harvest information online, using specialized tools to learn which address someone uses on social networks, online platforms, and so forth. Using a corporate address for nonbusiness purposes makes you easier to profile by helping attackers build a social portrait of you, thereby making you more vulnerable to spear-phishing in the first stage of an attack on the company.

2. It facilitates spear-phishing
Cybercriminals choose the tricks they think will best ensnare their victims. If they learn you’ve used your corporate mail address to register elsewhere, they know you’re likely to fall for a phishing e-mail. All they have to do is disguise their message as a legitimate notification from a service that you really are registered on.

3. It provides criminals with a smoke screen
Typically, all a cybercriminal needs for an attack to succeed is time. That’s why many services send a note to the account holder if you or anyone else tries to log in from an unknown IP address or attempts to change the password. Of course, to get ahead of the hackers, you need to know about those warnings as soon as possible. To that end, arrange a riot of notifications in your mailbox. If you’ve linked your address to outside resources, when hackers (or their bots) begin trying to brute-force your social network and other personal accounts, your inbox will quickly fill with warnings and alerts.

4. More mass phishing and malware in the inbox
When it comes to securing customers’ data, not all online resources were born equal — hence the near-daily headlines about online leaks. And leaked databases are very popular with mass spammers, who simply buy lists of addresses to flood with malicious links or phishing messages. Essentially, the more resources you tie to your corporate mail account, the more potential threats you’ll see in your inbox.

5. The eyes glaze over
Speaking of seeing more messages in your inbox, that extra volume can lead to trouble. With greater variety — for example, nonwork e-mails among business messages — dangerous items become harder to spot. The more personal e-mails you read during business hours, the more likely you are to accidentally click on a malicious attachment or follow a phishing link.

Even if you don’t use a work address for personal matters, it’s important to deploy technical means to protect against spam and phishing. The more layers of protection, the better. We recommend securing the corporate infrastructure against phishing at both the mail server and the workstation levels.

How to Password Protect Any File

Put a digital lock on your most important data.

Source: Wired by David Nield on June 19, 2022

YOU NEVER KNOW when one of your files might reach someone it wasn't intended to reach—perhaps through an email forward, a USB stick left behind on a desk, or maybe even an unauthorized user accessing your computer. Should that happen, password protection is all that stands between your data and the people whom you don't want to see it. It's an extra layer of security you can add to your most sensitive files without too much trouble. How you go about this will depend on the software you're using to create the file in the first place. Some applications have password protection features built in, while in other cases you'll need to lock up your files using a different method.

Microsoft Word, Excel, and PowerPoint
In Word, Excel, or PowerPoint for Windows, open the file you want to protect with a password, then select File and Info. You should see a Protect option at the top of the next list: Click this button, choose Encrypt with Password, and type out your password. Passwords can be up to 15 characters long and are case-sensitive, so double-check what you're typing in. If you forget the password for a document, spreadsheet, or presentation, you won't be able to get back into it—you'll have to start again from scratch. If you're using Office on macOS, the process is slightly different: Open the Review tab in the ribbon menu at the top, then click the Protect button to enter a password. (The button will be labeled slightly differently depending on which program you're in.)

Google Docs, Sheets, and Slides
There's no password protection feature as such in Google Drive, because your files are already protected by a password: The password linked to your Google account that you use to log in and view your documents, spreadsheets, and presentations. If you choose to share a file from Google Docs, Sheets, or Slides—via the big Share button in the top-right corner when you're working on something—you can either invite specific users to see it (via their email addresses) or generate a link that anyone can use. We'd recommend the former option (inviting individual users) for maximum security. This means they'll need to log in with their own Google account password—another layer of password protection—before being able to view the file you've shared.

Apple Pages, Numbers, and Keynote
If it's the Apple office applications that you're using, the process of adding a password couldn't be much easier. With the file open in Pages, Numbers, or Keynote, select File and then Set Password to choose and apply your password. The same warning applies as it does with Microsoft Office—if you can't remember your password then you're not going to be able to get back into your document, spreadsheet, or presentation (otherwise hackers would be able to get in as well). Note the Open with Touch ID checkbox on the password dialog. This gives you the option of using a Touch ID–enabled keyboard on macOS to open your own protected files, saving you the trouble of typing out a password each time.

Protecting Other Files
We can't cover every application out there in terms of password protection, but if you dig around in the programs that you're using you might find that they offer this form of additional security while saving files. If not, you've still got a few options. Keeping files in cloud storage lockers (like Google Drive) is one option: The act of sharing files on these services usually requires a username and password to log in, so your files are kept safe in that way. Sometimes there are extra features. In the case of Dropbox, for example, on the folder-sharing pane on the web, you can click Settings and then change Who has access to People with password—so both a unique URL and a password are required for access. If you need another option, create a password-protected archive containing the file or files that you need to keep safe. 7-Zip is a free tool for Windows that is able to build password-protected archives, for example. Should your files be on an external hard drive, you can encrypt the entire drive and add a password to guard against unwanted access: In Windows, right-click on the drive in File Explorer and choose Turn on BitLocker; on macOS, go through the Disk Utility. Third-party applications such as VeraCrypt (free for both Windows and macOS) are also able to encrypt drives for you, adding password protection at the same time. It's a sensible choice if you're putting sensitive data on a portable storage device.

How to Safely Lend Someone Else Your Phone

The next time someone wants to borrow your device to make a call or take a picture, take these steps to protect your privacy.

Source: Wired by David Nield on July 24, 2022

FROM THE NEPHEW who wants to play games for a few minutes, to the friend who wants to see your vacation snaps, to the stranger who needs to make a call, there are going to be people who want to borrow your phone. That's quite a privacy and security risk if you think about everything that your phone gives you access to: social media profiles, banking details, instant messenger conversations, photos and videos that you'd rather the world didn't see, and so on. However, there are ways to hand over your phone to someone else without having to worry about what they might get up to on it. You just need to make sure that you've taken a few precautions before the exchange takes place.

The feature you need to know about on the iPhone is called Guided Access, and you can enable it by opening up iOS Settings and choosing Accessibility and Guided Access. Turn the Guided Access toggle switch on and the feature is ready to go—just make sure you use Passcode Settings to set a passcode to protect Guided Access mode. To actually turn Guided Access on, you need to triple-tap the home button if your iPhone has one, or the side button if it doesn't. You can then tap Options to configure how Guided Access is going to work: You're able to restrict access to the volume buttons, for example, and the software keyboard. You can even turn off touchscreen functionality and put a limit on Guided Access mode. Tapping Start launches Guided Access.

Whoever is using the iPhone is then locked into the current app, so you need to open up the app in question—the Phone app, a particular game, or whatever it is—before you triple-tap the button on your device to launch Guided Access. You get out of Guided Access with another triple-tap of the same button, at which point you'll need the passcode that you set at the start. The idea is that without the passcode, the person using your iPhone can't get out of the app you've put them in—there's no way to switch apps, open up the Control Center, or even turn the phone off. It's worth being aware of the app that they're in, though, and what they can do inside that app: If you're showing someone your photos, they'll be able to access all of them. One extra option in the Photos app is to hide photos and videos by opening them, tapping the share button (bottom left), and choosing Hide. This hides these pictures and clips in a special Hidden folder. They won't be visible in normal view in the Photos app, and they won't appear in searches, but the person borrowing your smartphone can still get at them by choosing Hidden from the Albums tab.

If you're using an Android device, you can take advantage of a feature similar to Guided Access on iOS. It's called App Pinning, and again the idea is that the person borrowing your phone is limited to one app. They're not able to get to another app or access the phone's settings without a PIN code set by you. There are certain software variations among Android phone makers when it comes to finding and enabling App Pinning, but you should be able to find it without too much trouble. On the stock version of Android that Google puts in its Pixel phones, you can enable it by going to the main Android Settings menu, then choosing Security, Advanced Settings and App Pinning. Turn on the Use App Pinning toggle switch, and make sure that Ask for PIN Before Unpinning is enabled as well—this prevents everyone but you from switching apps. To find the app you want to pin, swipe up and hold from the bottom of the screen until you see thumbnails of your recently used apps. Find the one you want, tap the app icon at the top, and choose Pin from the drop-down menu. To get out of app pinning, swipe up and hold from the bottom of the screen again. The phone will be locked, and your PIN code will be required to regain access and move between apps. Assuming that the person borrowing your phone doesn't know your PIN, you'll be able to keep them in one app. Like Apple Photos, Google Photos can also hide photos and videos, which can help if someone is browsing through your pictures. Open an image or clip, tap the three dots (top right), then choose Move to Locked Folder—the photos and videos that you send here can't be accessed without unlocking your phone first, which will require a PIN, a fingerprint scan, or a face scan, depending on how you've set it up.