Blog

Social Networking Sites: Security and Privacy Issues

Recent hacks involving several high-profile social networking accounts once again highlight the potential vulnerability of social media. The sheer volume of users and the information that gets posted on social media sites create plenty of opportunity for an attacker to use social engineering or other methods to gain access to the accounts of individuals and organizations. The more information you post, the more your security and privacy are at risk.

Precautions to Take
Below are some helpful tips regarding security and privacy while using social networking sites:
  • Ensure that any computer you use to connect to a social media site has proper security measures in place. Use and maintain anti-virus software, anti-spyware software, and a firewall.

  • Be cautious when clicking on links. If a link seems suspicious, or too good to be true, do not click on it…even if the link is on your most trusted friend’s page. Your friend’s account may have been hijacked or infected and is now spreading malware.

  • If you are going to request that your account be deleted, first remove all of the data. Request that the account be deleted, rather than deactivated.

  • Type the address of your social networking site directly into your browser or use your personal bookmarks. If you click a link to your site through email or another website, you might be entering your account name and password into a fake site where your personal information could be stolen.
  • Be cautious about installing applications. Some social networking sites provide the ability to add or install third party applications, such as games. Keep in mind there is sometimes little or no quality control or review of these applications and they may have full access to your account and the data you share. Malicious applications can use this access to interact with your friends on your behalf and to steal and misuse personal data. Only install applications that come from trusted, well-known sites. If you are no longer using the app, remove it. Also, please note that installing some applications may modify your security and privacy settings.

  • Use strong and unique passwords. Using the same password on all accounts means that if one is compromised, the rest are too. Use different passwords for different accounts (a password manager makes this practical), and do not use the password you use to access your organization’s network on any personal site.
  • Be careful whom you add as a “friend,” or what groups or pages you join. The more “friends” you have or groups/pages you join, the more people who have access to your information.

  • Do not assume privacy on a social networking site. For both business and personal use, confidential information should not be shared. You should only post information you are comfortable disclosing to a complete stranger.

  • Use discretion before posting information or comments. Once information is posted online, it can potentially be viewed by anyone and may not be able to be retracted afterwards. Keep in mind that content or communications on government-related social networking pages may be considered public records.
  • When posting pictures, delete the metadata (EXIF data) first. It can include the date and time the picture was taken and, for photos from phones and GPS-equipped cameras, the exact location.

  • Do not announce that you are on vacation or away for an extended period of time.

  • Configure privacy settings to allow only those people you trust to have access to the information you post, and your profile. Also, restrict the ability for others to post information to your page. The default settings for some sites may allow anyone to see your information or post information to your page.

  • Review a site’s privacy policy. Some sites may share information, such as email addresses or user preferences, with other parties. If a site’s privacy policy is vague or does not properly protect your information, do not use the site.
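
Here is how the metadata removal in the tip above can be done. This is an added example, not code from the BIT post; it uses only Python’s standard library, the sample JPEG bytes are constructed (a valid container, not a viewable picture), and the choice of which segments to drop is this example’s own.

```python
"""Strip metadata segments (EXIF, XMP, IPTC, comments) from a JPEG.

Added example for the "delete the metadata" tip; not code from the BIT post.
A JPEG is a sequence of marker segments (0xFF, marker byte, 2-byte big-endian
length, payload). EXIF and XMP live in APP1 (0xE1), IPTC/Photoshop data in
APP13 (0xED) and free text in COM (0xFE). Everything from the SOS marker
(start of scan) to the end of the file is pixel data and is copied through.
"""
import struct
import sys

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Segments to drop (this example's policy). APP0 (JFIF) and APP2 (ICC colour
# profile) are kept: they describe the file format, not when or where the
# picture was taken.
STRIP_MARKERS = {0xE1, 0xED, COM}


def strip_jpeg_metadata(data: bytes) -> tuple[bytes, list[str]]:
    """Return (cleaned bytes, names of the segments that were removed)."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(data[:2])
    removed: list[str] = []
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker: skip it
            pos += 1
            continue
        if marker == SOS:           # scan data follows: copy the rest verbatim
            out += data[pos:]
            break
        if marker == EOI:
            out += data[pos:pos + 2]
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in STRIP_MARKERS:
            removed.append("COM" if marker == COM else f"APP{marker - 0xE0}")
        else:
            out += data[pos:pos + 2 + length]
        pos += 2 + length
    return bytes(out), removed


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment (the length field counts itself, not the marker)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a structurally valid JPEG container (not a viewable
# picture) carrying an EXIF date and a comment with a street address.
SAMPLE_JPEG = (
    bytes([0xFF, SOI])
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08"
                     b"2016:12:01 10:15:00\x00")
    + _segment(COM, b"Taken at home, 123 Example St")
    + _segment(0xDB, b"\x00" + bytes(64))                       # quantisation table
    + _segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")   # SOF0 frame header
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x00\x11\x22"
    + bytes([0xFF, EOI])
)

if __name__ == "__main__":
    # Usage: python strip_exif.py in.jpg out.jpg
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        cleaned, removed = strip_jpeg_metadata(f.read())
    with open(dst, "wb") as f:
        f.write(cleaned)
    print(f"removed segments: {removed or 'none'}")
```

Removing EXIF does not remove what is visible in the picture itself (street signs, house numbers, reflections), and although some sites strip metadata on upload, it is safer not to rely on that.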

Stay tuned to our blog for more on cyber security tips throughout the year. For additional information, please visit cybersecurity.sd.gov.

I/T Definition: Security Activity

I/T language can be confusing. BIT can help!

Security Activity – activity meant to enhance and maintain a high level of security.  This includes scanning network and email communications with sources and destinations that are outside of the state network.  It also includes installing upgraded security software and hardware including: anti-virus software, firewalls, content-filtering software, and intrusion detection software.

Gone Phishing

In the pre-Internet era, con men, also known as confidence men, would gain victims’ confidence through deception in order to defraud them. The same principles are used today, only now with even greater efficiency through online scams.

One of the most prolific means for online scamming is phishing. When using email, it is difficult to know, with certainty, with whom you are communicating. Scammers will utilize this uncertainty to pose as legitimate businesses, organizations, or individuals, and gain the trust of users. If a scammer is able to gain the trust of victims, they can leverage this trust to convince victims to willingly give up information or click on malicious links or attachments. 
To gain users’ trust, scammers make themselves look like legitimate businesses or organizations by spoofing the sender’s email address, creating a fake website with legitimate logos, and even providing phone numbers for an illegitimate customer service center operated by the scammers.
Two Common Types of Phishing Attacks 

  1. Advance-fee scams are perhaps the best-known form of email scam. The scammer pretends to have a fortune that he or she cannot access without the help of someone trustworthy, which happens to be you! The scammer tries to obtain the user’s financial information using an empty promise of sharing the wealth in exchange for their help.
  2. Spear-phishing is a targeted and personalized attack in which a specific organization or individual is the target. The attacker uses information gathered about the target, for example sending from an email address that looks like an acquaintance’s, to entice the user to divulge sensitive information or download a malicious file. This often requires a lot of information gathering on the targets and has become one of the favored tricks used in cyber espionage.

If you are mindful of potential phishing traps and observant of the telltale signs of a scam, you can better defend against a phishing attack.

  • Be cautious about all communications you receive including those purported to be from “trusted entities” and be careful when clicking links contained within those messages. If in doubt, do not click. 
  • Don’t respond to any spam-type e-mails. 
  • Don’t send your personal information via email. 
  • Don’t input your information in a pop-up; if you are interested in an offer that you see advertised in a pop-up ad, contact the retailer directly through its homepage, retail outlet or other legitimate contact methods.

Keep an eye out for these simple telltale signs of a phishing email:

  • The email has poor spelling or grammar.
  • The site does not use HTTPS (no lock icon in the browser’s address bar). The reverse is not a guarantee: the lock only means the connection is encrypted, and scammers can obtain certificates for their own domains too, so check the address itself.
  • The use of threats or incredible offers is a common tactic that tries to elicit an emotional response to cloud the user’s judgment.
  • The URL does not match that of the legitimate site. Scammers cannot use the same URL associated with the legitimate websites, so they will tweak the address of their spoofed website so that at a quick glance it looks legitimate.
    • The URL may use a different top-level domain (e.g., .net instead of .com)
    • The URL may use a misspelling of the real name, a look-alike character (a digit 1 for the letter l), or the real name as a subdomain of a domain the scammer owns
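
The URL checks above, as an added example that is not part of the original post. It assumes a hypothetical allow-list of domains the user expects (sd.gov and a made-up example-bank.com) and uses constructed sample links; the look-alike table and the two-label registrable-domain rule are this example’s own simplifications.

```python
"""Flag the look-alike-URL tricks listed above before a user clicks.

Added example, not code from the BIT post. The allow-list and sample links
are constructed. A real deployment would also consult a public-suffix list,
which this example does not include, so country-code suffixes such as .co.uk
are handled only approximately.
"""
import re
from urllib.parse import urlsplit

# Hypothetical allow-list: domains the user genuinely expects links to reach.
EXPECTED_DOMAINS = ("sd.gov", "example-bank.com")

# Digits that scammers swap in for similar-looking letters.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"})


def registrable_domain(host: str) -> str:
    """Last two labels: the part the scammer actually had to register."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str) -> list[str]:
    """Return the phishing indicators found in a link; an empty list means none."""
    findings: list[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        # "https://sd.gov@evil.example/" shows a trusted name but goes to evil.example
        findings.append(f"user@ prefix hides the real host ({host})")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address instead of a domain name")
        return findings
    domain = registrable_domain(host)
    if domain in EXPECTED_DOMAINS:
        return findings
    name, _, tld = domain.partition(".")
    for expected in EXPECTED_DOMAINS:
        e_name, _, e_tld = expected.partition(".")
        if name == e_name and tld != e_tld:
            findings.append(f"wrong top-level domain: {domain} vs {expected}")
        elif (name.translate(LOOKALIKES) == e_name
              or edit_distance(name, e_name) <= max(1, len(e_name) // 6)):
            findings.append(f"look-alike spelling: {domain} vs {expected}")
        if e_name in host.split(".")[:-2]:
            # "sd.gov.account-review.net": trusted name, untrusted registration
            findings.append(f"trusted name used as a subdomain of {domain}")
    if not findings:
        findings.append(f"unexpected domain: {domain}")
    return findings


# Constructed sample links, one of each kind described above.
SAMPLE_LINKS = [
    "https://www.sd.gov/page",
    "http://www.example-bank.net/login",
    "https://examp1e-bank.com/verify",
    "https://sd.gov.account-review.net/",
    "https://sd.gov@198.51.100.7/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", check_link(link) or "no indicators")
```

The check works on the link’s actual target, so apply it to the href behind the text, not to the text the email displays.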

Don’t trust a file based on its extension either. There are a variety of tricks to hide the nature of the file. Lastly, make sure you have an up-to-date anti-virus software program installed. Enable the feature to scan attachments with the anti-virus program before downloading and saving them to your computer.
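
A check that looks past the extension, as an added example (not from the original post). The magic-byte table, the executable-extension list and the sample attachments are constructed for illustration and are not a substitute for anti-virus scanning.

```python
"""Look past the file extension of an email attachment.

Added example, not code from the BIT post. The magic-byte table covers only
a few common types and the sample attachments are constructed.
"""
from typing import Optional

# First bytes of a few common file types (constructed, deliberately short).
MAGIC = {
    b"MZ": "exe",                # Windows PE executable (.exe, .scr, .dll ...)
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",        # also .docx/.xlsx/.pptx, which are zip containers
    b"\xd0\xcf\x11\xe0": "doc",  # legacy OLE Office documents (.doc/.xls)
    b"\xff\xd8\xff": "jpg",
}
ZIP_BASED = {"zip", "docx", "xlsx", "pptx", "jar"}
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta", "jar", "lnk"}
RLO = "\u202e"  # Unicode right-to-left override


def detect_type(data: bytes) -> Optional[str]:
    """Identify content by its leading bytes, ignoring the filename entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_attachment(filename: str, data: bytes) -> list[str]:
    """Return the tricks found in an attachment; an empty list means none."""
    findings: list[str] = []
    if RLO in filename:
        # "order\u202efdp.exe" is displayed as "orderexe.pdf"
        findings.append("right-to-left override character disguises the extension")
    exts = filename.replace(RLO, "").lower().split(".")[1:]
    ext = exts[-1] if exts else ""
    if ext in EXECUTABLE_EXT:
        kind = "double extension ending in" if len(exts) > 1 else "attachment is an executable"
        findings.append(f"{kind} .{ext}")
    detected = detect_type(data)
    if detected == "exe" and ext not in EXECUTABLE_EXT:
        findings.append(f"content is a Windows executable but the extension is .{ext}")
    elif detected and ext and detected != ext and not (detected == "zip" and ext in ZIP_BASED):
        findings.append(f"content looks like {detected} but the extension is .{ext}")
    return findings


# Constructed sample attachments (only the leading bytes matter here).
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n%constructed"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("holiday.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("order" + RLO + "fdp.exe", b"MZ\x90\x00"),
    ("minutes.docx", b"PK\x03\x04\x14\x00"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(repr(name), "->", check_attachment(name, data) or "no tricks found")
```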

Security Scanning Requirements: But Why!?

Protecting web applications is an around-the-clock job. These days nearly everything that is connected to the Internet can be considered a target. Targeted attacks are designed to gather intelligence, steal citizens’ information, disrupt operations or even destroy critical infrastructure. As the threat landscape continues to worsen, government divisions are doing all they can to keep their web properties available and secure, and this is where the security scanning requirements come into play.

While various network security technologies are good at protecting the network layer, a web application can be considered a point of entry for a potential attacker. Web applications are programs run through an Internet browser to allow people to fill out forms or to perform specific actions such as applying for hunting licenses. An insecure application can be used to compromise more than the information managed by that system alone. It can also be used to pivot the attack onto other systems and compromise information completely disconnected from that application’s scope. Attackers now target the web application layer by injecting attacks through the forms and fields that are open to citizens: any field whose contents reach a database query, a command or a web page without being treated strictly as data.
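
What such an injection looks like, as an added example that is not code from the BIT post or from any state application: the same login query written the vulnerable way and the parameterised way, run against an in-memory SQLite table with a constructed user row.

```python
"""The injection point a web-application scan probes: a login form whose
values are pasted into SQL, beside the parameterised version that is not.

Added example, not code from the BIT post or any state application.
Uses an in-memory SQLite database with one constructed user row.
"""
import sqlite3

# One probe of the kind sent to every text field during an OWASP-style scan.
INJECTION = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Constructed row; a real application stores a salted password hash.
    conn.execute("INSERT INTO users VALUES ('jsmith', 'constructed-hash-value')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # Form input concatenated straight into the statement: the scanner's target.
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # Bound parameters: the driver passes the values separately, so a quote in
    # the input is just a quote and cannot end the string or the statement.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


def run_probes() -> dict[str, bool]:
    """Run the same four logins against both versions and report who gets in."""
    conn = make_db()
    probes = {
        "valid credentials": ("jsmith", "constructed-hash-value"),
        "wrong password": ("jsmith", "not-the-hash"),
        "tautology in both fields": (INJECTION, INJECTION),
        "comment out the password check": ("jsmith'--", "anything"),
    }
    results = {}
    for label, (user, pw) in probes.items():
        results[f"vulnerable/{label}"] = login_vulnerable(conn, user, pw)
        results[f"hardened/{label}"] = login_hardened(conn, user, pw)
    return results


if __name__ == "__main__":
    for label, ok in run_probes().items():
        print(f"{label:45} -> {'LOGGED IN' if ok else 'rejected'}")
```

The two injected probes log in through the vulnerable function and are rejected by the hardened one; the legitimate login and the wrong password behave the same in both, which is the point: parameterising the query costs nothing in functionality.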

The South Dakota Bureau of Information and Telecommunication (BIT) requires the scans to not only protect the application in question but to protect the state infrastructure as a whole. (State infrastructure refers to the technology (hardware and software) that comprise the computer network, phone network, and connections to the Internet.) That is why BIT performs security scans for every web application or website deploying in a production environment (available for the public to use). These scans consist of attempts to gain control of the system or to gain access to the State’s data using a variety of tools and manual methods designed with one objective: attempt to exploit security vulnerabilities in an application in a safe test environment before it is deployed to the public.

As a general guideline, BIT normally tests for (but does not limit itself to) the Open Web Application Security Project (OWASP) Top 10 vulnerabilities published at: https://www.owasp.org/index.php/Top_10_2013-Top_10. This is not an all-inclusive list; cyber security is a never-ending battle. The bad guys advance, security professionals counter, bad guys cross over, and so the cat and mouse game continues. There are always new threats and attack vectors, and BIT adjusts in real time to confront them.

The need to properly secure web applications is absolute. Knowing what vulnerabilities exist within a web application helps government divisions contain possible points of exposure and safeguard citizens’ data.


A special thanks goes out to Miguel Penaranda for providing us with this article!

Security Tip: Connect with Care

It’s easy to find open Wi-Fi hotspots and connect to them, but BIT urges you to use common sense when you connect. If you’re online through an unsecured or unprotected network, be cautious about the sites you visit and the information you release.

  
STOP. THINK. CONNECT., the global cybersecurity awareness campaign, gives us the below tips to assist us all to connect with care by exercising caution and using common sense when connecting –helping all digital citizens stay safer and more secure online.
  
  • Get savvy about Wi-Fi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your phone.
  • Protect your $$: When banking and shopping, check that the site is secured. Look for web addresses beginning with “https://”, which means the connection to the site is encrypted; “http://” is not. Keep in mind that https protects your data in transit, not the honesty of the site at the other end, so still check that the address is the one you expect.
  • When in doubt, don’t respond. Fraudulent texting, calling and voicemails are on the rise. Just like email, requests for personal information or for immediate action are almost always a scam.
  • Be cautious about “scareware:” Cyber criminals use fear to compromise your computer and steal your personal information, which may include credit card information and banking login credentials. If you get security notices saying you are infected and need to purchase software, these could very well be attempts to compromise your device.
 

Online Holiday Shopping- Tips and Warnings

The holiday season is upon us! Along with the holidays comes shopping for gifts. This year BIT would like to share with you some tips and warnings to get you through the season safely…in terms of cyber security of course!
 
Online shopping is by far the most convenient way of shopping. While sitting in front of the fireplace wearing pajamas and holiday socks may seem as safe as it gets, it’s important to keep in mind that there are still threats that can affect you while holiday shopping from the comfort of your home.
 
Whether you will be conducting transactions from your desktop, laptop or mobile device, keep these tips in mind to help protect yourself from identity theft and other malicious activity this holiday season and throughout the year:

  • Secure your computer and mobile devices. Be sure your computer and mobile devices are current with all operating system and application software updates. Anti-virus and anti-spyware software should be installed, running, and receiving automatic updates. Use a strong, unique password that is not used for any other account. Set a timeout that requires authentication after a period of inactivity.
  • Use mobile applications with caution. As devices such as smartphones and tablets continue to gain popularity for online shopping, so too will the volume of attacks against them. Malware could be downloaded onto the device from seemingly legitimate shopping apps and steal credit card and other sensitive information for transmission to cyber criminals. Update all apps when notified and disable Bluetooth and Near Field Communications when not in use to reduce the risk of your data, such as a credit card number, being intercepted by a nearby device.
  • Know your online merchants. Limit online shopping to merchants you know and trust. Only go to sites by directly typing the URL in the address bar. If you are unsure about a merchant, check with the Better Business Bureau or the Federal Trade Commission. Confirm the online seller’s contact information in case you have questions or problems.
  • Consider using an online payment system or credit card. Where available, you may want to use online payment services, which keep your credit card information stored on a secure server, and then let you make purchases online without revealing your credit card details to retailers.  If you do pay online directly to the retailer, use a credit, not debit card. Credit cards are protected by the Fair Credit Billing Act and may reduce your liability if your information is used improperly.
  • Look for “https” before you click “Purchase.” Before you submit your online transaction, make sure that the webpage address begins with “https.” The “s” stands for secure, and indicates that communication with the webpage is encrypted. A padlock icon in the browser’s address bar is another indicator. Keep in mind that this only protects the data in transit; it does not tell you the merchant is legitimate.
  • Do not respond to pop-ups. When a window pops up promising you cash, bargains, or gift cards in exchange for your response to a survey or other questions, do not click anything inside it (even a “close” button drawn inside the pop-up can be a link). Close it with the browser’s own controls, or by pressing Control + W (or Control + F4) on Windows devices, or Command + W for Macs.
  • Do not use public computers or public wireless access for your online shopping. Public computers and Wi-Fi hotspots are potentially insecure. Criminals may be intercepting traffic on public wireless networks to steal credit card numbers and other sensitive information.
  • Secure your home Wi-Fi. Make sure you control who has administrative access, and that any users on your network authenticate with a strong password. Encryption settings should be enabled and strong: WPA2 (or WPA3 where your router supports it) is recommended, and WEP should not be used at all, as it is broken.
  • Be alert for potential charity donation scams. Cyber criminals try to take advantage of people’s generosity during the holiday season and can use fake charity requests as a means to gain access to your information or computer/device. Think before clicking on emails requesting donations. Don’t give your financial or personal information over email or text.
  • Be alert for major retailer / box store scams. There is a significant increase this time of year in messages allegedly coming from Target, Wal-Mart, etc. The message is in some form of “our online shop has an order addressed to you. You may pick it in any store of Target.com closest to you within four days. Please, open the link for full order information”. They look incredibly authentic, customized to be as local as possible. Be extra cautious to ensure that you have indeed ordered something from a store before clicking on any link provided therein. These scams usually infect your devices with malware.

 

Security Tip: Keep a Clean Machine

It’s important to keep a clean machine. Keeping your Internet-connected devices free from malware and infections makes the Internet safer for you and more secure for everyone. A “machine” refers to all devices that connect to the Internet—computers, gaming systems, smartphones and tablets.

STOP. THINK. CONNECT., the global cybersecurity awareness campaign, gives us the below tips to keep our machines clean while helping all digital citizens stay safer and more secure online.

  • Keep security software current: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.
  • Automate software updates: Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.
  • Protect all devices that connect to the Internet: Along with computers, smartphones, gaming systems, and other web-enabled devices also need protection from viruses and malware.
  • Plug & scan: USBs and other external devices can be infected by viruses and malware. Use your security software to scan them.

** LAN Services (Support) keep software on work machines up-to-date.  State users do not need to turn on the automatic updates on work machines. State users DO need to do that on your home machines.  If state workers have a question whether certain software on their work machines need updating or not, contact the Help Desk to have LAN Services look into the matter.