SMU Phishing Exercise 2016 - Results
The phishing exercise was conducted by IITS in Oct and Nov 2016, involving over 12,000 staff and students. A total of 13.49% of our faculty/staff and 28.30% of students fell prey to this phishing test.
Content Of The Phishing Email
Tips On How To Identify A Phishing Email
Ransomware
What is ransomware? It is a type of malicious software designed to block access to a computer system until a sum of money is paid. It blocks access by encrypting files.
One of the most common types of ransomware is CryptoLocker.
The most recent is Locky ransomware (Sample Email)
Ransomware has become increasingly complex and advanced over time, making prevention and protection more challenging. Ransomware can enter a PC through many vectors, including email spam, phishing attacks, or malicious web downloads. As with other highly sophisticated threats, organizations are recommended to employ multiple layers of protection on the endpoint, gateway and mail servers for the highest level of protection against ransomware.
User Education
- Ensure your security products (antivirus software) are updated regularly and perform periodic scans.
- Timely application of software patches from OS and 3rd party vendors.
- Exercise good email and website safety practices – downloading attachments, clicking URLs or executing programs only from trusted sources. Always check who the email sender is. If the email is supposedly coming from a bank, verify with your bank if the received message is legitimate. If from a personal contact, confirm if they sent the message.
- Refrain from clicking links in email. In general, clicking on links in email should be avoided. It is safer to visit any site mentioned in email directly. If you have to click on a link in email, make sure your browser uses web reputation to check the link.
- Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task.
- Back up important data. Unfortunately, there is no known tool to decrypt the files encrypted by ransomware. A safe computing practice is to ensure you have backups of your files. The 3-2-1 principle should be in play: three copies, two different media, one separate location.
- Encourage users to alert the IT Security team or Help Centre of potentially suspicious emails and files.
IT Help Centre contact information: +65 6828 0123; email: helpdesk@smu.edu.sg
Last updated on 2 Aug 2016
Apple IDs Compromised - iPhones or iPads held for ransom
Recently, some users in Australia, New Zealand, Canada and the US have had their Apple IDs compromised. As a result, affected users had their Apple iPhones or iPads remotely locked and held for ransom. Users saw the following screen on their locked devices.
Once the Apple ID is compromised, the perpetrator can access the Find My iPhone feature in iCloud, turn on the Lost Mode feature, lock the device and display a ransom message.
While it remains unclear how the Apple IDs were compromised, there are some good security practices to follow to prevent the above from happening.
- Set a passcode on your phone or tablet. If you had set a passcode on your device, then you can unlock your device by entering your passcode. If you did not set a passcode, then the perpetrator is required to set a passcode when enabling the Lost Mode feature. Unless you know the passcode, your device will remain locked and you will have to call Apple support for assistance.
- Set up two-step verification for your Apple ID. This will make it much harder for an attacker to access your Apple ID account to make changes or purchases. In essence, besides entering your Apple ID and password, you will have to enter a verification code sent to you before you can access your Apple account.
For more information on two-step verification, browse to http://support.apple.com/kb/ht5570
Sources:
Apple IDs Compromised: iPhones, iPads and Macs Locked, Held for Ransom
Apple device hijacking spreads to US as Aussies urged to change passwords
New Android Malware Blocks Phone Calls
Compromised Customer Database at Adobe Systems Inc
Adobe has announced that some of their customer information stored in a database has been compromised. The information that may have been compromised includes names, user identification, numbers, encrypted passwords and payment card numbers. As a precaution, Adobe has reset passwords for all users whose current login information was in the database that was taken by the attackers.
You will receive an email notification from Adobe with information on how to change your password. They will only notify customers whose Adobe ID and password were involved, and that process is already underway.
As a precaution, we strongly recommend that you change your password on all systems that you have access to, especially SMU systems, where you may have used the same user ID and password as your Adobe ID and password.
Protect yourself against non-legitimate email "phishing" attempts: If you received an email requesting you to change your password, and you're concerned whether it is legitimate, don't click any links in the email. Instead, type www.adobe.com/go/passwordreset into your browser to be sure. How to recognize phishing attempts.
For more information on the Adobe announcement, please refer to http://helpx.adobe.com/x-productkb/policy-pricing/customer-alert.html.
Cyber experts uncover 2 million stolen passwords to Web accounts
(Source: http://www.reuters.com)
(Reuters) - Security experts have uncovered a trove of some 2 million stolen passwords to websites including Facebook, Google, Twitter and Yahoo from Internet users across the globe.
Researchers with Trustwave's SpiderLabs said they discovered the credentials while investigating a server in the Netherlands that cyber criminals use to control a massive network of compromised computers known as the "Pony botnet."
The company told Reuters on Wednesday that it has reported its findings to the largest of more than 90,000 websites and Internet service providers whose customers' credentials it had found on the server.
The data includes more than 326,000 Facebook Inc accounts, some 60,000 Google Inc accounts, more than 59,000 Yahoo Inc accounts and nearly 22,000 Twitter Inc accounts, according to SpiderLabs. Victims were from the United States, Germany, Singapore and Thailand, among other countries.
Representatives for Facebook and Twitter said the companies have reset the passwords of affected users. A Google spokeswoman declined comment. Yahoo representatives could not be reached.
SpiderLabs said it has contacted authorities in the Netherlands and asked them to take down the Pony botnet server.
An analysis posted on the SpiderLabs blog showed that the most-common password in the set was "123456," which was used in nearly 16,000 accounts. Other commonly used credentials included "password," "admin," "123" and "1." (bit.ly/1g6hfJZ)
Useful Tips
One method of choosing a strong password
- Think of a phrase. Select the first letter of each word in the phrase.
- Have both upper and lower case alphabets.
- Some letters can be changed to numbers. Examples: “5” for “S”, “7” for “L”, “3” for “E”, “0” (zero) for “O”.
- Some letters can be changed to symbols. Examples: “@” for “a”, “!” for “I” or “l”.
For more information on password security please click here.
Fake Ministry of Manpower (MOM) website
Do you pay attention to whether you’re accessing a genuine website? Can you guess the real MOM website below?
Figure 1
Figure 2
Figure 3
Figure 4
Have you noticed the differences? I hope you identified the correct MOM official site...
Just remember SAM. SAM stands for Source Always Matter. We should always check the source to ensure we are clicking on genuine links, as perpetrators will try to lure you to malicious sites by hiding the source. So don’t be tricked. Think of SAM.
Figure 2 and Figure 4 are genuine MOM web pages. Here are the details of the MOM fake website incident. (source http://www.insing.com/)
The Ministry Of Manpower (MOM) has cautioned the public against fake websites online which have been duplicating the official MOM website (www.mom.gov.sg).
The ministry made the announcement on Facebook on Thursday, 29 December, adding that the public should only use mom.gov.sg for all relevant matters.
The first duplicate website, www.momgov.sg was discovered last Thursday, 28 November, and a police report was made the following day. The site was deleted close to midnight on Friday.
Another duplicate site, www.movgov.sg was found on Saturday and the website was deleted after another police report was made.
The two duplicate websites had followed the layout, colour scheme and images of the official MOM website.
Internet users who visited the duplicate sites were greeted with pop-up pages of spam advertising.
The ministry posted an update on their Facebook page on the morning of 1 December 2013, telling the public that the websites were deleted but "it will take about 48 hours for servers worldwide to effect the deletion. This means that some of you may still be able to view the website till then.”
The fake websites are inaccessible as of Monday morning.
“We would like to caution everyone that a small variation in the URL (in these cases, a full-stop or a misspelling) can make a whole world of difference,” wrote the administrators on the Facebook page.
Tan Chuan Jin, Acting Minister for Manpower, commented on his own Facebook profile on Sunday afternoon regarding the duplications.
He wrote: “Some feel it is a game and cheer on such activities. It is not. It disrupts all our lives and if substantive sites are really compromised, consequences aren't always trivial.”
Tan also warned the public against these sites and the disruptions they may potentially bring.
“Phishing sites are criminal because they try to fool you into giving your data. Serious hacking that entail stealing of information and disruption of systems is dangerous and something we must defend against,” wrote Tan.
Please see the Ministry of Manpower's official statement. (source http://www.mom.gov.sg/)
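The "small variation in the URL" the MOM article warns about (a dropped full-stop or a misspelling) can be checked mechanically. The Python sketch below is an added example, not part of the original page: it compares a URL's host against an allow-list of official domains and flags near matches. The allow-list contents, the distance threshold of 2 and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the allow-list holds only the official domain named on this page.
OFFICIAL_DOMAINS = {"mom.gov.sg"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def host_of(url: str) -> str:
    """Lower-cased hostname without a leading 'www.' or trailing dot."""
    if "//" not in url:
        url = "//" + url  # make urlsplit treat a bare host as the netloc
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def classify(url: str, max_distance: int = 2) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for the URL's host."""
    host = host_of(url)
    for good in OFFICIAL_DOMAINS:
        if host == good or host.endswith("." + good):
            return "official"
    for good in OFFICIAL_DOMAINS:
        # Strip dots first so a dropped full-stop still counts as a near match.
        if edit_distance(host.replace(".", ""), good.replace(".", "")) <= max_distance:
            return "lookalike"
        # Official name used as a prefix of someone else's domain.
        if host.startswith(good + "."):
            return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # The first three hosts are quoted on this page; the last is constructed.
    for u in ("http://www.mom.gov.sg/", "www.momgov.sg", "www.movgov.sg",
              "http://mom.gov.sg.example.com/login"):
        print(f"{u:40} {classify(u)}")
```

A mail gateway or web proxy can apply the same comparison to links before a user ever sees them, with the allow-list extended to the organisation's own domains.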
Anonymous will Target Government Agencies Globally on #Nov5th
Received from Starhub email alert.
Starhub has received news that hacktivist group, Anonymous, will be attacking government agencies globally on the 5th of November, 2013.
The operation, known as “#Nov5th”, is touted to be a global movement to celebrate Guy Fawkes Day/Night, an affiliation with the iconic masks worn by Anonymous members as a means of identification for the group, with a mass rally to remind the world ‘That fairness, justice and freedom are more than just words’.
Deviating from their usual modus operandi of underground communications channels for operations, this ‘event’ is planned through mainstream social media channels like Facebook, Twitter and WordPress blogs.
Facebook pages relating to this event have been created, thus we have some ground to believe some form of cyber aggression may take place on the 5th of November.
Singapore: https://www.facebook.com/events/145165362355272/
Global Map: http://www.zeemaps.com/view?group=654291&x=-110.522023&y=40.261775&z=13
News agencies around the world had also released articles pertaining to this movement.
Voice of Russia: http://voiceofrussia.com/2013_10_17/One-million-masks-expect-us-Anonymous-2114/
RT USA: http://rt.com/usa/anonymous-fawkes-dc-march-902/
International Business Times: http://www.ibtimes.co.uk/articles/506779/20130917/anonymous-million-mask-march-highlights-shift-strategy.htm
We are anticipating some form of cyber-skirmish on government agencies globally, or government linked entities, of possibly denial of service attacks or attempts to breach your network. It would also be prudent to be on heightened alert for attacks on any other private sectors.
Their main target would presumptuously be attempts to breach and deface publicly available resource and/or obtaining personal identifiable information (PII).
GCC has categorized this security alert as high risk priority and we will:
(1) Be on heightened alert on any suspicious network incidents triggered for this period.
(2) Monitor public facing cyber assets closely for any suspicious activities.
Workaround/Advice:
Ensure all your software is updated to the latest version, as the attackers tend to exploit any kinds of vulnerabilities found within your site to achieve the defacement purpose.
Be on high alert for any unusual activities on your computer and your network.
Facebook 'stalker' tool
Not only must we be careful with the personal information we post on social media networks; we and our friends on social media networks now also have to be careful with what we post about others, and what others post about us. All that available information can be mined to understand the target: you.
Kirk, J. (2013, October 17), Facebook ‘stalker’ Tool Uses Graph Search for Powerful Data Mining.
Rogue Security Software
Rogue security software is a type of program that pretends to detect and remove malware for a fee. Such programs are also known as fake antivirus software.
The rogue security software will display a list of supposed "malware" on your workstation, and then advise you to pay to register the software in order to remove the fake threats from your workstation.
A user was recently infected with Antivirus Security Pro, a known Fake Antivirus software.
Takeaway lessons
- Do not try to remove the fake antivirus unless you have the instructions and know how to carry them out.
- Do not panic and be forced to pay for the software.
- Do buy antivirus software from reputable companies.
- Do back up your critical files regularly.