April 2020 Safe Computing

Five Steps to Securely Work from Home

From the SANS Institute

Working from home may be new to you, and overwhelming as you adjust to your new environment. Below are five simple steps to working securely. These steps will not only help secure your work, but they will also make you and your family far safer as you create a cyber-secure home.

1. You

Technology alone cannot fully protect you: you are the best defense. Attackers have learned that the easiest way to get what they want is to target you, rather than your computer or other devices. If they want your password, work data or control of your computer, they will attempt to trick you into giving it to them, often by creating a sense of urgency.

For example, they may call you pretending to be Microsoft technical support and claim that your computer is infected. Or they may send you an email warning that a package could not be delivered, fooling you into clicking on a malicious link. The most common indicators of a social engineering attack include:

  • someone creating a sense of urgency;
  • pressure to bypass or ignore security procedures;
  • an offer too good to be true;
  • a message from a friend or co-worker in which the signature, tone of voice or wording does not sound like them.

2. Home Network

Almost every home network starts with a wireless network (wi-fi). Wi-fi enables all of your devices to connect to the internet. Most home wireless networks are controlled by your internet router or a separate, dedicated wireless access point. Both broadcast wireless signals to which home devices connect. This means securing your wireless network is a key part of protecting your home. 

To secure your home network: 

  • Change the default administrator password. The administrator account is what allows you to configure the settings for your wireless network. Default passwords are often printed on the device or published by the manufacturer, so anyone who can reach the router can log in with them. Contact your service provider if you need assistance.
  • Allow only people that you trust to use your network. Require a password for anyone to connect to your wireless network (in the router settings this means enabling WPA2 or WPA3 encryption, not the obsolete WEP), and provide this password only to people you trust and not to infrequent guests or others entering your home, such as maintenance personnel.
  • Make passwords strong. Longer passwords are more secure. Use a passphrase such as “smiling Mascot eats lobster”, with special characters and numbers inserted.

3. Use Strong Passwords
  • The more characters a password has, the stronger it is. Use a passphrase such as “smiling Mascot eats lobster”, with special characters and numbers. 
  • Use a unique passphrase for each device or online account. This way if one passphrase is compromised, all of your other accounts and devices are still safe. 
  • Use a password manager, which is a specialized program that securely stores all your passphrases in an encrypted format. 
  • Enable two-step verification whenever possible. It uses your password, but also adds a second step, such as a code sent to your email or smartphone. Where a service offers it, prefer a code generated by an authenticator app over one sent by SMS or email, since those can be intercepted or phished more easily.

4. Updates

Cyber attackers are constantly looking for new vulnerabilities in the software your devices use. When they discover one, they use special programs to exploit it and break into the devices you are using. The companies that create the software fix these vulnerabilities by releasing updates. Update your computers and mobile devices promptly, and enable automatic updates wherever possible on any device connected to a network: not only your work devices, but also internet-connected TVs, baby monitors, security cameras, and gaming consoles.

5. Family Members and Guests

Make sure that family and friends understand they cannot use your work devices. Information can be accidentally corrupted, erased or modified, or the device may be accidentally infected.


Personally-Owned Devices

While not recommended, you may find that you have to use a personally-owned device for work purposes. You are responsible for securing your personally-owned devices. The University offers guidance on the Use of Personally Owned Devices.

Information is provided on:

  • General best practices
  • Passwords and screen savers
  • Disk encryption
  • Automatic updates
  • Anti-virus
  • Firewalls
  • Data storage, protection and backup
  • Home network

Cyber Criminals Take Advantage of COVID-19 Pandemic

In recent weeks, cyber criminals have engaged in phishing campaigns against first responders, launched Distributed Denial of Service (DDoS) attacks against government agencies, deployed ransomware at medical facilities, and created fake COVID-19 websites that quietly download malware to victim devices. Cyber actors target businesses and individuals working from home via telework software vulnerabilities, education technology platforms, and business communications.

Cybersecurity companies have identified a number of campaigns that attempt to exploit concerns about the COVID-19 outbreak for criminal ends. Phishing campaigns have included email messages:

  • appearing to offer advice from the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO)
  • with subjects such as “Coronavirus Customer Advisory Issue” that appear to come from companies offering updates on the impact the virus is having on their operations
  • linking to malicious maps, including one imitating the live coronavirus tracking map published by Johns Hopkins University
  • requesting donations for victims of COVID-19.

Malicious cyber actors may use legitimate-looking phishing links or malicious mobile applications that appear to come from legitimate telework software vendors. Cyber criminals may target communication tools to overload services and take them offline. Cyber actors have also used video-teleconferencing hijacking to disrupt sessions by inserting pornographic images, hate images, or threatening language.

Phishing scams may target the ability to send wire transfers, checks, or gift cards. In a typical scheme, the victim receives an email purported to be from an individual or company the victim normally conducts business with; however, the email requests money be sent to a new account, gift cards purchased, or that standard payment practices be altered. 

The University has been seeing these phishing attempts for months, often with the subject line “Are you available?”, “Quick Request”, or “Urgent”. A new phishing campaign uses the subject line “COVID19 Update” and asks you to open a document named “COVID19 Update.docx”. It is presented as a Google document and asks you to open it and enter your credentials. Peer institutions are also reporting phishing attempts with legitimate-looking subjects, such as “From Your Health Team” and “Notice on Class Cancellations”, as well as messages targeting tax stimulus checks.

Watch out for look-alike, non-University accounts used to convince you that a message is legitimate (e.g. umpresident@yahoo.com, dannel.malloy.maine@gmail.com). The display name may show the name of a real University official; check the actual address and its domain.

Be on the lookout for the following:

  • the use of urgency and last-minute changes in wire instructions or recipient account information
  • last-minute changes in established communication platforms or email account addresses
  • communications only in email and refusal to communicate via telephone
  • requests for advance payment of services when not previously required
  • requests from employees to change direct deposit information.

By responding to prompts from malicious emails or sites, users may be tricked into creating accounts and providing personal information such as their name and Social Security number, or into infecting their devices with malware.

The National Cyber Security Centre (NCSC) offers tips on how to spot and deal with suspicious emails.

If you discover you are the victim of a fraudulent incident, immediately contact your financial institution to request a recall of funds. Report irregularities with payroll deposits. As soon as possible, report the incident to the Information Security Office at infosecurity@maine.edu.

Tips on Protecting Against Cyber Crime

  • Take a few seconds to search the claims made in a suspect email, text, call or post on Google, or visit the legitimate site of the individual or party claiming to have sent the message.
  • Verify requests using the contact information you already have on file for the person or company. Do not contact them through the link or phone number provided in the email.
  • Verify the sender’s actual email address, not just the display name. Mobile and handheld mail apps often show only the name, so expand it to see the address and confirm that it matches who the message claims to come from.
  • Check for last-minute changes in financial or payment instructions or recipient account information.
  • Verify the web address of legitimate websites and exercise caution with auto-complete addressing.
  • Check for misspelled domain names within a link (for example, confirm that addresses for higher education end in .edu and government websites end in .gov). A familiar suffix alone is not proof of legitimacy: anyone can register a .org or .com name, and a longer address that merely contains the University’s name is not a University address.
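The indicators listed in the two sections above can be checked mechanically before a message is acted on. The following Python script is an added example (not part of the original page and not University tooling) that applies them to raw email text: a sender on a consumer mail provider, an official-sounding display name on a non-University address, a Reply-To pointing at a different domain, subject lines from the campaigns named on this page, urgency and payment language, a credential request, Office-document attachments, and sender or link domains that are near-misses of a University domain. The trusted-domain list, the keyword lists and the three sample messages are assumptions constructed for the example; it uses only the Python standard library.

```python
"""Triage raw email text for the phishing indicators listed on this page. Added example,
not University tooling; the domain lists, keywords and sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"maine.edu", "umaine.edu"}  # assumed legitimate sending domains
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
KNOWN_SUBJECTS = {"are you available?", "quick request", "urgent", "covid19 update",
                  "from your health team", "notice on class cancellations"}
OFFICIAL_NAMES = re.compile(r"\b(president|chancellor|provost|dean|payroll|hr|it)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away|last.minute)\b", re.I)
PAYMENT = re.compile(r"\b(wire|gift cards?|direct deposit|invoice|payment|account number)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|credentials|sign in|log ?in|verify your account)\b", re.I)
RISKY_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsm", ".htm", ".html", ".zip", ".iso")

def edit_distance(a, b):
    """Levenshtein distance; catches typo-squats such as rnaine.edu for maine.edu."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def _squash(domain):  # drop last label and punctuation: 'maine-edu.com' -> 'maineedu'
    return re.sub(r"[^a-z0-9]", "", ".".join(domain.split(".")[:-1]))

def lookalike_domain(domain):
    """Near-miss of a trusted domain (rnaine.edu, maine-edu.com) or a trusted name inside a longer host."""
    if not domain or is_trusted(domain):
        return False
    return any(t in domain or edit_distance(_squash(domain), ref) <= 2
               for t in TRUSTED_DOMAINS for ref in (_squash(t), re.sub(r"[^a-z0-9]", "", t)))

def body_text(msg):
    """Concatenate the text/plain parts; attachments and HTML parts are ignored."""
    return "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain" and not p.get_filename())

def triage(raw_message):
    """Return 'code: detail' strings, one per indicator found; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    from_dom, subject, body = domain_of(addr), (msg.get("Subject") or "").strip(), body_text(msg)
    checks = [
        (from_dom in FREEMAIL_DOMAINS, f"freemail: {addr}"),
        (lookalike_domain(from_dom), f"lookalike-sender: {from_dom}"),
        (bool(name and OFFICIAL_NAMES.search(name)) and not is_trusted(from_dom),
         f"official-name-external-address: {name} <{addr}>"),
        (bool(reply) and domain_of(reply) != from_dom, f"reply-to-mismatch: {reply}"),
        (subject.lower() in KNOWN_SUBJECTS, f"known-subject: {subject}"),
        (bool(URGENCY.search(subject + "\n" + body)), "urgency-language"),
        (bool(PAYMENT.search(body)), "payment-request"),
        (bool(CREDENTIALS.search(body)), "credential-request"),
    ]
    findings = [text for hit, text in checks if hit]
    for part in msg.walk():  # attachment names come from Content-Disposition / Content-Type
        if part.get_filename() and part.get_filename().lower().endswith(RISKY_EXT):
            findings.append(f"attachment: {part.get_filename()}")
    for url in re.findall(r"https?://[^\s<>\"']+", body):  # hostnames of links in the body
        host = url.split("://", 1)[1].split("/")[0].split(":")[0].lower()
        if lookalike_domain(host):
            findings.append(f"lookalike-link: {host}")
    return findings

# Constructed samples, not real messages: a gift-card request from a look-alike personal account,
# a "COVID19 Update" lure with a document attachment and credential link, and a benign notice.
GIFT_CARD = """From: "UM President" <umpresident@yahoo.com>
Reply-To: um.president.office@gmail.com
Subject: Are you available?

I need you to handle something urgent today. Buy four gift cards and email me the codes.
I am in a meeting and cannot take calls.
"""
COVID_DOC = """From: "Health Team" <alerts@rnaine.edu>
Subject: COVID19 Update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached document and sign in with your University
credentials: https://maine.edu.docs-share.com/open
--b1
Content-Type: application/octet-stream; name="COVID19 Update.docx"
Content-Disposition: attachment; filename="COVID19 Update.docx"

--b1--
"""
MAINTENANCE = """From: "US:IT Help Desk" <it-help@maine.edu>
Subject: Scheduled VPN maintenance this Saturday

The VPN service will be unavailable Saturday from 2 to 4 a.m. No action is needed.
"""
```

Running `triage(GIFT_CARD)` flags the consumer mail provider, the official-sounding display name, the Reply-To mismatch, the known subject line, the urgency language and the gift-card request; `triage(COVID_DOC)` flags the typo-squatted sender domain, the subject line, the credential request, the .docx attachment and the link whose hostname merely contains maine.edu; `triage(MAINTENANCE)` returns an empty list. The look-alike check deliberately compares domains with punctuation and the final label stripped, so maine-edu.com scores as identical to maine.edu rather than four edits away; tune the distance threshold and the trusted list for your own environment, since short domains close to a trusted name will produce false positives.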

Teleconferencing (“Zoombombing”) and Online Classroom Hijacking 

Zoom has become far more heavily used as large numbers of people turn to video-teleconferencing platforms to stay connected during the COVID-19 crisis. Reports of hijacking (“Zoombombing”) are emerging nationwide. The University has received multiple reports of classrooms and conferences being disrupted by pornographic and/or hate images and threatening language.

As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts. The steps below can be taken to mitigate teleconference hijacking threats. Information on how to update your version of Zoom is available on the US:IT Zoom Support Resources page. You will also find tips and instructions on mitigation in the US:IT What Can I Do to Prevent Zoombombing page.

  • Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
  • Never click on a link provided in chat, email or elsewhere by someone that you do not know or trust.
  • Ensure you are using the latest version of your remote access and meeting applications. Zoom has tightened its default security settings by requiring passwords for meetings and by disabling the ability to scan for random meeting IDs to join.
  • When possible, do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
  • When possible, manage screen sharing options. In Zoom, change screen sharing to “Host Only.”

For meetings where the meeting link is posted on a publicly-accessible site:

  • Avoid using your Personal Meeting Room – a room permanently reserved for you and that you can access with your Personal Meeting ID (PMI). Think of this ID as your phone number. Your Personal Meeting Room is ideal for use with people you meet with regularly. However, because it is always accessible with the same Meeting ID and personal link, it should not be used for back-to-back meetings or people you do not meet with regularly. Once a participant has the link to your PMI, they can join it at any time the meeting is in use, unless you lock the meeting or use the Waiting Room feature to admit participants individually. To use a meeting ID that is not your PMI, open Zoom; click Schedule a Meeting; and under Meeting ID, select Generate Automatically. 
  • Use the Waiting Room feature. The Waiting Room is a virtual staging area that stops your guests from joining until you’re ready for them. To use the Waiting Room, open Zoom; click Schedule a Meeting; and under the Waiting Room option, make certain it is Enabled.
  • Once the meeting has started, you can Lock the meeting, so that no new participants can join. With the meeting underway, click Participants at the bottom of your Zoom window; in the Participants pop-up, click the button that says Lock Meeting.

US:IT has been working with Zoom to provide the most secure web conferencing environment possible. As of Thursday, April 9, US:IT has changed the default setting for new meetings to require a password.

If you are a victim of a teleconference hijacking, or any cyber-crime, contact the Information Security Office at infosecurity@maine.edu.


The Information Security Office has new information resources available, including a page on remote work and COVID-19 cyber security available from the Information Security portal.

Questions? Comments? Contact UMS Information Security at infosecurity@maine.edu.

(Content for this page was provided by Jean Schmidt, UMS Information Security Analyst)