in In the News
April 23rd, 2014

The Phishing continues

 The phishing scammers are trying again.  We have received several reports this morning of the message below being received by members of our community.  This is the kind of phishing message we believe was responsible for the direct deposit problem we reported earlier this month, and the scammers are trying to use the fact that they were successful last time to continue and extend their crime.  This message claims to be from security and talks protecting you from the evils of phishing.

BU Security Tips: Keeping Safe & Secure for the Holidays and 2014

 In this digital age, we rely on our computers and devices for so many aspects of our lives that the need to be proactive and vigilant to protect against cyber threats has never been greater. Included in this article are several best practice strategies for strengthening defenses!

Adobe Leaked Passwords – if you haven’t changed your password, please do so now

If you have ever created an account with Adobe to download or register any of their products, please change your Adobe password immediately and be sure to change the password of any account that shares this password.   To change your BU password, go to:  http://www.bu.edu/tech/accounts/kerberos/reset/

Adobe was recently the victim of a hack [1] in which  of over 153 million accounts, passwords and password hints were exposed. BU InfoSec has analyzed the information that was made public to find risks to our users and found that over 9000 of these accounts belong to users who signed up with Boston University email addresses.

To keep yourself safe in the future, do not use the same password for multiple accounts and use a password manager [2] to store each unique password and keep them all safe.

If you need any assistance or are concerned about the security of your BU Kerberos account, contact the BU Help Desk at (617) 353-HELP or ithelp@bu.edu.

[1] http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html
[2] http://www.bu.edu/infosec/howtos/password-management/

Cryptolocker: How to avoid getting infected and what to do if you are

ComputerWorld: There’s a new piece of ransomware circling the internet – Cryptolocker comes in the door through social engineering. Usually the virus payload hides in an attachment to a phishing message, one purporting to be from a business copier like Xerox that is delivering a PDF of a scanned image, from a major delivery service like UPS orFedEx offering tracking information or from a bank letter confirming a wire or money transfer.

Here’s how to protect yourself from this threat

If you believe you’ve been infected, visit this link for help: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Android banking malware with a twist in the delivery

Naked Security: “…Mobile malware that reads your SMSes before you do can steal important data such as the two-factor authentication (2FA) codes sent by your email provider or your bank, giving cybercriminals a way into your account despite the extra layer of protection in place.”

FBI has arrested five people, two of whom ran websites, on suspicion of offering or using hacking on demand services.  FBI said that it has picked up two website operators and three users in an international operation involving the cooperation of Romanian, Indian and Chinese authorities.  The five domestic suspects from Arkansas, California, Michigan and New York have been charged with obtaining unauthorized access to email accounts.

Craft store Michaels faces second credit card compromise in 3 years

Naked Security: Michaels, the largest arts and crafts store in North America, has acknowledged it may be the latest victim of malware targeting point-of-sale (PoS or cash register) computers.

Feds to Charge Alleged SpyEye Trojan Author

Krebs On Security: Federal authorities in Atlanta today are expected to announce the arrest and charging of a 24-year-old Russian man who allegedly created and maintained the SpyEye Trojan, a sophisticated botnet creation kit that has been implicated in a number of costly online banking thefts against businesses and consumers.

Target admits “there was malware on our point-of-sale registers”

Naked Security: “The Target data breach story has turned into a bit of a bus: it’s big, has lots of momentum, and three just came along at once.”

Java-based malware driving DDoS botnet infects Windows, Mac, Linux devices

Ars Technica: “Multi-platform threat exploits old Java flaw, gains persistence.”

Deconstructing the $9.84 Credit Card Hustle

Krebs On Security: “Over the holidays, I heard from a number of readers who were seeing strange, unauthorized charges showing up on their credit and debit cards for $9.84. Many wondered whether this was the result of the Target breach; I suppose I asked for this, having repeatedly advised readers to keep a close eye on their bank statements for bogus transactions. It’s still not clear how consumers’ card numbers are being stolen here, but the fraud appears to stem from an elaborate network of affiliate schemes that stretch from Cyprus to India and the United Kingdom.”

FBI warns of crimewave hitting cash registers

Naked Security: “The US Federal Bureau of Investigations (FBI) has warned retailers to harden their defences against cyber-heists – particularly those that latch onto credit card details from shoppers, as apparently happened to Target”

Stop Asking Me for My Email Address

New York Times: “I explained, as I have a hundred times before, that I’m a paranoid security reporter who makes it a general rule of thumb not to hand out information unnecessarily.”

Apple.com does more to protect your password, study of top 100 sites finds

Ars Technica: Which sites allow “123456”? Study names/shames the best/worst password policies.