Cyber Safety for Students: The Back to School Edition

As the summer break comes to an end, many students will be returning to school with mobile devices, such as smart phones/watches, tablets, and laptops. Although these devices are a great aid in helping students complete school assignments and projects, as well as stay in touch with family and friends, there are numerous risks associated with using them. The goal is to help our students manage their digital lives responsibly. Here are a few simple steps parents and students may use to help keep them safe while using their devices.

Kellep Charles, Digital Protection Expert, Researcher and Educator at SecurityOrb.com recommends:

For the student:

No matter what social media platform you are using, consider the type of information you are sharing with others and ensure you are limiting it to prevent your identity from being compromised. Here are the common cyber risks you may face when using social media:

  • Sharing sensitive information – Sensitive information includes anything that can help a person steal your identity or find you, such as your full name, Social Security number, address, birthdate, phone number, or where you were born.
  • Posting questionable content – Remember that when you apply for school or future employment, they may look at your social media accounts before bringing you on board. Questionable content can include pictures, videos, or opinions that may be offensive, rude, vile, or mean, or that seem unprofessional, and that can damage your reputation or future opportunities.
  • Tracking your location – Many social media platforms allow you to check in and broadcast your location, or automatically add your location to photos and posts. Think twice before allowing that to happen.

SIMPLE TIPS

  1. Remember, there is no ‘Delete’ button on the Internet. Think before you post, because even if you delete a post or picture from your profile only seconds after posting it, there is a good chance someone still saw it and may have obtained a copy.
  2. Don’t broadcast your location. Location or geo-tagging features on social networks are not the safest features to activate. You could be telling a stalker exactly where to find you or telling a thief that you are not home.
  3. Connect only with people you trust. While some social networks might seem safer for connecting because of the limited personal information shared through them, keep your connections to people you know and trust.
  4. Keep certain things private from everyone. Certain information should be kept completely off your social networks to begin with. While it’s fun to have everyone wish you a happy birthday, or for long-lost friends to reconnect with you online, listing your date of birth with your full name and address gives potential identity thieves pertinent information. Other things to keep private include sensitive pictures or information about friends and family. Just because you think something is amusing does not mean you should share it with the world.
  5. Speak up if you’re uncomfortable. If a friend posts something about you that makes you uncomfortable or you think is inappropriate, let them know. Likewise, stay open-minded if a friend approaches you because something you’ve posted makes them feel uncomfortable. People have different tolerances for how much the world knows about them, and it is important to respect those differences. Also report any instances of cyber bullying you see.

For the Parents:

BE AWARE OF WHAT YOUR KIDS POST ONLINE. Understand the cyber risks kids face when using social media. Talk to your kids about the following risks:

  1. What they are posting – Talk to your kids about the information they post online. Many of them don’t understand the damage they could do to their reputation or future prospects with unkind or angry posts and compromising photos or videos.
  2. Ensure your kids are not sharing or posting sensitive information – Sensitive information includes anything that can help a person steal your child’s identity or find them, such as their/your full name, Social Security number, address, birthdate, phone number, or place of birth.
  3. Compromising content – This includes photos or status updates that may damage your child’s reputation or future prospects.
  4. Unkind or angry content – This includes anything malicious directed at themselves or another person, as well as opinions that are probably better left unshared.
  5. Who they are connecting with – Social media allows kids to connect with their friends, but there is also a risk of connecting with someone they do not know or who is only pretending to be a kid.
  6. What level of privacy they are using – Many social media platforms have privacy settings that allow users to limit who sees their content. There are also settings for location tracking and geo-tagging of photos or statuses.

SIMPLE TIPS FOR PARENTS

  1. Talk to your kids. Help them understand the importance of owning their digital lives and only sharing things that will not put them in danger, negatively affect their future, or harm others.
  2. Emphasize the concept of credibility to teens: not everything they see on the Internet is true and people on the Internet may not be who they appear to be.
  3. Watch for changes in their behavior. If your child suddenly avoids the computer, it may be a sign they are being bullied or stalked online.
  4. Review security settings and privacy policies for the social media sites kids frequent. These settings are frequently updated so check back regularly.
  5. Periodically review social media accounts to ensure no questionable content or inappropriate connections are established.

The bottom line: mobile devices and the Internet are wonderful things, and every step should be taken to be a good digital citizen. Unfortunately, even when you follow the proper steps, bad things can occur. Understanding what to do and where to go can be the difference maker.

EC Council Coming to Capitol Technology University

On November 14 and 15, Capitol Technology University is hosting a cybersecurity conference. Day one will be EC Council Advanced workshops. You may sign up here: https://iclass.eccouncil.org/capitol-technology/. Day two will be presentations of accepted research papers. All papers must be submitted by October 15, and accepted papers will be published in a special edition of the American Journal of Science and Engineering (you can get their template here: http://ajse.us/instruction-for-authors/). Send submissions to: wceasttom@captechu.edu

The Capital One Data Breach and What Can You Do to Protect Yourself

In one of the biggest data breaches, a hacker by the name of Paige Thompson gained access to more than 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people’s names, addresses, credit scores, credit limits, balances, and other information. However, the company stated no credit card account numbers or log-in credentials were compromised in the breach.

Capital One first heard about the hack on July 19th, but waited until July 29th to inform customers as they worked with law enforcement to investigate the breach.

Paige, who is 33 years old and lives in Seattle, had previously worked as a software engineer for Amazon Web Services, the cloud hosting company that Capital One was using. She was able to gain access on March 22 and 23 by exploiting a misconfigured web application firewall.

Thompson posted the information on GitHub, a site where developers store their projects and network with like-minded people, using her full name. She also boasted on social media about having Capital One information and about the method she used to obtain the data.

What will Capital One do for you?

The breach affected around 100 million people in the United States and about 6 million people in Canada, according to Capital One. Consumers and small businesses who applied for Capital One credit cards from 2005 through early 2019 are most at risk at this time. Capital One will offer anyone whose data was hacked $125 or free credit monitoring for 10 years.

What should you do to protect yourself?

SecurityOrb.com recommends the following steps to protect yourself after a possible data breach:

  • Change your passwords immediately. When creating a new password, use a combination of upper and lower case letters, numbers and symbols, and give each website you visit a unique password.
  • You should consider using multifactor authentication instead of passwords.
  • You should never give out personal details over the telephone, even if the caller seems to represent Capital One or the email appears to be from a Capital One address.
  • You need to be careful whenever you are contacted by an unsolicited caller. Hang up and call the number on your card.
  • You should immediately freeze your credit reports at the three major firms: Equifax, Experian and TransUnion.
  • You should check your credit card statement to make sure there are no unauthorized charges.
  • You should file your taxes as early as possible.

This is the latest in a long line of data breaches, privacy violations and hacks affecting hundreds of millions of Americans.

  • Two years after Equifax revealed that hackers accessed the personal information of up to 147 million people.
  • Last year, Facebook announced that U.K.-based Cambridge Analytica improperly accessed 87 million Facebook users’ data.
  • WhatsApp, the messaging and audio app owned by Facebook, announced last May that hackers were able to install spyware on Android smartphones and Apple

Capital One says it will notify affected individuals via a variety of channels, and make free credit monitoring and identity protection available to everyone affected.

CentOS Update for bpftool CESA-2018:3651 centos7

CentOS Update for bpftool CESA-2018:3651 centos7 (OID: 1.3.6.1.4.1.25623.1.0.882981)

Summary

The remote host is missing an update for the ‘bpftool’ package(s) announced via the CESA-2018:3651 advisory.

Vulnerability Detection Result

Package kernel version kernel-3.10.0-862.el7 is installed which is known to be vulnerable.

Solution

Solution type: VendorFix

Please install the updated package(s).

Affected Software/OS

bpftool on CentOS 7.

Vulnerability Insight

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: stack-based buffer overflow in chap_server_compute_md5() in iscsi target (CVE-2018-14633)

* kernel: NULL pointer dereference in af_netlink.c:__netlink_ns_capable() allows for denial of service (CVE-2018-14646)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Vincent Pelletier for reporting CVE-2018-14633 and Christian Brauner for reporting CVE-2018-14646.

Bug Fix(es):

These updated kernel packages include also numerous bug fixes. Space precludes documenting all of the bug fixes in this advisory.

Vulnerability Detection Method

Checks if a vulnerable package version is present on the target host.

Details: CentOS Update for bpftool CESA-2018:3651 centos7 (OID: 1.3.6.1.4.1.25623.1.0.882981)

Version used: $Revision: 12880 $

References

CVE: CVE-2018-14633, CVE-2018-14646
CERT: CB-K18/1124, CB-K18/0942, DFN-CERT-2019-0115, DFN-CERT-2018-2579, DFN-CERT-2018-2458, DFN-CERT-2018-2421, DFN-CERT-2018-2398, DFN-CERT-2018-2366, DFN-CERT-2018-2318, DFN-CERT-2018-2304, DFN-CERT-2018-2280, DFN-CERT-2018-2252, DFN-CERT-2018-2129, DFN-CERT-2018-2099, DFN-CERT-2018-2039, DFN-CERT-2018-2029, DFN-CERT-2018-1995, DFN-CERT-2018-1990, DFN-CERT-2018-1963
Other: CESA:2018:3651
http://lists.centos.org/pipermail/centos-announce/2018-December/023132.html

MyFitnessPal Data Breach

Breach: MyFitnessPal
Date of breach: 1 Feb 2018
Number of accounts: 143,606,147
Compromised data: Email addresses, IP addresses, Passwords, Usernames
Description: In February 2018, the diet and exercise service MyFitnessPal suffered a data breach. The incident exposed 144 million unique email addresses alongside usernames, IP addresses and passwords stored as SHA-1 and bcrypt hashes (the former for earlier accounts, the latter for newer accounts). In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it to be attributed to “BenjaminBlue@exploit.im”.

I’ve Been Hacked – What To Do After You’ve Been Hacked

By Carter Graydon at Hacked.com

There’s nothing quite like that feeling of dread that slowly envelops you when you realize you’ve been hacked. Regardless of whether it’s just your social media account or something as serious as your bank account or credit card, you can’t escape those first few moments of confusion, anger, and the overwhelming sense of fear. You don’t know how they got your information, what other accounts they’ve had access to, or how long they’ve had access, and it’s terrifying. So I’ve come up with a checklist to help you protect yourself from further damage and begin the repairing process.

Do Not Panic

First off, breathe. It might sound silly, but you need a clear head to proceed. Panic and fear will only lead to confusion. You can easily forget crucial steps you need to take or repeat ones and waste time.

Change your Passwords

Change your passwords, especially if you use the same password for multiple accounts. You should change your passwords once every 3-6 months. Consider using password management software like LastPass or KeePass. In the future, set up two-factor authentication when possible.

Identity Theft? Notify Credit Agencies

If your personal information (such as social security number) has been compromised, notify the credit agencies (Equifax, Experian and TransUnion) and request a 90-day credit alert. Activating this tells businesses to contact you before any new account can be opened in your name. This alert can be renewed every 90 days. It can also stay in effect for seven years – so long as your identity has been stolen, and you’ve filed a report with the police.

The Federal Trade Commission also offers some excellent advice and includes details on how to get your life back after your identity has been stolen.

Monitor your Credit Card Bills

Monitor your credit card bills and double check any charges you don’t recognize. Criminals are known to make small charges to begin with, hoping they’ll go unnoticed, before running your card for something really big. If you see a charge you didn’t make, call the credit card company and alert them right away.

Close Accounts

If someone has already stolen your identity and opened an account, immediately contact the credit issuer and have the account closed. Dispute any charges that were made. Request your credit report from one of the three credit agencies and ask that any unauthorized accounts or incorrect information be removed from your record. This will help preserve your credit score.

Record Calls

Submit your report through the FTC website and keep copies of all your reports and correspondence with these agencies. Record everything, use certified mail and get delivery receipts. Most of the places you’ll need to call will have a notice, “This call may be recorded for quality assurance purposes”, but don’t rely on them for recording the conversation. Record the call yourself, but be sure to inform the person on the other end of the line that you are recording the call. Check your state’s telephone recording laws.

Check the Sent Folder in your Email

Check the sent folder of your email and look for any messages that may have gone out that you didn’t send. Hackers might request personal information from banks or send viruses to your friends. If you see anything suspicious, contact the recipients and let them know.

If the hacker has gained access to your account and locked you out by changing the password, you’ll need to contact the email provider and prove you’re the rightful account holder. And remember, if you’ve used your email address and the same password for other websites, those are all compromised as well. Change those as fast as you can to beat them to the draw. Even if you don’t use the same password for those accounts, the hacker can still use the “forget my password” feature and have a new one emailed to them.

If you’re concerned your computer may have a virus, avoid making online purchases until you have run comprehensive anti-virus and malware software. Some viruses install keyloggers on your computer, letting the hacker see every keystroke. Typing in your credit card information is all they would need.