Surf's Up

iM Secure, iM Aware News

Surf's Up: Using Common Sense to Ride the Internet's Riptide
Longer is Stronger: Building Better Passwords
Real Life Spear Phishing Attack
Public WiFi is Public
& More!
Security Awareness is an essential part of achieving WorleyParsons' goal of zero harm to our people, assets and the environment. Please remember to always practice Security Awareness within the boundaries of the WorleyParsons Code of Conduct, OneWay Framework and documented iM Policies and Procedures.

To report a Security Incident: http://support.worleyparsons.com

Surf's Up, Dude!

You're probably not familiar with the name Jean Armour Polly, but you are familiar with the common catchphrase she coined. The phrase "surfing the internet" came from her paper written back in 1992, before internet connections were mainstream. According to Polly, she wanted something that metaphorically expressed the fun of using the internet, the way we go from website to website, link to link, but that also evoked a sense of randomness, chaos, and even danger. Her paper, "Surfing the Internet", is still available for free via Project Gutenberg, for those of you who want a little light reading.

We still use her now famous phrase, but the phrase "safely surfing the internet" is the one we're most interested in, especially here at work. The randomness, chaos and danger Polly spoke of is greater than she could have imagined in the early 90s. We now have the added complication of accessibility. From our homes to our mobile devices to our computers at work, we are connected, we are surfing. If we're not doing it safely, we can easily drown in a sea of malware, spyware, viruses and even identity theft.

But what does it mean to be a safe surfer? It begins and ends with common sense. We can install and run all the anti-virus and anti-malware services in the world. We can spend top-dollar on hiring security experts to set up our networks with all the latest and greatest firewalls, but none of it will matter if we don't use old-fashioned logic. Meaning? Don't click on any suspicious links. Verify sources before downloading apps on mobile devices. Follow policy at work. Keep devices up to date at all times. These are all simple, non-technical steps to take that promote good cyber hygiene and keep us away from the many dangers our beloved internet presents.

Social Media: Where Sharing Isn't Caring

There are 7.3 billion humans on our planet, and over 2.3 billion of them use social media. Data scientists expect that number to rise above 2.5 billion by 2018, which means a third of Earth's population will be on social media in the very near future.

It also means that everything you share, depending on your privacy settings, is shared with a whole lot of people. The keywords here are "depending on your privacy settings". Social media platforms update their security policies all the time; how often do you review them? When was the last time you checked who can view your profile and who has access to the information you post?

The average person has five social media accounts. That's five completely different methods of sharing and five completely different sets of privacy settings. While it's important to know everything you can about privacy settings, you should also consider just sharing less.

A Real Life Spear Phishing Attack

Are you familiar with spear phishing? You should be, because the spear phisher is familiar with you! Unlike phishing emails that are usually sent at random from an aggregated list, spear phishing targets specific people. A spear phisher knows your email address, the company you work for and just enough information about you and your position that he or she can use that information to appear to be a friend, a colleague, a boss or even law enforcement!

What does a spear phishing attack look like? Here's a real life example. (Actual names and information have been changed.)

At first glance, the email to the right seems legitimate. It addresses the recipient by name. The signature includes a phone number. The body of the email includes Jessica's actual place of employment. So how would she know this is a scam?

Let's start at the top. Who is Lucas? And why does his email address look so strange? His name isn't in the email address, it doesn't look professional and, if it were actually from Lawyers-R-Us PLLC, wouldn't the domain name reflect that?

This is the first Jessica is hearing of any sort of testimonial or legal issue. Why would she be subpoenaed out of the blue, and via email at that? Wouldn't her supervisors or company lawyers inform her of such things well before she was advised to appear in court?

Finally, doesn't it seem strange that there's an attachment when everything she needs to know is written in the body of the email? What is it for?

This very well-crafted spear phishing attack hits all the right notes. If Jessica had let her fear take control without studying the email closely, she may have downloaded the attachment and launched it on her work computer, infecting it with malware.

What should you do if you receive an email like this? At home: delete, delete, delete. At work: follow policy, know how to report any security incidents and, if you're not sure, ask someone immediately!
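The three tells picked out above (a sender name that does not appear in the address, a domain that does not match the firm the email claims to represent, and an attachment that a self-contained message has no need for) can be checked mechanically. The Python below is an added example, not code from the newsletter: it uses the standard library's email parser on a constructed message modelled on the one described (every name, address and domain in it is invented) and reports which indicators fire, alongside a constructed benign message that fires none.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Words that, together with an attachment, suggest pressure to open it.
URGENCY_WORDS = ("subpoena", "court", "legal", "immediately", "urgent")
# Legal-form suffixes that say nothing about the organisation's domain.
ORG_SUFFIXES = {"pllc", "llc", "plc", "inc", "ltd", "corp"}

# Constructed sample modelled on the newsletter's example; names, addresses
# and domains are invented for this illustration.
SUSPICIOUS_MESSAGE = b"""\
From: Lucas <qz77.notify@mail-example.invalid>
To: Jessica <jessica@company.example>
Subject: Subpoena: appearance in court required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Dear Jessica,
You are required to appear in court on behalf of Lawyers-R-Us PLLC.
Details are in the attached document.
--sep
Content-Type: application/zip; name="subpoena.zip"
Content-Disposition: attachment; filename="subpoena.zip"
Content-Transfer-Encoding: base64

Zm9v
--sep--
"""

# Constructed benign message from the firm's own domain, no attachment.
CLEAN_MESSAGE = b"""\
From: Lucas Smith <lucas.smith@lawyers-r-us.example>
To: Jessica <jessica@company.example>
Subject: Lunch next week
Content-Type: text/plain; charset="us-ascii"

Hi Jessica, are you free on Tuesday?
"""


def _alnum(s: str) -> str:
    """Lower-case and strip everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def phishing_indicators(raw: bytes, claimed_org: str) -> list:
    """Return a list of human-readable indicators found in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")

    # 1. Does the display name appear anywhere in the mailbox part?
    name_tokens = [t for t in re.findall(r"[a-z]+", display.lower()) if len(t) >= 3]
    if name_tokens and not any(t in local.lower() for t in name_tokens):
        findings.append(f"sender name {display!r} does not appear in address {addr!r}")

    # 2. Does the sending domain reflect the organisation the mail claims?
    org_tokens = [t for t in re.findall(r"[a-z0-9]+", claimed_org.lower())
                  if len(t) >= 3 and t not in ORG_SUFFIXES]
    if org_tokens and not any(t in _alnum(domain) for t in org_tokens):
        findings.append(f"claims to be from {claimed_org!r} but domain is {domain!r}")

    # 3. An attachment paired with pressure language in subject or body.
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part else ""
    text = (msg.get("Subject", "") + " " + body_text).lower()
    attachments = [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]
    hits = [w for w in URGENCY_WORDS if w in text]
    if attachments and hits:
        findings.append(f"attachment {attachments} sent with urgency language {hits}")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, phishing_indicators(raw, "Lawyers-R-Us PLLC") or "no indicators")
```

Each check maps to one of the questions the article asks; the organisation name is passed in because the tool cannot know on its own which firm the message is impersonating, which is exactly the judgement the reader is asked to make.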

FAMILY PRACTICE

It goes without saying that we need to take extra precautions at work to ensure that the confidentiality, integrity and availability of our data stays intact. But what about at home? How do we protect our families?

It starts with leading by example. We teach our children to be kind to others, to eat right, and to look both ways before crossing the street. We also need to teach them how to be good digital citizens with strong online safety habits. The best way to do that is by holding ourselves to the same high standards.

When it comes to kids and the internet, the "why" is just as important as the "what". Why do we need strong passwords? Why do we need to be careful with whom we share? Why are certain websites and social media platforms not allowed?

As parents, we must also teach our children how to report an incident, especially when it comes to cyberbullying. Encourage them to speak up if they are a victim or if they see someone else being bullied. Furthermore, we need to know what to do should we suspect our own children of being cyberbullies, which is never an easy conversation.

Implementing and enforcing a Family Cyber Security & Privacy Policy is the first step to protecting our families. A good policy emphasizes strong and unique passwords, regular backups of family data (such as pictures and videos), utilizing anti-virus software, limiting what information is shared online, and knowing what files are safe to download or click on.

There is also another layer of policy a lot of us don't add: device disconnect. You might already have a "no phones at the dinner table" rule, which is a great start, but setting aside a few nights a week where no screens are allowed helps teach the value of unplugging, helps minimize device dependency, and enhances development of important face-to-face social skills!

PASSWORDS: LONGER is STRONGER

Passwords are the first defenders in the privacy universe. Without them our cyber lives would be less secure than they are now. The average person has over 25 internet accounts and some reports suggest that number is closer to 90! It goes without saying that we need strong, unique passwords for every single online account. The question is, what constitutes a strong, unique password? Let's run a test. Head over to PassFault.com, a password strength analyzer, and play around with a few you think are strong. (DO NOT USE YOUR ACTUAL PASSWORDS.) Here are some interesting results we found:

LogMeIn
Time to Crack: < 24 HOURS
This is obviously a weak password that shouldn't be used for anything. Let's beef it up a bit. Many accounts will say "Password must be at least eight characters long, contain at least one uppercase and one lowercase letter, contain at least one number and one special character." No problem!

Pr0tectMe!
Time to Crack: < 24 HOURS
Wait! What happened here? We followed the instructions. You're telling me that a criminal could crack this in less than a day? That's right. Even though this passcode is complex and satisfies the requirements set by most account admins, it's still not strong enough. Let's kick it up a notch!

kpD59lgOA0D!
Time to Crack: ~ 48 DAYS
Alright, this password scores a little better. But even though it's completely random and complex, it's still not optimal. A determined criminal will crack this in under two months, which will certainly occur before the user changes it. We need to do better!

The Dog Wants To G0 Out!
Time to Crack: ~ 3,127,836 CENTURIES
Now that's what we call a strong password! Capitalized with spaces between each word. One number, effectively misspelling "Go". One special character. It's a phrase, not a single word. And the best part? It's easy to remember! So go ahead, criminals, try to crack this passphrase. We'll be waiting.
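The four results above come from PassFault's pattern-based analysis. As an added illustration (not part of the newsletter and not PassFault's code), the Python script below estimates the same four passwords under two simple attacker models: an exhaustive search over the character classes the password uses, and a dictionary attack that treats each recognisable word, with digit-for-letter substitutions undone, as one pick from a wordlist. The guessing rate of 10^10 per second, the 20,000-entry wordlist size and the tiny stand-in word set are constructed assumptions, so the absolute times will not match PassFault's figures; what the script shows is why "Pr0tectMe!" fares no better than "LogMeIn" once an attacker tries dictionary words with substitutions, and why the six-word phrase outscores the twelve-character random string even under the cheaper of the two attacks.

```python
import math
import re
import string

# Assumed offline guessing rate against a fast, unsalted hash. A constructed
# figure for this example, not one from the newsletter or from PassFault.
GUESSES_PER_SECOND = 1e10

# Stand-in for an attacker's common-word list: the size is what the estimate
# uses, and the set holds only the words needed to score the four samples.
WORDLIST_SIZE = 20_000
COMMON_WORDS = {"log", "me", "in", "protect", "the", "dog", "wants", "to", "go", "out"}

# Digit/symbol substitutions a cracking rule set would try ("G0" -> "go").
LEET = str.maketrans("0134$@", "oieasa")

# Split "Pr0tectMe" into "Pr0tect", "Me"; all-caps runs are kept whole.
TOKEN_RE = re.compile(r"[A-Z]?[a-z0-9]+|[A-Z]+(?![a-z])")


def charset_size(password: str) -> int:
    """Alphabet a brute-force search must cover, judged by the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    if " " in password:
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace an exhaustive search over the used classes must try."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(password: str):
    """Cost of a dictionary attack, or None when the password is not made of
    dictionary words (then only brute force applies)."""
    tokens = TOKEN_RE.findall(password)
    if not tokens:
        return None
    bits = 0.0
    for tok in tokens:
        plain = tok.translate(LEET).lower()
        if plain not in COMMON_WORDS:
            return None
        bits += math.log2(WORDLIST_SIZE)  # which word
        bits += 1                         # capitalised or not
        bits += sum(1 for a, b in zip(tok.lower(), plain) if a != b)  # each swap
    symbols = sum(1 for c in password if c in string.punctuation)
    bits += symbols * math.log2(len(string.punctuation))  # appended symbols
    if " " in password:
        bits += 2                         # a handful of separator choices
    return bits


def estimate_bits(password: str) -> float:
    """The attacker picks the cheaper strategy, so the estimate is the minimum."""
    candidates = [brute_force_bits(password)]
    dictionary_cost = passphrase_bits(password)
    if dictionary_cost is not None:
        candidates.append(dictionary_cost)
    return min(candidates)


def crack_time_seconds(password: str) -> float:
    """Time to exhaust the estimated search space at GUESSES_PER_SECOND."""
    return 2 ** estimate_bits(password) / GUESSES_PER_SECOND


def human_time(seconds: float) -> str:
    units = (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


SAMPLES = ["LogMeIn", "Pr0tectMe!", "kpD59lgOA0D!", "The Dog Wants To G0 Out!"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:28} {estimate_bits(pw):6.1f} bits  ~{human_time(crack_time_seconds(pw))}")
```

The random string is the only sample that forces the attacker into brute force; the passphrase loses nothing by being made of ordinary words because six words from a large list still multiply out to a search space far beyond a twelve-character random string.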

A Moving Target

Last year more than half a billion mobile devices were added to global networks. Experts project that by 2020, the total number of devices will be 11.6 billion, 1.5 times that of the world's population. Guess what's coming to a smartphone near you? If you guessed MALWARE, you're correct.

With everyone and their dog carrying around a connected device, you can bet that criminals are targeting smartphones, tablets and whatever mobile tech is next. We've already experienced alarming reports of malware hitting both Android and iOS, such as the so-called Hummingbird which infected over 10 million Android devices, or the AceDeceiver malware that hit iPhones right out of the box.

The fact of the matter is, our lives have gone mobile. Assuming the devices we take everywhere are immune to cyberattacks is pure negligence. Criminals look at the booming tech industry with the Internet of Things and see untapped, and nearly unlimited, potential.

So what are we going to do about it? Treat your mobile devices like you would your computers. Install antivirus and malware detection scanning software. Don't click on suspicious or unsolicited links sent to you in any form. Research and verify the source before downloading apps. Stay up to date from both a software standpoint and a news standpoint so you are familiar with today's threats. And as always, follow work policy when it comes to personal devices you bring to the office and devices issued to you by our organization.

Most importantly, use common sense. The benefits of mobility far outweigh the downsides, but the sheer volume of connected devices has made them the top targets for cybercriminals.

Public WiFi is Public

What's the first thing we all do when we go to a café, bar or hotel? Look for a WiFi connection, of course! We live in a world where public WiFi is nearly everywhere. But here's the thing about public WiFi: it's public.

It's easy to forget that once you connect to the same hotspot as everyone else, every bit of your internet traffic can be easily intercepted. Your passwords, your user IDs, your online banking credentials, all of your texts, both personal and professional, private Facebook chats, pictures and videos sent over SMS, Skype conversations, email contents, EVERYTHING is wide open.

For that matter, there's always a chance that a bad guy has set up a rogue network at a popular place. These networks look legitimate because they will use a common name like "CaféWiFi". A great example of this happened recently when Avast, an anti-virus developer, set up a bogus WiFi hotspot at the US Republican National Convention. Around 1,200 users connected, giving Avast full access to their information.

The solution? A virtual private network, or VPN. VPNs encrypt your traffic so all of your private and personal data stays private and personal. A criminal hacker won't be able to easily snoop your information while you're on a public network. In a world where we are always connected, a VPN is your best friend. They are inexpensive, easy to use, and can be installed across multiple devices. But only install a VPN on personal devices. Always check organizational policy for work-issued devices before installing software!

HEADLINE NEWS

New Ransomware Can Find Victims' Physical Location
A new version of ransomware called Cry has stepped out onto the scene, and it's arguably more unsettling than previous types of the malware. Pretending to come from a fake organization called the Central Security Treatment Organization (CSTO), this ransomware gathers the device information and location of its victims, then posts the details on public sites such as Imgur.com and Pastee.org. Researchers are unsure why the attackers determine their victims' locations, unless it's a scare tactic used to convince people to pay the 1.1 Bitcoin ransom (about $625). For more information and technical details about how Cry works, visit http://bit.ly/2cIYulY.

Dropbox Breach Exposes Credentials for 69 Million Accounts
Reports surfaced recently of a major data breach involving the cloud storage service Dropbox. Criminal hackers were able to obtain almost 69 million account credentials from a breach dating back to 2012. When the breach was initially made public four years ago, it was believed that only email addresses were leaked. Updated reports now say that passwords were also stolen, and are in danger of being sold on the dark web. Security professional Troy Hunt was able to verify that the hack contains legitimate passwords and that even the strongest passwords could be vulnerable to advanced cracking techniques. Read more by visiting http://bit.ly/2ccY3uq.

If you have a Dropbox account, you are strongly advised to change your password immediately, even if you are not prompted to do so by a mandatory password reset notification. Despite Hunt's findings, it's always best to maintain strong, unique passwords for each of your accounts and to change them often. This important security habit makes it far less likely that breaches like this one will compromise any sensitive information.

The Hacker News @TheHackersNews, Sep 5
Breach of Russia's biggest portal leaks nearly 100M plaintext passwords bit.ly/2chOLm0

Infosecurity @InfosecurityMag, Sep 2
Global smartphone malware infections up 98% in first half of 2016 bit.ly/2cBv6K7

Tripwire @TripwireInc, Sep 1
Leoni AG loses 40M Euros to email scammer using spear phishing bit.ly/2ckqURg

AppRiver @AppRiver, Sep 1
Phishing email distributes malware via download with a convincing imitation of Dropbox notification bit.ly/2chQdF0

BBC News @BBCNews, Aug 29
UK Pokémon GO players involved in hundreds of thefts, assaults, harassment & driving offenses bbc.in/2cdmRWr

Google Europe @GoogleEuropeRSS, Aug 29
Google is latest American tech giant to sign on to US-EU Privacy Shield bit.ly/2c4W8d5

Level 3 @Level3, Aug 25
1M+ Internet of Things devices are enslaved to DDoS botnets bit.ly/2bTljx8

Lookout @Lookout, Aug 25
Sophisticated Israeli mobile attack Trident targets iOS; need to update to the latest version immediately! bit.ly/2c8gkJm
