Security Tip

Identifying Hoaxes and Urban Legends

Chain letters are familiar to anyone with an email account, whether they are sent by strangers or well-intentioned friends or family members. Try to verify the information before following any instructions or passing the message along.

Why are chain letters a problem?

The most serious problem is from chain letters that mask viruses or other malicious activity. But even the ones that seem harmless may have negative repercussions if you forward them:

  • they consume bandwidth or space within the recipient’s inbox
  • you force people you know to waste time sifting through the messages and possibly taking time to verify the information
  • you are spreading hype and, often, unnecessary fear and paranoia

What are some types of chain letters?

There are two main types of chain letters:

  • Hoaxes – Hoaxes attempt to trick or defraud users. A hoax could be malicious, instructing users to delete a file necessary to the operating system by claiming it is a virus. It could also be a scam that convinces users to send money or personal information. Phishing attacks could fall into this category (see Avoiding Social Engineering and Phishing Attacks for more information).
  • Urban legends – Urban legends are designed to be redistributed and usually warn users of a threat or claim to be notifying them of important or urgent information. Another common form is the email that promises users monetary rewards for forwarding the message or suggests that they are signing something that will be submitted to a particular group. Urban legends usually have no negative effect aside from wasted bandwidth and time.

How can you tell if the email is a hoax or urban legend?

Some messages are more suspicious than others, but be especially cautious if the message has any of the characteristics listed below. These characteristics are just guidelines—not every hoax or urban legend has these attributes, and some legitimate messages may have some of these characteristics:

  • it suggests tragic consequences for not performing some action
  • it promises money or gift certificates for performing some action
  • it offers instructions or attachments claiming to protect you from a virus that is undetected by anti-virus software
  • it claims it’s not a hoax
  • there are multiple spelling or grammatical errors, or the logic is contradictory
  • there is a statement urging you to forward the message
  • it has already been forwarded multiple times (evident from the trail of email headers in the body of the message)

If you want to check the validity of an email, there are some websites that provide information about hoaxes and urban legends:

Authors

Mindi McDowell and Allen Householder, http://www.us-cert.gov/ncas/tips/st04-009

 

 

Protecting portable devices

What is at risk?

Only you can determine what is actually at risk. If a thief steals your laptop or mobile device, the most obvious loss is the machine itself. However, if the thief is able to access the information on the computer or mobile device, all of the information stored on the device is at risk, as well as any additional information that could be accessed as a result of the data stored on the device itself.

Sensitive corporate information or customer account information should not be accessed by unauthorized people. You’ve probably heard news stories about organizations panicking because laptops with confidential information on them have been lost or stolen. But even if there isn’t any sensitive corporate information on your laptop or mobile device, think of the other information at risk: information about appointments, passwords, email addresses and other contact information, personal information for online accounts, etc.

How can you protect your laptop or internet-enabled device?

  • Password-protect your computer: Make sure that you have to enter a password to log in to your computer or mobile device (see Choosing and Protecting Passwords for more information).
  • Keep your valuables with you at all times: When traveling, keep your device with you. Meal times are optimum times for thieves to check hotel rooms for unattended laptops. If you are attending a conference or trade show, be especially wary—these venues offer thieves a wider selection of devices that are likely to contain sensitive information, and the conference sessions offer more opportunities for thieves to access guest rooms.
  • Downplay your laptop or mobile device: There is no need to advertise to thieves that you have a laptop or mobile device. Avoid using your device in public areas, and consider non-traditional bags for carrying your laptop.
  • Be aware of your surroundings: If you do use your laptop or mobile device in a public area, pay attention to people around you. Take precautions to shield yourself from “shoulder surfers”—make sure that no one can see you type your passwords or see any sensitive information on your screen.
  • Consider an alarm or lock: Many companies sell alarms or locks that you can use to protect or secure your laptop. If you travel often or will be in a heavily populated area, you may want to consider investing in an alarm for your laptop bag or a lock to secure your laptop to a piece of furniture.
  • Back up your files: If your mobile device is stolen, it’s bad enough that someone else may be able to access your information. To avoid losing all of the information, make backups of important information and store the backups in a separate location (see Good Security Habits for more information). Not only will you still be able to access the information, but you’ll be able to identify and report exactly what information is at risk.

What can you do if your laptop or mobile device is lost or stolen?

Report the loss or theft to the appropriate authorities. These parties may include representatives from law enforcement agencies, as well as hotel or conference staff. If your device contained sensitive corporate or customer account information, immediately report the loss or theft to your organization so that they can act quickly.

Author

Mindi McDowell through US Computer Emergency Readiness Team (US-CERT)

Keep kids safe online

SafeKids.com offers advice and tools for keeping youth and teens safe online. The site is not just about computers: it also provides information on, and another look at, photo sharing apps, cyberbullying, smartphone use and other topics to keep adults informed about what youth are doing online. There, you can also use Google’s SafeSearch engine, which filters out sites that contain inappropriate content, including images.

The following are the first three rules for safe family cell phone use that SafeKids.com has published.

  1. Have a conversation about when it’s okay and not okay to use the phone for talking, texting, apps and other functions. This should include both time and place. Talk about rules for cell phone use during dinner, at social events and in public places like movie theaters and restaurants.
  2. Consider having a centralized resting place for the phones to charge up while family members are sleeping. There are lots of reasons why phones shouldn’t be used or sending out audible alerts after bedtime. Just because your phone may also be an alarm clock doesn’t mean it necessarily should be sitting on your or your kid’s nightstand.
  3. Talk about the polite use of the phone, such as not talking in a loud voice (people think it’s necessary but it usually isn’t) and not talking or texting in a way that will disturb others or violate your privacy.

See the rest here.

Who is really on the other end of the line?

Beware of fake support scams!

Your phone rings. The caller ID says ‘Windows Support,’ so you answer.

“Hi,” the caller says, giving a name. “I’m calling from Windows support. We’ve been receiving some error messages from your computer.” The caller says he can fix those errors if you give him remote access to your computer. You’re worried, so you agree.

Next, the caller says he needs to download software to your PC to fix the problem. He also requests your credit card number to pay for the software and tech support services.

Sound suspicious? It is. The tactic is commonly known as a ‘Windows support scam’ or ‘tech support scam,’ and anecdotal evidence suggests it’s on the rise.

In October 2012, the Federal Trade Commission (FTC) announced an international crackdown on Windows support scammers. But since then, publications such as Computerworld, Forbes, the San Francisco Chronicle and others have reported that the scam appears to be occurring more frequently.

The Scare Tactics
Windows support scammers succeed too often because they scare their victims into thinking something’s terribly wrong with their computer. The scenario described above is just one of their tactics. Here’s what can happen during a ‘Windows support call.’

  • In some cases, the caller ID may say ‘Windows Support’ or display a number from area code 425, which serves the Washington state area including Redmond—Microsoft’s headquarters. This doesn’t mean the call is legitimate, however, as scammers often use caller ID spoofing to mask the true phone number from which they’re calling.
  • The caller usually identifies himself as being from Microsoft, Dell, Cisco, an Internet Service Provider (ISP), or other known computer/service companies.
  • When you ask for proof that the caller has seen error messages from your computer, he may direct you to look at a Windows Event log on your PC. The log typically displays harmless error messages, however, which could look like legitimate problems to less savvy computer users.
  • Once they gain your confidence, scammers will try to convince you to pay for their ‘tech support services,’ which may be a one-time fee or a subscription. Not only do you pay for useless tech support, you’re giving your credit card information to a criminal, who may use it for unauthorized charges or sell it to other criminals.
  • The software that the caller downloads onto your PC to ‘fix’ it may contain Trojan horse malware designed to steal your online account information and passwords.

Windows Support Scam Variations
If all that weren’t enough, there are other types of tech support scams you should be aware of.

In January, the FTC’s website reported scams in which callers say that if you previously paid for their tech support services, you may be due a refund. They’ll ask if you were happy with their services (chances are, your answer is “no”). Or they’ll explain the company is going out of business. Because you paid for a tech support subscription from them, you’ll get a ‘refund.’ Their motive, of course, is to convince you to give them your credit card or banking information so they can steal your money instead of refunding it.

Separately, tech support scammers have been targeting mobile users, too, through cold calls or online ads, according to PC World. The mobile scam goal is usually to get you to pay for bogus tech support subscriptions of $300 a year, more or less.

There’s also the old ‘scareware’ ploy, in which some websites display bogus pop-up windows or banners telling you that your computer may be infected with spyware or viruses. The goal is to get you to purchase and download fake security software, which could be malware.

What You Can Do About It
Never give strangers remote access to your PC. Microsoft, ISPs and other companies aren’t going to call you out of the blue claiming to have seen errors coming from your computer.

Did you fall for the scam? Ask your credit card company to block or reverse the charges ASAP. You may need to be issued a new credit card.

Scan your PC for viruses, spyware and other malware using your computer’s security software. In worst-case scenarios, you may have to back up your data, reformat your hard drive, and reinstall Windows to be sure you’re rid of any downloaded malware.

Of course, the best step is to be aware of the Windows support scam so you don’t fall for it. Tell friends and family about it, too—especially those who are less savvy about computers and Internet-related scams.

Posted on December 10, 2014 by ZoneAlarm

Scam of the Week: Holiday Coupon Alert

It’s the Holiday Season for the bad guys too! But not the way you might think. They go into scam-overdrive mode, and starting with Black Friday and Cyber Monday (the busiest online shopping days), they are out to get rich with your money until the holidays are over. Bryant Bradburd, City of Seattle Chief Technology Officer, passes on this advice:

  1. At the moment, there are too-good-to-be-true coupons that offer free phones or tablets on sites all over the Internet. Don’t fall for it. Make sure the offers are from a legitimate company.
  2. Watch out for alerts via email or text that say you just received a package from FedEx, UPS or the US Mail, and then ask you for some personal information. Don’t open any attachments and don’t enter anything. Think Before You Click!
  3. There is a fake refund scam going on that could come from Amazon, a hotel, or a retail chain. It claims there was a “wrong transaction” and wants you to “click for refund” but instead, your device will be infected with malware. Again, don’t open any attachments and don’t enter anything.

So, especially now, be constantly alert and willing to fight back by using common sense. Remember to only use credit cards online, never debit cards. Be super-wary of bulk email with crazy good BUY NOW offers and anything that looks slightly “off.”

If you think you might have been scammed, stay calm and call your credit card company, have that card disabled and get a new one. Happy Holidays!

Erasing your computer

As we head into the holiday season, there are a lot of ads for new computers at reasonable prices.  However, before selling or discarding an old computer, or throwing away a CD or DVD, you will want to make sure that you’ve copied all of the files you need. You’ve probably also attempted to delete your personal files so that other people aren’t able to access them.  Unless you have taken the proper steps to make sure the hard drive, CD, or DVD is properly erased, people may still be able to resurrect those files.

Effectively Erasing Files, a security tip by Mindi McDowell and Matt Lytle published by US-Cert.gov, provides this information in a way that is easy to understand.  Visit this site to read the full article, which includes information about where deleted files go, what the risks are for not erasing them completely, information about reformatting and advice for ensuring that all your information is completely erased.

Kids and online safety from Microsoft

With the start of the school year comes the increased use of computers and the Internet at home, school and on the go.  At Microsoft’s Safety and Security Center, you can find resources in their Family Safety Center on setting rules of online safety, online bullying, social media use, playing games online and using tech on the go.  Each topic area provides tips, resources and tools you can use to help your kids stay safe online.  This information is also available in eleven languages, including Chinese, Korean, Russian and Spanish.

Online safety for college-bound kids

Previous generations didn’t need to have “the digital talk” but in a world where what goes online stays online, it’s essential.  Here are eight tips for the college-bound from our City of Seattle Office of Information Security:

1. The Internet is forever – Think about future employers, including those coveted summer internships. Don’t post anything online, including inappropriate photos, which would make a future employer think twice about hiring you. Good judgment is something employers look for; show that you have it.

2. Don’t add your address to your Facebook profile – Keep your address private. Anyone who needs your address can get it from you directly.

3. Don’t broadcast your location – Go ahead and check-in at your favorite coffee place and post photos of you and friends at a concert. Just do it sparingly. People don’t need to know where you are all the time or when your dorm room or apartment might be empty.

4. Don’t “friend” people you don’t know – Be choosy when it comes to friending people on social media. Just because someone sends you a friend request doesn’t mean you have to accept it—especially if you have no idea who they are.

5. Guard your social security number – Your social security number is a winning lottery ticket to a fraudster. It is the key to stealing your identity and taking over your accounts. Keep your social security card locked away in a safe place. Memorize the number so you can minimize using the card itself. Question anyone who asks for your social security card. Employers, banks, credit card companies and the department of motor vehicles are some of the few legitimate entities who may need your social security number. Never give it out online or in email.

6. Don’t use the same password everywhere – All your accounts need a password, but not the same one. Consider using an all-in-one password manager. If you choose this option make sure that you log out of the service when not in use. Get in the habit of locking your computer and shutting it off at night.

7. Beware of emails phishing for personal information – Be very wary of any email with a link that asks you to disclose your credit card details, username, password or social security number. These emails can look official but no bank, or other legitimate business, should email asking for this information.

8. Be Wi-Fi savvy and safe – Free Wi-Fi at coffee shops, libraries and restaurants makes these great places to hang out and study. However, free comes at the cost of security. Unsecured networks create the risk of identity theft and of other personal information being stolen. Make sure sites you visit use encryption software (website addresses start with https:// and usually display a lock in the browser address bar) to block identity thieves when using public Wi-Fi. Additionally, be careful to avoid using mobile apps that require credit card data or personal information on public Wi-Fi as there is no visible indicator of whether the app uses encryption. In general it’s best to conduct sensitive transactions on a secured private network or through your phone’s data network rather than public Wi-Fi.

 

Should your organization consider The Cloud?

Once upon a time, all software had to be directly installed onto computers—but more and more, vendors are hosting software that users access via the Cloud. Maybe you use Google Drive or Dropbox, Office 365, or a Cloud-based database. Maybe you’re interested in what such hosted services offer, but are worried about the security risks. Moving to the Cloud is not for everyone–how do you know if it’s right for your organization? The answer is simple: by evaluating it against your own particular needs.

Idealware.org, a nonprofit organization helping nonprofits make smart software decisions, has created a free new workbook, Should Your Organization Consider The Cloud, to help you to make decisions about using cloud software.

Read the full article here and receive your free copy of the workbook to help get you started.

Have a scam free vacation

Heading out of town? Make sure you come back with a nice post-vacation glow and not a case of identity theft. Here are some things you can do to lessen the chances you’ll be a victim.

Limit what you carry. Take only the ID, credit cards, and debit cards you need. Leave your Social Security card at home. If you’ve got a Medicare card, make a copy to carry and blot out all but the last four digits on it.

Know the deal with public Wi-Fi. Many cafés, hotels, airports, and other public places offer wireless networks — or Wi-Fi — you can use to get online. Two things to remember:

  • Wi-Fi hotspots often aren’t secure. If you connect to a public Wi-Fi network and send information through websites or mobile apps, the info might be accessed by someone it’s not meant for. If you use a public Wi-Fi network, send information only to sites that are fully encrypted (here’s how to tell), and avoid using apps that require personal or financial information. Researchers have found many mobile apps don’t encrypt information properly.
  • That Wi-Fi network might not belong to the hotel or airport. Scammers sometimes set up their own “free networks” with names similar to or the same as the real ones. Check to make sure you’re using the authorized network before you connect.

Protect your smartphone. Use a password or PIN, and report a stolen smartphone — first to local law enforcement authorities, and then to your wireless provider. In coordination with the Federal Communications Commission (FCC), the major wireless service providers have a stolen phone database that lets them know a phone was stolen and allows remote “bricking” so the phone can’t be activated on a wireless network without your permission. Find tips specific to your operating system with the FCC Smartphone Security Checker at fcc.gov.

ATMs and gas stations — especially in tourist areas — may have skimming devices. Scammers use cameras, keypad overlays, and skimming devices — like a realistic-looking card reader placed over the factory-installed card reader on an ATM or gas pump — to capture the information from your card’s magnetic strip without your knowledge and get your PIN. The FBI offers tips to avoid being scammed by a skimmer.

Watch that laptop. If you travel with a laptop, keep a close eye on it — especially through the shuffle of airport security — and consider carrying it in something less obvious than a laptop case. A minor distraction in an airport or hotel is all it takes for a laptop to vanish. At the hotel, store your laptop in the safe in your room. If that’s not an option, keep your laptop attached to a security cable in your room and consider hanging the “do not disturb” sign on your door.

Still, despite your best efforts to protect it, your identity may be stolen while you’re traveling. Here’s what you can do.

http://www.consumer.ftc.gov/blog/scam-free-vacation