Living in a World of Hackers, Phishing, Scams and SPAM

Living in a World of Hackers, Phishing, Scams and SPAM Updated for SIDLIT 2016 - Jonathan Bacon, Retired Old Guy


From www.informationisbeautiful.net see http://goo.gl/a0pGe

Recent breaches:
- Voter database: 191M records
- Anthem, 2nd largest health insurer in USA: 80M names, SS#, addresses, phone numbers, DOB, email, employment info
- Ashley Madison: 37M
- MySpace: 164M
- Verizon: 100K customer database
- Wendy's: 1,025 stores; malware used to steal credit card data
- Adult Friend Finder: 3.9M names, sexual preferences, email addresses, DOB, postal codes
- Experian/T-Mobile: 15M names, SS#, DOB, driver's license numbers, passport numbers
- eBay: 145M; attackers hacked several employee accounts and then accessed all user records
- Minecraft: 7M users of Lifeboat servers had email addresses and passwords hacked
- Also IRS, Apple, NASDAQ, Evernote, SnapChat, Twitter, AOL, Target, Home Depot, UPS, British Airways, Scribd, Dropbox, Sony Pictures, JetBlue, Dow Jones, 7-Eleven, Citigroup, Medicaid, and on and on


What are the chances of being hacked?
- National Cyber Security Alliance: 20% chance, per a 2013 PCWorld article
- May 2014 Ponemon Institute study commissioned by CNN Money: 50% of US adults hacked over one year
- National Small Business Association: 44% hacked, per a 2013 study
Pretty darn high!

Why talk about this at SIDLIT?

First protect yourself. Then help and protect your students. (The Oxygen Mask Rule, or the Pass It On effect.)

The Big Problem: "Cyber hunters from Symantec, Trend Micro, Kaspersky, Mandiant, Phishlabs and hundreds of other security firms and government agencies spend days, weeks, months, years tracking the bad folks who prey on people's ineptitude, gullibility, stupidity, greed and laziness."

Andy Marken, Marken Communications

How do I avoid being hacked and the subject of identity theft?
- Install virus protection and keep it up to date
- Use strong passwords (upper/lower case, numbers, special characters) and don't reuse passwords
- Use a random generator for highly secure passwords
- Don't provide answers to security questions that can be Googled (make up the answer!)
- Delete registration emails containing temporary passwords and change the password immediately

How to Avoid Having Your Google Account Hacked http://goo.gl/3zCg9v

What should I know about using passwords?
- Avoid easy-to-guess passwords (e.g., password, 12345678, important dates, information about you that can be Googled, or previously used passwords)
- Change passwords frequently. If you suspect you've been hacked, change all passwords now!
- Store all passwords safely (use a password vault such as mSecure, Dashlane, LastPass, Keychain); no paper record.
- Use 2-Step Verification, if available (e.g., Google, Amazon)

The Best Password Managers for 2016, PC Magazine, February 9, 2016, http://www.pcmag.com/article2/0,2817,2407168,00.asp

Top Ten Most Used Passwords
1. 12345
2. 111111
3. password
4. 12345678
5. 1234567
6. 123456789
7. abc123
8. 123456
9. 123123
10. qwerty
Source: ZDNet


Ten Most Used Words in Passwords
1. abcd
2. monkey
3. welcome
4. iloveyou
5. hello
6. july
7. love
8. dragon
9. password
10. qwerty
Source: ZDNet


Bad, Better and Best Passwords

Bad         Better        Best
12345678    WP19891990    *SJdyhGnA
password    #33@JcCc!     CCvHSMLu
admin       sf2ut2bU      pj3QaSe3
iloveyou    aNwYcCd4Y     4mhCMaGb

The BEST passwords use random letters, numbers and special characters. Password vaults can generate and store random passwords. Or use a site such as https://www.random.org/passwords/, but read the caveat there first: a password generated on someone else's server has, by definition, been seen by that server.

The BETTER passwords use personal information that can't be Googled, with meaning for you (easily remembered), or an abbreviated phrase (aNwYcCd4Y is "ask Not what Your country Can do 4 You").
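The two rules the slides give, generate randomly and reject anything guessable, are easy to demonstrate in code. The following is an added example (not code from the talk or from any product it names) that uses Python's CSPRNG-backed `secrets` module for the BEST column and screens candidate passwords against the ZDNet top-ten list and the common-words list from the earlier slides. The `known_facts` argument stands in for the "Googleable" information the slide warns about; the thresholds (12 characters, 60 bits) and the pet-name sample are assumptions chosen for illustration.

```python
import math
import secrets
import string

# The ten most-used passwords from the slide (source: ZDNet), used as a deny-list.
COMMON_PASSWORDS = {
    "12345", "111111", "password", "12345678", "1234567",
    "123456789", "abc123", "123456", "123123", "qwerty",
}

# The most-used words inside passwords from the slide (source: ZDNet).
COMMON_WORDS = ("abcd", "monkey", "welcome", "iloveyou", "hello",
                "july", "love", "dragon", "password", "qwerty")

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=16):
    """Random password from a CSPRNG: the 'BEST' column on the slide.

    secrets.choice draws from os.urandom. The random module must never be
    used for this: its generator is seeded from predictable state.
    """
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry until every character class is present, so the result also
        # satisfies sites that insist on upper/lower/digit/special.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(pw):
    """Upper bound on entropy if pw were drawn uniformly from the character
    classes it uses. Human-chosen passwords are far weaker than this bound,
    which is why the deny-list checks in assess() matter more."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def assess(pw, known_facts=()):
    """Return the reasons a password is rejected; an empty list means it passes.

    known_facts are strings an attacker could find by searching for you
    (name, birth year, pet). They are an assumed input for this example.
    """
    low = pw.lower()
    reasons = []
    if low in COMMON_PASSWORDS:
        reasons.append("in the top-ten most-used list")
    if any(w in low for w in COMMON_WORDS if len(w) >= 5):
        reasons.append("contains a common password word")
    if any(f.lower() in low for f in known_facts if len(f) >= 4):
        reasons.append("contains Googleable personal information")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if entropy_bits(pw) < 60:  # assumed floor for this example
        reasons.append("too few character classes for its length")
    return reasons


if __name__ == "__main__":
    # Constructed inputs: the slide's BAD column plus a pet-name password.
    for candidate, facts in (("12345678", ()), ("iloveyou", ()),
                             ("Fluffy1989!", ("Fluffy", "1989"))):
        print(candidate, "->", assess(candidate, facts) or "OK")
    fresh = generate_password()
    print(fresh, "->", assess(fresh) or "OK", round(entropy_bits(fresh), 1), "bits")
```

Run against the slide's own columns, the BAD passwords fail the deny-list, the BETTER ones clear it but fall below the length and entropy floor, and only the generated one passes everything, which is the point the BEST column is making.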


How do I safely browse?
- Use a product like Norton Internet Security to flag safe sites
- Go to a website by typing the web link in the browser; don't use the link in an email
- Check spelling carefully when typing a web link
- Check for the padlock and https://, and do not log into a site if it is not secure
- Examine the site carefully (misspellings, fuzzy images)
- If the site feels wrong or fake, do not log in; instead call the company directly
- Log out of any secure site when you are finished

How do I know if a site is secure and encrypted?
- The web address in the browser starts with https://, and
- A closed padlock appears in your web browser

Can't a fake website just paste a padlock on the site?
- The padlock is a function of the browser, not the web page, but
- Click on the padlock for details: the name of the company, "The connection to the server is encrypted" or "Your connection is private", and Transport Layer Security (TLS) in use
- Check the domain name: citi.support.com vs citi.com
- Caveat: a fake site can obtain a valid certificate for its own domain, so the padlock only proves the connection to the address shown is encrypted. It is the domain name in the address bar that tells you whether you are talking to the bank.

Look for the Padlock!

Note: Different browsers have padlock in different locations

Edge Secure Site

What can I do to protect myself from credit card online fraud?
- When shopping online, try to use only trusted retailers (Amazon, big-name retailers)
- Even with trusted retailers, check that the web address is not spoofed (more to follow)
- Preferably, conduct sensitive online activities (banking, purchasing) at home
- Avoid making purchases on public Wi-Fi or public computers unless you're sure it's secure

How can I be secure on a public Wi-Fi network?
- Turn off sharing (i.e., network discovery or stealth mode, file and printer sharing)
- Enable your firewall
  - Windows: Control Panel > System and Security > Windows Firewall
  - Mac: System Preferences > Security & Privacy > Firewall
  - iPad: no firewall needed unless jailbroken (Firewall IP)
- Remember to use HTTPS and TLS/SSL connections; look for the padlock
- Turn off Wi-Fi when not using it

How can I be secure on a public Wi-Fi network? (continued)
- Consider using a VPN (Virtual Private Network) such as CyberGhost (has 4 profiles):
  - Full automatic Wi-Fi protection
  - Anonymous browsing
  - Secure streaming (Netflix, Hulu)
  - Compress internet traffic to save data costs
- Caveat: a VPN only protects traffic between you and the VPN provider. You are trusting that provider instead of the hotspot, and it is not a substitute for HTTPS to the site itself.
- Use a password vault (LastPass, mSecure) to avoid typing passwords that can be captured

What can I do to protect myself from F2F (face-to-face) credit card fraud?
- Carry cards safely, and only the ones you need
- When traveling, notify the card company
- Consider one card for local use, another for online
- Remove USPS mail from your mailbox in a timely fashion
- Stop mail when traveling, or have a neighbor pick it up
- Securely store or shred statements
- Review your account activity frequently; check for unexpected or inflated charges and for small test charges ($1.00)

What is phishing?
Fraud where a scammer pretends to be a legitimate person or organization and tricks you into revealing personal information:
- Credit card information
- Social security numbers
- Passwords, PINs
Examples:
- Sends email pretending to be from your bank, a vendor you know, or a company you know
- Hosts a fake (spoofed) website
- Calls you on the phone with an urgent message or warning

Warning Signs of Phishing
- Requests for confidential information by phone or email
- Scare tactics, playing on your fears
- Generic-looking requests (Dear Sir/Madam)
- Forms embedded in email

Curiosity killed your credit and privacy! What SPAM looks like:
"Don't Miss Out!"
"We_have_found_yOu_amazing_credit!"

Should I answer when caller ID says Unavailable or Unknown?
- May be a telemarketer, spammer, phisher, scammer, or wrong number
- Don't answer; use voicemail as a filter
- Google the number or use a reverse-lookup app
- Block the number, if necessary

Long-lost friend, emergency call from someone you know (unknown number), or a vendor (doctor, repair person, bank) that turns off caller ID:
- Answer, but be prepared to hang up without comment

What are the warning signs of phishing or a fake website?
- Uses an incorrect URL
  - Fake: www.chase.com.support.com
  - Real: www.chase.com
  - The part that counts is the registered domain at the right-hand end of the hostname: support.com, not chase.com, no matter how many familiar names appear to its left
- Asks for banking information
- Uses a public Internet account (i.e., an email account that is not from the institution)
- Misspelled words
- Not a secure site
- Images on the website are low resolution (fuzzy)
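The warning signs on this slide and the two before it (a public sender address, a link whose hostname merely contains the bank's name, a form embedded in the email, a generic greeting, scare tactics, a request for passwords or PINs) can all be checked mechanically. Here is an added example, not code from the talk, that parses a constructed phishing email and a constructed legitimate one with the Python standard library and reports which signs each shows. The `host_belongs_to` check is the same test you should apply to the padlock slide's citi.support.com vs citi.com: it compares the parsed hostname, so www.chase.com.support.com fails even though the string "chase.com" appears in it. The keyword lists, the public-mailbox list and both sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: mail domains that no bank sends alerts from.
PUBLIC_MAILBOX_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
URGENCY = re.compile(r"\b(urgent|immediately|suspended|within 24 hours|verify your account)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear\s+(sir|madam|customer|valued customer|user)\b", re.I)
SENSITIVE = re.compile(r"\b(password|pin|social security|ssn|account number)\b", re.I)


def host_belongs_to(url, expected_domain):
    """True only if url is HTTPS and its hostname is expected_domain or a
    subdomain of it. Because the test runs on the parsed hostname, a
    lookalike such as www.chase.com.support.com (registered domain
    support.com) is rejected even though 'chase.com' appears inside it."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    return parts.scheme == "https" and (host == expected or host.endswith("." + expected))


class _LinkAndFormFinder(HTMLParser):
    """Collect <a href> targets and note whether a <form> is embedded."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.has_form = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)
        elif tag == "form":
            self.has_form = True


def phishing_indicators(raw_message, claimed_domain):
    """Return the warning signs from the talk that a message exhibits,
    given the domain of the institution it claims to come from."""
    msg = message_from_string(raw_message)
    claimed = claimed_domain.lower()
    found = []

    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = m.group(1).lower() if m else ""
    if sender_domain in PUBLIC_MAILBOX_DOMAINS:
        found.append("sent from a public mail account, not the institution")
    elif not (sender_domain == claimed or sender_domain.endswith("." + claimed)):
        found.append("sender domain %r does not match %s" % (sender_domain, claimed))

    body = msg.get_payload()  # samples below are single-part text/html
    finder = _LinkAndFormFinder()
    finder.feed(body)
    for href in finder.links:
        if not host_belongs_to(href, claimed):
            found.append("link leaves %s: %s" % (claimed, href))
    if finder.has_form:
        found.append("form embedded in the email")

    text = msg.get("Subject", "") + "\n" + body
    if GENERIC_GREETING.search(text):
        found.append("generic greeting")
    if URGENCY.search(text):
        found.append("scare tactics / urgency")
    if SENSITIVE.search(text):
        found.append("asks for confidential information")
    return found


# Constructed sample: shows every warning sign from the slides at once.
SAMPLE_PHISH = """\
From: Chase Security <chase.alerts@gmail.com>
To: customer@example.com
Subject: Urgent: your account has been suspended
Content-Type: text/html

<html><body>
<p>Dear Sir/Madam,</p>
<p>Unauthorized activity was detected. Verify your account within 24 hours
or it will remain suspended.</p>
<form action="http://www.chase.com.support.com/login">
  <a href="http://www.chase.com.support.com/login">www.chase.com</a>
  Username: <input name="user"> Password: <input name="password">
</form>
</body></html>
"""

# Constructed sample of what a genuine notice looks like by contrast.
SAMPLE_LEGIT = """\
From: Chase <no-reply@alerts.chase.com>
To: customer@example.com
Subject: Your October statement is available
Content-Type: text/html

<html><body><p>Hello Jonathan,</p>
<p>Your statement is ready. Sign in at <a href="https://www.chase.com/">chase.com</a>
to view it.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, "->", phishing_indicators(sample, "chase.com") or "no indicators")
```

Note that the link text in the phishing sample reads www.chase.com while the href goes elsewhere; the check inspects the href, which is what the browser follows, never the visible text. Hovering over a link in a mail client shows the same href, which is the manual version of this check.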

Bad habits that can hurt your privacy and credit!
- Opening SPAM from strangers
- Failure to use strong passwords and change them frequently (at minimum every 6 months)
- Clicking on strange-looking links (or links in messages supposedly from friends with minimal or no explanation)
- Accepting Facebook friend requests from:
  - People you don't know
  - People you've already friended
- Failure to back up your data regularly
- Failure to educate others (students, spouse, partner, children, grandchildren)

Don't Open Mail From Strangers
Using scare tactics seems to be the most popular amongst cybercriminals, as it presents the user with an urgent scenario, usually involving a banking or another online account. It gives the user the feeling that they need to act urgently, therefore making decisions based on poor impulse control. When you get junk mail in the real world, the chance of it burning down your house is zero. However, if you get a phishing email with malware attached, you don't even have to download the attachment for it to do damage to your home network. That's because drive-by downloads can install malware on your hard drive without you even agreeing to download. In some cases, a drive-by download might disguise itself as a standard system update or another innocuous yes/no question. The bottom line is, don't open email from people you don't know.

Use Strong Passwords and Change Them Frequently
Every year, it's revealed that an astonishing number of people are still using passwords like 12345678 or password. Don't use those, but also don't use your dog's name or your kids' birthdays. The best password is one that you can remember, but one that will be hard for other people, even brute-force programs that try literally every combination under the sun, to guess. An abbreviated sentence is often better than a single word with numbers and symbols inserted. Or you can use a password management app to generate and store your passwords for you.

Don't Click on Strange-Looking Links
Viruses and other forms of malware often spread because you click on a link from someone you know. But why is someone you know sending you the strangest-looking link you've ever seen in your life? This is a highly subjective area, but you can always send back an email or send off a text message to ask if the link you've been sent was sent on purpose, or if your friend or family member has become the victim of a hacking attack. You might have to wait a few minutes to watch that funny viral video, but better safe than sorry.

Back Up Your Data Regularly
If in the unfortunate event you become a victim of malware, such as ransomware, you might not be able to get your data back. Not unless you've backed up your data. When you back up your data, you can make certain kinds of security breaches far less problematic. If a hacker encrypts your data and demands a ransom to unencrypt it, that's not going to be that big of a deal if you backed it up a week ago.

Educate Your Family
Your home security network is only as strong as its weakest link. You can be taking all the precautions in the world. But if your family and other people using your network aren't doing their part to keep everything secure, none of that is going to matter. Make sure that everyone who regularly uses your network is up to speed on how to keep it secure.


Good habits that protect against phishing and scamming
- Use strong passwords that include upper- and lowercase letters, numbers and special characters (if allowed)
- Use two-factor authentication, when available
- Do not click on links in messages from unknown senders
- Use security software and keep it up to date:
  - Norton/Symantec
  - Kaspersky
  - McAfee
  - Trend Micro

What should I do if I suspect fraud?
- Notify all financial institutions:
  - Banks
  - Credit card companies
  - Lenders
- Visit the Federal Government's identity theft site: https://www.identitytheft.gov/
- Concerning income tax filing? Contact the IRS at (800) 829-1040, or (800) 829-4059 if hearing disabled

The identitytheft.gov site starts by asking which situation applies:
- I want to report identity theft
- Someone else filed a tax return using my information
- My information was exposed in a data breach
- Someone got my personal information or my wallet, and I'm worried about identity theft
- Something else

What is Ransomware?

Ransomware 101
- Capitalizes on fear
- Requires payment of a fee to (supposedly) regain access to your files or computer
- $325M attributed to a single variant in 2015 (CryptoWall)
- Ransomware families (variants):
  - CryptoWall: holds your data (files) hostage
  - Reveton/"Law enforcement": uses federal or local law enforcement warnings (threats): "the work of your computer has been suspended on the grounds of unauthorized cyber activity"
  - Jigsaw: deletes files at an increasing rate until the ransom is paid

Defense against Ransomware
- Back up regularly; apply the 3-2-1 rule (offline backups)
- Verify email sources; don't click untrusted links
- Bookmark frequently used and trusted websites
- Apply OS, application and security updates promptly

The 3-2-1 backup rule means that you:
- Have at least 3 copies of your data
- Keep these backups on 2 different media
- Store 1 backup offsite

The offline/offsite copy is the one that matters against ransomware: the malware encrypts everything the infected machine can write to, including attached USB drives, mapped network shares and folders synced to the cloud, so a backup that is always connected can be encrypted right along with the originals.

How to Reduce SPAM!

Image courtesy of Mike Garabedian and Santa Monica Public Library

Evaluating Online Sources (CRAAP)
- Currency: timeliness of the information; current or out of date?
- Relevance: intended audience; related to the topic?
- Authority: source of the information; credentials of the author; contact information?
- Accuracy: reliability; truthful and correct content; spelling, grammar or typo errors?
- Purpose: fact, opinion, propaganda, bias?

"You just can't trust everything you read on the web." ~ Abe Lincoln

Questions?

Sources/Resources

Hackers and Hacking
- Biggest Data Breaches Visualization http://goo.gl/a0pGe
- Zone-H http://www.zone-h.org/ (information on daily hacks)
- How to Avoid Having Your Google Account Hacked http://goo.gl/3zCg9v
- Hackers Are Getting Better, the Rest of Us Are Getting Worse http://goo.gl/InlqpV
- Why There is a 1 in 3 Chance You'll Get Hacked in 2016 https://www.bestvpn.com/blog/43225/get-hacked-one-in-three/

Passwords and Password Managers
- The Best Password Managers for 2016, PC Magazine, February 9, 2016, http://goo.gl/uBwhw

Sources/Resources (more)

Phone Calls from Unknown, Unavailable, Unlisted Sources
- Should you answer unknown phone calls? https://www.quora.com/Should-you-answer-unknown-phone-calls-Why-or-why-not
- PSA: Missed call from a mystery number? http://techcrunch.com/2014/02/02/missed-call-scam/

Fake Websites and Phishing
- How to Spot a Fake Website and Not Get Phished (PDF file) http://goo.gl/ZWXaKr
- How to Spot a Fake Website http://goo.gl/fEh6PJ
- Can You Really Trust the Browser Padlock? https://goo.gl/jFks6P
- Can one reliably show HTTPS status in browser (not just the lock in URL bar)? http://goo.gl/KPUdrd
- 7 essential tips to beat phishing scams http://goo.gl/a6zHyo

Sources/Resources (still more)

Safety Advice
- What amateurs can learn from security pros about staying safe online http://goo.gl/FRWRZX
- 5 Ways You Can Help Protect Yourself and Stay Secure Online, from the Norton Protection Blog https://goo.gl/iBK8B9
- Talk: Credit Card Safety Tips, newsletter from Mainstreet Credit Union, Johnson County, Kansas
- How to Stay Safe on Public Wi-Fi Networks http://goo.gl/E6AJqk
- 6 Ways to Use Public Wi-Fi Hot Spots Safely http://goo.gl/KN5MtX

Ransomware
- Ransomware 101: What, How and Why http://goo.gl/jrxgLR
- Why the 3-2-1 Backup Rule Still Makes Sense http://windowsitpro.com/blog/why-3-2-1-backup-rule-still-makes-sense
- The Current State of Ransomware: CryptoWall https://goo.gl/MZUKAF

Sources/Resources (and more)Evaluating Online Sources

- Tips and Tricks for Evaluating Web Sites http://www.library.illinois.edu/ugl/howdoi/webeval.html
- Choosing Credible Sources https://www.ivcc.edu/stylebooks/stylebook6.aspx?id=14724
- Evaluating Internet Resources http://eduscapes.com/tap/topic32.htm
- The CRAAP Test Worksheet (California State University-Chico) http://www.edutopia.org/blog/evaluating-quality-of-online-info-julie-coiro

Best VPN
- Five Best VPN Service Providers http://lifehacker.com/5935863/five-best-vpn-service-providers