Embed Size (px)
Citation preview
June 2015
Volume 2, Issue 6
Indiana Department of
Transportation
Learn How to Avoid Scam in a Video Game
To Report SPAM
Open a new message
1. Address message to [email protected]
2. Type "SPAM" on the subject line of the message
3. Drag and drop the SPAM email as an attachment in the new "SPAM" message.
4. Send message
5. Delete SPAM message from your
mailbox
Once the SPAM postmaster has received your message you will receive an email acknowledging its receipt.
Please Note:
Do not respond to the SPAM, this will
alert the spammers that they have a
valid email address and can potentially
increase SPAM received.
Inside this issue:
ICANN Blog 2
Educating Yourself to
Protect Your Children
3
Protect and Educate Your
Children
4
Try Not Using Adobe Flash
Player
5
Adobe, Microsoft Issue
Critical Security Fixes
6
Security Awareness
The best way to spot and avoid investment fraud is to learn how con artists think.
At least that is the idea behind a new video game released by the Financial In-dustry Regulatory Authority Investor Education Foundation called “Con 'Em If You Can.” Visitors to www.conemifyoucan.org (hyperlink removed) team up with a crooked character named Connor to swindle people living in the idyllic neighborhood of Shady Acres of their savings. With Connor as their mentor, players learn the tactics used by fraudsters.
The “goal is to give investors an interactive tool they can use to help them rec-ognize the red flags of fraud,” said Gerri Walsh, president of Finra’s Investor Education Foundation, in a release. “Con 'Em If You Can challenges users to really understand the psychology behind scams.”
The Finra Investor Education Foundation partnered with Doorways to Dreams Fund, a nonprofit that aims to bolster financial security and opportunity for low- and moderate-income families, to develop the game. Research shows that “learning to spot persuasion tactics in pitches can reduce their effect, and in-crease an individual’s ability to spot and avoid fraud,” according to the release.
Americans lose about $50 billion to fraud each year, according to Finra, and eight in 10 people are approached for a potentially fraudulent offer.
This site has been vetted by the STH user community and is valid and safe. It was validated by the SVP of FINRA Member Relations and Education. It will teach you things to look for that are fraudulent and in a fun way.
Page 2 Security Awareness
cause the individual to act in haste; for example, an email notice that informs you that your credit card has been sus-pended due to suspicious activity, or a notice that you've won an item or lot-tery. This is the "lure". The criminal hopes that you will take the action indi-cated in the message you receive; e.g., visit a link in the text or email, or call a telephone number. The link is the "hook": a link from a "phishing" email or text often takes you to a fraudulent site that impersonates your bank's login page where the criminal hopes you will submit account credentials or personal information that he can use or perhaps sell. A telephone number may be just as dangerous: the party you call may be an individual skilled at eliciting personal information from you. The most adept criminals make very convincing impersonations of legitimate and well-intentioned correspondence. To better understand how to protect yourself against social engineering, visit such sites as stopthinkconnect.org or apwg.org.
The Internet has finally, and in so many ways, become an integral part of our every day lives. As familiar as we are with it, however, we still need to understand how best to navigate our way in this vast digital territory securely. We all face challenges when trying to understand how to protect ourselves, our families and workplaces, and increasingly, all of our sensitive information from Inter-net attacks. Before we can begin to practice Internet security, we need to learn the language. Security terminology is unquestionably daunting. The vo-cabulary used in Internet Security is nearly as large and dense as that found in the fields of medicine or the military. In fact, many Internet Security terms borrow from medical or military terminology, and like these, they require more than a one-line definition and are best accom-panied by examples. This post is the first of a series where I will attempt to explain common –
and confounding – security terms. I hope this and future posts help you navigate the twisty little maze of Internet Security passages and your input will definitely be food for thought for future posts. What is social engineering? Social engineering is an attempt to influence or persuade an individual to take an action. Some social engineering has benefi-cial purposes; for example, a com-pany may distribute a healthcare newsletter with information in-tended to influence you to get a flu shot. But social engineering is com-monly used by criminals to cause the recipient of an email, text, or phone call to share information (such as your online banking username and password, or personal identifying information such as your social secu-rity or passport number) or take an action that will benefit the criminal, not the individual. Criminal social engineering often has an emotional component, to
ICANN (The Internet Corporation for Assigned Names and Numbers) Blog
Volume 2, Issue 6 Page 3
June is Keep Kids Online Safety Month.
There are many great sites out there for Parents wanting to learn how to keep their kids safe when using electron-
ics, but one great one I have found is called NetSmartz Workshop. It is run by the National Center for Missing and
Exploited Children, located at : http://www.netsmartz.org/Parents . On this site you can find a great deal of tools
for you and your children, related to such topics as Cyberbullying, Identity Theft, Sexting, Social Networking, Email,
IM and Chat Rooms to name a few. I recommend that if you are a parent that you visit this site and see some of
the great tools at your disposal.
Educating Yourself to Protect Your Children
Here is an example of one of the Topics from this site:
Revealing Too Much
Web 2.0 lets users share information online as easily as they download it. Unfortunately, people of all ages often
reveal too much. Children can be made especially vulnerable by sharing personal information, such as home ad-
dresses and phone numbers, private thoughts and feelings, and pictures. In order to keep your children from post-
ing information and images they may end up regretting, remind them who may see the information they reveal
while online.
Predators
Predators are always looking to collect information about their child victims. This information may be used to iden-
tify, connect with, or manipulate children. For example, if a child blogs about being misunderstood, a predator
might provide a sympathetic ear in order to create trust and form a relationship. Predators may also try to encour-
age children into a sexual relationship by talking about sex, so children should avoid talking about provocative sub-
jects with people they do not know.
Cyberbullies
Cyberbullies take their targets’ personal information and use it against them. They may copy and alter photos;
share private e-mail or instant message conversations; and taunt their victims with emotional insecurities revealed
in blogs.
Scammers
Scammers want to use children’s personal information to manipulate them. Children who post e-mail addresses
and phone numbers may be the targets of spam, telemarketers, and e-mail scams.
It is also becoming more common for coaches, college admissions officers, and employers to screen applicants by
checking their online profiles and postings. An admissions officer’s decisions may be negatively influenced by a
teen’s posts - for example, rude comments about teachers or inappropriate photos.
Page 4 Volume 2, Issue 6
Help children maintain online pri-
vacy
Children can hurt themselves when
they reveal too much information.
Inappropriate pictures, videos, and
conversations posted online may
come back to haunt them. Help your
children take control of their per-
sonal information with the following
tips.
Make sure that your child takes
advantage of the privacy set-
tings on social networking sites.
Pre-approve the pictures and
videos your child posts online.
Remind your child never to post
e-mail addresses or cell phone
numbers.
Tell your child that passwords
should only be shared with par-
ents and guardians.
Teach your child not to respond
to any e-mails requesting per-
sonal information and to delete
e-mails from unknown senders.
Discuss how to keep screen-
names and e-mail addresses
gender-neutral, appropriate, and
free of any information that
could reveal identity.
Encourage your child to tell you
right away if anything happens
online that bothers or frightens
him or her.
Protect and Educate Your Children
Start a discussion with your chil-dren
Use these discussion starters to get an Internet safety conversa-
tion going with your children. The more often you talk to them
about online safety, the easier it will get, so don’t get discouraged
if they don’t respond immedi-ately!
Can I take a look at what you have been posting online?
Does anyone else have access to your passwords?
What information is okay to share online? What informa-tion should you keep private?
What could someone learn about you from what you post
online? How might they use this information?
Have you ever regretted any-thing you posted online?
Want to learn how to check your
child’s browser history, use Face-
book’s privacy settings or report
cyberbullying on Twitter? Check
out these websites for informa-
tion and how-to videos so you can
be as tech savvy as your child.
Instructional videos and guides • www.howcast.com/categories/2-tech
Videos include “How to Use Twitter,” “How to Use Facebook” and “How to Use an iPhone.”
• www.fosi.org/good-digital-parenting Information and tips for parents about specific websites and apps.
Website help centers • www.facebook.com/help Learn how
to manage your child’s account and report problems.
• support.twitter.com Find out how to use Twitter and protect your child’s privacy.
• https://support.google.com/youtube Read about YouTube’s safety policies and how to report inappropriate con-tent.
• www.google.com/safetycenter Browse through videos and articles for advice on using Google’s safety tools and how to manage your fam-ily’s safety online.
• help.instagram.com Learn about the basics of this popular app and get tips for parents.
• https://support.snapchat.com Under-stand how to use the app and what to do if your child is using it inappro-priately.
• https://kikinteractive.zendesk.com Read about the app and how to re-port problems.
• https://support.skype.com Browse articles about securing your child’s account and managing their privacy settings.
• www.tumblr.com/help Learn about this blogging platform and how to manage your child’s account settings.
• https://help.pinterest.com Find out how to use Pinterest and secure your child’s account.
• help.meetme.com Get answers to your questions about controlling who sees your child’s profile and how to report problems.
• help.disney.com/clubpenguin Read about this popular game’s rules and safety features.
Page 5 Volume 2, Issue 6
A Month Without Adobe Flash Player I’ve spent the better part of the last month running a little experi-ment to see how much I would miss Adobe‘s buggy and insecure Flash Player software if I re-moved it from my systems alto-gether. Turns out, not so much.
Browser plugins are favorite tar-gets for malware and miscreants because they are generally full of unpatched or undocumented se-curity holes that cybercrooks can use to seize complete control over vulnerable systems. The Flash Player plugin is a stellar ex-ample of this: It is among the most widely used browser plugins, and it requires monthly patching (if not more frequently). It’s also not uncommon for Adobe to release emergency fixes for the software to patch flaws that bad guys started exploiting before Adobe even knew about the bugs. This happened most recently in February 2015, and twice the month prior. Adobe also shipped out-of-band Flash fixes in December and November 2014.
Time was, Oracle’s Java plugin was the favorite target of exploit kits, software tools made to be stitched into hacked or malicious sites and foist on visiting browsers a kitchen sink of exploits for various plugin vulnerabilities. Lately, however, it seems to pendulum has swung back in favor of exploits for Flash Player. A popular exploit kit known as Angler, for example, bun-dled a new exploit for a Flash vulner-ability just three days after Adobe fixed it in April 2015. So, rather than continue the patch madness and keep this insecure soft-ware installed, I decided to the pull the…er…plugin. I tend to (ab)use dif-ferent browsers for different tasks, and so uninstalling the plugin was al-most as simple as uninstalling Flash, except with Chrome, which bundles its own version of Flash Player. Fear not: disabling Flash in Chrome is sim-ple enough. On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome: plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). In almost 30 days, I only ran into just two instances where I encountered a site hosting a video that I absolutely needed to watch and that required Flash (an instructional video for a home gym that I could find nowhere else, and a live-streamed legislative hearing). For these, I opted to cheat and load the content into a Flash-enabled browser inside of a Linux vir-tual machine I have running inside of VirtualBox.
Try Not Using Adobe Flash Player
In hindsight, it probably would have been easier simply to temporarily re-enable Flash in Chrome, and then disable it again until the need arose. If you decide that removing Flash al-together or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.
Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default). Windows users who decide to keep Flash installed and/or enabled also should take full advantage of the En-hanced Mitigation Experience Tool-kit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applica-tions. http://krebsonsecurity.com/2015/06/a-month-without-adobe-flash-player/#more-28770
Page 6 Volume 2, Issue 6
Scott T. Robison M.Ed.
INDOT Security Awareness Coordinator
Office: (317) 232-5179
Email: [email protected]
Indiana Department of
Transportation
The IRUA is Posted at
http://iot.in.gov/security/irua/
The Mobile Device policy - http://www.in.gov/
indot/div/pubs/mobile-device-policy.pdf
IOT’s Information Security Framework page is
located at the web address: http://www.in.gov/
iot/2339.htm
Adobe, Microsoft Issue Critical Security Fixes
Adobe today released software updates to plug at least 13 security holes in its Flash Player software. Separately, Microsoft pushed out fixes for at least three dozen flaws in Windows and associated software.
The bulk of the flaws Microsoft addressed today (23 of them) reside in the Internet Explorer Web browser. Microsoft also is-sued fixes for serious problems in Office, the Windows OS itself and Windows Media Player, among other components. A link to an index of the individual Microsoft updates released today is here. As it normally does on Patch Tuesday, Adobe issued fixes for its Flash and AIR software, plugging a slew of dangerous flaws in both products. Flash continues to be one of the more complex programs to manage and update on a computer, mainly be-cause its auto-update function tends to lag the actual patches by several days at least (your mileage may vary), and it’s difficult to know which version is the latest. If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh should update to Adobe Flash Player 18.0.0.160. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to ver-sion 18.0.0.160, although Chrome users on Mac systems will find 18.0.0.161 is actually the latest version, according to Adobe. To force the installation of an available update, click the triple bar icon to the right of the address bar, select “About Google” Chrome, click the apply update button and restart the browser. The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). See this graphic for the full Adobe ver-sion release. Most applications bundled with Adobe AIR should check for updates on startup. If prompted, please download and install the AIR update. If you need to update manually, grab the latest version here.
As usual, please sound off in the comments section if you experience any issues applying any of these patches. June 10,2015
