Moving at the Speed of Creativity by Wesley Fryer

You Need to Be Talking about Phishing and Ransomware

Digital citizenship involves both rights and responsibilities. One of the responsibilities we have as digital citizens is to help educate others about safe and appropriate online behavior. As the number of phishing and ransomware incidents in schools and elsewhere around the world continues to increase, each of us has a responsibility to talk with the teachers, students, and parents we have direct contact with about these issues. This is NOT just the responsibility of the technology department or the computer teachers. We ALL need to:

  1. Understand what phishing and ransomware attacks are
  2. Be able to discuss specific strategies which we can follow to address these issues
  3. Use current events / news articles about these issues to raise community awareness and tech-savviness

Phishing

The English Wikipedia defines phishing as:

the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

One of the most well-known phishing attacks of the past year targeted the Democratic National Committee (DNC) in the United States and Hillary Clinton's campaign chairman, John Podesta, whose personal Gmail account was taken over after he acted on a phishing email disguised as a Google security alert. Former US Secretary of State and four-star General Colin Powell was also the victim of a phishing attack in 2016. Knowing some of the facts of these incidents gives you good “talking points” for discussing the vulnerability we ALL have to phishing. If smart and savvy people like Podesta and Powell can be victimized by phishing attacks, any of us can be. This shouldn’t leave us feeling helpless; rather, it should galvanize our resolve to take concrete actions to be as prepared and protected as we can be against these kinds of attacks. This October 2016 article from Motherboard is worth reading and provides more background on the DNC, Podesta and Powell phishing hacks.

Sometimes news which is “close to home” resonates more than distant events. As an Oklahoma educator, it’s helpful to know that Yukon Public Schools (one of our suburban school districts just west of Oklahoma City) was victimized by a targeted phishing scam earlier this month, in March 2017. Sharing local articles like this shouldn’t be viewed as “throwing a local school district under the bus.” Educators (particularly in our state, perhaps, but this is likely true everywhere) cringe when YET ANOTHER negative news story about public schools or teachers appears in the mainstream media. The purpose of sharing stories about local school phishing attacks is to highlight the REALITY and PRESENT DANGER of these situations for all of us: administrative assistants as well as teachers and administrators. Anyone with digital access to confidential student and parent information, including business office employees, is a potential target for school phishing attacks. Be on the lookout for phishing incidents in your local area, and share them with others with whom you have contact to raise awareness among staff, parents and students.

Phishing attacks are increasingly tricky and difficult to identify. Noted radio technology guru Kim Komando (@kimkomando) recently highlighted a new twist on phishing: hackers who have already broken into one Gmail account use it to generate customized emails to that person’s contacts, reusing subject lines and text phrases from earlier messages so the new email looks like the continuation of a real conversation. What appears to be an attached file is really a link to a fake Google sign-in page, and if you click it and enter your Google credentials there – BOOM! The hacker has access to your Gmail account and all of your Google files and resources. This compromises not only your own security but potentially the security and confidential information of others in your school or organization. Read this article and share it with others as part of your ongoing conversations about digital citizenship.

Ransomware

The English Wikipedia defines ransomware as:

computer malware that installs covertly on a victim’s device (e.g., computer, smartphone, wearable device) and that either mounts the cryptoviral extortion attack from cryptovirology that holds the victim’s data hostage, or mounts a cryptovirology leakware attack that threatens to publish the victim’s data, until a ransom is paid. Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, and display a message requesting payment to unlock it. More advanced malware encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.

A shorter way to explain ransomware is to describe it as “digital extortion.” Like Janice Avery, the bathroom bully in “Bridge to Terabithia” who extorts money from smaller students to enter the bathroom at recess, malicious hackers (black-hat hackers – hackers “who violate computer security for little reason beyond maliciousness or for personal gain”) use ransomware to unfairly take money from others using coercion and threats.

Two recent ransomware events which highlight the dangers of clicking on malicious email attachments involve an Austrian hotel and legislators in Pennsylvania. In January 2017, the owners of a four-star hotel in Austria paid a ransom of about 1,500 euros (roughly $1,600) in Bitcoin after ransomware disabled the system the hotel uses to program its electronic room key cards. It turns out this was the fourth time the hotel had been hit with ransomware, but the latest incident made the news because management decided to issue a press release. Articles which reported that guests were actually locked in their rooms were NOT accurate, according to this clarifying article from The Verge. The ransomware attack was real, however, as is the ongoing danger of these attacks. (Thanks to Doug Levin @douglevin for this clarifying Verge article.)

Earlier this month, in March 2017, Democrats in the Pennsylvania state Senate were locked out of their email and computer systems by a ransomware attack.

Search Google News for “school ransomware” for specific articles about how K-12 schools as well as colleges/universities continue to be targets for malicious hackers using ransomware programs which can be readily purchased online via the “dark web.” Problems with hackers, ransomware, and phishing are likely to become even more common in the weeks and months ahead. Use news articles like these to talk with others about the dangers and what can be done.

What Can Be Done About Phishing and Ransomware?

I strongly encourage you to NOT feel helpless as you read these articles about hacking attacks, phishing and ransomware. There are MULTIPLE specific things which we can do as individuals and organizations to protect ourselves and be proactive in the face of these malicious dangers.

My December 2016 post, “Give the Gift of Digital Security to Your Family,” details my best advice about how to become more secure in your computing habits. The post includes 11 specific suggestions. These include using a password manager so you can use long, secure, and unique passwords on each website you log in to, and setting up 2-step verification on as many websites as you can. Definitely set up 2-step verification on your email accounts and banking websites.

In addition to these personal security measures, we need to talk to teachers, staff, parents and students about the critical thinking process which we should each follow before we choose to CLICK A LINK in an email message or OPEN AN ATTACHMENT. The “payload” of malicious phishing or ransomware code is almost always triggered by a user’s decision: clicking a link, opening a file, or typing a password into a sign-in page that only looks like the real one. Before acting, ask where a link actually goes (hover over it and compare the real address with the text you see), whether the sender’s address and any reply-to address really belong to the person you think they do, and whether an attachment is a document or something that runs as a program. Firewalls and security software continue to improve in an ongoing battle to keep schools secure, but there are so many threats that no single hardware or software solution can guarantee security.
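The checks above, and the look-alike Gmail lure described in the Phishing section, can be turned into something a technology department or a curious teacher can actually run. The Python script below is an added example, not code from the original post or from any of the articles it links; it uses only the standard library. The sample message it inspects is constructed for illustration (a spoofed reply-to address, a link whose visible text says docs.google.com but which points at a look-alike domain, a data: URI “sign-in page” embedded in the email itself, and a “.pdf.exe” attachment). The BRAND_DOMAINS and RISKY_EXTENSIONS lists and the two-label registered_domain() helper are simplifying assumptions, not a production rule set.

```python
"""Pre-click triage of an email: the 'where does this really go?' questions
as checks a script can run.

Added example, not code from the original post. Standard library only.
BRAND_DOMAINS, RISKY_EXTENSIONS and registered_domain() are assumptions for
illustration; the sample message is constructed, not a real phishing email.
"""
import os
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brand names phishers imitate, mapped to the brand's real domain.
BRAND_DOMAINS = {"google": "google.com", "microsoft": "microsoft.com"}
# Assumption: attachment types that run code when opened (illustrative list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".hta", ".docm", ".xlsm"}


def registered_domain(host):
    """Crude 'last two labels' owner domain (ignores TLDs like co.uk; fine for a demo)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Compare where a link says it goes with where it actually goes."""
    out = []
    parsed = urlparse(href)
    if parsed.scheme == "data":
        # The Gmail lure: the 'sign-in page' is embedded in the email as a
        # data: URI, so no real website is ever contacted.
        out.append(f"'{text}' opens a data: URI embedded in the email, not a website")
        return out
    host = (parsed.hostname or "").lower()
    if text.lower().startswith(("http://", "https://")):
        shown = (urlparse(text).hostname or "").lower()
        if registered_domain(shown) != registered_domain(host):
            out.append(f"link text shows {shown} but actually goes to {host}")
    for keyword, legit in BRAND_DOMAINS.items():
        if keyword in host and registered_domain(host) != legit:
            out.append(f"{host} contains '{keyword}' but is not {legit}")
    return out


def triage(raw):
    """Return human-readable warnings for one raw RFC 822 message (a string)."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and registered_domain(reply_to.split("@")[-1]) != registered_domain(sender.split("@")[-1]):
        findings.append(f"Reply-To {reply_to} is not in the sender's domain ({sender})")
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} is a type that runs code when opened")
        if part.get_content_type() == "text/html":
            extractor = _LinkExtractor()
            extractor.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in extractor.links:
                findings.extend(check_link(href, text))
    return findings


def build_sample():
    """Constructed lure: familiar subject, spoofed reply-to, look-alike link, data: URI, .exe."""
    msg = EmailMessage()
    msg["From"] = "Jane Principal <jprincipal@example-k12.org>"
    msg["Reply-To"] = "jprincipal@example-k12-mail.co"
    msg["To"] = "teacher@example-k12.org"
    msg["Subject"] = "Re: Spring field trip permission forms"
    msg.set_content("Please review the attached permission forms.")
    msg.add_alternative(
        '<p>The updated forms are here:<br>'
        '<a href="http://accounts-google.com.example/login">'
        'https://docs.google.com/forms/permission</a><br>'
        'Or sign in directly: <a href="data:text/html;base64,PGh0bWw+">'
        'Open Google Drive</a></p>',
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Permission_forms.pdf.exe")
    return msg.as_string()


def run_sample():
    """Triage the constructed sample; returns the list of warnings."""
    return triage(build_sample())


if __name__ == "__main__":
    for warning in run_sample():
        print("-", warning)
```

Run it and every warning maps back to one of the questions above: the reply-to check catches replies being redirected to an attacker, the visible-text-versus-href comparison is the scripted version of “hover before you click,” the data: URI check catches the embedded fake sign-in page, and the extension check flags an attachment that is a program dressed up as a PDF. A message that produces no warnings is not proven safe; the script only makes the routine questions harder to skip.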

If phishing and ransomware have not been specifically discussed at a faculty meeting recently, ask your principal, superintendent, or team leader if these issues can be addressed. Consider volunteering to talk about them yourself. Ask others at the meeting how many of them know someone who has been the victim of identity theft. Some hands will almost certainly be raised. These issues hit very close to home, and we don’t need to just raise awareness and therefore fear / apprehension levels, we also need to EQUIP and EMPOWER others with whom we work to take proactive steps to protect ourselves and our organizations.

If your school uses G Suite for Education (Google Apps for Education) and 2-step verification is not enabled for your domain, ask your administrators / technology department leaders to enable it. 2-step verification can be enabled in G Suite without requiring it for everyone. Eventually requiring 2-step verification for all users is a good idea, but an educational and hands-on training process should precede that deadline to give all users plenty of time to adjust to the demands of this security requirement. The G Suite Administrator Help article, “Set up 2-Step Verification for your domain,” details the specific steps in this process.

Digital Citizenship education involves everyone, and it should include EMPOWERING as well as educating our constituents! Whatever your educational role or title, step up to the plate and start talking with others about phishing and ransomware. Take proactive steps to make your computing practices more secure, and encourage others to follow your lead.

If you find this post helpful, please let me know with a comment below or by reaching out on Twitter to @wfryer.

“phishing” (CC BY 2.0) by Richzendy, on Flickr

If you enjoyed this post and found it useful, subscribe to Wes’ free newsletter. Check out Wes’ video tutorial library, “Playing with Media.” Information about more ways to learn with Dr. Wesley Fryer are available on wesfryer.com/after.
