More stories

  • in

    Internet safety guide for college students

    Corporations invest billions into protecting private data. Globally, the cybersecurity services market brought in $173 billion in 2020. However, cybersecurity isn’t only a concern for government agencies and major corporations. Hackers and scammers also target individuals, including college students. Fortunately, college students can protect their private data and improve their internet safety without a corporate-sized budget.

    This internet safety guide walks through the steps you can take to improve your data security and protect your private data. From identifying red flags to avoiding common scams, college students can often avoid online threats for free.

    Why is cybersecurity awareness important?

    Internet safety matters––particularly for college students. Take identity theft, for example. Victims of identity theft may see their credit score tank. That can make it harder to qualify for an apartment, apply to certain jobs, or take out a car loan. And bad credit can follow students for years after graduation.

    College students need to prioritize cybersecurity awareness. By taking a few simple steps, students can protect their private data and decrease the chances of falling for a phishing scam, putting private information at risk, or becoming the victim of identity theft.

    Why hackers target college students

    Hackers target college students because of their unique vulnerabilities. For example, scammers focus on college students because of their social media use, lax monitoring, and poor cybersecurity awareness.

    Social media use: College students tend to include a large amount of personally identifiable information on social media. Hackers can use this information to guess passwords or the answers to common security questions.

    Lax monitoring: For many people, college represents the first time they open credit cards or manage their own bank accounts. And some college students fail to keep a close eye on their finances. That means they miss fraudulent charges. Similarly, college students might not check their credit report or find out if scammers stole their identity.

    Poor cybersecurity awareness: College students, like everyone else, worry about data theft. But most Americans fail to follow safety practices to secure their information. Many simply see data breaches and cyberattacks as an unavoidable fact of modern life.

    Common online threats towards college students

    College students face many of the same online threats as the general public, including phishing scams and fraudulent shopping sites. However, certain scams target college students. This section introduces the common online threats that college students face.

    Phishing

    A phishing scam tricks people into revealing private data or downloading malware. Many criminals target colleges with phishing scams because college email addresses often follow a predictable format that includes the student’s name. Students might receive emails that look official and ask them to confirm personal data or messages claiming they won a prize or lottery and must click on a link to claim their prize. These scams harm millions of victims every year.

    Fraudulent shopping sites

    Fake shopping sites trick students into entering their personal information, including credit card numbers. And fraudulent shopping sites target more than your data. Some send products that may be unsafe.

    College students are vulnerable to fake shopping sites because these criminals target students. Fake sites might be advertised on social media that targets students. These sites often look legitimate because they steal product photos to imitate real online shopping sites.

    Job scams

    College students invest a lot of time into looking for jobs. But criminals use fraudulent job postings to capture private information. These job scams convince students to enter their Social Security number and other data. Some scammers even reach out with unsolicited job or interview offers. However, these scams are actually phishing attempts disguised as job postings.

    Students should watch out for warning signs of a fishy job posting. A very high guaranteed salary, very low job requirements, or a demand that applicants pay a fee for their interview can indicate a scam.

    Romance fraud

    Social media and dating website fraud can trick students into providing personal information or sending strangers money. Romance frauds hook students through catfishing, where scammers pretend to be someone else online. These scammers may spend weeks or months building an online relationship with college students before asking for money or personal information. Students can protect themselves from romance fraud by limiting the information on their profile and using a throwaway email address.

    Reporting cybersecurity threats

    If you identify a cybersecurity threat, report it to your college’s IT department or information security office. Most colleges provide information about how to report a threat and what to include in your report.

    What if you fall for a scam or criminals steal your identity? You can protect yourself in several ways. First, report cybercrimes to law enforcement. Filing a police report can also help you recover money and protect your identity. Second, notify your financial institutions and freeze your accounts. Your bank can help you cancel your credit cards or take additional steps. Finally, notify credit reporting agencies and monitor your credit to remove any fraudulent reports.

    Tips and tricks for avoiding hackers

    College students can take simple steps to avoid hackers and protect their privacy. From spotting red flags to avoiding unsecured wifi networks, here are some easy tips and tricks to make your data safer.

    Learn phishing red flags

    Hackers use phishing scams to trick people into sharing private data. In one of the most common phishing scams, hackers claim to be from a reputable company, including government agencies. Their emails ask people to enter private information, like their birth date, Social Security number, or credit card number. Hackers then use that information to steal someone’s identity.

    You can avoid phishing scams by looking for red flags, including incorrect grammar or spelling, fake-looking URL or email addresses, or high-pressure attempts to convince readers to click on a link. And phishing goes beyond email––watch out for phishing attacks on social media, by phone, and through text message.

    Use caution when shopping online

    Some scammers use fake online shopping deals to trick people into entering credit card information. Instead of jumping on a deal that sounds too good to be true, take a few steps to verify the seller. Reviews posted on third-party sites such as the Better Business Bureau might indicate a scam. Using a debit-type gift card can also protect buyers from risking their credit score by falling for an online shopping scam.

    Install antivirus software

    A computer virus can destroy your data and disable your computer. Antivirus software identifies malware and other viruses to prevent your devices from becoming corrupted. You can protect yourself by installing antivirus software from a trusted company like Norton or McAfee. In addition to using antivirus protection on your laptop or desktop, consider installing antivirus software on other devices connected to the internet, including your cell phone and tablet.

    Follow password best practices

    A strong password can prevent hackers from accessing your private data. Instead of reusing the same password on multiple platforms, use unique passwords to avoid damaging data breaches. Fortunately, you don’t need to remember every single password. Instead, use a password manager to keep track of your passwords.

    Set up two-factor authentication

    Two-factor authentication adds an extra layer of security. Instead of simply logging in with a username and password, users must authenticate their identity through a second source, such as a code sent to their cell phone or an email link.

    Change your password after a breach

    Data breaches can compromise your passwords. And most people do not change their password after a data breach. By changing your password, you can prevent hackers from accessing private data. The site Have I Been Pwned lets people check whether a data breach has affected their accounts.

    Beware of unsecured wifi

    Unfamiliar and unsecured wifi can put your data at risk. Cybercriminals can access these networks to steal your information. Many colleges offer unsecured wifi access on campus.

    How can you avoid unsecured wifi? First, choose a secured network if possible. Second, reduce your potential exposure by using a VPN on an unsecured network. Finally, avoid entering personal data like credit card information while using an unsecured network.

    Add physical protection

    Antivirus software, VPNs, and password managers protect your data from online intrusions. But you should also protect the physical safety of your devices. That means using passcodes to access your devices and protecting your devices from theft. Avoid leaving devices unattended on a college campus or in any other public space. Use a cable lock on your laptop, put it away when not in use, and lock your dorm room or car.

    Take care on shared computers

    College students often use shared computers to write papers, conduct research, or search the internet. But computers available to the public in the campus library and computer lab do not have the same protections as private computers. You can protect your data on shared computers by not saving passwords and clearing your browser history. Use caution when making online purchases or logging into accounts with private data through a shared computer.

    What are key threats to student safety in online learning environments?

    Students in online learning environments must protect themselves against threats like cyberbullying, ransomware, phishing, and other threats to their internet safety. College students taking online classes should avoid sharing personal information or other forms of student data to protect themselves from identity theft and other cybercrimes.

    Are college networks secure?

    Colleges use security methods to protect their networks. However, many colleges offer public wifi access, which can potentially expose student data. When using a college network, students should implement their own security measures, such as using a VPN.

    How can students stay safe on the internet?

    Internet safety starts with awareness of potential online threats. Students can avoid phishing scams, malware, and other cyberattacks by knowing how to spot a threat. College students should also use secure passwords, avoid inputting personal data on shared computers, and protect their computing devices.

  • in

    Neiman Marcus says May 2020 breach includes millions of payment card numbers and expiration dates

    Department store giant Neiman Marcus has announced a data breach involving nearly 5 million customer accounts that included payment card numbers and expiration dates alongside other personal information.


    In a statement, the company said the breach occurred more than a year ago, in May 2020. The company told ZDNet that they only discovered the breach in September 2021.

    Last year, the 114-year-old company filed for bankruptcy and said it owed between $1 billion and $10 billion to more than 50,000 creditors.

    Neiman Marcus said it hired Mandiant to investigate the data breach and has notified law enforcement about what happened. The company said it is still trying to “determine the nature and scope” of the breach.

    “The personal information for affected Neiman Marcus customers varied and may have included names and contact information; payment card numbers and expiration dates (without CVV numbers); Neiman Marcus virtual gift card numbers (without PINs); and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts,” the company explained.

    “Approximately 4.6 million Neiman Marcus online customers are being notified of this issue. Approximately 3.1 million payment and virtual gift cards were affected for these customers, more than 85% of which are expired or invalid. No active Neiman Marcus-branded credit cards were impacted.”

    The company added that they do not believe any Bergdorf Goodman or Horchow online customer accounts were included in the breach.

    Neiman Marcus said it had created a call center to answer questions about the issue at (866) 571-9725, as well as a website for potential victims.

    Quentin Rhoads, a director at cybersecurity firm CRITICALSTART, theorized that the company waited so long to notify affected customers because of the bankruptcy filing.

    “From a security perspective, it is very dangerous for a company to go this long without detecting and responding to a breach. More damage could have been done that has yet been discovered. It is also not uncommon for attackers to sell their access to a breached company as part of their revenue-generating plan, which means there might be a chance attackers still have access,” Rhoads said.

    “Even though most of the credit cards and gift cards stolen don’t contain data like pins and CVVs, and are probably expired, the theft of usernames and passwords is concerning. This data more than likely would be sold to other attackers who can use this for crimes such as identity theft in conjunction with the other personal information stolen. The amount of delay from the breach also adds a lot of complexity in discovering exactly what happened. More than likely, critical evidence is no longer present in their systems.”

    The company has a long history of data breaches, including a major one in 2013 that led to the leakage of 1.1 million customer payment cards. Credit-card skimming malware had been implanted into systems in certain stores leading to the breach.

    Neiman Marcus agreed to a settlement in 2019 worth $1.5 million with 43 states after the 2014 incident.

  • in

    Password-stealing Android malware uses sneaky security warning to trick you into downloading


    One particularly sneaky piece of malware is trying to trick Android users into downloading it by claiming that their smartphone is already infected with that very same malware and that they need to download a security update.

    The text message scam delivers FluBot, a form of Android malware that steals passwords, bank details and other sensitive information from infected smartphones. FluBot also exploits permissions on the device to spread itself to other victims, allowing the infection chain to continue. While the links can be delivered to iPhones, FluBot can’t infect Apple devices.

    FluBot attacks have commonly come in the form of text messages which claim the recipient has missed a delivery, asking them to click a link to install an app to organise a redelivery. This app installs the malware.

    But that isn’t the only technique cybercriminals are using to trick people into downloading FluBot malware — New Zealand’s Computer Emergency Response Team (CERT NZ) has issued a warning over scam text messages which claim the user is already infected with FluBot and they need to download a security update.

    After following the link, the user sees a red warning screen that claims “your device is infected with FluBot malware” and explicitly states that FluBot is Android spyware that aims to steal financial login and password data.

    At this point, the device is not actually infected with anything at all, but the reason the malware distributors are being so “honest” about FluBot is because they want the victim to panic and follow a link to install a “security update” which actually infects the smartphone with malware.

    This provides the attackers with access to all the financial information they want to steal, as well as the ability to spread FluBot malware to contacts in the victim’s address book.

    FluBot has been a persistent malware problem around the world, but as long as the user doesn’t click on the link, they won’t get infected. Anyone who fears they’ve clicked a link and downloaded FluBot malware should contact their bank to discuss if there’s been any unusual activity and should change all of their online account passwords to stop cybercriminals from having direct access to the accounts.

    If a user has been infected with FluBot, it’s also recommended they perform a factory reset on their phone in order to remove the malware from the device.

    It can be difficult to keep up with mobile alerts, but it’s worth remembering that it’s unlikely that companies will ask you to download an application from a direct link — downloading official apps via official app stores is the best way to try to keep safe when downloading apps.

  • in

    iOS 15: Ultimate privacy and security

    iOS 15 brings several new security features to the iPhone. But ultimately, the security of a device is in the hands of the owner, who can choose to bolster that security or weaken it. Here’s what you need to know to make your iPhone a harder target for hackers and thieves. Note that these settings also mostly apply to the iPad.

    The basics

    First off, everything starts off with the basics. These haven’t changed in years.

    • Use a strong passcode using Custom Alphanumeric Code (if this is easily guessable, it’s game over). If you think someone knows your passcode, change it.
    • Go to Settings > Face ID & Passcode (or Touch ID & Passcode).
    • Turn on Face ID/Touch ID.
    • Turn on screen Auto-Lock.
    • Go to Settings > Display & Brightness and tap Auto-Lock and set to 30 seconds or 1 minute.
    • Make sure iOS is up to date.
    • Go to Settings > General > Software Update and make sure Automatic Update is enabled.
    • Keep all your apps updated.
    • Go to Settings > App Store and make sure App Updates are enabled.

    Keep an eye on apps that might be spying on you

    A new feature in iOS 15 is the ability to log what apps are up to on your iPhone. The feature is called Record App Activity, and this allows you to get a log of when an app accesses one of the following:

    • The user’s photo library
    • A camera
    • The microphone
    • The user’s contacts
    • The user’s media library
    • Location data
    • Screen sharing

    To enable this feature, go to Settings > Privacy and then scroll down to find Record App Activity.

    Built-in authenticator

    iOS 15 brings an end to having to fire up a third-party two-factor authenticator app. Now Apple has built one right into iOS, and better still, it can even autofill the information for you. Go to Settings > Passwords, and then for each password entry, you can tap on it to get access to an option called Set Up Verification Codes… which allows you to enter the information required either using a setup key or QR code. Using a two-factor authenticator is far more secure than relying on SMS messages, so you should use this feature — either using Apple’s authenticator or another app — to get the highest security.

    Hide your IP address from trackers

    Safari can now cloak your IP address from trackers on websites, making it pretty much impossible for your browsing to be logged. Go to Settings > Safari and set Hide IP Address to From Trackers.

    Secure your browsing

    If you have an iCloud+ subscription, Apple has just given you a great reason to use the Safari browser — iCloud Private Relay. This is like a VPN in that it sends your web traffic through other servers to keep your location secret. To enable iCloud Private Relay, you’ll need an iCloud+ subscription. Then go to Settings, and at the top, tap your name and then go to iCloud and enable Private Relay.

    Put a stop to email trackers

    Protect Mail Activity is a feature built into the Mail app that prevents people from knowing if emails have been opened. To enable this feature, go to Settings > Mail, tap on Privacy Protection and enable Protect Mail Activity. If iCloud Private Relay is a good reason to switch to Safari, then this feature is a good reason to switch to Mail.

  • in

    FCC aggressively moves to block spam calls

    Yesterday, I had a dozen — count ’em a dozen — spam calls. My carrier, Verizon, does a good job of marking most of them as spam, but it’s not perfect. Some calls get through. Now, if I were like most of you, I’d just ignore any call from an unknown number. Alas, I’m not. I’m a journalist, so I sometimes get calls that I must take from numbers I’ve never seen before. Sometimes you must do that too. But, now the Federal Communications Commission (FCC) is finally putting a stop to many spammers. 

    The FCC is doing this by forbidding legitimate telecom companies from taking calls originating from voice service providers whose certification doesn’t appear in the FCC’s Robocall Mitigation Database. This means “voice service providers will be prohibited from directly accepting that provider’s traffic.”

    Technically that works because telecoms must now block traffic from “voice service providers that have neither certified to implementation of STIR/SHAKEN caller ID authentication standards nor filed a detailed robocall mitigation plan with the FCC.”

    Secure Telephone Identity Revisited (STIR)/Signature-based Handling of Asserted Information Using toKENs (SHAKEN) is Caller-ID on steroids — it’s a protocol for authenticating phone calls with the help of cryptographic certificates. It’s meant to make certain that when someone calls you, the name showing up on Caller ID really is the person calling. It also lets your phone company know, in theory, who’s responsible for a specific call. STIR/SHAKEN works with both landline and cellular networks.

    Acting FCC Chairperson Jessica Rosenworcel said, “The FCC is using every tool we can to combat malicious robocalls and spoofing – from substantial fines on bad actors to policy changes to technical innovations like STIR/SHAKEN. Today’s deadline establishes a very powerful tool for blocking unlawful robocalls. We will continue to do everything in our power to protect consumers against scammers who flood our homes and businesses with spoofed robocalls.”

    Much as I’d like to think that this would drop my spam call count to zero, I know better. For example, while digital telecoms must now be using STIR/SHAKEN, old-school, older time-division multiplexing (TDM)/public switched telephone network (PSTN) based networks are still grandfathered in. The FCC requires that “providers using older forms of network technology [must] either upgrade their networks to IP or actively work to develop a caller ID authentication solution.” Still, no date has been set for this changeover.

    In addition, as Brad Reaves, North Carolina State University professor of computer science, warned in a Marketplace interview, “There are just too many loopholes and ways to bypass this system.” These include smaller voice providers that still aren’t required to implement STIR/SHAKEN. Besides that, some providers provide US phone service to people living outside the country. They’re not required to participate in STIR/SHAKEN either.

    Still, this new FCC move is a step forward. Will it end up substantially reducing spam calls? We’ll soon know if our phones finally stop ringing non-stop with junk calls. We live in hope.

  • in

    Chief exec of cybersecurity Group-IB arrested on treason charge

    The chief executive of Group-IB has been arrested by law enforcement on suspicion of state treason. 


    Ilya Sachkov, a co-founder of the prominent Russian cybersecurity company, was arrested on Tuesday at Group-IB’s Moscow office.

    The company has confirmed the incident, adding that local law enforcement conducted a search of the property on the same day. At the time, Group-IB — with headquarters in Singapore — said that the “reason for the search was not yet clear.”

    State news agency TASS cited an unnamed source in the country’s security forces when reporting that Sachkov’s arrest is based on suspicion of treason, specifically the transfer of classified information to foreign agencies which allegedly “employed” the executive.

    However, the agency says he has not “admit[ted] guilt in transferring intelligence data to foreign special services.”

    The case against the cybersecurity executive is confidential, and so there are no further details available concerning the allegations.

    A court order will keep the 35-year-old in custody for two months.

    Sachkov was picked for the 2016 edition of the Forbes Under-30 entrepreneur list and has previously met Russia’s President, Vladimir Putin.

    Group-IB maintains the innocence of its executive, as well as his “business integrity.”

    “Group-IB’s communications team refrains from commenting on the charges brought and the circumstances of the criminal case due to the ongoing procedural activities,” the firm added.

    In the meantime, lawyers for the firm are on the case, and Group-IB co-founder Dmitry Volkov will assume leadership, at least, for now.

    The cybersecurity company says that all of Group-IB’s divisions will continue to operate as normal.

  • in

    Google just patched these two Chrome zero-day bugs that are under attack right now

    For the second time this month, Google has patched two previously unknown or ‘zero-day’ security flaws in Chrome that are already being exploited by attackers.

    Google has released a stable channel Chrome update for Windows, Mac and Linux machines to address two zero-day flaws affecting the most popular browser on the web.

    The update pushes Chrome up to version 94.0.4606.71. Due to the attacks, it’s prudent for organizations and consumers to update as soon as it becomes available. Google says it will roll out in the “coming days/weeks”.

    The update includes four security fixes for Chrome, including the two zero-days. One of them, a high-severity flaw tracked as CVE-2021-37975, stems from Google’s hard-to-protect V8 JavaScript engine and was reported by an anonymous researcher.

    Another medium-severity flaw, tracked as CVE-2021-37976, is an “information leak in core” and was reported by Google’s Threat Analysis Group (TAG) with assistance from Google Project Zero security researchers.

    “Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild,” Google said in release notes.

    These latest two flaws mean Google has patched 12 zero-days in Chrome since the beginning of 2021. Google patched two zero-day Chrome flaws on September 13, marking its 10th zero-day patch for the year.

    TAG is the group at Google specializing in tracking state-sponsored attackers and has previously uncovered nefarious activity from North Korean hackers and attacks on iOS and mainstream browsers.

    Google Project Zero researcher Samuel Groß recently kicked off a project to resolve V8 bugs, which he noted are particularly dangerous.

    “V8 bugs typically allow for the construction of unusually powerful exploits,” Groß warned. These bugs are also resistant to modern hardware-assisted mitigations.

    Details of the two new Chrome bugs haven’t yet been added to Google Project Zero’s “0-day in the wild” tracker. After adding these Chrome bugs, the list would include a total of 48 zero-day bugs found to have been exploited in the wild since the beginning of 2021. These bugs have affected software and hardware from Google, Apple, Adobe, Microsoft, Qualcomm, and ARM.

    Google Project Zero and TAG say there has been an uptick in zero-day exploits this year, but what that means in terms of offense and defense is less clear.

    “There is not a one-to-one relationship between the number of 0-days being used in-the-wild and the number of 0-days being detected and disclosed as in-the-wild. The attackers behind 0-day exploits generally want their 0-days to stay hidden and unknown because that’s how they’re most useful,” Google’s security researchers wrote.

    The rise in zero-days could be because defenders are getting better at identifying and detecting them. But it could also be because attackers are using them more frequently because there are more platforms to attack and there are more commercial outfits selling governments access to zero-days, thus reducing the need for technical skills to use them.

  • in

    Android, Java bug hunting tool Mariana Trench goes open source

    Facebook has released the Mariana Trench bug hunting software to the open source community.

    This week, Dominik Gabi, a Facebook software engineer, said in a blog post that Mariana Trench was originally an internal tool for the company’s security engineers but has now been released to the public “to help scale security through building automation.”

    Mariana Trench (MT) is a tool for finding vulnerabilities in Android and Java, with a particular focus on examining code in Android applications. According to the tech giant, MT is able to scan “large mobile codebases” and will alert users to potential security problems found in the code by analyzing data flows prior to production.

    MT homes in on data flows as a common source of bugs, whether this is due to incorrect data exposure or collection, or if they contain flaws that allow for the injection of malicious packages. MT looks at the sources of information and its sinks, tracks the possible paths between them, and then computes models using static analysis to hunt for errors and issues in the codebase.

    “A security engineer would start by broadly defining the boundaries of the data flows she is interested in scanning the codebase for,” Facebook explained. “If she wants to find SQL injections, she would need to specify where user-controlled data is entering the code, and where it is not meant to go. However, this is only the start — defining a rule connecting the two is not enough. Engineers also have to review the identified issues and refine the rules until the results are sufficiently high-signal.”

    Facebook warns that this tool is only one addition to a security engineer’s arsenal, and false positives prior to production need to be considered.

    “In using MT at Facebook, we prioritize finding more potential issues, even if it means showing more false positives,” the company says. “This is because we care about edge cases: data flows that are theoretically possible and exploitable but rarely happen in production.”

    MT is now available on GitHub and a binary distribution has also been released on PyPI. In addition, Facebook has released the Static Analysis Post Processor (SAPP), an analysis tool for analyzing MT results.