5.7.18

Going on vacation? Five things to do before you leave



You’ve set up an out-of-office auto-responder and packed your stuff, but have you done all of your “homework” before you rush out the front door for that well-deserved time off?
You’re probably taking the vacation to unwind, but it is certainly not the time to put cybersecurity on the back burner. On the contrary, being outside the familiar environment of your home or office may expose you to unforeseen threats. Which is why you would be well-advised to be doubly cyber-vigilant, or else pesky insects may be the least of your worries during your time off. Indeed, a serious cyber-mishap can “spoil the fun” even beyond the duration of your vacation.
Let’s cut to the chase, then: what can you do ahead of your trip to take the sting out of a possible cyber-incident?
Downsize
Consider preparing to become a bit of a “digital minimalist” for a while and leave (some of) your tech at home. Put differently, pare down only to the bare essentials that you cannot possibly do without. All those mesmerizing sights on your trip will be distracting enough anyway, won’t they?
This suggestion may raise an eyebrow, but the truth is that, by carrying only the most necessary of devices, you not only have fewer of them to lose but, even more importantly, you’re giving ne’er-do-wells fewer opportunities for compromising your digital assets and personal information.
Having less stuff to carry around and recharge may well be a welcome added benefit. The especially wary may want to consider using a temporary or throwaway device and ensure that it contains as little in the way of private information as possible.
Stay current
Whatever device(s) you take with you, check that the operating system(s) and applications are updated for security fixes, especially the software with vulnerabilities that are known to be often exploited by cybercriminals. Ideally, it helps to have this never-ending routine automated whenever possible or at least to make sure that you receive timely notifications of a pending update.
Double-check that everything works as intended, so that you don’t end up stranded while on the go. When it comes to installing updates, especially the major ones, you want to limit the likelihood of remaining exposed or being forced to rely on an unreliable and unsafe public Wi-Fi connection or on your data plan.
Another way of reducing your attack surface is uninstalling outdated and unused software and shutting down no-longer used accounts. Needless to say, ensure that you use reputable anti-malware software and that it is up-to-date, too.
Keep intruders out
Regardless of the tech you carry, make sure its screen is protected with a first line of defense – such as a strong and unique password, passphrase, PIN code, or one of the available methods of biometric authentication such as fingerprint scanning or facial recognition. By extension, set up the device to auto-lock its screen after being idle for as short a period as you can tolerate.
That’s not all, however. The odds of data falling into the wrong hands can be greatly lessened with full-disk encryption. This is generally available for various types of devices and platforms, be it as an in-built solution (although not necessarily enabled out of the box) or as third-party software. Speaking of theft, you can also set up an anti-theft security feature that allows you to track your missing device and even wipe all of its contents remotely.
Back it up before you go-go
The loss of a wealth of personal data stored on a laptop or smartphone is bound to cause much more heartache than the loss of the device as such. Which is why the importance of having a safety net to fall back on when things do go awry with your data cannot be overstated.
With encrypted backups of your data stored in a secure offline location, you can also ultimately emerge unscathed from, say, a malware infestation, ransomware attack or, indeed, even a simple device malfunction.
Moderation is (the) key …
… not to your home, though. Rounding off our list is a tip that actually extends to the safety of your abode. Put simply, you may want to refrain from trumpeting all over social networking sites that you and your family will be away from home for any given number of days. The temptation to share can be hard to resist, but giving in to it may expose you to a physical intrusion into your home, which may jeopardize more than just your backups or the very devices we suggested you leave at home.
Putting yourself in a criminal’s shoes may help: could the information you post publicly help an attacker hurt you? If so, you may want to think twice before posting it. Boundaries between virtual and actual worlds can be very blurry and even seemingly innocuous digital actions can have outsize real-life implications.
Have a great vacation!
Indeed, these basic precautions are unlikely to stop you from enjoying your vacation, but they can go a long way towards preventing you from having a miserable one (or homecoming). For more tips that can serve you well both during your travel and beyond, navigate to our recent article covering 11 basic cybersecurity tips.

3.7.18

Britain’s tax authority reports takedown of record 20,000 fake sites

Tomáš Foltýn



Her Majesty’s Revenue & Customs (HMRC) is “consistently the most abused government brand”, according to the National Cyber Security Centre (NCSC)
The United Kingdom’s tax collection authority, Her Majesty’s Revenue & Customs (HMRC), initiated the removal of as many as 20,750 websites masquerading as the taxman over the past 12 months, according to HMRC’s recent announcement.
This is a 29-percent increase on the 12-month period before. Nobody should rest on their laurels, however, with HMRC calling on the public to remain on guard against scammers.
“Despite a record number of malicious sites being removed, HMRC is warning the public to stay alert as millions of taxpayers remain at risk of losing substantial amounts of money to online crooks,” according to HMRC.
Most commonly, fraudsters seek to con people out of money via the age-old tax refund scam. This involves sending out emails or text messages that attempt to bamboozle the taxpayers into believing that they are due a tax rebate. The missives will normally include links to websites that collect the targets’ personal information or bank account details, or spread malicious software.
In addition, HMRC said that it has taken other actions designed to combat fraud, especially those where technology helps. This includes deploying a verification system, called DMARC, in 2016 that has since blocked no fewer than half a billion phishing emails from reaching their intended recipients.
Additionally, the tax authority has been trialling new technology since April 2017 that “identifies phishing texts with ‘tags’ that suggest they are from HMRC, and stops them from being delivered”. Thanks to this, the number of customer reports concerning fraudulent HMRC-related texts has plunged by 90 percent.
Importantly, HMRC said recently that “people are 9 times more likely to fall for text message scams than other forms like email”, hence its pilot project combating fake texts. The increased susceptibility to falling prey to SMS-borne campaigns is because the messages “can appear more legitimate, with many texts displaying ‘HMRC’ as the sender, rather than a phone number”.
Mel Stride, Financial Secretary to the Treasury and Paymaster General, noted the strides in the fight against online fraud: “HMRC is cracking down harder than ever, as these latest figures show. But we need the public’s help as well. By doing the right thing and reporting suspicious messages you will not only protect yourself, you will protect other potential victims,” he said.
HMRC reminded people that genuine organizations such as itself or banks never make uninvited approaches via emails or texts to ask for people’s PIN, password or bank details. As a result, people should never disclose their personal data, download attachments, or click links in messages or emails that they didn’t expect to receive from HMRC or, indeed, anybody else.


The principle of least privilege: A strategy of limiting access to what is essential


The principle of least privilege is a security strategy applicable to different areas, which is based on the idea of only granting those permissions that are necessary for the performance of a certain activity.
In a recent conversation with our marketing analyst at ESET Mexico, Juan Carlos Fernández, we discussed a story about a scam carried out by a bogus company during his time as a university student. The company, which allegedly recruited students, collected information included on the résumés of those who applied.
No students were actually hired, of course, but their personal information had been provided voluntarily. The incident would be quite irrelevant if it wasn’t for the fact that résumés usually include personal information and data, which can compromise people’s safety if it falls into the wrong hands. In the case of university students, data such as their photographs, addresses, contact information, social network accounts, and other information will no doubt be included.
And while this information may be necessary for some recruiters, it is highly likely that it is not essential when finalizing the hiring process. The idea of only providing the required information, and access to it, can be applied to different areas, and cybersecurity is no exception. This good practice is known as the principle of least privilege, and we discuss it in this publication.
Least privilege: A good security practice
In the area of cybersecurity, the assignment of permissions that a user may have to a system or to information is a security practice that is continuously applied. For example, operating systems are developed with different roles (and, of course, privileges), which are designed for different user profiles, based on their activities and responsibilities.
Operating under the principle of least privilege, as the name implies, is based on the premise of only granting necessary and sufficient permissions to users to carry out their activities, for a limited time, and with the minimum rights required for their tasks. This practice can be implemented with respect to technology usage, with the aim of ensuring the security of information, as well as our privacy.
Assigning users permissions beyond those needed for a certain action may allow them to do things they are not authorized to do, such as accessing, obtaining, or modifying information. Privileges must also be considered for entities or services, so that they can meet their objectives without compromising privacy or security; here, an important responsibility of users is to work out which permissions are necessary and sufficient, and to grant only those.
Can least privilege be applied to social networks?
The recent revelations involving Facebook and Cambridge Analytica demonstrate the value of personal data and the responsibility we have as users over how our personal information is handled.
And while the paradigms of privacy change over time, we should not ignore the fact that this is a constant concern, especially in the digital age, where even new legislation seeks to grant more rights to users over their information.
Based on this notion, a good practice would be to only provide the basic information necessary to use social networks and not share sensitive or confidential information with any other users, especially if we do not know those people who may be hiding behind what may be fake profiles.
So, in addition to being careful about the information we post on different social platforms, it is also a good idea to configure the privacy and security options, as well as the restrictions applicable to other users concerning the posts or data on display. We should not become so paranoid that we feel the need to stop using these new forms of communicating and interacting, especially if we advocate their conscious, responsible, and safe use, and this is where we could also apply the principle of least privilege.
The principle of least privilege on mobile devices
The applications we install on our devices must also be limited by privileges on the device. An application may be considered intrusive (or even malicious) due to the permissions it requests when it is installed, and of course, due to the activities it then carries out on the device.
There are countless cases in which applications request permissions that are often not necessary for their intended function on a phone. A classic example of this is flashlight applications. These apps only turn the LED of the device on and off, so do not require access to phone information such as location, contacts, calls, or SMS messages. In this case, the principle of least privilege should also play a prominent role.
In a specific case related to this type of flashlight application, a banking Trojan was discovered that targeted Android users. Once it was installed and executed, the app requested device administrator permissions.
In addition to providing the promised flashlight function, this remotely controlled threat also sought to steal the banking credentials of its victims. No doubt, the principle of least privilege could also be applied to this scenario, by only providing the app with the minimum privileges necessary for its function.
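As an added illustration (not part of the original article), the flashlight case can be turned into a check: compare the permissions an app's manifest requests against a baseline for its stated function, and note whether it declares a device administrator receiver. The baseline set, the sample manifest and the function name `audit_manifest` are assumptions made for this example, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline: what a flashlight app plausibly needs to drive the LED.
FLASHLIGHT_BASELINE = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
}

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def audit_manifest(manifest_xml, baseline):
    """Return (excess_permissions, wants_device_admin) for a manifest."""
    # For manifests from untrusted sources, a hardened parser is preferable.
    root = ET.fromstring(manifest_xml)
    requested = {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }
    # A receiver guarded by BIND_DEVICE_ADMIN means the app can ask the
    # user to make it a device administrator.
    wants_admin = any(
        el.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for el in root.iter("receiver")
    )
    return sorted(requested - baseline), wants_admin


if __name__ == "__main__":
    excess, admin = audit_manifest(SAMPLE_MANIFEST, FLASHLIGHT_BASELINE)
    for perm in excess:
        print("beyond baseline:", perm)
    print("declares device-admin receiver:", admin)
```

Anything reported beyond the baseline is a prompt to ask why the app needs it, not proof of malice on its own.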
The principle of least privilege: A security strategy applicable to different areas
Touching back on the story we initially discussed, we know that different criteria may be considered when hiring a person, but for reasons of security and also privacy, a recruiter probably should not know all of our information, especially if all that information is not handled securely.
And so, it is about providing only the minimum data, privileges, or resources necessary to perform an activity or fulfill a purpose, regardless of whether it involves an operating system, a social network, an application, or, even as we proposed at the start of this publication, when submitting a résumé.