As we start to approach the end of the academic year, here is a roundup of the current technology threats affecting the SHASS community as well as best practices to protect your privacy. Please feel free to bookmark this news article for later reference or more detailed reading.
As Aldous Huxley said in his 1965 introduction to the radio version of his novel “Brave New World”: “Eternal vigilance is not only the price of liberty; eternal vigilance is the price of human decency.”
1) BEWARE of EMAIL SCAMS
These can be from any number of financial, education, delivery, or commercial institutions. Additionally, we’ve started seeing more scam emails that look like they’re coming from people at MIT. Some of these are pretending to be “from IT” trying to get you to click on a link or download an attachment filled with viruses, ransomware, spyware, or malware. Please be aware that we have discontinued including links in emails. Links to sources will now only appear in the SHASS IT news articles on our website shassit.mit.edu.
Please remember that no one at MIT will EVER send you an email to ask you to confirm, validate, verify, register, reactivate, request or require you to click on a mysterious link to maintain email or service or connectivity or demand your credentials or other personal information and/or require you to download an attachment for such. If you get one of these fraudulent emails, DELETE it immediately.
2) FAKE WEB BROWSER ALERTS
These fake popup windows tell you that you’re INFECTED by bad stuff, malware, or viruses. Some may try to get you to call a phone number where a bad guy tries to convince you to give them remote access to your computer. Others may try to get you to install a fake virus scanner that’s actually key loggers, spyware, or malware. Remember, all of these popup windows are fake. Never do anything these alerts tell you to do.
If your browser is hit by one of these, just quit out of the browser (force quit if necessary), shut down your computer (a restart is NOT good enough; it needs to be a shut down to clear out your computer’s memory), and turn it back on again. That should clear things out. Definitely contact us if you feel you’ve lost control of your computer and it appears to be doing things outside of your control.
3) PUBLIC WIFI (including those at airports and hotels) is NOT safe.
On the MIT campus, all on-campus WiFi users should be connected to MIT Secure ONLY. Authenticate with your Kerberos username and password to connect.
Most hotels, airports, convention centers, restaurants, and coffee shops offer free Public WiFi. These networks are NOT safe and all users should assume there could be bad actors embedded on these networks actively looking to intercept your internet activity.
Using public WiFi is fine for non-essential touristy activity like looking up reviews, restaurants, maps, traffic, or checking the weather.
You should NEVER pay your bills, access your bank accounts, or make purchases when connected to public WiFi. If you HAVE to conduct any activity where some confidential information is involved and you have no other options, ALWAYS run a VPN first so your network traffic is encrypted. A VPN is not an impenetrable shield, but your internet activity is no longer low-hanging fruit for the bad guys.
Information on MIT’s VPN can be found here:
Paid 3rd party VPNs which may be faster and easier to use, including but not limited to Nord VPN, Private Internet Access, and ProtonVPN, will also do the trick.
Nord VPN
https://nordvpn.com/country/usa/
Private Internet Access
https://www.privateinternetaccess.com/
ProtonVPN
https://protonvpn.com/
4) KEEP REGULAR BACKUPS of your most important files.
Use Dropbox. Use external HDs. Use Windows Backup or Apple’s Time Machine. Use IS&T’s CrashPlan. Use USB thumb drives. If the files are super important, we always recommend users maintain 2 backups at any given time and keep them at separate locations, one at home, one at work, one on Dropbox, etc.
Remember, only YOU can prevent data loss.
5) USE SIGNAL for SECURE TEXT MESSAGING
If you are texting confidential IP, business, or sensitive proprietary or political topics on your phone, use the Signal App. Normal text messages are unencrypted and can be hacked. iMessage data can be turned over by Apple to adversary governments on request.
Be aware that both YOU AND YOUR RECIPIENT must be running the Signal app and have added and/or accepted each other as recipients for this to work.
Also, if you set up a Signal chat group, make sure you vet ALL members of that group. Do not connect or include anyone in any Signal group chat whose number you do not know. If at all possible, block any numbers you definitely don’t know that send you requests.
Signal can also be set up to expire the messages in your chats. If this is a desired feature so there are no messages with confidential data or IP in your chat prior to crossing a border where an agent may demand you unlock your phone, make sure this feature is set up.
Download Signal here:
https://signal.org/download/
6) TELEPHONE SCAMS involving FAKE IRS/law enforcement
These scams that look like warnings or demands for payment of debts are very common now. The most recent permutation of this scam is fake toll collection calls/texts, especially for EZ-Pass here in MA. If you get one of these calls, hang up immediately. If you get a voice mail or a text from these scammers, DELETE it immediately. Give these scammers nothing.
All legitimate IRS issues involve first contact via USPS mail, NEVER by phone. Local law enforcement DOES NOT make calls to shake people down for past debts.
The IRS has information on this scam here:
https://www.irs.gov/newsroom/tax-scamsconsumer-alerts
The FTC has information on bogus debt collection scams here:
https://www.consumer.ftc.gov/blog/2017/08/phantom-debt-collectors-impersonate-law-firms
An AARP article on con artists impersonating police:
https://www.aarp.org/money/scams-fraud/info-03-2013/beware-of-police-impostor.html
7) TRAVELING WITH Sensitive Data and/or Intellectual Property
In a word, DON’T. If you have sensitive data and/or IP on your computer, do not travel with it. Agents at the border could demand that you unlock your device so they can inspect it. If your device disappears out of your view for any reason, you have to assume it’s been compromised.
For best results at the border, always comply with border agent requests. US Border Agents can detain you without charge for up to 72 hours so it is always in your best interest to expedite your crossing with as little attention or controversy as possible.
If you need a computer for travel, use a secure clean (no data) travel machine that does NOT have any of your or the Institute’s sensitive data on it. This also applies to any and all personal devices including tablets and smartphones. Remember, as long as you have VPN you can always retrieve any files or presentations you may need remotely, and then delete them before you need to cross a border again. Emails should only be accessed via web interface and then the browser’s history deleted.
If you are someone who is high profile enough to attract the attention of governments, activists, bad actors, or competitors for any reason including but not limited to corporate or political espionage you should NEVER travel with your personal devices. Travel only with clean travel devices bereft of your sensitive data especially any connection to your financial life, confidential files, IP, contacts, social media, or private communications.
8) EXPEDITE YOUR TRAVEL with TSA-PreCheck
For expedited travel, sign up for the TSA-PreCheck program if you are eligible. Not only will your experience at the airport be a lot faster and more pleasant, but you may be able to avoid the risk of detention altogether by going through a less-intrusive security screening process since you’ve already had the appropriate background checks that clear you as a safe flyer.
For more information:
https://tsaenrollmentbyidemia.tsa.dhs.gov/
9) CREDIT CARD SKIMMERS
These are everywhere now and could be at ATMs and gas station credit card readers you frequently use. Not all skimmers are easy to spot and some gas station skimmers are installed out of sight of the customer. If you have doubts about any card reader you’re using, grab it gently and pull. False skimmer overlays usually easily pop off. If you pull off a skimmer, immediately report it to the authorities who own the machine. There is also skimming technology that cannot be seen.
For more information on card skimmers:
Card Skimmers In Massachusetts: How To Spot Them
https://patch.com/massachusetts/somerville/card-skimmers-massachusetts-how-spot-them
How To Spot a Credit Card Skimmer
https://www.forbes.com/advisor/credit-cards/how-to-spot-a-credit-card-skimmer/
Could you spot a credit card skimmer on a gas pump?
http://www.mcall.com/news/watchdog/mc-nws-how-to-spot-credit-card-skimmer-watchdog-20170825-story.html
10) PASSIVE KEYLESS ENTRY systems found in cars (cars with push button start systems) have been under attack for over a decade now.
Bad actors have radios that are capable of intercepting and cloning the signal from the fobs. With the availability of cheaper technology, this tech allows a bad actor to access the car and drive off with it.
Key Fob cloning
https://www.youtube.com/watch?v=eMFDcCYVNeE
“Mystery Device” can unlock and start your car
https://www.youtube.com/watch?v=EE5Ygm0aFMk
“JUST A PAIR OF THESE $11 RADIO GADGETS CAN STEAL A CAR”
https://www.wired.com/2017/04/just-pair-11-radio-gadgets-can-steal-car
HONDA KEY FOB FLAW lets hackers remotely unlock and start cars
https://techcrunch.com/2022/07/12/honda-key-fob-flaw-hackers/
NOTE: Cars with TURN KEY ignitions are NOT affected by this vulnerability as they do not use a fob that is constantly broadcasting the RFID signal that can be stolen.
Users who have vehicles that use passive keyless entry should place their fobs in an RFID protected bag or purse immediately after they exit and lock their vehicle. Drivers should also consider using vehicle immobilization tools like steering wheel or brake pedal locks (The Club, The Auto Lock, etc.) that add obstacles to a thief’s ability to easily steal a car.
11) GOOGLE CHROME
If you are a Google Chrome user and are not OK with Google tracking all of your activity, stop using Chrome. Download and install the Brave Browser instead. Brave is a much faster, much more secure Chromium Browser. Everything that runs in Chrome will run faster in Brave.
For secure searching, DuckDuckGo instead of Google is the search engine of choice.
More information about the Brave Browser can be found here:
https://brave.com/
Users may directly download the Brave Browser here:
https://brave.com/download/
For those curious about the differences between Google Chrome and Brave:
https://brave.com/compare/chrome-vs-brave/
12) FREEZE/LOCK YOUR CREDIT
Given the wide breadth and scope of a number of massive security breaches, including two that have compromised the social security numbers of everyone in the US, everyone NOT applying for more credit or in the process of securing a loan for a car or mortgage for a house should freeze/lock their credit ASAP if they haven’t already.
We’ve already covered what to do in a prior news article from the end of August 2024.
https://shassit.mit.edu/news/lock-down-your-credit-now/
The technological landscape is always shifting and changing so remember, there is no such thing as a dumb question. Please ask if you’re not sure and please have a safe and sane end of spring semester and academic year!