It’s that time of year again. Enjoy this fun and informative list of tips to help you become more cyber-aware.
When is a USB not a USB?
A USB is not a USB when it has been weaponized and staged to deploy some type of malicious code. Did you know that the worst cyberattack in the U.S. Department of Defense’s history was launched when someone plugged in a USB stick found lying in a parking lot?
It’s true. What is worse is that an experiment conducted eight years later found that dropping a USB in parking lots was still an effective attack strategy. An experiment conducted on the University of Illinois Urbana-Champaign campus dropped approximately 300 USB sticks and found that 45% of them were not only plugged in, but also had a file stored on the stick opened. The moral of the story: If you find a random USB stick serendipitously placed, just pick it up and destroy it!
What is your Apple device telling people?
Did you know your Apple device remembers each Wi-Fi network you join? It will also broadcast an SSID search for those previously joined networks. So, what’s the big deal? Using any number of Wi-Fi scanning or snooping tools, a nefarious individual could determine what networks you routinely connect to by capturing this broadcast information. With this information in hand, they could then conduct a search using WiGLE (Wireless Geographic Logging Engine) to potentially determine places you connect, live, or frequent … information is power. Don’t want this information available for capture? Just forget the wireless network you use when you’re done with it.
A charging cable with benefits
In the same manner a USB stick can be weaponized, security researchers have performed similar modifications to USB charging cables in what is called “juice jacking.” A security researcher who goes by the name MG modified an Apple Lightning cable so that it facilitates remote access when plugged in. It is an actual Apple cable and is indistinguishable from a normal cable. Consider the possibilities of this the next time you plug into an airport kiosk charging station or casually happen to find a lone USB charging cable lying around in the wild …
Internet search tool specifically for finding open access! Say what?
Promoted as the world’s first search engine for internet-connected devices, “Shodan.io” searches the web for IoT, webcams, smart TVs, refrigerators (yep, I said refrigerators), security systems, buildings, power plants and more. It reports on the various access parameters and ports based on typing in a natural language query like “webcam.” Shodan can perform other functions as well, such as network security monitoring and tracebacks. You can even see what other users have discovered and shared. To get extended results, you will have to register, but it is very interesting to see what you can discover. If you want to learn more, visit https://www.shodan.io/.
Do you have unwanted guests using your IoT devices for lodging?
One of the easiest ways you can increase security on your home network is to ensure none of your IoT devices are still using the default factory user/password settings. As a result of recent state regulations and regulations abroad, vendors are starting to force factory default changes during initial setup and configuration. Every internet connected device on your network is a target for potential exploitation and can be used as a staging ground or launch pad into other parts of your network. If your vendor offers two-factor authentication (2FA), I urge you to use it!
Email is still the #1 method networks are infected with malware.
Business email compromise (BEC) comes in many forms. A recent stat I read stated that 91% of cyberattacks start with email. Yikes! That is a high number. On the rise are phishing attacks that attempt to trick someone into giving up personal information or direct you to click on a malicious link. Also up on the list are email impersonation attacks that portray a trusted individual, usually directed toward an activity that will divulge sensitive information. You cannot be too careful with email today. Be sure you know who the sender is and, for any email containing links or attachments, do not click or open anything unless you are 100% sure it is from a trusted source.
What is a “rogue chat box?”
Have you ever been browsing a web page when suddenly, a small chat window pops up offering you some type of assistance? It turns out that offer of “friendly assistance” might not be as friendly as you think. This type of nefarious activity first appeared several years ago, but it remains a threat. If someone or something offers you unsolicited help and then starts prodding you for sensitive information, beware! Chances are that they are not who they purport themselves to be.
Privacy Glass for the frequent traveler
I travel quite a bit for work and it always amazes me how openly people display what they are working on. I’m also guilty of taking my work on the road and try to best utilize my time regardless of where I am. However, I also do my best to remain cognizant of my surroundings and who might have line of sight to my computer screen. For this reason, I use a 3M privacy filter that prevents anyone from seeing my screen unless seated directly in front of it. I mention 3M, but there are many manufacturers offering similar products. It is an excellent security best practice to deter potential prying eyes from viewing the content of your computer screen.
Everyone loves free Wi-Fi access! Who doesn’t? Just beware, hackers can offer up free Wi-Fi in public places too. Using readily available solutions, a hacker can broadcast their own hotspot for the purpose of capturing login credentials or even gaining device control. When you connect in a public area, make sure the Wi-Fi looks legitimate and that there are not several networks with names that look suspiciously similar to each other.
Not all ads are created equal
Even though you may be visiting a trusted web site, did you realize the content can come from multiple sources? This includes content sources outside the control of the web host you are visiting. For this reason, you want to make sure that a bad actor has not slipped you a mickey by inserting a bogus banner ad or an enticing coupon that redirects you to a malicious site. If something looks suspicious, you can right click and “inspect” where the banner or ad may be attempting to redirect you. There are also software offerings that protect against “malvertising.”
Why your passwords should be unique for each login you use
Yes, it is a pain to keep up with too many different passwords, but it doesn’t have to be! There are several awesome password managers available to help you keep your sanity and stay more secure at the same time. And before you ask, no – do not store your passwords on your browser regardless of how many times it offers to do so for you. It is just a bad idea for a number of reasons that we are not diving into here. Using a password manager can allow you to confidently use more complex passwords, because you don’t have to remember them! Yes! Equally important, you want your passwords to be unique for each site you use them at and the reason for it is simple. If a site gets hacked and your password is exposed, it will only be exposed for that site. You don’t want a single password to grant access to every site you use once it becomes compromised!
Hey! Have I been clickjacked?
Much like the malvertising we discussed earlier, clickjacking is also a malicious technique that tricks a user into clicking on something other than what they perceive it to be. This is achieved by loading a website inside transparent frames so that, in effect, the bad actor’s own buttons and selections are overlaid on the webpage. When you click on what you believe to be a normal button, you are actually clicking on another page that has just hijacked your click! A plethora of ugly things can happen from there – a redirect, a UI redress attack, or simply exposure of sensitive information. The good news is that modern web browsers and web design can employ mechanisms to protect against clickjacking. Like all cyber battles though, new ways to exploit are constantly surfacing.
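The protective mechanisms mentioned above are response headers that tell the browser who may frame a page. As an added example (my code, not FireMon’s or the original post’s), here is a small checker that reads a page’s `Content-Security-Policy` `frame-ancestors` directive and `X-Frame-Options` header and says whether a given parent origin would be allowed to frame it; the header object, origins and helper names are assumptions for the demo.

```javascript
// Added example, not from the original post. Evaluates clickjacking protection
// from response headers: CSP frame-ancestors wins, then X-Frame-Options.
function getHeader(headers, name) {
  // Header names are case-insensitive; headers is assumed to be a plain object.
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

// Does one frame-ancestors source expression match the would-be parent origin?
function sourceMatches(src, pageOrigin, parentOrigin) {
  const s = src.trim();
  if (s === "'self'") return parentOrigin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(s)) {
    return parentOrigin.toLowerCase().startsWith(s.toLowerCase() + "//"); // scheme-only, e.g. https:
  }
  if (s.includes("*.")) {
    // host wildcard, e.g. https://*.example.com matches any single subdomain label
    const re = new RegExp("^" + s.replace(/[.]/g, "\\.").replace("*\\.", "[^/]+\\.") + "$", "i");
    return re.test(parentOrigin);
  }
  return s.toLowerCase() === parentOrigin.toLowerCase();
}

// Returns { framable, reason } for parentOrigin trying to embed pageOrigin.
function framingPolicy(headers, pageOrigin, parentOrigin) {
  const csp = getHeader(headers, "content-security-policy");
  if (csp) {
    const directive = csp.split(";").map(d => d.trim())
      .find(d => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      // An empty source list is equivalent to 'none'.
      if (sources.length === 0 || sources.some(s => s === "'none'")) {
        return { framable: false, reason: "CSP frame-ancestors 'none'" };
      }
      const ok = sources.some(s => sourceMatches(s, pageOrigin, parentOrigin));
      return { framable: ok, reason: "CSP frame-ancestors " + sources.join(" ") };
    }
  }
  const xfo = getHeader(headers, "x-frame-options");
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === "DENY") return { framable: false, reason: "X-Frame-Options DENY" };
    if (v === "SAMEORIGIN") return { framable: parentOrigin === pageOrigin, reason: "X-Frame-Options SAMEORIGIN" };
    // ALLOW-FROM and unknown values are not honoured by current browsers: no protection.
    return { framable: true, reason: "X-Frame-Options value not honoured: " + xfo };
  }
  return { framable: true, reason: "no framing restriction" };
}
```

A response with neither header, or only an obsolete `ALLOW-FROM` value, comes back as framable, which is the condition a clickjacking page needs.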
The post 12 Days of Cyber Awareness appeared first on FireMon.
This is a Security Bloggers Network syndicated blog from FireMon authored by Tim Woods. Read the original post at: https://www.firemon.com/12-days-of-cyber-awareness/