Cybersecurity for Jewish organizations 101: an update

July 22, 2014

Two years ago the websites of many Jewish organizations were hacked during Israel’s Operation Pillar of Defense. JCRC-NY and ADL (thanks to the ADL for some of the suggestions below) have noted some new attacks against Jewish community websites allegedly motivated by the ongoing conflict in Israel. Hacker groups claiming affiliation to Anonymous, the hacker collective, have attacked and defaced the websites for U.S. based Jewish institutions as well as Israeli government and business websites.

There may be an increase in the frequency and scope of attacks against Jewish websites. Jewish institutions should review their security procedures, including:

Website. Have your website hosted with a professional web hosting company rather than having it reside on an institutional server or  a member’s home computer. Contact your institution’s Internet Service Provider (ISP) and/or website hosting company to discuss what measures are in place to protect your website and its content and what steps should be taken in case of an incident.

When deciding on a web host and ask them:

  • whether they install security patches on a regular and timely basis;
  • how often they make active backups of hosted websites (you should have a current back-up version of the relevant website and establish a periodic policy of taking snapshot backups — e.g., on a weekly basis, in no case should the period be longer than a month).
  • what security measures do the hosting company use to prevent Denial of Service (DoS) attacks and unauthorized Website access. 
  • if they have a disaster recovery procedure that includes someone available as a 24/7 point of contact for emergencies.

Remove any personal information (e.g., personal email, Facebook pages, Twitter handles, home addresses and phone numbers) from organizational websites wherever possible. Website administrators should review website server logs for unusually high visitor activity or visitors from unusual locations and alert their ISP or hosting company immediately.

Passwords. As with institutional email addresses, an effort should be made to limit and control the number of people Website administrator or Webmaster permissions and policy for strong passwords and a schedule for changing passwords.

  • Administrator passwords must be changed periodically (at least every two months). Passwords must be complex, i.e., contain both alpha and numeric characters and have at least one case change. Ideally, they should also contain at least one “special” (non-alpha/numeric) character. Staff names should never be part of any password.
  • You can find tips to create strong passwords and  a utility to check the strength of a potential password here.

Social networks.  Social networking pages are also vulnerable and should be monitored regularly. In addition, wherever possible, institutional staff should remove information about their affiliation with the institution from personal social media pages. See these tips on socializing securely.

ADL is in contact with many of the major Internet and social networking companies. Facebook pages for Hamas and hacker groups have already been removed from the Internet and we will continue our efforts.

Computer systems. Be aware of who has access to their computer, the permissions granted to each account, who has system administrator authorization and who assigns passwords.

  • To the extent possible, financial records should be segregated from membership data and other documents. Many programs allow users to encrypt data, further protecting the confidentiality of constituents. Of course, passwords become critical elements of your data protection efforts.
  • It is always prudent to have active and up-to-date firewall, anti-virus and threat detection software.

Phishing. Remind institutional staff and key members to be wary of attachments to emails.  Computer criminals are adept sending emails from people that you know (often victims of prior phishing attacks) to lure you into a sense of false security. See specific tips and more at Lots of phishing going on: Stop, think, click.

System Intrusion. Computer system intrusion can happen in a variety of ways: access in an unauthorized manner, by an unauthorized user, internally by a member of the institution or externally by the public.

  • Advanced software can alert a system administrator if an unauthorized access has been attempted. Older systems may require a regular manually review of computer logs to detect unwanted access.
  • Computer logs and advanced software, if properly configured, can indicate which computer files, if any, have been accessed. A policy should be established to inform members if files containing personal or sensitive information have been exposed. It is likely best to err on the side of caution in such situations.
  • Unauthorized computer access is potentially a criminal act. System intrusions rarely happen by accident and, as such, it is best to assume the person violating the system is seeking something. As with Website hacking, those perpetrating a system breach, likely know they are breaking the law and may have motivation to justify that risk.
  • As soon as a system intrusion is detected the system administrator must be contacted immediately. Subsequent contact to law enforcement and FBI (http://www.ic3.gov/default.aspx) computer crime specialists would not be an unusual next step.

For more information, explanations and suggestions see the FCC’s Small Biz Cyber Planner.

Lots of phishing going on: Stop, think, click

February 18, 2014
How do you stop phishers? Look for these clues. Click to enlarge.
How do you stop phishers? Look for these clues. Click to enlarge.

OK, you’ve heard it over and over…don’t click on unknown links. Well, people, even smart people, don’t listen. You get an email from someone that you know, click on what is said to be a “secure” link and your adventure begins.

googledocs - Secure Login
Here’s the bait. It looks official. People click and type in their password, giving their email account and contacts to hackers.

Now the phisher has you lured in. You’re asked to sign in. A nasty bot takes control of your computer, steals your contact list and sends everyone on your list an invitation to become infected.

Recommendations:

    • Look at the illustration at the top of this email. Be aware.
    • Do not follow unsolicited web links in email messages or submit any email account or password information to unknown webpages in links.
    • Use caution when opening email attachments. Refer to Using Caution with Email Attachments for more information on safely handling email attachments.
    • Maintain up-to-date anti-virus software.
    • Perform regular backups of all systems to limit the impact of data and/or system loss.
    • Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity.
    • Secure open-share drives by only allowing connections from authorized users.
    • Keep your operating system and software up-to-date with the latest patches.
    • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
    • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Here are some free resources to see if your computer is infected (from STOP. THINK. CONNECT.™  the global cybersecurity awareness campaign to help all digital citizens stay safer and more secure online. – See more at: http://www.stopthinkconnect.org/)

For more tips about cybersecurity, check out the following non-technical publications:

New cyberthreats (including CryptoLocker Ransomware)

November 17, 2013
Stop. Think. Connect.
Click on the icon to download a set of posters to help you create a culture of cybersecurity.

The FBI and the National Cybersecurity and Communications have identified new computer malware threats and recommend that, “organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.” Destructive malware is a direct threat to your daily operations. Because of the increasing sophistication of malware, anyone (employee, client, volunteer, student) who  is on your network could trigger an infection affecting everyone. Organizations should work to develop a culture of safe computing.

  1. The publication, Planning and Recommended Guidance: Destructive Malware is technical, but it is a good guide for techies. Please pass it on to your IT departments and/0r consultants to assist them to protect you, your data, your credit and your reputation.
  2. The National Cyber Awareness System reports outbreak of “ransomware” that restricts access to infected computers and demands a payment to to decrypt and recover your files (see CryptoLocker Ransomware Infections for more information and how to undo the damage). The latest means of infection appears to be phishing emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. Some victims saw the malware appear following after a previous infection from existing botnets lurking on infected computers.

Recommendations:

    • Do not follow unsolicited web links in email messages or submit any information to webpages in links.
    • Use caution when opening email attachments. Refer to Using Caution with Email Attachments for more information on safely handling email attachments.
    • Maintain up-to-date anti-virus software.
    • Perform regular backups of all systems to limit the impact of data and/or system loss.
    • Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity.
    • Secure open-share drives by only allowing connections from authorized users.
    • Keep your operating system and software up-to-date with the latest patches.
    • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
    • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Related information:

For more tips about cybersecurity, check out the following non-technical publications:

Syria: potential repercussions

September 01, 2013

The escalating drumbeat for military action naturally leads to questions about possible terrorism here in New York. Note: as of today there are no specific, credible threats against New York or the Jewish community. Nevertheless, all Jewish organizations should review their security and emergency preparedness plans to ensure that they are up-to-date and that they can be readily implemented. Some specifics:

High Holidays

If you are an organizations hosting High Holiday services and/or programs you should:

  1. Notify your local police about all planned services and programs. Discuss the number of people expected at each service and ask them for any suggestions that could improve your security and emergency preparedness plans.
  2. Review your security and emergency preparedness measures, especially access control, evacuation and lockdowns. Meet with your staff and volunteers and make sure that everyone is on the same page and knows what to do. Check the “High Holidays” category for more suggestions..

Potential for Cyberattacks

Last week the Syrian Electronic Army compromised the New York Times website and others. Western financial institutions are also targetted by others. We all should review our own cybersecurity because, in the past, anti-Israel hackers have attacked Jewish-related sites. See JCRC’s Cybersecurity Resources.

This week the FBI distributed the following:

  • The Syrian Electronic Army (SEA), a pro-regime hacker group that emerged during Syrian antigovernment protests in 2011, has been compromising high-profile media outlets in an effort to spread proregime propaganda. The SEA’s primary capabilities include spearphishing, Web defacements, and hijacking social media accounts to spread propaganda. Over the past several months, the SEA has been highly effective in compromising multiple high-profile media outlets.
  • The SEA has recently compromised high profile media Web sites through a new tactic of hacking third party networks – including a Domain Name System (DNS) registrar and a content recommendation website.
  • In April 2013, the SEA compromised the Twitter feed of the Associated Press, posting a false story that President Obama was injured, causing in a brief drop in the stock market.
  • In addition to Syrian hackers, groups or individuals sympathetic to the SEA may also be observed participating in CNO efforts against US Web sites and networks.
  • Please maintain heightened awareness of your network traffic and take appropriate steps to maintain your network security. If you detect anomalous or malicious traffic or network behavior, please contact your local FBI Cyber Task Force or the FBI CyWatch (855) 292-3937 immediately.

Defending Against Hacktivism

In general, hacktivism cyber attacks may result in denial of service, Web site defacements, and the compromise of sensitive information which may lead to harassment and identify theft. Although the specific OpUSA claims referenced above speak specifically to DDoS attacks, precautionary measures to mitigate a range of potential hacktivism threats include:

  • Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks. 
  • Have a DDoS mitigation strategy ready ahead of time and keep logs of any potential attacks.
  • Scrutinize links contained in e-mail attachments.
  • Regularly mirror and maintain an image of critical system files.
  • Encrypt and secure sensitive information.
  • Use strong passwords, implement a schedule for changing passwords frequently and do not reuse passwords for multiple accounts.
  • Enable network monitoring and logging where feasible.
  • Be aware of social engineering tactics aimed at obtaining sensitive information.
  • Securely eliminate sensitive files and data from hard drives when no longer needed or required.
  • Establish a relationship with local law enforcement and participate in IT information sharing groups for early warnings of threats.

Protecting your cyberlives

July 31, 2013

DHS has an excellent resource: the US Computer Emergency Readiness Team (US-CERT). Their website has information ranging from Computer Security 101 to advanced information for IT professionals.

Remember: Scams, bots and viruses continue to proliferate. Use caution when opening email messages and take the following preventive measures to protect themselves from phishing scams and malware campaigns.

  • Do not click on or submit any information to webpages.
  • Do not follow unsolicited web links in email messages.
  • Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments.
  • Maintain up-to-date antivirus software.
  • Users who are infected should change all passwords AFTER removing the malware from their system.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

Other great information for non-techies from the US-CERT website.

Top 10 Ways to Improve the Security of a New Computer

  • Top 10 Ways to Improve the Security of a New Computer Because our computers have such critical roles in our lives and we trust them with so much personal information, it’s important to improve their security so we can continue to rely on them and keep our information safe.Virus Basics
  • Virus Basics Learn about viruses, what they can do to your systems, and how to avoid them and lessen their impact.
  • Home Network SecuritySecuring Wireless Networks In today’s connected world, almost everyone has at least one Internet-connected devices. With the number of these devices on the rise, it is important to implement a security strategy to minimize their potential for exploitation (see Securing the Internet of Things). Internet-connected devices may be used by nefarious entities to collect personal information, steal identities, compromise financial data, and silently listen to—or watch—users. However, taking a few precautions in the configuration and use of your devices can help prevent this type of activity.
  • Staying Safe on Social Networking Sites The popularity of social networking sites continues to increase. The nature of these sites introduces security risks, so you should take certain precautions.

Considerations for digital & online security at Jewish institutions

November 28, 2012

The hackings of 82 synagogue websites during Israel’s Operation Pillar of Defense by the “Moroccan Ghosts” brought appropriate responses from law enforcement agencies. The intrusions should remind us that cybersecurity is in our own hands. The following recommendations from the ADL make sense.

Read More Considerations for digital & online security at Jewish institutions

New hack attack on websites

August 19, 2012

For those of you with websites.

The problem

There is a relatively new attack on websites hitting MySQL. If you don’t understand this, check with your techie or your ISP to confirm if your website is vulnerable.

How do you know that you’ve been compromised? Google is ever alert and will mark your site as “dangerous”. Websites/web hosting companies subscribe to “blacklists” of such sites. Firefox and Chrome check the blacklists before going to a site and will tell a user, Warning – visiting this website may harm your computer!”.

Once your site is hacked it must be “cleaned”. After doing so, you can notify Google, request that it be removed from the blacklist and 3 to 24 hours later the site will be unblacklisted.

Best practices

  1. Make regular backups of your website. Even if your ISP takes care of this it couldn’t  hurt to have another.
  2. Your website probably has all kinds of access passwords (FTP, SQL administration, etc.). Make sure that you have strong passwords at every option. This usually includes multiple words, mixing capital and lower case letters and using numbers and symbols. See this Consumer Reports article for more explanations and tips.