Silent Fatigue

Welcome to this week’s Tip of the Hat!

Cybersecurity Awareness Month wouldn’t be complete without a post about a current cybersecurity threat. This month we learned that Silent Librarian is making the rounds right on time for the start of the academic school year.

Academic libraries encountered Silent Librarian last year, where several prominent universities were targeted by this phishing attack. Silent Librarian targets students and academic staff/faculty by sending an email that appears to be from the library, stating that their library account is going to expire and that the recipient needs to click on a link to reactivate it. If the user clicks the link and tries to log into the spoofed site with their university account, the attacker can then use this account to gain access to the university network and other sensitive systems.

Last week, Malwarebytes reported the first round of attacks for the 20/21 academic year. The attack follows roughly the same pattern from previous years; however, this year is a bit different due to the current chaotic state that many universities are in due to the pandemic. The attackers can take advantage of the confusion and disorder caused by the rapidly changing plans of on/off-site teaching, access to academic resources, and changing restrictions and guidelines set by campus officials. 

The fatigue caused by all of these changes can change how a person behaves and potentially lower the person’s ability to protect their digital security. This fatigue is a boon for attackers because the behavior changes lead people to be less diligent about cybersecurity – people may not be checking email messages before clicking on a link in a phishing email, for example. It’s difficult to prevent this fatigue with everything going on in the world and harder to recover from once fatigue sets in. 

This year’s Cybersecurity Awareness Month comes at a time where information security and privacy folks have to be mindful about over-relying on individual responsibility. Advice to combat this security fatigue usually center around what the individual should do, but what happens if the individual is already overwhelmed? This fatigue is not new – research has shown that users mentally check out when they are presented end-user agreements and privacy policies. The user can only do so much if they are distracted and overwhelmed by, well… everything that’s going on in 2020.

Users have a part to play in protecting data, but solely putting the burden of security on the end-user can create a vulnerability that is hard to fix in an organization when fatigue sets in. For libraries, this would be a good time to check what cybersecurity measures are in place and where the organization can alleviate some of this fatigue in staff. In the last two weeks, we explored different types of cybersecurity training – it might be a good time to create reminders or training that use positive reinforcement and motivate staff to be proactive in securing the library’s data. It’s also a good time to check firewalls, spam filters, and other email and network security settings to identify and block phishing emails, particularly repeat attackers such as Silent Librarian. Creating checklists for staff using personal devices for work purposes, as well as checklists for staff doing remote work, can help already overwhelmed staff in ensuring that they are not putting library data and networks at risk. Even smaller actions such as a checklist can go a long way in reducing data security and privacy risks. Providing any assistance to users at this time will not force users to spend all their energy (or, in some cases, spoons) trying to do all the things to protect data on their own, quickly leading to burnout and increased risk to data security.

Friendly Phishing, or Should You Phish Your Own Staff?

Welcome to this week’s Tip of the Hat!

October is a very important month. Not only does October mean Halloween (candy), it also means Cybersecurity Awareness Month. This month’s TotH posts will focus on privacy’s popular sibling, security. We start this month by focusing on one common “trick” – phishing – and why not all cybersecurity training is created equal.

A hooded middle aged white man wearing sunglasses laughs as he holds a fishing pole with a USB drive at the end of the line.
This is also the month where we get to use our favorite phishing stock photo. Image source: https://www.flickr.com/photos/hivint/36953918384/.

We wrote more about phishing in a previous post if you need a refresher; the tl;dr summary is that phishing is a very common attack method to gain access to a variety of sensitive systems and data by pretending to be an email from a trusted source (business or person). Phishing can be very costly on both a personal level (identify theft) and an organizational level (ransomware, data breach, etc.), so it’s no wonder that any digital security training spends a considerable amount of time on teaching others on how to spot a phishing email and what to do to prevent being phished.

It turns out that this type of training, for the amount of time spent in covering avoiding phishes, might not be as effective, and in some cases, can actively go against the goal of the training itself. A good portion of cybersecurity training comes in the way of lectures or an online web module, where users listen/read the information and are then tested to assess understanding. While that has been the main mode of training in the past, lecture/quiz style training, trainers realize that interactive training that goes beyond this model can be more effective in knowledge retention and understanding.

A growing number of organizations are using another type of security training – sending out phishing emails without warning to their employees. The phishing email, created by an external cybersecurity training company or by the local training team, would be sent out to spoof ether an organizational email or an email from a trusted source. This live test, theoretically, would more accurately assess employees’ knowledge and awareness of phishing methods and provide on-the-spot results, which could include corrections or remedial training. There are a variety of vendors offering both free and paid tools and services, such as KnowBe4 and PhishingBox.

Simulated phishing tests appear like a great addition to your organization’s training approach; however, these simulated tests can backfire. One way it can backfire is turning staff against the organization. One recent example of this comes from a simulated phishing email sent to Tribune Publishing staff, promising staff a chance of a company bonus if they clicked on the enclosed link. This email was sent out after staff went through furloughs and other drastic budget cuts, and the staff reaction to this email led to further erosion of trust between employees and administration. The debate extended to the security field, questioning the ethics of using content that otherwise is used in common phishing emails in an organization where employees went through considerable stress due to budget cuts. 

Another way simulated phishing tests can backfire is when the tests focus on shaming or negative outcomes. Some phishing tests focus on those who do not spot the phish, providing on the spot corrective training or assigning the employee to a future training. However, research has shown that focusing on shaming to correct behavior doesn’t work in the long term and might lessen the chance of someone reporting a possible phishing email or other cybersecurity issues to the organization. Negative reinforcement serves to create a more insecure organization by creating an environment where staff either are not motivated to or fear reprimand if they report a cybersecurity issue.

The use of simulated phishing tests will be the topic of debate for some time, but this debate presents two takeaway points to consider for any type of cybersecurity training:

  1. Context and methods matter – simulated tests can be effective, but the test’s logistics – including timing and content – can work against the desired outcomes of the trainers. Trainers should also consider the current state of the organization, such as staff morale and major crises/events in the organization, in choosing and developing cybersecurity training for staff. Another thing to consider is the effectiveness of training methods, including how often training has to be repeated to keep staff current on cybersecurity threats and procedures.
  2. Positive reinforcement – positive reinforcement, such as awarding staff members who do not click on the test phish email, can help with creating a more security-conscious organization. 

Next week we will dive into another type of cybersecurity training that is a simulation of another kind – stay tuned!

News and Resource Roundup – Michigan Privacy Law Update, Privacy Literacy Toolkit, and Testing Your Infosec+Digital Literacy Knowledge

Welcome to this week’s Tip of the Hat! This week we bring you an important state legislative update, a resource guide, and three quizzes to start your week.

Michigan library patron data law amendment update

Last December LDH reported on SB 0611, an amendment that would considerably weaken Michigan’s library data privacy laws. The bill allows for libraries to release patron data to law enforcement without a court order:

A library may disclose library records without a court order or the written consent described in subsection (2) under any of the following circumstances:

(a) Upon the request of a law enforcement officer who is investigating criminal activity alleged to have occurred at the library or if the library requests the assistance of a law enforcement officer regarding criminal activity alleged to have occurred at the library, the library may disclose to the law enforcement officer any library record pertinent to the alleged criminal activity. The library director and any other person designated by the library board or commission is authorized to determine whether to disclose library records subject to this subdivision. The library is not required to release library records under this subdivision and may require the law enforcement officer to obtain written consent or an order of the court as required in subsection (2)

After almost a year of inactivity, the bill is now progressing through the state legislature. If you are a Michigan library and concerned about this bill, please contact your state representative and senator about your concerns.

Privacy literacy clearinghouse

If you are searching for resources or examples of privacy literacy instruction after reading our last post, you’re in luck! Digital Shred is a collection of teaching resources and case studies for anyone wanting to incorporate privacy literacy into their instruction work, from information literacy sessions to dedicated privacy workshops. Created and curated by Sarah Hartman-Caverly and Alexandria Chisholm, the authors of the article featured in the last TotH post, Digital Shred also provides another way to keep current on ongoing privacy and surveillance news and issues. Explore the site, and don’t forget to check out the teaching resources and materials for the privacy workshop series created by the authors!

Quiz time

The school year is in full swing, and students are now facing their first round of quizzes and tests. We want to share the pain joy of test-taking by highlighting three quizzes to test your information security – as well as literacy! – knowledge and skills:

  • Spot the Phish – This quiz tests how well you can spot a phishing email in the Gmail email service. While the focus is only on one email platform, the lessons here can apply to any email service!
  • Spot the Deepfake – Deepfakes are images or videos that have been altered to create a realistic image or recording of someone’s likeness doing or saying things that, in reality, did not happen. AI, machine learning, and other developments in technology have made it so that some deepfakes are almost indistinguishable from unaltered media. This quiz will test your observational skills along with your critical thinking by asking you which videos are deepfakes and which ones are the real thing.
  • Spot the Troll – our last quiz focuses on identifying which social media accounts are real, and which ones are fake. It’s not as easy as you’d think…

COVID-19: Resources and Privacy Considerations

Welcome to this week’s Tip of the Hat!

Some of you might already know that LDH is based out of Seattle. Seattle has been in the news with the recent COVID-19 cases and deaths in the area. We at LDH are staying relatively healthy (outside of it being allergy season in town). Nonetheless, some of you have also been impacted by COVID-19, including institutional travel restrictions, dusting off the disaster policy and procedures, and fielding questions from both staff and patrons about what will happen when there’s an outbreak of COVID-19 in your area.

There’s a lot of information out there regarding COVID-19 and what you should do to help slow the spread of the infection. Some sources include:

The most important things to keep in mind during this time:

  • WASH YOUR HANDS WITH SOAP AND WATER. It doesn’t matter if it’s hot or cold water. There are several memes out there with lists of songs you can sing for about 20 seconds, be it Happy Birthday, the opening trumpet solo in Mahler’s 5th, or the chorus to this song.
    Hand sanitizer (store-bought, not homemade) is also an option, but not as effective as washing your hands with soap and water. [1]
  • Cover coughs and sneezes using your elbow or tissue (then throwing the tissue away).
  • If you are able, stay home if you are sick. This is not an option for those who do not have paid sick time, or if there’s a lack of coverage at work. If you do have the privilege to stay home, do so.
  • Extra cleaning of any hard surfaces as well as public or shared areas, such as open offices and break rooms.

COVID-19 has also brought up some good reminders and discussions surrounding privacy in a time of a possible pandemic:

Here are a few more articles surrounding the COVID-19 and the possible long-term implications to privacy regulations and public discourse:

Stay safe and healthy in the coming weeks!

[1] You would be surprised by the number of people who do not wash their hands regularly; this is something you should be doing anyway in normal circumstances. Hence, the shouting. Forever shouting about the washing of hands.

Silent Librarian and Tracking Report Cards

Welcome to this week’s Tip of the Hat! We at LDH survived the full moon on the Friday the 13th, though our Executive Assistant failed to bring donuts into the office to ward off bad luck. Unfortunately, several universities need more than luck against a widespread cyberattack that has a connection to libraries.

This attack, called Cobalt Dickens or Silent Librarian, relies on phishing to gain access to university systems. The potential victims receive a spoofed email from the library stating that their library account is expired, followed by instructions to click on a link to reactivate the account by entering their account information on a spoofed library website. With this attack happening at the beginning of many universities’ semesters, incoming students and faculty might click through without giving a second thought to the email.

We are used to having banking and other commercial sites be the subject of spoofing by attackers to obtain user credentials. Nonetheless, Silent Librarian reminds us that libraries are not exempt from being spoofed. Silent Librarian is also a good prompt to review incident response policies and procedures surrounding patron data leaks or breaches with your staff. Periodic reviews will help ensure that policies and procedures reflect the changing threats and risks with the changing technology environment. Reviews can also be a good time to review incident response materials and training for library staff, as well as reviewing cybersecurity basics. If a patron calls into the library about an email regarding their expired account, a trained staff member has a better chance in preventing that patron falling for the phishing email which then better protects library systems from being accessed by attackers.

We move from phishing to tracking with the release of a new public tool to assess privacy on library websites. The library directory on Marshall Breeding’s Library Technology Guides site is a valuable resource, listing thousands of libraries in the world. Each listing has basic library information, including information about the types of systems used by the library, including specific products such as the integrated library system, digital repository, and discovery layer. Each listing now includes a Privacy and Security Report Card that grades the main library website on the following factors:

  • HTTPS use
  • Redirection to an encrypted version of the web page
  • Use of Google Analytics, including if the site is instructing GA to anonymize data from the site
  • Use of Google Tag Manager, DoubleClick, and other trackers from Google
  • Use of Facebook trackers
  • Use of other third-party services and trackers, such as Crazy Egg and NewRelic

You can check what your library’s card looks like by clicking on the Privacy and Security Report button on the individual library page listing. In addition to individual statistics, you can view the aggregated statistics at https://bit.ly/ltg-https-report. The majority of public library websites are HTTPS, which is good news! The number of public libraries using Google Analytics to collect non-anonymized data, however, is not so good news. If you are one of those libraries, here are a couple of resources to help you get started in addressing this potential privacy risk for your patrons:

Gone Phishin’

Welcome to this week’s Tip of the Hat!

Our Executive Assistant has been waiting for the opportunity to spend some of her summer days fishing at one of Seattle’s many fishing spots. LDH, unfortunately, cannot claim that fishing is a work-related activity; however, dealing with the different types of “phishing” activities do fall under the realm of keeping data private and safe.

Phishing, like fishing, is a complex process, most of which is done behind the scenes. The general goal of email phishing is to gain a piece of sensitive information or system access from the target. To achieve that goal, the phishing email needs to pull off certain steps, the first being to appear official. This doesn’t work very well if you have encountered a phishing email for a company that you don’t do business with, but an email that is designed to look exactly like an official email from a company that you do business with (or even work for) can lead to a false sense of security.

Phishing relies heavily on exploiting human traits and biases. Having an email look authentic is one way. Even if the email doesn’t look authentic, if it tells you that your account has been compromised, or if you have won an award, you might not think twice before acting on the email. For example, if someone claiming to be from your IT department asks for your password because they need to access your computer to perform critical security updates, your initial reaction is to be helpful and to provide the information. If a bank email told you that your account has been suspended, you might not be thinking about if the email was legitimate – you might be thinking about bills that are set up to auto-pay with the account, and that you need to make sure all those payments go through. You click on the link and become another fish caught by the phisher.

Avoiding phishing attempts involves several tactics. The best way of dealing with phishing emails is to never have them pop into your inbox in the first place. Junk and spam filters can do most of the work, along with specialized applications and software. When you do get an email from a company that you do business with, the best first step to take is to stop and think before acting on the email’s requests:

  • Check the links – Some phishing attempts will come from a domain name similar to the actual company, but something just doesn’t quite fit. For example, the link companyA.examplesite.com might make you think that it’s a legitimate Company A URL – in reality, the main site is examplesite.com.
  • Check the sender field – If you are getting an email claiming to be from Company A, but the sender’s email address is not from Company A, the email is most likely not from Company A.
  • Check the message – does the message include any of the following?
    • Misspellings, bad grammar, poor formatting?
    • Messages claiming that your account was suspended or compromised and that you need to download a file, click a link, or send your login credentials via email to resolve the issue?
    • Messages claiming that you won a prize or award and that you need to click on a link or send over information to claim the prize?
    • If the email writer who is requesting your login information claims to come from your organization or from IT?

If you go through the checks and are still not 100% sure if the email is legitimate, do not click on any links, download or open any attachments, or reply back to the email. Contact the company through other means – opening a browser tab and accessing the company website via bookmarked tab or typing in the main company URL (NOT from the email!) is a safer way to obtain contact information as well as logging into your account.

Phishing has gotten more elaborate throughout the years, finding new ways to exploit human characteristics. Spear phishing and whaling are just two of the ways phishing has evolved. Nonetheless, if we all stop and think before we act on that email telling us to send over our information to claim our free fishing trip, more phishers will end their phishing trips with no catches.