March News from Information Security

My apologies in advance to those who dislike baseball analogies…

Life likes to throw us curve balls every now and then. Some people believe this is something that makes life interesting, but I am not really in that camp. I can’t say the lack of a February newsletter was actually the result of a curve ball; it was more like a slow sinker. My curve ball came last year, pretty much all year long, but I knew in advance I would be out of the office for the start of February, and I reasoned that I could always write the February newsletter after I returned. Then began the slow process of getting back to work. Returning to work was the end goal and I could see it clearly, but I couldn’t put bat to baseball to get a hit, just like a slow sinker from a Major League pitcher somehow eludes even the best batter.

OK, I’m done with baseball – I have lots of information to present to all of you now that I am back to work. Three big topics and maybe a couple of bonus nuggets of security awareness, along with more Food For Thought.

First, a missed opportunity (I won’t call it a swing and a miss because there was no swing, just a miss – and I’m really, truly done with baseball analogies). Data Privacy Week was January 22nd through the 26th. My goal was to produce two informative articles about privacy for that week before I left, but that never happened. I’ll work those topics into future monthly newsletters. I’ll draw your attention to these topics when they come up. The theme for this year’s DPW was “Take control of your data” and that is becoming more and more important as we see data breaches occurring on a regular basis. Stay tuned.

Next, I want to revisit one of the topics from the January newsletter, specifically about moving your personal business and activity out of your Berry email account. Many of you may have wondered “but if I do that, then Google/Microsoft/Yahoo/(insert your free email provider here) will target me with ads based on my email and browsing history”. You are 100% correct about that. There are alternatives to these providers, some of which are still free or very low cost. Others are not inexpensive, but still cost less than some other things we don’t think about spending money on (think coffee drinks or fast food items).

One of the most popular alternatives to the many free, ad-rich email services most people use is Proton Mail. They have a free plan that is secure and ad-free, but it is limited to only 500MB of storage and 150 messages a day. For the cost of a latte a month, you get the same amount of storage you would from Google or other providers (15GB), plus calendars and storage, a VPN, a password manager, and even the ability to use your own domain name if you have one. If you want a secure email service or just want to break free from tracking and ads and annoyances, Proton Mail is a great choice. Check them out at https://proton.me. It might not be clear how to get the free account if you just look at the main page of the site. Check the top right corner for the “Create a free account” button there. You can always try it to see if you like having an ad-free email account. If you like it and want more features, you can upgrade to a paid plan. They have a web interface, iOS and Android apps and if you purchase a paid plan, you can use any desktop mail client you want to access your Proton Mail account.

On the other end of the usability and cost spectrum is Zoho Mail. Zoho is aimed squarely at businesses, as they provide full office and group collaboration suites, CRM, forms, digital signatures, customer loyalty management, scheduling and voice communications. But you can get a personal Zoho Mail account that you can put you own domain name on for zero dollars. The setup is not simple, but they have great documentation and support. The free plan includes 5GB of storage, a limit of 25MB per attachment, and both web access and mobile apps.

The bonus with putting up with the complexity of the Zoho Mail setup is that you can have 5 users, each with 5GB of storage, all using the same domain name for their address, i.e. johnsmith@domain.example and janedoe@domain.example. This lets you have a family email domain unique to you and your family if you want, at no cost. You could be “mom@family.domain” or “bigbrother@family.domain” (if you are OK with the connotation), or just use your names, i.e., @family.domain. For a dollar a person a month, you can get more features, like larger attachments and more collaboration capability. They also have more expensive plans that greatly expand your storage and other capabilities. The downside? You’ll need to draft someone (or “someones”) in the household to be the admin for your Zoho Mail account. There’s not much to do after you set up the account, but if no one wants to do this, you can still get a single free personal email account with Zoho. YOU just have to be the admin. If you are curious, check them out at https://zoho.com/mail.

For other options, check this article, provided by a company that claims to provide “clean email” regardless of what provider you use. It goes over seven other options beyond what I mentioned here, one of which (MsgSafe.io) is/was undergoing massive changes and/or a merger and appears to be unavailable, based on visits to the site. Two others on the list, Yandex and GMX, generally have poor reputations when it comes to being spam and phishing sources, so I would avoid them, but I’d encourage you to check the others out.

This nugget of information should probably be the headliner for this newsletter, but I am leaving it here out of respect for the topics already covered. That doesn’t make this any less important. Attackers are now using the ubiquitous “Unsubscribe” link found in almost every piece of unsolicited email to push phishing links to potential victims. Yes, THAT “Unsubscribe” link. The one that you put your hopes on to escape from yet another company sending you unsolicited email. It is now being weaponized to lead you to dangerous phishing sites. We have received emails from the Berry community that are using this tactic, so we dug into our email logs and found more. While the number at this point is less than a microscopic drop in the vast bucket of spam and phishing emails we receive, this is an indicator that this problem will grow.

This is my advice to everyone based on what we know right now. This most likely will change as we continue to investigate.

  • Don’t use unsubscribe links to opt out of spam emails.
  • Report spam emails using the “Report message” button in Outlook, the mobile apps, and on the web at https://mail.berry.edu and OIT will take appropriate action on the email.

My other nugget of information is this new opportunity – If you want to be THE person that can spot any and all phishing emails, sign up for my professional development course on phishing. The exact date has not been determined, but I will send an email and put a notice on this website when all the details are finalized. We’ll dive deeper into the basic ideas of how to spot a phishing email and you will learn what changes users have been forced to make in the face of AI-generated phishing emails and new insidious phishing tactics. More details coming soon!

Finally, I have to address the elephant in the room – our biannual (not biennial!) cybersecurity awareness training. My inability to get back to work when I wanted to has pushed the start date for training to next week (specifically, March 11th). It will remain open until the first Friday in May, the 3rd. It will be brief and general, not concentrating on any specific topic, but covering five key aspects of cybersecurity awareness with a bonus of tax season tips, because we are in that season. I’ll do my best to keep the time required to complete it to under 20 minutes. For those of you who have been here for our previous training courses, this will mostly be a review, but a very important review. For those who are new to this, you’ll get a quick and varied introduction to cybersecurity awareness. Everyone will receive an email inviting you to training on March 11th. The reminders will start after the first week, so if you want to avoid them, complete the training shortly after you are invited.

All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smart phone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn MFA/2FA on everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.

Please continue to report those phishing emails! Avoid using “unsubscribe” links and report spam via the “Report message” button, just like you would a phishing email.

If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so tell me how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email. Just use the link available in the right-hand sidebar on the website.

Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the events calendar where events will be posted, like Cybersecurity Awareness Month.

Food For Thought

Based on the positive response to January’s Food For Thought, I present another “remake” of a celebrated song. I anticipate that many of you will NOT like this remake, but for those of us who are closet metalheadz, this will probably be gold. Simon and Garfunkel released “The Sound of Silence” in 1964 (which predates even me) as a lush folk tune that was wildly unsuccessful. (Fun Fact – It was originally “The Sounds of Silence”). The producer remixed the folk tune with electric instruments and drums and in 1965, the remix went to the top of the charts. In 2015, the rock band Disturbed, with lead vocalist David Draiman, covered the song, slowing the tempo and darkening the overall sound. The result is stunning and David really shows his chops as a vocalist on the track. Throw on your headphones, turn up the volume and get ready to shiver when the song reaches its amazing climax.

Relevant facts in this article were pulled from and verified against appropriate Wikipedia articles.

Featured Image: Photo by Janelly Chevere/ Berry College

Author

(Visited 184 times, 1 visits today)