Safely into 2023
Enter the new year safely. The Cybersecurity Team of Masaryk University prepared ten resolutions for you that will help you to take better care of yourself in cyberspace.
The attackers in cyberspace are constantly creating new ways to deceive their victims and often target not the technology but the person. They don't let Masaryk University out of their sight either – right before the Christmas holidays, the umpteenth spear-phishing wave took place, leaving behind dozens of compromised accounts. How to avoid these pitfalls?
Experts from the Cybersecurity Team of Masaryk University (CSIRT-MU), who consider a secure cyber environment essential for a modern educational institution, deal with exactly this question. They have therefore prepared several basic recommendations for you that are worth remembering. You can think of them as resolutions for 2023.
Ten resolutions for 2023
Cyber security is not rocket science for everyday users. A few steps that do not change much for ordinary users will help you protect yourself from significant inconveniences.
CSIRT-MU
Do not enter
Do not open
Do not lend
It pays off to be vigilant
Now let's take a closer look at the attacks we have covered in the top ten tips. A common feature that attackers rely on is the inattention of users: it is often easier for them to fool a human than to bypass technical security measures. So, in practice, they send fraudulent e-mails that lead users to fake login pages in order to lure out their login details for essential accounts. At Masaryk University, we have noticed that fraudulent login pages were created, for example, for IS MU and the Portal.
Not only the visual design of the fake login pages but also the text of the e-mails themselves tends to be elaborate. They often try to instill a sense of fear ("If you don't log in within 24 hours, you will pay a fine of 10,000"), curiosity ("You can find spicy footage from the Christmas party at this link"), or, for example, the desire to earn money ("You won 30,000,-, to choose a prize, log in through this link."). That is why it is crucial to be careful and not get caught by such techniques.
We recommend always verifying who the sender of the e-mail is (i.e. from which e-mail address the message was sent), especially if the message concerns monetary amounts. It is also useful to check the URL of the page. Sometimes, the attackers change or add letters or numbers (www.portal.muni.cz -> www.portal.munii.cz – inconspicuous, right?).
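The URL check described above can also be automated. The following is an added example, not CSIRT-MU's own tooling: it assumes muni.cz is the only trusted domain and takes the last two host labels as the registrable domain, which holds for .cz addresses.

```python
from urllib.parse import urlsplit

# Assumption: the only trusted registrable domain is the one the article names.
TRUSTED = {"muni.cz"}

def registrable(host):
    """Last two labels of the host. Simplification: correct for .cz, but
    production code should consult the Public Suffix List."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, max_distance=2):
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a link."""
    if "://" not in url and not url.startswith("//"):
        url = "//" + url             # bare "www.example.cz/path" has no scheme
    host = urlsplit(url).hostname
    if not host:
        return "unknown"
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        # A near miss (added or changed character) is more suspicious
        # than a completely unrelated domain.
        if edit_distance(domain, good) <= max_distance:
            return f"lookalike of {good}"
    return "unknown"

# Constructed sample links; only the first two appear in the article.
SAMPLES = [
    "www.portal.muni.cz",
    "www.portal.munii.cz",
    "https://portal.mun1.cz/login",
    "https://www.example.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{link:32} {classify(link)}")
```

A result of "unknown" only means the domain is neither trusted nor a near miss; it says nothing about whether the site is safe.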
Cyber security overlaps with the ordinary, physical world, so being vigilant pays off here too, especially with tablets, laptops, and smartphones, whose security people often overlook. An attacker can copy the entire content of a hard drive in a few minutes. That's why it's important never to leave your devices unlocked when you step away from them. Additionally, if you need to transfer something to the device, do not use external media (flash drive, CD-ROM, etc.) whose content and origin you are unsure of. They may contain malicious software that you could transfer to the device without knowing it. This is also why it is crucial to have an anti-virus program installed and updated. Last but not least, be careful when logging into accounts in public, where attackers can easily gather the data.
The password as a key
A password unlocks all the secrets of the account it guards, so let's talk about passwords for a moment. You always prove your identity with a password. Therefore, once someone gets hold of your password, they gain access to your personal data. Furthermore, internet bots and algorithms can try thousands of password combinations per minute, so having a strong password is essential.
The art of creating secure passwords does not lie in the use of dozens of special characters and symbols, yet you can still come across this myth in many sources. The secret to strong passwords lies in a combination of easy-to-remember words. Such passwords are called passphrases, and cracking them would take millions of years. The inspiration for creating one can be the scenery on the way to work or a memory from childhood. It is enough to think of three to four words. We also recommend adding special characters (such as spaces, numbers, punctuation, and symbols) in random places.
Examples of passphrases: WH0Ashesaidyes, rating9*forG0T, never8say8never.
Tip: Every day, a user logs into many accounts and generally knows that each account's password should be different. To make your life easier, CSIRT-MU recommends installing the Bitwarden password manager (or, for users of Apple devices, Keychain), which works as a safe for all your passwords, guarded by one really strong password.